################################################################ # ThreatFox IOCs: Suricata rules # # Last updated: 2024-07-26 21:35:10 UTC # # # # Terms Of Use: https://threatfox.abuse.ch/faq/#tos # # For questions please contact threatfox [at] abuse.ch # ################################################################ # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptsecurelowwindows.php"; depth:31; nocase; http.host; content:"660256cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303950; rev:1;) alert tcp $HOME_NET any -> [185.158.248.143] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_26; classtype:trojan-activity; sid:91303946; rev:1;) alert tcp $HOME_NET any -> [176.31.45.36] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_26; classtype:trojan-activity; sid:91303947; rev:1;) alert tcp $HOME_NET any -> [45.155.249.102] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_26; classtype:trojan-activity; sid:91303945; rev:1;) alert tcp $HOME_NET any -> [45.143.166.66] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303944; rev:1;) alert tcp $HOME_NET any -> [157.90.30.125] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"overstockads.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"weaknessmznxo.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stimultaionsppzv.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shellfyyousdjz.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"parntorpkxzlp.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"horizonvxjis.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"kaminiasbbefow.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"grassytaisol.shop"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1303935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"effectivedoxzj.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"broccoltisop.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bravedreacisopm.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303932; rev:1;) alert tcp $HOME_NET any -> [23.94.183.150] 5058 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303931; rev:1;) alert tcp $HOME_NET any -> [196.206.78.106] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303930; rev:1;) alert tcp $HOME_NET any -> [185.215.113.9] 9137 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303927; rev:1;) alert tcp $HOME_NET any -> [45.140.147.183] 12245 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"canroura.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"canroura.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; 
nocase; http.host; content:"canroura.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"canroura.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.217.175.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_26; classtype:trojan-activity; sid:91303921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"fqq121.beget.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2259cd8f.php"; depth:13; nocase; http.host; content:"a1008296.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303919/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"megasena777.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"megasena777.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"megasena777.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"megasena777.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.243.165.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"109.120.176.203"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303913; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 55257 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"talk-saturn.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303908; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 35975 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303907; rev:1;) alert tcp $HOME_NET any -> [94.156.69.39] 7744 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303911; rev:1;) alert tcp $HOME_NET any -> [84.38.129.21] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303910; rev:1;) alert tcp $HOME_NET any -> [50.18.145.13] 14445 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"118.240.211.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_26; classtype:trojan-activity; sid:91303906; rev:1;) alert tcp $HOME_NET any -> [185.215.113.16] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_26; classtype:trojan-activity; sid:91303905; rev:1;) alert tcp $HOME_NET any -> [185.215.113.19] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303904/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_07_26; classtype:trojan-activity; sid:91303904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subtitlez0.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subtitle42.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303857; rev:1;) alert tcp $HOME_NET any -> [168.76.20.194] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303860; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 26109 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303861; rev:1;) alert tcp $HOME_NET any -> [167.71.14.135] 1118 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303862; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 35433 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thomas-partly.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jo89ku7d/index.php"; depth:19; nocase; http.host; content:"185.215.113.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vi9leo/index.php"; depth:17; nocase; http.host; content:"185.215.113.19"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303867; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 35584 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"id-diesel.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"109.120.176.203"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303873; rev:1;) alert tcp $HOME_NET any -> [185.195.26.95] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303870; rev:1;) alert tcp $HOME_NET any -> [168.76.20.202] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"109.120.176.203"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303633; rev:1;) alert tcp $HOME_NET any -> [51.195.145.80] 14640 (msg:"ThreatFox RedLine 
Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303855; rev:1;) alert tcp $HOME_NET any -> [64.176.172.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303903; rev:1;) alert tcp $HOME_NET any -> [154.12.84.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303902; rev:1;) alert tcp $HOME_NET any -> [47.92.68.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303901; rev:1;) alert tcp $HOME_NET any -> [119.91.61.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303900; rev:1;) alert tcp $HOME_NET any -> [101.132.106.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303899/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_26; classtype:trojan-activity; sid:91303899; rev:1;) alert tcp $HOME_NET any -> [106.15.229.159] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303898; rev:1;) alert tcp $HOME_NET any -> [154.12.20.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303897; rev:1;) alert tcp $HOME_NET any -> [47.245.94.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303895; rev:1;) alert tcp $HOME_NET any -> [47.96.239.18] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303896; rev:1;) alert tcp $HOME_NET any -> [47.121.129.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303894; rev:1;) alert tcp $HOME_NET any -> [141.98.197.31] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303893; rev:1;) alert tcp $HOME_NET any -> [107.173.53.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303892; rev:1;) alert tcp $HOME_NET any -> [118.89.116.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303891; rev:1;) alert tcp $HOME_NET any -> [101.200.58.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303890; rev:1;) alert tcp $HOME_NET any -> [47.96.183.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303889; rev:1;) alert tcp $HOME_NET any -> [47.121.127.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; 
sid:91303888; rev:1;) alert tcp $HOME_NET any -> [116.62.60.64] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303887; rev:1;) alert tcp $HOME_NET any -> [204.152.203.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303886; rev:1;) alert tcp $HOME_NET any -> [120.79.76.84] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303884; rev:1;) alert tcp $HOME_NET any -> [47.121.119.130] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303885; rev:1;) alert tcp $HOME_NET any -> [47.113.202.225] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303883; rev:1;) alert tcp $HOME_NET any -> [154.12.20.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1303882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303882; rev:1;) alert tcp $HOME_NET any -> [139.196.74.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303881; rev:1;) alert tcp $HOME_NET any -> [47.95.10.131] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303880; rev:1;) alert tcp $HOME_NET any -> [39.105.24.180] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303878; rev:1;) alert tcp $HOME_NET any -> [39.105.194.239] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303879; rev:1;) alert tcp $HOME_NET any -> [175.27.168.214] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303877; rev:1;) alert tcp $HOME_NET any -> 
[107.173.53.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303876; rev:1;) alert tcp $HOME_NET any -> [47.91.14.8] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303875; rev:1;) alert tcp $HOME_NET any -> [94.191.4.49] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_26; classtype:trojan-activity; sid:91303874; rev:1;) alert tcp $HOME_NET any -> [45.132.107.72] 8090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303872; rev:1;) alert tcp $HOME_NET any -> [45.132.107.72] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303871/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_26; classtype:trojan-activity; sid:91303871; rev:1;) alert tcp $HOME_NET any -> [38.180.203.208] 14238 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303866/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303866; rev:1;)
# ThreatFox url rules (template used by every "alert http" entry below).
# - Match GET requests from the client side of an established flow.
# - http.uri: content + depth equal to the pattern length anchors the path at
#   the start of the URI, but nothing anchors its end, so a longer URI that
#   begins with the same path (for example with a query string) also matches.
#   nocase applies to this URI pattern only.
# - http.host: depth + isdataat:!1,relative pin the pattern at both ends, so
#   only that exact host value matches. The host patterns are written in
#   lower case; presumably this relies on the host buffer being normalised —
#   confirm for the Suricata version in use.
# - Unlike the ip:port rules, these carry no threshold keyword, so every
#   matching request raises an alert.
# NOTE(review): these rules depend on the HTTP request being visible to the
# sensor; the same URL fetched over TLS would not be seen by them unless the
# traffic is decrypted upstream.
# NOTE(review): the next entry is published at confidence_level 50 and matches
# a Host header that is a literal address rather than a name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"221.15.198.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_25; classtype:trojan-activity; sid:91303856; rev:1;)
alert tcp $HOME_NET any -> [103.198.26.25] 96 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/jlbcyg0q595vs4hef0"; depth:29; nocase; http.host; content:"45.61.136.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303634; rev:1;)
# packedbrick.com appears twice in this block: as http.host here (sid 91303632)
# and as a DNS query name further down (sid 91303631). One download attempt can
# therefore raise both; correlate them rather than counting two incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vfrg2l1ej33bley00jdn9pxusvox2mni-ntw9upuopg"; depth:44; nocase; http.host; content:"packedbrick.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/twofish.php"; depth:16; nocase; http.host; content:"109.120.176.203"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303629; rev:1;)
# ThreatFox domain rules (template used by every "alert dns" entry below).
# - dns_query content is pinned at both ends (depth equal to the pattern
#   length plus isdataat:!1,relative) and is case-insensitive, so only a query
#   for exactly this name matches; a query for a subdomain of it does not.
# - No threshold keyword, so each matching query raises an alert.
# NOTE(review): the rule only sees DNS queries that cross the sensor in the
# clear; lookups sent over an encrypted resolver channel are outside its view.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soft-download123file.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"packedbrick.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303631; rev:1;)
# imc1.top is likewise covered by a url rule (sid 91303620) and a domain rule
# (sid 91303621).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"imc1.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"imc1.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"imc1.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"imc1.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"hhic.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"novidadesfresquinhas.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"novidadesfresquinhas.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1303626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"novidadesfresquinhas.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"novidadesfresquinhas.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"104.131.159.100"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"office-adr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303618; rev:1;) alert tcp $HOME_NET any -> [5.253.86.233] 2404 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"troia23.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303582; rev:1;) alert tcp $HOME_NET any -> [41.249.55.89] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303502; rev:1;) alert tcp $HOME_NET any -> [103.144.139.144] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 70%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303479/; target:src_ip; metadata: confidence_level 70, first_seen 2024_07_25; classtype:trojan-activity; sid:91303479; rev:1;) alert tcp $HOME_NET any -> [103.117.141.98] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 70%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303478/; target:src_ip; metadata: confidence_level 70, first_seen 2024_07_25; classtype:trojan-activity; sid:91303478; rev:1;) alert tcp $HOME_NET any -> [91.242.163.155] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 70%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1303477/; target:src_ip; metadata: confidence_level 70, first_seen 2024_07_25; classtype:trojan-activity; sid:91303477; rev:1;) alert tcp $HOME_NET any -> [60.205.226.146] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303616; rev:1;) alert tcp $HOME_NET any -> [74.48.84.44] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303615; rev:1;) alert tcp $HOME_NET any -> [106.15.199.56] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303614; rev:1;) alert tcp $HOME_NET any -> [106.15.229.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303613; rev:1;) alert tcp $HOME_NET any -> [36.133.13.63] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303612; rev:1;) alert tcp $HOME_NET any -> [47.116.176.97] 8001 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303611; rev:1;) alert tcp $HOME_NET any -> [122.152.232.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303610; rev:1;) alert tcp $HOME_NET any -> [91.92.244.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303609; rev:1;) alert tcp $HOME_NET any -> [20.117.173.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303608; rev:1;) alert tcp $HOME_NET any -> [60.205.226.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303607; rev:1;) alert tcp $HOME_NET any -> [106.14.211.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303606/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303606; rev:1;) alert tcp $HOME_NET any -> [47.103.135.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303605; rev:1;) alert tcp $HOME_NET any -> [139.224.199.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303604; rev:1;) alert tcp $HOME_NET any -> [47.108.77.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303603; rev:1;) alert tcp $HOME_NET any -> [47.99.195.123] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303601; rev:1;) alert tcp $HOME_NET any -> [1.92.92.7] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303602; rev:1;) alert tcp $HOME_NET any -> [47.108.27.61] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303600; rev:1;) alert tcp $HOME_NET any -> [117.50.180.189] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303599; rev:1;) alert tcp $HOME_NET any -> [106.14.96.25] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303598; rev:1;) alert tcp $HOME_NET any -> [81.70.246.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303597; rev:1;) alert tcp $HOME_NET any -> [39.101.72.235] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303596; rev:1;) alert tcp $HOME_NET any -> [106.52.196.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; 
classtype:trojan-activity; sid:91303595; rev:1;) alert tcp $HOME_NET any -> [39.105.161.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303594; rev:1;) alert tcp $HOME_NET any -> [49.232.137.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cz41806.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303592; rev:1;) alert tcp $HOME_NET any -> [43.143.123.22] 443 (msg:"ThreatFox SquidLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_25; classtype:trojan-activity; sid:91303591; rev:1;) alert tcp $HOME_NET any -> [193.29.13.46] 5850 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303590; rev:1;) alert tcp $HOME_NET any -> [45.83.207.67] 6652 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303589; rev:1;)
# Mixed url and ip:port entries. In the url rules the URI is matched as a
# prefix (depth anchors the start only) and the Host value is matched exactly
# (depth + isdataat:!1,relative); the ip:port rules match on destination
# address and port alone, limited to one alert per source per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmhttptempdownloads.php"; depth:24; nocase; http.host; content:"722659cl.nyashtop.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303588; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.47] 7777 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1008315.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303586; rev:1;)
# NOTE(review): the Host value in the next rule (192.168.0.131) is an RFC 1918
# private address, while the rule header requires $HOME_NET -> $EXTERNAL_NET.
# Where HOME_NET includes the private ranges, traffic to that address itself is
# out of scope; the rule can only fire when a request to an external
# destination carries this literal Host header. The indicator presumably comes
# from a lab or internal test configuration — check the ThreatFox entry in the
# reference and consider disabling the sid locally if it adds no coverage.
# The same applies to sids 91303580, 91303575 and 91303574 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtxd"; depth:5; nocase; http.host; content:"192.168.0.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303585; rev:1;)
# NOTE(review): 147.185.221.21 (NjRAT, here) and 147.185.221.18 (Remcos, further
# down) are neighbouring addresses listed under different families. That
# pattern can indicate a shared relay or hosting service rather than a single
# operator — confirm ownership before widening either rule to the range.
alert tcp $HOME_NET any -> [147.185.221.21] 11656 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303584; rev:1;)
alert tcp $HOME_NET any -> [83.144.109.70] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303583; rev:1;)
alert tcp $HOME_NET any -> [5.12.233.12] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303581; rev:1;)
# Private-address Host value (10.211.55.8, RFC 1918) — see the NOTE on sid 91303585.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"10.211.55.8"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303580; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 52136 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303579/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303579; rev:1;)
# The path below looks like an ordinary static asset name, so the exact Host
# match is what makes this rule specific. The host is a per-service name under
# tencentapigw.com.cn; only this exact name matches, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-2.min.js"; depth:19; nocase; http.host; content:"service-1kx1l5oj-1305976706.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303578/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sldz"; depth:5; nocase; http.host; content:"5.34.205.152"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhnc"; depth:5; nocase; http.host; content:"38.12.0.151"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303576; rev:1;)
# Private-address Host value (192.168.50.141, RFC 1918) — see the NOTE on sid 91303585.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jw2j"; depth:5; nocase; http.host; content:"192.168.50.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303575; rev:1;)
# Private-address Host value (172.18.0.1, RFC 1918) — see the NOTE on sid 91303585.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4qjn"; depth:5; nocase; http.host; content:"172.18.0.1"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rn4i"; depth:5; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.orcasvip.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ns2.icbc-com-cn.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ns1.icbc-com-cn.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; 
classtype:trojan-activity; sid:91303570; rev:1;)
# Mixed url and ip:port entries. In the url rules the URI is matched as a
# prefix (depth anchors the start only) and the Host value is matched exactly
# (depth + isdataat:!1,relative); the ip:port rules match on destination
# address and port alone, limited to one alert per source per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fzl"; depth:5; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303569; rev:1;)
# NOTE(review): the next two entries are neighbouring addresses
# (147.185.221.19 and 147.185.221.16) on the same port for the same family.
# Neighbouring addresses like these can belong to a shared relay or hosting
# service — confirm ownership before widening either rule to the range.
alert tcp $HOME_NET any -> [147.185.221.19] 2035 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303568; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.16] 2035 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.130.52.13"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303566; rev:1;)
# NOTE(review): the Host values in the next two rules (192.168.203.131 and
# 192.168.3.140) are RFC 1918 private addresses, while the rule header requires
# $HOME_NET -> $EXTERNAL_NET. Where HOME_NET includes the private ranges,
# traffic to those addresses is out of scope; the rules can only fire when a
# request to an external destination carries that literal Host header. The
# indicators presumably come from a lab or internal test configuration — check
# the ThreatFox entries in the references and consider disabling these sids
# locally if they add no coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbqd"; depth:5; nocase; http.host; content:"192.168.203.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"192.168.3.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303564; rev:1;)
alert tcp $HOME_NET any -> [18.229.140.246] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lkss"; depth:5; nocase; http.host; content:"207.148.99.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303562; rev:1;)
# NOTE(review): the entries from here on are port-80 address matches at
# confidence_level 75 with no protocol or content check; any TCP traffic to
# the address on that port alerts, so corroborate a hit before escalating.
alert tcp $HOME_NET any -> [98.156.206.153] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303561; rev:1;)
alert tcp $HOME_NET any -> [98.15.140.226] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303560/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303560; rev:1;)
# Emotet ip:port rules: each matches on destination address and port only (no flow or payload keywords), so any
# TCP traffic from $HOME_NET to that endpoint alerts; threshold limits this to one alert per source per 60 s.
# All carry confidence_level 75 in metadata, which can be used to filter or rank alerts downstream.
alert tcp $HOME_NET any -> [87.127.197.7] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303559; rev:1;)
alert tcp $HOME_NET any -> [82.223.70.24] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303557; rev:1;)
alert tcp $HOME_NET any -> [85.152.174.56] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303558; rev:1;)
alert tcp $HOME_NET any -> [78.186.5.109] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303555/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303555; rev:1;)
alert tcp $HOME_NET any -> [78.189.165.52] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303556; rev:1;)
alert tcp $HOME_NET any -> [68.44.137.144] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1303554/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303554; rev:1;)
# Emotet ip:port rules: destination address and port are the only match criteria (no flow or payload keywords);
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one alert per source per 60 s.
# On ports 80/443 an alert means "talked to this endpoint", not that the traffic itself was inspected.
alert tcp $HOME_NET any -> [67.235.68.222] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303553; rev:1;)
alert tcp $HOME_NET any -> [60.130.173.117] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303551; rev:1;)
alert tcp $HOME_NET any -> [60.250.78.22] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303552/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303552; rev:1;)
alert tcp $HOME_NET any -> [59.20.65.102] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303550/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303550; rev:1;)
alert tcp $HOME_NET any -> [58.171.38.26] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303548; rev:1;)
alert tcp $HOME_NET any -> [58.177.172.160] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port -
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303549/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303549; rev:1;)
# Emotet ip:port rules: match on destination address and port only; no flow state or payload is checked.
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [46.105.131.69] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303547; rev:1;)
alert tcp $HOME_NET any -> [23.92.16.164] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303545/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303545; rev:1;)
alert tcp $HOME_NET any -> [24.94.237.248] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303546; rev:1;)
alert tcp $HOME_NET any -> [212.174.19.87] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303544; rev:1;)
alert tcp $HOME_NET any -> [209.151.248.242] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303542/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303542; rev:1;)
alert tcp
$HOME_NET any -> [210.56.10.58] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303543; rev:1;)
# Emotet ip:port rules: match on destination address and port only; no flow state or payload is checked.
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [196.179.249.218] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303541; rev:1;)
alert tcp $HOME_NET any -> [195.244.215.206] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303539; rev:1;)
alert tcp $HOME_NET any -> [195.76.232.114] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303540; rev:1;)
alert tcp $HOME_NET any -> [186.208.123.210] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303537/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303537; rev:1;)
alert tcp $HOME_NET any -> [193.80.169.64] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303538/; target:src_ip; metadata:
confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303538; rev:1;)
# Emotet ip:port rules: match on destination address and port only; no flow state or payload is checked.
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [185.155.20.82] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303536/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303536; rev:1;)
alert tcp $HOME_NET any -> [178.20.74.212] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303535; rev:1;)
alert tcp $HOME_NET any -> [176.9.43.37] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303533/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303533; rev:1;)
# Destination port 22 in the next rule is only a port number here: the rule header is "tcp" and no
# application-layer keyword is used, so it alerts on any TCP traffic to that endpoint.
alert tcp $HOME_NET any -> [177.230.81.0] 22 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303534/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303534; rev:1;)
alert tcp $HOME_NET any -> [160.16.215.66] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303532/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303532; rev:1;)
alert tcp $HOME_NET any -> [136.243.205.112] 7080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303531; rev:1;)
# ip:port rules: match on destination address and port only; no flow state or payload is checked.
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [120.151.135.224] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303530/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303530; rev:1;)
alert tcp $HOME_NET any -> [113.61.66.94] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303528/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303528; rev:1;)
alert tcp $HOME_NET any -> [114.145.241.208] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303529/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303529; rev:1;)
alert tcp $HOME_NET any -> [101.187.97.173] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303527/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303527; rev:1;)
alert tcp $HOME_NET any -> [41.142.43.242] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_25; classtype:trojan-activity; sid:91303526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet
C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"148.135.103.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303525; rev:1;)
# URL rules: the http.uri content with depth is a prefix match at the start of the URI (nocase); the http.host
# content with depth and isdataat:!1,relative must equal the whole Host value. Paths such as
# "/jquery-3.3.1.min.js" and "/__utm.gif" look like ordinary web assets, so the host match supplies the specificity.
# The host "mirocrsoft.info" below is a lookalike spelling, not a typo in the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mirocrsoft.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303524/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"154.16.10.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303523/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1omp"; depth:5; nocase; http.host; content:"50.118.225.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303522/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1cv"; depth:5; nocase; http.host;
content:"192.168.44.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303521/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303521; rev:1;)
# NOTE(review): the rule ending on the line above (sid:91303521) matches http.host against 192.168.44.131, an
# RFC 1918 private address; under $HOME_NET -> $EXTERNAL_NET it fires only if that literal Host is sent to an
# external address. Presumably a lab/test IOC - verify against the referenced ThreatFox entry.
# The next rule is labelled "payload delivery" with confidence_level 50, the lowest in this group.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"42.232.25.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_25; classtype:trojan-activity; sid:91303520; rev:1;)
# ip:port rule: destination address and port only; threshold limits alerts to one per source per 60 s.
alert tcp $HOME_NET any -> [31.43.185.8] 2202 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303519/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303519; rev:1;)
# URL rules: URI content is a prefix match (depth, nocase); the Host value must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jbel"; depth:5; nocase; http.host; content:"198.44.165.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_25; classtype:trojan-activity; sid:91303518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"39.100.86.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ji5u"; depth:5; nocase; http.host; content:"43.138.15.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303517/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303517; rev:1;)
# URL rules: the http.uri content with depth is a prefix match at the start of the URI (nocase); the http.host
# content with depth and isdataat:!1,relative must equal the whole Host value.
# The next host is a single "service-..." name under tencentcs.com; because the match is exact, other names
# under the same parent domain do not trigger this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-2.min.js"; depth:19; nocase; http.host; content:"service-a0y8baw1-1319935181.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o1ex"; depth:5; nocase; http.host; content:"107.174.69.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"45.144.136.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303513/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/ttil"; depth:5; nocase; http.host; content:"102bd03.r9.cpolar.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303512/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303512; rev:1;)
# URL rules: the http.uri content with depth is a prefix match at the start of the URI (nocase); the http.host
# content with depth and isdataat:!1,relative must equal the whole Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api-gateway/jpaas-jis-coruser-server/front/coruserlogin/usernamepwd-login.jspx"; depth:79; nocase; http.host; content:"36.138.209.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303511/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303511; rev:1;)
# NOTE(review): the next two rules match http.host against RFC 1918 private addresses (192.168.132.129 and
# 10.10.3.201). Under $HOME_NET -> $EXTERNAL_NET they fire only if that literal Host is sent to an external
# address, so expect little detection value; presumably lab/test IOCs - verify against the ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.168.132.129"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z4wx"; depth:5; nocase; http.host; content:"10.10.3.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303509/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303509; rev:1;)
# The host "update.micdosoft.top" below is a lookalike spelling, not a typo in the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enhb"; depth:5; nocase; http.host; content:"update.micdosoft.top"; depth:20; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1303508/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303508; rev:1;)
# URL rules: the http.uri content with depth is a prefix match at the start of the URI (nocase); the http.host
# content with depth and isdataat:!1,relative must equal the whole Host value, so a path that resembles a
# routine resource (e.g. "/updates.rss") alerts only in combination with the listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"222.190.151.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5df1b3cb.php"; depth:13; nocase; http.host; content:"a1008223.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o5ud"; depth:5; nocase; http.host; content:"120.26.48.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drbnpfh9"; depth:9; nocase; http.host; content:"111.229.181.176"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303504/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303504; rev:1;)
alert tcp
$HOME_NET any -> [94.156.69.39] 9553 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303503; rev:1;)
# URL rules: the http.uri content with depth is a prefix match at the start of the URI (nocase); the http.host
# content with depth and isdataat:!1,relative must equal the whole Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bangumi/play/ep816608"; depth:22; nocase; http.host; content:"150.158.75.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303501/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303501; rev:1;)
# NOTE(review): the next two rules match http.host against RFC 1918 private addresses (192.168.52.128 and
# 192.168.0.237). Under $HOME_NET -> $EXTERNAL_NET they fire only if that literal Host is sent to an external
# address, so expect little detection value; presumably lab/test IOCs - verify against the ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2atv"; depth:5; nocase; http.host; content:"192.168.52.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"192.168.0.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303499/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-2.min.js"; depth:19; nocase; http.host;
content:"service-0heq5aek-1325313187.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303498/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303498; rev:1;)
# The following rules share one host (wellsfargocs.ddns.us) and differ only in the URI prefix ("/7.jpg",
# "/5.jpg", "/4.jpg", "/1.jpg"); each is a separate ThreatFox IOC with its own sid. Requests to the same host
# with any other path are not covered by these rules. The Host value must match exactly
# (depth + isdataat:!1,relative); the URI content is a prefix match (depth, nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7.jpg"; depth:6; nocase; http.host; content:"wellsfargocs.ddns.us"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5.jpg"; depth:6; nocase; http.host; content:"wellsfargocs.ddns.us"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4.jpg"; depth:6; nocase; http.host; content:"wellsfargocs.ddns.us"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.jpg"; depth:6; nocase; http.host; content:"wellsfargocs.ddns.us"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303494/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303494; rev:1;)
# URL rules: the http.uri content with depth is a prefix match at the start of the URI (nocase); the http.host
# content with depth and isdataat:!1,relative must equal the whole Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unft"; depth:5; nocase; http.host; content:"120.27.142.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2wqc"; depth:5; nocase; http.host; content:"8.137.127.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303492; rev:1;)
# ip:port rule: destination address and port only; threshold limits alerts to one per source per 60 s.
alert tcp $HOME_NET any -> [37.48.118.12] 26546 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303491; rev:1;)
# The "/api" prefix (depth:4) also matches any longer URI that starts with "/api", so this rule is only
# as specific as its exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"closedjuruwk.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303490/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303490; rev:1;)
alert tcp $HOME_NET any -> [91.242.163.172] 443 (msg:"ThreatFox Latrodectus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1303480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303480; rev:1;)
# URL rule: URI content is a prefix match (depth, nocase); the Host value must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"tgsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303476/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303476; rev:1;)
# ip:port rules: match on destination address and port only; threshold limits alerts to one per source
# per 60 s. 185.222.58.231 appears twice below, under two family labels with different ports.
alert tcp $HOME_NET any -> [185.130.225.203] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303475/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303475; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.231] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303474; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.231] 7869 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303473; rev:1;)
# NOTE(review): the http.host value in the next rule (192.168.3.4) is an RFC 1918 private address and the URI
# prefix is only "/ca". Under $HOME_NET -> $EXTERNAL_NET it fires only if that literal Host is sent to an
# external address; presumably a lab/test IOC - verify against the referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"192.168.3.4"; depth:11; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1303472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303472; rev:1;)
# Four "payload delivery" rules for denaumtz.com follow: three URL rules (one per path under /cdn-vs/) and one
# DNS rule. The DNS rule uses depth + isdataat:!1,relative on dns_query, so it matches the bare domain only
# and not subdomains; the URL rules likewise require the Host value to equal "denaumtz.com" exactly.
# A host that resolves the domain and then fetches one of the paths raises both a DNS and an HTTP alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"denaumtz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"denaumtz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"denaumtz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"denaumtz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic
(url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ekid"; depth:5; nocase; http.host; content:"192.168.1.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303471; rev:1;)
# NOTE(review): the rule ending on the line above (sid:91303471) and sid:91303465 below match http.host against
# RFC 1918 private addresses (192.168.1.11, 192.168.1.211). Under $HOME_NET -> $EXTERNAL_NET they fire only if
# that literal Host is sent to an external address; presumably lab/test IOCs - verify upstream.
# The "/api" prefix (depth:4) in the next rule also matches longer URIs starting with "/api"; the exact host
# match is what makes it specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"spliceszongsop.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fidj"; depth:5; nocase; http.host; content:"192.168.1.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhz7"; depth:5; nocase; http.host; content:"62.234.50.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303464/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/socialapiversion=1.1"; depth:21; nocase; http.host; content:"43.138.44.158"; depth:13;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebdr"; depth:5; nocase; http.host; content:"103.146.22.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303462; rev:1;)
# confidence_level is the feed's own score, repeated in msg and in metadata.
# Entries at 49-50% (this rule and several below) are candidates for a lower
# local priority or for filtering on the metadata key before deployment.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 49%)"; dns_query; content:"sticky.oystergardening.name"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303461/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_24; classtype:trojan-activity; sid:91303461; rev:1;)
# ip:port rules carry no flow or payload keyword: a TCP packet from $HOME_NET
# to the listed address and port is enough to match. The threshold keeps output
# to one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [45.141.87.124] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303458; rev:1;)
alert tcp $HOME_NET any -> [213.5.130.58] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303459/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_24; classtype:trojan-activity; sid:91303459; rev:1;)
alert tcp $HOME_NET any -> [172.104.160.126] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303460/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_24; classtype:trojan-activity; sid:91303460; rev:1;)
alert tcp $HOME_NET any -> [80.76.49.119] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"warrantelespsz.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"123.4.203.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_24; classtype:trojan-activity; sid:91303455; rev:1;)
alert tcp $HOME_NET any -> [31.177.108.53] 11099 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303203; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 31388 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303206/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24;
classtype:trojan-activity; sid:91303206; rev:1;)
# dns_query with depth:29 and isdataat:!1,relative matches this name exactly;
# a query for any other label under the same parent domain does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insurance-helmet.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303207; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 7890 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303420; rev:1;)
# Run of Cobalt Strike ip:port indicators. Each rule keys only on destination
# address and port; no beacon traffic pattern is inspected. An alert therefore
# shows that an internal host sent a TCP packet to the endpoint, and needs
# corroboration from flow, proxy or host telemetry before it is treated as
# confirmed C2.
alert tcp $HOME_NET any -> [47.92.93.42] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303454; rev:1;)
alert tcp $HOME_NET any -> [8.153.36.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303452; rev:1;)
alert tcp $HOME_NET any -> [8.210.135.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303453; rev:1;)
alert tcp $HOME_NET any -> [8.140.198.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303449; rev:1;)
alert tcp $HOME_NET any -> [103.185.248.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303450; rev:1;)
alert tcp $HOME_NET any -> [81.70.246.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303451; rev:1;)
alert tcp $HOME_NET any -> [47.236.74.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303448; rev:1;)
alert tcp $HOME_NET any -> [62.234.42.20] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303447; rev:1;)
alert tcp $HOME_NET any -> [47.120.3.50] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303446; rev:1;)
# Cobalt Strike ip:port indicators, continued. The destination ports here are
# generic web and proxy ports (80, 81, 443, 8080, 9999), so the address is the
# only discriminating field. Once an indicator ages and the address is
# reassigned, the rule will alert on unrelated traffic; first_seen in metadata
# gives the age for expiry decisions.
alert tcp $HOME_NET any -> [47.116.176.97] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303445; rev:1;)
alert tcp $HOME_NET any -> [47.91.14.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303444; rev:1;)
alert tcp $HOME_NET any -> [118.31.238.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303443; rev:1;)
alert tcp $HOME_NET any -> [8.130.83.3] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303441; rev:1;)
alert tcp $HOME_NET any -> [103.185.248.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303442; rev:1;)
alert tcp $HOME_NET any -> [47.96.78.5] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303439; rev:1;)
alert tcp $HOME_NET any -> [106.14.211.58] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303440; rev:1;)
alert tcp $HOME_NET any -> [45.148.120.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303438; rev:1;)
alert tcp $HOME_NET any -> [175.178.160.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303436; rev:1;)
alert tcp $HOME_NET any -> [185.208.158.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303437; rev:1;)
alert tcp $HOME_NET any -> [121.40.157.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303435; rev:1;)
alert tcp $HOME_NET any -> [124.220.19.159] 80
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303434; rev:1;)
# Triage notes for the ip:port rules below:
# - target:src_ip marks the internal source as the alert target, so pivot on
#   the source host when investigating.
# - threshold type limit, count 1, seconds 60, track by_src suppresses repeats,
#   so alert counts understate how many connections were made.
# - the reference URL holds the ThreatFox entry for the indicator.
alert tcp $HOME_NET any -> [97.64.26.63] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303433; rev:1;)
alert tcp $HOME_NET any -> [66.42.43.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303432; rev:1;)
alert tcp $HOME_NET any -> [39.105.200.143] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303431; rev:1;)
alert tcp $HOME_NET any -> [101.43.103.253] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303430; rev:1;)
alert tcp $HOME_NET any -> [124.223.28.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303429; rev:1;)
alert tcp $HOME_NET any -> [45.133.239.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303428; rev:1;)
alert tcp $HOME_NET any -> [8.134.220.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303427; rev:1;)
alert tcp $HOME_NET any -> [43.135.163.87] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303426; rev:1;)
alert tcp $HOME_NET any -> [52.171.219.111] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303425; rev:1;)
alert tcp $HOME_NET any -> [8.140.198.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303424; rev:1;)
alert tcp $HOME_NET any -> [27.25.152.79] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303423; rev:1;)
# URL rules in this group share one shape: method GET, a case-insensitive URI
# prefix (depth, no end anchor), and an exact Host match (depth plus
# isdataat:!1,relative). The Host patterns are lowercase with no nocase
# modifier, which fits http.host being a lowercase-normalised buffer.
# Where the URI is just "/api", the Host is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"beatablydoxzcop.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303422/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_24; classtype:trojan-activity; sid:91303422; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.174] 7459 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_24; classtype:trojan-activity; sid:91303421; rev:1;)
# From here on first_seen is 2024_07_23; the feed lists newest indicators first.
alert tcp $HOME_NET any -> [89.105.219.86] 39931 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1008817.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"trobulepcatoa.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303417/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"importancedopz.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63383610eec59ec3.php"; depth:21; nocase; http.host; content:"91.92.244.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303205; rev:1;)
alert tcp $HOME_NET any -> [185.106.92.124] 2007 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303204; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.49] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303202; rev:1;)
alert tcp $HOME_NET
any -> [159.89.26.154] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303200; rev:1;)
# Four addresses in this group (159.89.26.154, 104.131.166.122, 5.75.212.60,
# 5.75.253.161) are each listed twice: once as a Vidar ip:port rule and once as
# a URL rule. The URL rules use http.uri content:"/" with depth:1, which any
# URI starting with "/" satisfies, so in practice they are "GET with this exact
# Host" rules. On port 80 one session can raise both sids; on 443 the http rule
# only sees traffic that is cleartext or decrypted before the sensor.
alert tcp $HOME_NET any -> [104.131.166.122] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"104.131.166.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303197; rev:1;)
alert tcp $HOME_NET any -> [5.75.212.60] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303198; rev:1;)
alert tcp $HOME_NET any -> [5.75.253.161] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.89.26.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303196; rev:1;)
# NOTE(review): t.me (here and in sid 91303192) and steamcommunity.com
# (sid 91303191) are legitimate services; the indicator is the specific path,
# matched as a case-insensitive URI prefix. These hosts are normally reached
# over HTTPS, so an `alert http` rule fires only where the sensor sees
# cleartext or decrypted HTTP. Keep the detection at path level rather than
# widening it to the whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obeliszxgeaea_1337"; depth:19; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.253.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armad2a"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199747278259"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303191; rev:1;)
alert tcp $HOME_NET any -> [4.233.220.67] 6670 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303190; rev:1;)
# knoxvillevideoproductions.com payload-delivery set: the /cdn-vs/ paths
# (original.js here, main.php in the rule that follows) plus the bare domain.
# The DNS rule matches the exact name only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"knoxvillevideoproductions.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"knoxvillevideoproductions.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase;
http.host; content:"knoxvillevideoproductions.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"knoxvillevideoproductions.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303189; rev:1;)
# confidence_level 49 (this rule and sid 91303183 below) is the feed's lowest
# score in this group; consider a lower local priority for these entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"peleinufele.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303184/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_23; classtype:trojan-activity; sid:91303184; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.194] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303182; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.55] 32024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303183/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_23; classtype:trojan-activity; sid:91303183; rev:1;)
alert tcp $HOME_NET any -> [172.111.232.162] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303185; rev:1;)
alert tcp $HOME_NET any -> [34.102.5.126] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303181; rev:1;)
# Only rule in this group with classtype:bad-unknown; the others are
# trojan-activity. Filters or priority maps keyed on classtype need to include
# bad-unknown for this credit card skimming domain to surface.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"analytics-open.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:bad-unknown; sid:91303178; rev:1;)
# NOTE(review): 147.185.221.21 appears below with two different ports, next to
# a *.gl.at.ply.gg name. That pattern suggests a shared relay or tunnelling
# endpoint rather than a dedicated server (ply.gg appears to belong to the
# playit.gg tunnelling service; verify). Keep detection on the ip:port pair as
# written and be cautious about widening it to the whole address.
alert tcp $HOME_NET any -> [147.185.221.21] 9316 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303179/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"components-resort.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303180/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303180; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 30335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303177/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303177; rev:1;)
alert tcp
$HOME_NET any -> [45.66.231.136] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303175; rev:1;)
# overclockingmachines.info appears twice in this group: as an exact-match DNS
# rule here and as the Host of the /bally/fre.php URL rule (sid 91303172).
# A DNS lookup followed by a cleartext HTTP request can raise both alerts for
# one event; correlate on the source host rather than counting them separately.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"overclockingmachines.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303176/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303176; rev:1;)
alert tcp $HOME_NET any -> [146.70.137.90] 3343 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26c76d23.php"; depth:13; nocase; http.host; content:"f1002548.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303173; rev:1;)
# Only GET is matched (http.method content:"GET"); a request to the same path
# and host with another method would not raise this alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bally/fre.php"; depth:14; nocase; http.host; content:"overclockingmachines.info"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"movedwithdrwiaso.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303171; rev:1;)
# Meterpreter is also used in authorised penetration tests; check the source
# host against any scheduled engagement before escalating.
alert tcp $HOME_NET any -> [94.131.3.105] 20115 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6b8b1207.php"; depth:13; nocase; http.host; content:"a0998722.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303169; rev:1;)
alert tcp $HOME_NET any -> [93.157.106.225] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303142; rev:1;)
alert tcp $HOME_NET any -> [45.61.184.84] 48055 (msg:"ThreatFox BillGates botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23;
classtype:trojan-activity; sid:91303137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jdd.nimade.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_23; classtype:trojan-activity; sid:91303138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"trinnodolart.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303136/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_23; classtype:trojan-activity; sid:91303136; rev:1;) alert tcp $HOME_NET any -> [121.43.128.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303167; rev:1;) alert tcp $HOME_NET any -> [119.45.38.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303168; rev:1;) alert tcp $HOME_NET any -> [172.233.11.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303166; rev:1;) alert tcp $HOME_NET any -> [62.234.42.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303165; rev:1;) alert tcp $HOME_NET any -> [45.76.178.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303164; rev:1;) alert tcp $HOME_NET any -> [156.255.2.100] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303163; rev:1;) alert tcp $HOME_NET any -> [43.142.138.45] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303162; rev:1;) alert tcp $HOME_NET any -> [47.103.50.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303160; rev:1;) alert tcp $HOME_NET any -> [104.238.34.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; 
sid:91303161; rev:1;) alert tcp $HOME_NET any -> [119.45.38.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303159; rev:1;) alert tcp $HOME_NET any -> [49.65.96.139] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303158; rev:1;) alert tcp $HOME_NET any -> [159.75.120.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303157; rev:1;) alert tcp $HOME_NET any -> [107.173.53.191] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303156; rev:1;) alert tcp $HOME_NET any -> [154.201.86.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303155; rev:1;) alert tcp $HOME_NET any -> [39.102.211.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1303154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303154; rev:1;) alert tcp $HOME_NET any -> [112.124.35.130] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303153; rev:1;) alert tcp $HOME_NET any -> [139.180.212.161] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303152; rev:1;) alert tcp $HOME_NET any -> [154.12.23.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303151; rev:1;) alert tcp $HOME_NET any -> [121.43.128.240] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303150; rev:1;) alert tcp $HOME_NET any -> [43.139.195.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303149; rev:1;) alert tcp $HOME_NET any -> 
[119.23.234.195] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303148; rev:1;) alert tcp $HOME_NET any -> [110.42.211.238] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303147; rev:1;) alert tcp $HOME_NET any -> [150.158.121.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303146; rev:1;) alert tcp $HOME_NET any -> [206.217.128.11] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videorequestasyncuniversaldatalife.php"; depth:39; nocase; http.host; content:"973845cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f1007612.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_23; classtype:trojan-activity; sid:91303143; rev:1;) alert tcp $HOME_NET any -> [103.71.152.68] 1000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91303141; rev:1;) alert tcp $HOME_NET any -> [188.165.120.122] 6622 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1303140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91303140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mundannetransuq.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91303139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"berrebyre.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302970; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"berrebyre.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"2n8rd3zz1.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302972; rev:1;) alert tcp $HOME_NET any -> [46.246.82.15] 6060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302974/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"linternadc24.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302975/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"desquare27.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; 
sid:91302976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cisadhsgov.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1303134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_22; classtype:trojan-activity; sid:91303134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"berrebyre.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"filesoftdownload.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"berrebyre.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"42.178.182.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303133/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_07_22; classtype:trojan-activity; sid:91303133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"104.236.128.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303119/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91303119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"104.236.128.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1303056/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91303056; rev:1;) alert tcp $HOME_NET any -> [62.133.174.224] 3056 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302977; rev:1;) alert tcp $HOME_NET any -> [212.162.149.48] 2049 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"147.45.44.25"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1302966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302966; rev:1;) alert tcp $HOME_NET any -> [88.99.151.68] 7200 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302951; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 17742 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302961/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1/upload.php"; depth:14; nocase; http.host; content:"tvfift15pn.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2f0fe259.php"; depth:13; nocase; http.host; content:"a1007516.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; 
http.host; content:"enormousseop.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302963; rev:1;) alert tcp $HOME_NET any -> [95.216.123.82] 3193 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302962; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 17742 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302960; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 17742 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302959; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 17742 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302958; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 17742 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302957; rev:1;) 
# NOTE(review): reading guide for the generated rules that follow.
# - ip:port rules carry no flow: or content keyword, so they match on the
#   destination address and port alone (a connection attempt is enough);
#   threshold limits output to one alert per source per 60 seconds.
# - url rules require GET in http.method. http.uri is anchored at the start
#   (depth) but not at the end, so the listed path is a prefix match; http.host
#   is anchored at both ends (depth plus isdataat:!1,relative).
# - domain rules match the exact query name (depth plus isdataat:!1,relative);
#   a subdomain of the listed name does not match.
# - Every rule uses classtype:trojan-activity whatever its confidence_level
#   (50 to 100 in this section); consider filtering on the metadata value before
#   treating low-confidence entries as blocking candidates, and use first_seen
#   to age out IP indicators.
alert tcp $HOME_NET any -> [3.64.4.198] 17742 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302956; rev:1;)
alert tcp $HOME_NET any -> [45.141.87.124] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302955; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.204] 29295 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lihtgyimm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2c1e62a3.php"; depth:13; nocase; http.host; content:"cc53534.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302952; rev:1;)
alert tcp $HOME_NET any -> [94.156.248.33] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302749/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"c.cnc.gay"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302750/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302750; rev:1;)
# NOTE(review): the Host here is api.telegram.org, a shared service that clients
# normally reach over HTTPS, so this http rule presumably sees the request only
# where TLS is decrypted ahead of the sensor. TODO confirm coverage. The URI
# appears to carry one bot's identifier, so a hit points at that bot rather than
# at Telegram use in general.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7277950797:aaf99nw5rat1bhnmmwy_tqnyjfu3dyj5rhc/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302889; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.147] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302890; rev:1;)
alert tcp $HOME_NET any -> [45.139.104.237] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302891; rev:1;)
alert tcp $HOME_NET any -> [194.124.227.4] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xjp.cyberspeed.baby"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302895/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302895; rev:1;)
alert tcp $HOME_NET any -> [176.32.39.130] 5555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302896/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302896; rev:1;)
alert tcp $HOME_NET any -> [5.42.92.213] 46419 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302935; rev:1;)
alert tcp $HOME_NET any -> [41.142.19.187] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302937; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.170] 6149 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302938; rev:1;)
alert tcp $HOME_NET any -> [45.83.207.67] 6522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302940; rev:1;)
alert tcp $HOME_NET any -> [117.72.79.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302950; rev:1;)
alert tcp $HOME_NET any -> [47.97.162.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f1006727.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302948; rev:1;)
alert tcp $HOME_NET any -> [8.138.1.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302947; rev:1;)
alert tcp $HOME_NET any -> [103.136.68.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302946; rev:1;)
alert tcp $HOME_NET any -> [47.96.78.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302945; rev:1;)
alert tcp $HOME_NET any -> [175.178.23.244] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302944; rev:1;)
alert tcp $HOME_NET any -> [8.130.100.130] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302943; rev:1;)
alert tcp $HOME_NET any -> [39.102.210.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302942; rev:1;)
alert tcp $HOME_NET any -> [152.42.208.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f3ee98d7eec07fb9.php"; depth:21; nocase; http.host; content:"85.28.47.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b238c1f1.php"; depth:13; nocase; http.host; content:"a1006920.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302936; rev:1;)
alert tcp $HOME_NET any -> [103.186.116.90] 67 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_22; classtype:trojan-activity; sid:91302910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0687abc4.php"; depth:13; nocase; http.host; content:"ct54429.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennyremcosbelintourismedleonline.gleeze.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302908; rev:1;)
alert tcp $HOME_NET any -> [80.66.81.55] 48622 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_22; classtype:trojan-activity; sid:91302897; rev:1;)
alert tcp $HOME_NET any -> [84.32.41.12] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302886/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_21; classtype:trojan-activity; sid:91302886; rev:1;)
alert tcp $HOME_NET any -> [185.81.113.87] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_21; classtype:trojan-activity; sid:91302887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"patpricespeaks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seowebguy.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302883/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302883; rev:1;)
# Domain IOCs at confidence_level 50 (the feed's own score; other entries carry 75 or 100).
# Each rule requires the DNS query name to equal the listed name exactly: depth equals the content
# length and `isdataat:!1,relative` forbids trailing bytes, with `nocase` for case-insensitivity.
# A query for a subdomain of a listed name does not match.
# NOTE(review): at this confidence level a hit is a lead, not a verdict; correlate it with
# endpoint or proxy telemetry before treating the querying host as infected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shippwd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302884/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"twm-master.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ankaplast.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aquatictt.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bbm-e.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"biofuelsevent.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blftrade.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bp-training.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"colinscaravans.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cormdale.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"freeflashbuilder.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"identi-tech.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"inabove.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lc218.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mello-roos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302881; rev:1;)
# Payload-delivery URL rules (`alert http`): the Host header must equal the listed value exactly;
# the URI content has `depth` only, so it is a case-insensitive prefix match. Only GET is matched,
# and only cleartext HTTP is inspected, so a fetch of the same URL over TLS is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.97.124.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302868; rev:1;)
# NOTE(review): /wp-includes/pomo/ is a WordPress core directory, so this host is presumably a
# compromised WordPress site that also serves legitimate pages. The rule alerts only on this path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/woo.php"; depth:25; nocase; http.host; content:"www.leoapexphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302548; rev:1;)
# ip:port rules carry no flow or payload condition: any TCP packet from $HOME_NET to the listed
# address and port matches, limited to one alert per source address per 60 seconds. An alert
# shows traffic toward the endpoint; it does not by itself show that a session completed.
alert tcp $HOME_NET any -> [173.46.80.233] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vector.mineheaven.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_21; classtype:trojan-activity; sid:91302595; rev:1;)
alert tcp $HOME_NET any -> [15.235.203.214] 2466 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302594/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_21; classtype:trojan-activity; sid:91302594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"multipleonlinegahiddenzonline.organiccrap.com"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302717; rev:1;)
alert tcp $HOME_NET any -> [34.102.5.126] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_21; classtype:trojan-activity; sid:91302722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"welovebadge.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302748; rev:1;) alert tcp $HOME_NET any -> [106.52.16.241] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302747; rev:1;) alert tcp $HOME_NET any -> [154.205.136.200] 9990 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302745; rev:1;) alert tcp $HOME_NET any -> [47.237.25.143] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302746; rev:1;) alert tcp $HOME_NET any -> [46.20.109.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1302744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302744; rev:1;) alert tcp $HOME_NET any -> [47.236.74.146] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302742; rev:1;) alert tcp $HOME_NET any -> [84.247.185.157] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302743; rev:1;) alert tcp $HOME_NET any -> [116.62.60.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302741; rev:1;) alert tcp $HOME_NET any -> [124.222.8.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302740; rev:1;) alert tcp $HOME_NET any -> [124.223.11.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302739; rev:1;) alert tcp $HOME_NET any -> [8.137.39.212] 9999 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302738; rev:1;) alert tcp $HOME_NET any -> [116.62.60.64] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302737; rev:1;) alert tcp $HOME_NET any -> [141.98.7.17] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302736; rev:1;) alert tcp $HOME_NET any -> [82.152.164.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302735; rev:1;) alert tcp $HOME_NET any -> [47.121.183.221] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302734; rev:1;) alert tcp $HOME_NET any -> [47.108.115.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302733/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302733; rev:1;) alert tcp $HOME_NET any -> [119.29.228.202] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302732; rev:1;) alert tcp $HOME_NET any -> [47.99.91.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302731; rev:1;) alert tcp $HOME_NET any -> [103.119.18.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302730; rev:1;) alert tcp $HOME_NET any -> [140.246.220.21] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302729; rev:1;) alert tcp $HOME_NET any -> [38.181.52.216] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302728; rev:1;) alert tcp $HOME_NET any -> [150.158.84.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302727; rev:1;) alert tcp $HOME_NET any -> [194.36.191.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302725; rev:1;) alert tcp $HOME_NET any -> [103.119.18.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302726; rev:1;) alert tcp $HOME_NET any -> [45.137.22.242] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.59.234.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_21; classtype:trojan-activity; sid:91302723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/processorpython/0/downloadsdlephp/updatepipe/3/externalsql/4cdn8/updatephppoll0/9mariadbdownloads/uploadscdn/4uploadstraffic/_asyncpoll7/better68/provider/provider/linejs.php"; depth:175; nocase; http.host; content:"89.208.14.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302721; rev:1;) alert tcp $HOME_NET any -> [85.28.47.123] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1005850.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_21; classtype:trojan-activity; sid:91302719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94a69671.php"; depth:13; nocase; http.host; content:"a1005337.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302718; rev:1;) alert tcp $HOME_NET any -> [5.149.255.194] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302716/; target:src_ip; metadata: 
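confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302716; rev:1;)
# URL rule: the Host header must equal the listed value exactly (depth equals the content length,
# `isdataat:!1,relative` forbids trailing bytes); the URI content is a case-insensitive prefix
# match. Only GET over cleartext HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ee9dc5a.php"; depth:13; nocase; http.host; content:"a1006461.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302547; rev:1;)
# Domain rule: exact, case-insensitive match on the DNS query name; subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesusgabrielahumadalora09.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302546; rev:1;)
# Local correction of the generated rule for IOC 1302545. The generated rule anchored the bare
# hostname at the start of http.uri (depth:27). A request URI normally starts with "/", so that
# form would not be expected to fire on ordinary requests. The IOC value has no path component
# (presumably it was submitted without a scheme), so the hostname is matched in http.host
# instead, using the same exact-match form as the other URL rules in this file. `nocase` is
# dropped because the other http.host matches here do not use it. rev is raised to 2 to mark the
# change; a later feed update carrying the same sid will overwrite this line, so keep the fix
# in a local override and report it to the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"portalintranetgrupobbva.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302545; rev:2;)
# ip:port rules carry no flow or payload condition: any TCP packet from $HOME_NET to the listed
# address and port matches, limited to one alert per source address per 60 seconds. At
# confidence_level 50, treat a hit as a lead and confirm it with flow or endpoint data.
alert tcp $HOME_NET any -> [8.222.231.128] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302539; rev:1;)
alert tcp $HOME_NET any -> [37.228.129.31] 8000 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302541/; target:src_ip; metadata: confidence_level 50, 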
first_seen 2024_07_20; classtype:trojan-activity; sid:91302541; rev:1;) alert tcp $HOME_NET any -> [206.206.77.77] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302537; rev:1;) alert tcp $HOME_NET any -> [152.42.232.171] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302538; rev:1;) alert tcp $HOME_NET any -> [46.246.14.3] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302535/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302535; rev:1;) alert tcp $HOME_NET any -> [97.74.92.239] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302536; rev:1;) alert tcp $HOME_NET any -> [193.37.59.116] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"spackledzpxs.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j5jt"; depth:5; nocase; http.host; content:"8.137.164.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302543; rev:1;) alert tcp $HOME_NET any -> [78.159.112.21] 5230 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302542; rev:1;) alert tcp $HOME_NET any -> [8.137.164.212] 4000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302540; rev:1;) alert tcp $HOME_NET any -> [147.45.43.136] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302533; rev:1;) alert tcp $HOME_NET any -> [102.72.3.145] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1302532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302532; rev:1;) alert tcp $HOME_NET any -> [45.83.207.67] 4545 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302528/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302528; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 37615 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302529/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302529; rev:1;) alert tcp $HOME_NET any -> [94.213.226.126] 3001 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302530/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fyn001.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302531; rev:1;) alert tcp $HOME_NET any -> [117.72.8.192] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302527; rev:1;) alert tcp $HOME_NET any -> [119.29.228.202] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302526; rev:1;)
# ip:port rules (Cobalt Strike, first_seen 2024_07_20). Each matches on the
# destination address and port alone: there is no flow or content keyword, so
# any TCP packet from $HOME_NET to the pair fires, including a connection
# attempt that was never answered. The threshold keeps this to one alert per
# source host per 60 seconds.
# The sid is the ThreatFox IOC id with a leading 9, so the reference URL can be
# recovered from the signature id in an alert.
# NOTE(review): confirm from flow records that a session was established
# before treating the source as compromised, and expire entries by first_seen;
# addresses on common web ports may be shared or reassigned.
alert tcp $HOME_NET any -> [193.37.69.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302525; rev:1;)
alert tcp $HOME_NET any -> [87.251.67.74] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302524; rev:1;)
alert tcp $HOME_NET any -> [123.56.121.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302523; rev:1;)
alert tcp $HOME_NET any -> [139.162.86.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302522; rev:1;)
alert tcp $HOME_NET any -> [47.121.123.96] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302521; rev:1;)
alert tcp $HOME_NET any -> [47.99.113.40] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302520; rev:1;)
alert tcp $HOME_NET any -> [101.42.153.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302519; rev:1;)
alert tcp $HOME_NET any -> [116.196.70.28] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302518; rev:1;)
alert tcp $HOME_NET any -> [101.200.192.48] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302517; rev:1;)
alert tcp $HOME_NET any -> [185.74.222.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302516; rev:1;)
alert tcp $HOME_NET any -> [121.40.216.117] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302515; rev:1;)
alert tcp $HOME_NET any -> [8.147.234.137] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302514; rev:1;)
alert tcp $HOME_NET any -> [124.222.43.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302513; rev:1;)
# url rules (confidence 75). http.host must equal the listed name exactly
# (depth equals the name length and isdataat:!1,relative forbids trailing
# bytes); http.uri only has to begin with "/api" because the path content has
# no end anchor. These rules inspect cleartext HTTP only; the same request
# inside TLS is not seen unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"upknittsoappz.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302512/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unseaffarignsk.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302511/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shepherdlyopzc.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302510; rev:1;)
# url rules for a run of .shop hosts (confidence 75). The host is matched
# exactly (depth equals the name length, isdataat:!1,relative forbids trailing
# bytes) while the URI is a prefix match on "/api". Cleartext HTTP only:
# a TLS session to the same host is not inspected by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"outpointsozp.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302509/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liernessfornicsa.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302508/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lariatedzugspd.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"indexterityszcoxp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"callosallsaospz.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"freezetdopzx.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302504/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_20; classtype:trojan-activity; sid:91302504; rev:1;)
# ip:port rules. Header-only matches: no flow or content keyword, so any TCP
# packet from $HOME_NET to the address and port fires, whether or not the
# connection completed; the threshold limits this to one alert per source per
# 60 seconds. The Mars Stealer entry below is port 80 at confidence 50.
# NOTE(review): triage the confidence-50 entry as a lead rather than a
# verdict, and check flow records for an established session.
alert tcp $HOME_NET any -> [185.244.212.106] 2227 (msg:"ThreatFox PovertyStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302503; rev:1;)
alert tcp $HOME_NET any -> [5.45.79.5] 32421 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_20; classtype:trojan-activity; sid:91302502; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.206] 80 (msg:"ThreatFox Mars Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302501; rev:1;)
# Payload-delivery url rule whose Host value is an IP literal (confidence 50).
# NOTE(review): presumably a short-lived delivery host; age this entry out by
# first_seen rather than keeping it indefinitely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.48.18.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_20; classtype:trojan-activity; sid:91302500; rev:1;)
# Entries from here on carry first_seen 2024_07_19.
alert tcp $HOME_NET any -> [193.138.195.191] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302499/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_19; classtype:trojan-activity; sid:91302499; rev:1;)
alert tcp $HOME_NET any -> [196.206.79.116] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpythonjavascriptdbasyncuploads.php"; depth:37; nocase; http.host; content:"815622cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"magaanthem.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302490; rev:1;)
# magaanthem.com is covered by one domain rule and several url rules, so a
# single cleartext fetch can raise a DNS alert and an HTTP alert together.
# The domain rule uses dns_query (legacy spelling of dns.query) and matches
# the whole query name exactly: depth equals the name length and
# isdataat:!1,relative forbids trailing bytes, so subdomains do not match.
# The url rules need cleartext HTTP; over TLS only the domain rule can fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magaanthem.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"magaanthem.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"magaanthem.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302493; rev:1;)
# Payload-delivery url rules whose Host value is an IP literal (confidence 50).
# NOTE(review): presumably short-lived delivery hosts; age these out by
# first_seen rather than keeping them indefinitely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"113.231.92.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_19; classtype:trojan-activity; sid:91302489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.89.71.22"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_19; classtype:trojan-activity; sid:91302488; rev:1;)
# ip:port rules. Header-only matches: no flow or content keyword, so any TCP
# packet from $HOME_NET to the address and port fires, whether or not the
# connection completed; the threshold limits this to one alert per source per
# 60 seconds.
# NOTE(review): check flow records for an established session before
# escalating, especially for the port-80 entries.
alert tcp $HOME_NET any -> [91.222.173.167] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302486; rev:1;)
alert tcp $HOME_NET any -> [91.222.175.250] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302487; rev:1;)
alert tcp $HOME_NET any -> [178.23.190.118] 52499 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302485; rev:1;)
alert tcp $HOME_NET any -> [52.67.113.233] 5222 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"overshootsizx.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302483/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_19; classtype:trojan-activity; sid:91302483; rev:1;)
alert tcp $HOME_NET any -> [79.137.192.15] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_19; classtype:trojan-activity; sid:91302482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geotravelsgi.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"wilderglamour.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"3hhr8h2hx.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302480; 
rev:1;)
# wilderglamour.com is covered by one domain rule and two url rules in this
# span. The domain rule uses dns_query (legacy spelling of dns.query) and
# matches the whole query name exactly, so subdomains do not match. The url
# rules need cleartext HTTP; over TLS only the domain rule can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"wilderglamour.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wilderglamour.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/main.php"; depth:16; nocase; http.host; content:"wilderglamour.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302478; rev:1;)
# Exact match on one full hostname.
# NOTE(review): the name sits under ply.gg, which looks like a shared
# tunnelling-service domain; confirm before extending any block or detection
# from this single hostname to the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"necessary-sick.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302252; rev:1;)
# ip:port rules. Header-only matches: no flow or content keyword, so any TCP
# packet from $HOME_NET to the address and port fires, whether or not the
# connection completed; the threshold limits this to one alert per source per
# 60 seconds.
# NOTE(review): check flow records for an established session before
# escalating, and expire entries by first_seen.
alert tcp $HOME_NET any -> [193.3.19.146] 41239 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302447; rev:1;)
alert tcp $HOME_NET any -> [5.59.248.52] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_19; classtype:trojan-activity; sid:91302450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n9djvsc3x/index.php"; depth:20; nocase; http.host; content:"79.137.192.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302446; rev:1;)
alert tcp $HOME_NET any -> [45.77.166.78] 44506 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302249; rev:1;)
alert tcp $HOME_NET any -> [207.148.69.28] 6608 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302250; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 32835 (msg:"ThreatFox ArrowRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302251; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.115] 46958 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302227; rev:1;)
alert tcp $HOME_NET any -> [216.218.135.118] 1512 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302243; rev:1;)
alert tcp $HOME_NET any -> [204.10.160.140] 7001 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302244; rev:1;)
# Domain rules for one second-level label under several TLDs. Each is an
# exact match on the full query name, so a new TLD variant or a subdomain is
# not covered by these signatures.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndm2398asdlw.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndm2398asdlw.lol"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndm2398asdlw.homes"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302247; rev:1;)
# Domain rule: dns_query (legacy spelling of dns.query) with an exact match
# on the full query name; subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndm2398asdlw.mom"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302248; rev:1;)
# ip:port rules (Cobalt Strike, first_seen 2024_07_19). Header-only matches:
# no flow or content keyword, so any TCP packet from $HOME_NET to the address
# and port fires, whether or not the connection completed; the threshold
# limits this to one alert per source per 60 seconds.
# 194.36.171.35 is listed twice in this span, on ports 80 and 8443, so one
# host talking to it can raise two different sids.
# NOTE(review): most entries here are on port 80; check flow records for an
# established session and expire entries by first_seen, since such addresses
# may be shared or reassigned.
alert tcp $HOME_NET any -> [206.238.115.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302475; rev:1;)
alert tcp $HOME_NET any -> [194.36.171.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302474; rev:1;)
alert tcp $HOME_NET any -> [106.54.199.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302472; rev:1;)
alert tcp $HOME_NET any -> [107.174.252.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302473; rev:1;)
alert tcp $HOME_NET any -> [8.130.171.41] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302471; rev:1;)
alert tcp $HOME_NET any -> [101.201.29.209] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302470; rev:1;)
alert tcp $HOME_NET any -> [18.221.155.0] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302469; rev:1;)
alert tcp $HOME_NET any -> [192.3.211.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302468; rev:1;)
alert tcp $HOME_NET any -> [47.99.68.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302467; rev:1;)
alert tcp $HOME_NET any -> [82.156.132.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302465; rev:1;)
alert tcp $HOME_NET any -> [82.156.202.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302466; rev:1;)
alert tcp $HOME_NET any -> [194.36.171.35] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302464; rev:1;)
alert tcp $HOME_NET any -> [121.36.48.187] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302463; rev:1;)
alert tcp $HOME_NET any -> [107.173.53.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302462; rev:1;)
alert tcp $HOME_NET any -> [39.106.36.26] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302461; rev:1;)
alert tcp $HOME_NET any -> [113.44.67.208] 8888 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302460; rev:1;)
# ip:port rules (Cobalt Strike, first_seen 2024_07_19). Header-only matches:
# no flow or content keyword, so any TCP packet from $HOME_NET to the address
# and port fires, whether or not the connection completed; the threshold
# limits this to one alert per source per 60 seconds.
# NOTE(review): check flow records for an established session before
# escalating, and expire entries by first_seen.
alert tcp $HOME_NET any -> [124.70.94.251] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302459; rev:1;)
alert tcp $HOME_NET any -> [123.57.186.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302458; rev:1;)
alert tcp $HOME_NET any -> [92.63.107.3] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302457; rev:1;)
alert tcp $HOME_NET any -> [118.178.229.189] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302455; rev:1;)
alert tcp $HOME_NET any -> [206.238.115.223] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302456; rev:1;)
alert tcp $HOME_NET any -> [104.168.117.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302454; rev:1;)
alert tcp $HOME_NET any -> [116.108.20.142] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302453; rev:1;)
# url rules. http.host must equal the listed value exactly (depth equals its
# length, isdataat:!1,relative forbids trailing bytes); http.uri is a prefix
# match because the path content has no end anchor. Cleartext HTTP only.
# 103.82.55.27 appears in two url rules and in the ip:port rule on 13118
# below, so alerts for these three sids from one source host belong together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5499d72b3a3e55be.php"; depth:21; nocase; http.host; content:"85.28.47.31"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"103.82.55.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_19; classtype:trojan-activity; sid:91302451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9hht"; depth:5; nocase; http.host; content:"103.82.55.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_19; classtype:trojan-activity; sid:91302449; rev:1;)
alert tcp $HOME_NET any -> [103.82.55.27] 13118 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_19; classtype:trojan-activity; sid:91302448; rev:1;)
# Entries from here on carry first_seen 2024_07_18.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpacketasync.php"; depth:18; nocase; http.host; content:"796646cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302445; rev:1;)
# Port-443 ip:port rules at confidence 75: the rule sees only the address and
# port, never the TLS contents.
# NOTE(review): treat a hit as a lead and corroborate with TLS metadata or
# host telemetry before acting on it.
alert tcp $HOME_NET any -> [91.242.163.202] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302442/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302442; rev:1;)
alert tcp $HOME_NET any -> [193.243.147.77] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302443; rev:1;)
alert tcp $HOME_NET any -> [91.193.18.176] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1302444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302444; rev:1;)
# ip:port rules (first_seen 2024_07_18). Header-only matches: no flow or
# content keyword, so any TCP packet from $HOME_NET to the address and port
# fires, whether or not the connection completed; the threshold limits this
# to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [89.251.22.26] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302441; rev:1;)
alert tcp $HOME_NET any -> [105.154.100.59] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302440; rev:1;)
# Payload-delivery url rule whose Host value is an IP literal (confidence 50).
# NOTE(review): presumably a short-lived delivery host; age this entry out by
# first_seen rather than keeping it indefinitely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.56.6.11"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_18; classtype:trojan-activity; sid:91302439; rev:1;)
alert tcp $HOME_NET any -> [45.148.244.13] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302242/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302242; rev:1;)
# url rules whose path content is just "/" with depth:1. That is a prefix
# match that every absolute-path request satisfies, so these behave as
# host-only rules: any cleartext GET with this exact Host value alerts.
# 116.202.190.124 is also covered by the Vidar ip:port rule on 443 further
# down (sid 91302230), so expect the two sids together for one source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.255.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302237; rev:1;)
# The next two url rules name widely used legitimate services as the host;
# the signal is carried by the specific profile or channel path, not by the
# host. Both services are normally reached over HTTPS, so these cleartext
# HTTP rules are unlikely to see the request without TLS decryption.
# NOTE(review): do not widen these to host-only or SNI-only matches, and
# allow-listing the host elsewhere in the ruleset would silence them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199743486170"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s41l0"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302235; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.82] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302233; rev:1;)
alert tcp $HOME_NET any -> [85.28.47.30] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302234; rev:1;)
alert tcp $HOME_NET any -> [116.202.190.124] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302230; rev:1;)
alert tcp $HOME_NET any -> [5.75.214.144] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302231; rev:1;) alert tcp $HOME_NET any -> [95.216.182.106] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302232; rev:1;) alert tcp $HOME_NET any -> [78.46.255.249] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302228; rev:1;) alert tcp $HOME_NET any -> [95.217.243.180] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302229; rev:1;) alert tcp $HOME_NET any -> [47.99.177.59] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302226; rev:1;) alert tcp $HOME_NET any -> [5.188.86.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302225; rev:1;) alert tcp 
$HOME_NET any -> [103.199.100.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302224; rev:1;) alert tcp $HOME_NET any -> [120.46.190.216] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302223; rev:1;) alert tcp $HOME_NET any -> [103.199.100.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302222; rev:1;) alert tcp $HOME_NET any -> [154.201.86.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302221; rev:1;) alert tcp $HOME_NET any -> [139.159.235.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302219; rev:1;) alert tcp $HOME_NET any -> [23.94.141.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1302220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302220; rev:1;) alert tcp $HOME_NET any -> [47.92.109.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302218; rev:1;) alert tcp $HOME_NET any -> [123.57.5.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302217; rev:1;) alert tcp $HOME_NET any -> [139.159.235.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302214; rev:1;) alert tcp $HOME_NET any -> [124.221.200.19] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302215; rev:1;) alert tcp $HOME_NET any -> [117.50.177.190] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302216; rev:1;) alert tcp $HOME_NET any -> [47.236.53.235] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302212; rev:1;) alert tcp $HOME_NET any -> [47.236.48.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302213; rev:1;) alert tcp $HOME_NET any -> [119.91.153.13] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302211; rev:1;) alert tcp $HOME_NET any -> [116.62.149.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302210; rev:1;) alert tcp $HOME_NET any -> [106.53.213.253] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302209; rev:1;) alert tcp $HOME_NET any -> [47.94.213.94] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302208/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302208; rev:1;) alert tcp $HOME_NET any -> [47.108.168.196] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302207; rev:1;) alert tcp $HOME_NET any -> [62.234.18.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302206; rev:1;) alert tcp $HOME_NET any -> [103.199.100.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302205; rev:1;) alert tcp $HOME_NET any -> [107.173.53.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302204; rev:1;) alert tcp $HOME_NET any -> [47.76.230.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302203; rev:1;) alert tcp $HOME_NET any -> [121.41.36.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302202; rev:1;) alert tcp $HOME_NET any -> [8.222.242.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302201; rev:1;) alert tcp $HOME_NET any -> [8.222.197.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302200; rev:1;) alert tcp $HOME_NET any -> [47.108.90.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302198; rev:1;) alert tcp $HOME_NET any -> [8.137.96.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302199; rev:1;) alert tcp $HOME_NET any -> [47.236.49.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; 
classtype:trojan-activity; sid:91302197; rev:1;) alert tcp $HOME_NET any -> [202.95.12.132] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302196; rev:1;) alert tcp $HOME_NET any -> [101.132.253.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302195; rev:1;) alert tcp $HOME_NET any -> [103.199.100.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302194; rev:1;) alert tcp $HOME_NET any -> [47.236.51.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302192; rev:1;) alert tcp $HOME_NET any -> [47.99.45.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302193; rev:1;) alert tcp $HOME_NET any -> [134.122.176.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302191; rev:1;) alert tcp $HOME_NET any -> [117.72.13.23] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302190; rev:1;) alert tcp $HOME_NET any -> [103.199.100.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302189; rev:1;) alert tcp $HOME_NET any -> [42.194.196.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302188; rev:1;) alert tcp $HOME_NET any -> [92.63.107.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302187; rev:1;) alert tcp $HOME_NET any -> [103.199.100.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_18; classtype:trojan-activity; sid:91302186; rev:1;) alert tcp 
$HOME_NET any -> [54.153.17.157] 14445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrat23009.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_18; classtype:trojan-activity; sid:91302173; rev:1;) alert tcp $HOME_NET any -> [80.87.206.197] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_18; classtype:trojan-activity; sid:91302185; rev:1;) alert tcp $HOME_NET any -> [149.104.29.1] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_18; classtype:trojan-activity; sid:91302184; rev:1;) alert tcp $HOME_NET any -> [45.11.41.89] 8888 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_18; classtype:trojan-activity; sid:91302183; rev:1;) alert tcp $HOME_NET any -> [94.156.64.184] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302182/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_07_18; classtype:trojan-activity; sid:91302182; rev:1;) alert tcp $HOME_NET any -> [124.70.0.130] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_18; classtype:trojan-activity; sid:91302181; rev:1;) alert tcp $HOME_NET any -> [116.205.188.138] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_18; classtype:trojan-activity; sid:91302180; rev:1;) alert tcp $HOME_NET any -> [8.222.217.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_18; classtype:trojan-activity; sid:91302179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/track3/wordpress/geovideodlejavascript/5php1/requestprocessorlinux/uploads/dle/traffic/0lowdatalife/1wp/jsto2temporary/protectpacket/voiddbprivate/securedumppoll/6longpollserver0/mariadb50/bigload/externalsecureeternal/0/vmpythonsecurecpugamemultidbasyncdatalifelocal.php"; depth:272; nocase; http.host; content:"62.109.18.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302178; rev:1;) alert tcp $HOME_NET any -> [103.145.86.153] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302176; rev:1;) alert tcp $HOME_NET any -> [47.111.82.157] 14352 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302175; rev:1;) alert tcp $HOME_NET any -> [103.144.139.194] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91302174; rev:1;) alert tcp $HOME_NET any -> [2.58.80.130] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302168; rev:1;) alert tcp $HOME_NET any -> [2.58.80.130] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scar77747.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1302170/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302170; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 19455 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91302171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.48.144.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_17; classtype:trojan-activity; sid:91302167; rev:1;) alert tcp $HOME_NET any -> [160.176.168.94] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"poolpush.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301945/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_17; classtype:trojan-activity; sid:91301945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cryptonomiconf.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301946/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_17; classtype:trojan-activity; sid:91301946; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"confbesttop.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301947/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_17; classtype:trojan-activity; sid:91301947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"trymyconf.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301948/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_17; classtype:trojan-activity; sid:91301948; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 14365 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1302164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91302164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/03ca76cc.php"; depth:13; nocase; http.host; content:"cp57330.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1302165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91302165; rev:1;) alert tcp $HOME_NET any -> [217.138.215.82] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301971; rev:1;) alert tcp $HOME_NET any -> [217.138.215.82] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301970; rev:1;)
# ThreatFox ip:port indicators, one rule per address/port pair. The malware
# family is named in msg; the confidence level appears in msg and again in
# metadata (confidence_level) together with first_seen.
# These rules have no flow or content keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches. An alert therefore shows a
# connection attempt toward the indicator; it does not show that a session was
# established or what was sent.
# threshold (type limit, track by_src, seconds 60, count 1) reduces output to
# one alert per source address per 60 seconds for each rule.
# Several indicators are port 80 or 443 on a single address: any other service
# reachable on that address and port alerts as well, so check that the
# indicator is still current (first_seen, reference URL) before treating a hit
# as confirmed C2.
alert tcp $HOME_NET any -> [79.137.203.159] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301969; rev:1;)
# 81.214.24.181 is listed on four ports (51200, 24998, 14151, 999); each port
# has its own rule and sid.
alert tcp $HOME_NET any -> [81.214.24.181] 51200 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301968/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301968; rev:1;)
alert tcp $HOME_NET any -> [81.214.24.181] 24998 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301967; rev:1;)
alert tcp $HOME_NET any -> [81.214.24.181] 14151 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301966/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301966; rev:1;)
alert tcp $HOME_NET any -> [81.214.24.181] 999 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301965/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301965; rev:1;)
alert tcp $HOME_NET any -> [186.233.231.95] 7777 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301964/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301964; rev:1;)
alert tcp $HOME_NET any -> [91.188.254.83] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301963; rev:1;)
alert tcp $HOME_NET any -> [47.99.185.31] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301962/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301962; rev:1;)
alert tcp $HOME_NET any -> [36.134.129.16] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301961; rev:1;)
alert tcp $HOME_NET any -> [185.77.225.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301960/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301960; rev:1;)
alert tcp $HOME_NET any -> [154.243.176.5] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301959; rev:1;)
# 168.119.197.36, .39 and .49 are each listed on both 80 and 443, so one host
# contacting one of these addresses can raise two different sids.
alert tcp $HOME_NET any -> [168.119.197.49] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301958; rev:1;)
alert tcp $HOME_NET any -> [168.119.197.49] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301957/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301957; rev:1;)
alert tcp $HOME_NET any -> [168.119.197.39] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301956; rev:1;)
alert tcp $HOME_NET any -> [168.119.197.39] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301955; rev:1;)
alert tcp $HOME_NET any -> [168.119.197.36] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301954/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301954; rev:1;)
alert tcp $HOME_NET any -> [168.119.197.36] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301953/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301953; rev:1;)
# Mixed ThreatFox indicator types follow: ip:port (alert tcp), domain
# (alert dns) and URL (alert http).
# URL rules: http.method must contain "GET"; the http.uri pattern is anchored
# at the start of the URI by depth but has no end check, so it is a
# case-insensitive prefix match (a longer path or a query string still
# matches); the http.host pattern is followed by isdataat:!1,relative, so the
# host must match in full. These rules only see traffic Suricata parses as
# HTTP, so the same URL fetched over TLS is not visible without decryption.
# Domain rules: depth plus isdataat:!1,relative make dns_query an exact,
# case-insensitive match on the whole query name; subdomains of the listed
# name do not match. dns_query is the legacy spelling of dns.query.
# ip:port rules have no flow or content keywords: any TCP packet from
# $HOME_NET to that address and port matches, limited by threshold to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [172.245.106.43] 28053 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rat/l1nc0in.php"; depth:16; nocase; http.host; content:"a1005682.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doortseropa.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isomicrotich.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301950; rev:1;)
# 45.9.74.36 is covered by four rules: two URL rules with the literal address
# as http.host, and ip:port rules for port 80 (C2) and 8888 (payload
# delivery). One connection can therefore raise both a URL alert and an
# ip:port alert; correlate them by sid rather than counting them separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/out.php"; depth:8; nocase; http.host; content:"45.9.74.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301940; rev:1;)
alert tcp $HOME_NET any -> [45.9.74.36] 80 (msg:"ThreatFox StrelaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301941; rev:1;)
alert tcp $HOME_NET any -> [45.9.74.36] 8888 (msg:"ThreatFox StrelaStealer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/196371523423251.dll"; depth:20; nocase; http.host; content:"45.9.74.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301943; rev:1;)
# oakgrovetraining.com has a domain rule and, further down, URL rules for
# paths under /cdn-vs/; a DNS alert without a matching URL alert means the
# name was resolved, not that a payload was fetched over cleartext HTTP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oakgrovetraining.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccrhs.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"oakgrovetraining.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"oakgrovetraining.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/data.php"; depth:16; nocase; http.host; content:"luxurycaborental.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"oakgrovetraining.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17;
classtype:trojan-activity; sid:91301937; rev:1;)
# The rules below mix ip:port (alert tcp), URL (alert http) and domain
# (alert dns) indicators from ThreatFox.
# target:src_ip marks the source side of the alert, here the $HOME_NET host,
# as the target, so the internal host is the one recorded as affected.
# In every rule shown, sid is the ThreatFox IOC id from the reference URL
# prefixed with 9, so an alert's sid leads directly to the IOC entry.
# ip:port rules have no flow or content keywords: any TCP packet to the listed
# address and port matches (one alert per source per 60 seconds), so a hit is
# a connection attempt, not proof of an established C2 session.
alert tcp $HOME_NET any -> [194.180.191.69] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301939; rev:1;)
# URL rules: the http.uri pattern is anchored at the start by depth with no
# end check (case-insensitive prefix match); the http.host pattern must match
# the whole host (depth plus isdataat:!1,relative). Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb341/index.php"; depth:16; nocase; http.host; content:"ccrhs.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301932; rev:1;)
# Confidence 75%. The URI pattern is only the four-byte prefix "/api", so any
# GET whose path starts with /api (any case) on this exact host matches; the
# host pattern is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"whangeeeerodpz.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91301931; rev:1;)
# Domain rules: exact, case-insensitive match on the whole query name (depth
# plus isdataat:!1,relative); subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"othergate.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"australiaivf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eventgrids.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301928; rev:1;)
# The next two URL rules use a literal IP address as the http.host pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/5597912977140"; depth:24; nocase; http.host; content:"45.61.136.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmh6"; depth:5; nocase; http.host; content:"8.130.114.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91301926; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.186] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b179d065.php"; depth:13; nocase; http.host; content:"cr55307.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301924; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 5271 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301923; rev:1;)
alert tcp $HOME_NET any -> [8.138.150.164] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301922; rev:1;)
alert tcp $HOME_NET any -> [47.98.101.92] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301921; rev:1;)
alert tcp $HOME_NET any -> [120.53.120.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301920; rev:1;)
alert tcp $HOME_NET any -> [192.3.128.204] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301919; rev:1;)
alert tcp $HOME_NET any ->
[154.204.179.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301918; rev:1;)
# Cobalt Strike ip:port indicators from ThreatFox (confidence 100%), one rule
# per address/port pair.
# Matching is on destination address and port only: there are no flow or
# content keywords, so any TCP packet from $HOME_NET to the endpoint alerts,
# whatever protocol is spoken on the port. The family name in msg comes from
# the ThreatFox entry, not from inspection of the traffic.
# threshold (type limit, track by_src, seconds 60, count 1) gives one alert
# per source address per 60 seconds for each rule, so alert counts do not
# reflect how many connections or how much data a host sent.
# Address-based indicators age: compare first_seen with the date of the hit
# and check the reference URL before acting on an alert.
alert tcp $HOME_NET any -> [65.20.83.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301917; rev:1;)
alert tcp $HOME_NET any -> [202.95.12.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301916; rev:1;)
alert tcp $HOME_NET any -> [8.223.20.63] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301915; rev:1;)
alert tcp $HOME_NET any -> [8.134.51.218] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301914; rev:1;)
alert tcp $HOME_NET any -> [59.110.136.135] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301913; rev:1;)
alert tcp $HOME_NET any -> [85.214.111.149] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301912; rev:1;)
alert tcp $HOME_NET any -> [47.236.135.143] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301911; rev:1;)
alert tcp $HOME_NET any -> [47.237.84.207] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301910; rev:1;)
alert tcp $HOME_NET any -> [45.148.120.22] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301909; rev:1;)
alert tcp $HOME_NET any -> [39.102.210.212] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301908; rev:1;)
alert tcp $HOME_NET any -> [34.239.111.159] 32400 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301907; rev:1;)
alert tcp $HOME_NET any -> [47.109.77.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301906; rev:1;)
alert tcp $HOME_NET any -> [206.237.41.109] 199 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301905; rev:1;)
alert tcp $HOME_NET any -> [195.245.241.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301904; rev:1;)
alert tcp $HOME_NET any -> [172.104.166.155] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301903; rev:1;)
alert tcp $HOME_NET any -> [13.229.45.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301902/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_07_17; classtype:trojan-activity; sid:91301902; rev:1;)
# ThreatFox ip:port indicators (Cobalt Strike, XWorm, NjRAT, Mirai) and two
# domain indicators.
# ip:port rules match any TCP packet from $HOME_NET to the listed address and
# port (no flow or content keywords) and are limited by threshold to one alert
# per source address per 60 seconds; an alert is evidence of a connection
# attempt only.
# 115.159.62.32 is listed on two ports in this group (81 and 83), each with
# its own sid.
alert tcp $HOME_NET any -> [115.159.62.32] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301901; rev:1;)
alert tcp $HOME_NET any -> [118.25.19.201] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301900; rev:1;)
alert tcp $HOME_NET any -> [102.134.54.216] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301899; rev:1;)
alert tcp $HOME_NET any -> [1.92.100.58] 9898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301898; rev:1;)
alert tcp $HOME_NET any -> [47.109.59.121] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301897; rev:1;)
alert tcp $HOME_NET any -> [116.205.225.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301896; rev:1;)
alert tcp $HOME_NET any -> [47.93.43.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301895; rev:1;)
alert tcp $HOME_NET any -> [118.31.238.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301894; rev:1;)
alert tcp $HOME_NET any -> [8.138.43.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301893; rev:1;)
alert tcp $HOME_NET any -> [139.84.140.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301892; rev:1;)
# Domain rules: depth plus isdataat:!1,relative make dns_query an exact,
# case-insensitive match on the whole query name. Both names below sit under
# zones that appear to be shared by many unrelated users (ply.gg, duckdns.org;
# confirm); only the full name listed matches, so other hosts under the same
# zone do not alert. A DNS hit shows the name was queried, not that a
# connection followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tax-sri.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrixxcloud.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301878; rev:1;)
alert tcp $HOME_NET any -> [60.204.134.21] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301891; rev:1;)
alert tcp $HOME_NET any -> [88.168.211.65] 6004 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301846; rev:1;)
# The next two indicators carry a lower ThreatFox confidence (75%).
alert tcp $HOME_NET any -> [160.177.77.33] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301873/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91301873; rev:1;)
alert tcp $HOME_NET any -> [46.19.143.28] 2969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301882/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91301882; rev:1;)
alert tcp $HOME_NET any -> [115.159.62.32] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301890; rev:1;)
# ThreatFox indicators of three kinds follow: ip:port (alert tcp), URL
# (alert http) and domain (alert dns). Confidence in this group ranges from
# 50% to 100%; the value is in msg and in metadata (confidence_level), so it
# can be used to rank or filter alerts during triage.
# ip:port rules have no flow or content keywords: any TCP packet from
# $HOME_NET to the listed address and port matches, limited by threshold to
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [8.135.237.16] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301889; rev:1;)
alert tcp $HOME_NET any -> [18.140.63.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301888; rev:1;)
alert tcp $HOME_NET any -> [39.105.24.228] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301887; rev:1;)
alert tcp $HOME_NET any -> [202.95.12.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301886; rev:1;)
# Lowest confidence in this group (50%). Payload-delivery URL with a literal
# address as http.host; the http.uri pattern is anchored at the start with no
# end check, so it is a case-insensitive prefix match on "/mozi.m".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.89.199.1"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_17; classtype:trojan-activity; sid:91301885; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.147] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301884; rev:1;)
alert tcp $HOME_NET any -> [80.66.89.126] 22968 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301883; rev:1;)
alert tcp $HOME_NET any -> [85.28.47.67] 21663 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301881; rev:1;)
# Domain rule, confidence 75%: exact, case-insensitive match on the whole
# query name (depth plus isdataat:!1,relative); subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"365officemail.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301880/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_17; classtype:trojan-activity; sid:91301880; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 9755 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301879; rev:1;)
# URL rule: the host must match in full, the URI is a prefix match. It only
# sees traffic Suricata parses as HTTP, so the same request over TLS is not
# visible to it without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999665.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301877; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.193] 49958 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301876; rev:1;)
alert tcp $HOME_NET any -> [46.226.163.38] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301875; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.110] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301874; rev:1;)
alert tcp $HOME_NET any -> [165.227.210.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301872; rev:1;)
alert tcp $HOME_NET any -> [172.167.19.28] 7088 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1301870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301870; rev:1;)
# ThreatFox ip:port, URL and domain indicators; first_seen moves from
# 2024_07_17 to 2024_07_16 part-way through this group.
# ip:port rules match any TCP packet from $HOME_NET to the listed address and
# port (no flow or content keywords), limited by threshold to one alert per
# source address per 60 seconds. On port 443 nothing inside the TLS session is
# inspected, so the alert rests on the address alone.
alert tcp $HOME_NET any -> [168.119.197.50] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301869; rev:1;)
alert tcp $HOME_NET any -> [168.119.197.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_17; classtype:trojan-activity; sid:91301868; rev:1;)
# URL rules: http.method must contain "GET"; the http.uri pattern is a
# case-insensitive prefix match (anchored by depth, no end check); the
# http.host pattern must match the whole host. Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestgeodatalifecdn.php"; depth:26; nocase; http.host; content:"boldenis44.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_17; classtype:trojan-activity; sid:91301867; rev:1;)
alert tcp $HOME_NET any -> [176.97.210.241] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301866; rev:1;)
# 147.185.221.21 is listed on two ports in this group (6240 and 18082, both
# NjRAT, at 100% and 75%), and the neighbouring 147.185.221.20 appears below
# for a different family. This may indicate an address shared by unrelated
# operators (confirm against the ThreatFox entries) and is a reason to act on
# the address:port pair rather than on the address as a whole.
alert tcp $HOME_NET any -> [147.185.221.21] 6240 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301849; rev:1;)
alert tcp $HOME_NET any -> [51.91.35.148] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301847; rev:1;)
# hippieblissprovising.com is covered by one domain rule and three URL rules
# (paths under /cdn-vs/). A DNS alert alone means the name was queried; a URL
# alert additionally shows a cleartext GET for that path prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"hippieblissprovising.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"hippieblissprovising.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301844; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 18082 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301841; rev:1;)
# Domain rule: exact, case-insensitive match on the whole query name (depth
# plus isdataat:!1,relative); subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hippieblissprovising.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"hippieblissprovising.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvmpipetoprocessserverprotectcdn.php"; depth:44; nocase; http.host; content:"92.63.101.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301840; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 9336 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301839; rev:1;)
alert tcp $HOME_NET any -> [84.38.182.16] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301642; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.67] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301838/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty7y"; depth:5; nocase; http.host; content:"124.222.72.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301645; rev:1;) alert tcp $HOME_NET any -> [124.222.72.51] 4433 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301644; rev:1;) alert tcp $HOME_NET any -> [42.51.37.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301643; rev:1;) alert tcp $HOME_NET any -> [47.97.97.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301641; rev:1;) alert tcp $HOME_NET any -> [103.146.179.110] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301640; rev:1;) alert tcp 
$HOME_NET any -> [168.119.197.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301639/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301639; rev:1;)
# (The line above is the tail of a rule that starts before this section.)
#
# Rules below are laid out one per line. ip:port rules match on destination address and port only
# (no flow or content keywords); the threshold limits them to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [168.119.197.51] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301638; rev:1;)
# url rules: depth equals the length of the http.uri content, so the path is anchored at the start
# of the URI only; the http.host content must fill the whole host buffer (depth plus
# isdataat:!1,relative). Long generated-looking paths such as the one below are highly specific,
# so a panel that moves to a new path will no longer match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linuxprocessgeoimage/5/vm5/2traffictempapi/9php/httpapibasewindowsdatalifedlelocalpublictempcentral.php"; depth:104; nocase; http.host; content:"217.28.222.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301637; rev:1;)
alert tcp $HOME_NET any -> [78.142.29.49] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301636; rev:1;)
alert tcp $HOME_NET any -> [37.130.98.195] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301635; rev:1;)
# domain rules: depth plus isdataat:!1,relative make the dns_query match exact, so a lookup of a
# subdomain of the listed name does not alert. verose.top is also covered by a url rule further down.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verose.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301632; rev:1;)
# NOTE(review): 104.21.95.88 looks like shared CDN address space (Cloudflare) — confirm. If so,
# this destination-only rule can fire on unrelated sites served from the same address; correlate
# with the HTTP Host or TLS SNI before treating a hit as Loki traffic.
alert tcp $HOME_NET any -> [104.21.95.88] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301633; rev:1;)
alert tcp $HOME_NET any -> [213.109.202.15] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"verose.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301631; rev:1;)
# NOTE(review): the *.gl.at.ply.gg name below and the 147.185.221.21 ip:port rule further down are
# presumably endpoints of a shared tunnelling service — verify. Only the exact subdomain and the
# exact port are indicators; the parent domain and the address as a whole may carry unrelated traffic.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"away-displays.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301626; rev:1;)
# 77.105.133.27 is the host for several /api/*.php url rules in this feed (twofish.php and
# firecom.php in this section).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/twofish.php"; depth:16; nocase; http.host; content:"77.105.133.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301627; rev:1;)
alert tcp $HOME_NET any -> [95.211.6.240] 57887 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3/basevoiddbcentral/1/basemulti/privatelongpoll/_to/8linuxwordpressvm/dbsecure/5db/62mariadb/55pipeimage/2authprotectupdate/8updatedatalife/externalvmtosecureapilinuxflowergeneratorprivatetemp.php"; depth:197; nocase; http.host; content:"178.208.86.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301629; rev:1;)
# confidence_level 50: the feed itself rates this indicator as uncertain; triage hits below the
# 100% rules, or filter on the confidence_level metadata when loading the ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.198.11.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_16; classtype:trojan-activity; sid:91301628; rev:1;)
alert tcp $HOME_NET any -> [2.58.80.130] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301625; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.167] 1294 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301624; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 15158 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301613/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"77.105.133.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301618; rev:1;)
# confidence_level 49 with a short, generic path ("/live/"): the host match carries the detection
# here, and the feed rates it below even odds, so treat hits as low-priority leads.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"lettecoft.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301614/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_16; classtype:trojan-activity; sid:91301614; rev:1;)
# The next line starts a rule that continues past this section.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase;
http.host; content:"ultroawest.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301615/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_16; classtype:trojan-activity; sid:91301615; rev:1;)
# (The line above is the tail of a rule that starts before this section.)
#
# Rules below are laid out one per line. url rules anchor the http.uri content at the start of the
# URI (depth equals the content length) and require the http.host content to fill the whole host
# buffer (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"77.105.133.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301617; rev:1;)
# "Unknown malware": the feed gives no family for 191.232.181.180, so the msg text offers no
# triage hint beyond the address and port; follow the reference URL for context.
alert tcp $HOME_NET any -> [191.232.181.180] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301619; rev:1;)
alert tcp $HOME_NET any -> [191.232.181.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"77.105.133.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301622; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.178] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythondefaultsqlbasetrackcentral.php"; depth:37; nocase; http.host; content:"papka.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301621; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.74] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301616; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.153] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rudolph/five/fre.php"; depth:21; nocase; http.host; content:"rocheholding.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301611/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_16; classtype:trojan-activity; sid:91301611; rev:1;)
# Run of Cobalt Strike ip:port rules. Each matches on destination address and port only (no flow or
# content keywords), so the alert says "this host talked to that endpoint", not "this was beacon
# traffic"; the threshold limits each rule to one alert per source per 60 seconds. Several use
# ports 80/443, where later reuse of the address by another service would also match — check
# first_seen and corroborate with HTTP/TLS telemetry.
alert tcp $HOME_NET any -> [8.134.12.90] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301610; rev:1;)
alert tcp $HOME_NET any -> [172.245.184.135] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301609; rev:1;)
alert tcp $HOME_NET any -> [91.208.73.75] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301608; rev:1;)
alert tcp $HOME_NET any -> [8.223.20.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301606; rev:1;)
alert tcp $HOME_NET any -> [45.61.136.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301607; rev:1;)
alert tcp $HOME_NET any -> [103.113.70.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301604; rev:1;)
alert tcp $HOME_NET any -> [140.143.146.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301605; rev:1;)
alert tcp $HOME_NET any -> [118.194.237.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301603; rev:1;)
alert tcp $HOME_NET any -> [47.97.71.149] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301602; rev:1;)
alert tcp $HOME_NET any -> [124.222.97.236] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301601; rev:1;)
alert tcp $HOME_NET any -> [106.14.69.133] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301600; rev:1;)
# The next line starts a rule that continues past this section.
alert tcp $HOME_NET any -> [121.199.56.173] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301599; rev:1;)
# (The line above is the tail of a rule that starts before this section.)
#
# Rules below are laid out one per line. Almost all are ip:port indicators: they match on
# destination address and port alone (no flow or content keywords) and are limited by the threshold
# to one alert per source per 60 seconds. An alert therefore records contact with the endpoint, not
# the protocol spoken; corroborate with host, proxy or TLS telemetry, and weigh first_seen, since an
# address can be reassigned after the indicator was recorded.
alert tcp $HOME_NET any -> [8.130.113.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301598; rev:1;)
alert tcp $HOME_NET any -> [140.143.146.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301597; rev:1;)
alert tcp $HOME_NET any -> [116.198.232.235] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301596; rev:1;)
alert tcp $HOME_NET any -> [39.98.37.146] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301595; rev:1;)
alert tcp $HOME_NET any -> [124.222.92.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301594; rev:1;)
alert tcp $HOME_NET any -> [118.24.89.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301593; rev:1;)
alert tcp $HOME_NET any -> [8.223.29.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301591; rev:1;)
alert tcp $HOME_NET any -> [163.44.196.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301592; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.167] 28788 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301572; rev:1;)
alert tcp $HOME_NET any -> [38.180.204.127] 17052 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301584; rev:1;)
alert tcp $HOME_NET any -> [89.213.177.93] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301589; rev:1;)
alert tcp $HOME_NET any -> [89.213.177.100] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301590; rev:1;)
# url rule: the http.uri content is anchored at the start of the URI only (depth equals its
# length); the http.host content must fill the whole host buffer (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonphp_cpubase.php"; depth:22; nocase; http.host; content:"ozero.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_16; classtype:trojan-activity; sid:91301588; rev:1;)
# The remaining rules in this section are rated 80% by the feed rather than 100%.
alert tcp $HOME_NET any -> [178.254.41.13] 23 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301587/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301587; rev:1;)
alert tcp $HOME_NET any -> [8.138.150.198] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301586/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301586; rev:1;)
alert tcp $HOME_NET any -> [150.158.155.208] 63636 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301585/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301585; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301583/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301583; rev:1;)
alert tcp $HOME_NET any -> [45.152.65.39] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301582/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301582; rev:1;)
alert tcp $HOME_NET any -> [167.71.85.87] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301581/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301581; rev:1;)
alert tcp $HOME_NET any -> [104.194.154.198] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301580/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301580; rev:1;)
alert tcp $HOME_NET any -> [64.190.113.27] 8081 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301579/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301579; rev:1;)
# The next line starts a rule that continues past this section.
alert tcp $HOME_NET any -> [95.65.165.151] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1301578/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301578; rev:1;)
# (The line above is the tail of a rule that starts before this section.)
#
# Rules below are laid out one per line. ip:port rules match on destination address and port only
# (no flow or content keywords) and are limited to one alert per source per 60 seconds; url rules
# anchor the path at the start of the URI and require an exact http.host; domain rules require an
# exact dns_query name, so subdomains of a listed name do not alert.
alert tcp $HOME_NET any -> [38.181.25.40] 8899 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301577/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_16; classtype:trojan-activity; sid:91301577; rev:1;)
# From here on first_seen is 2024_07_15. The three Latrodectus indicators are all port 443 at 75%
# confidence: a destination-only match on 443 cannot separate C2 from other TLS services on the
# same address, so pair a hit with TLS or endpoint evidence.
alert tcp $HOME_NET any -> [51.161.41.214] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301576; rev:1;)
alert tcp $HOME_NET any -> [91.242.163.242] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301574; rev:1;)
alert tcp $HOME_NET any -> [49.13.5.52] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaleternal_pollpacketlongpollapitestuploads.php"; depth:53; nocase; http.host; content:"193046cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301573; rev:1;)
alert tcp $HOME_NET any -> [159.203.177.31] 16383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/46ea3ef0390e13b4.php"; depth:21; nocase; http.host; content:"5.230.253.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301570; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 14213 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301567; rev:1;)
# NOTE(review): the *.gl.at.ply.gg name and the 147.185.221.20 ip:port rule after it are
# presumably endpoints of a shared tunnelling service — verify. Only the exact subdomain and the
# exact port are indicators; the parent domain and the address as a whole may carry unrelated traffic.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"answers-crisis.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301569; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 64407 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/slide"; depth:16; nocase; http.host; content:"45.61.136.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301566; rev:1;)
# confidence_level 50 on port 80: the feed rates this indicator as uncertain, so triage hits below
# the higher-confidence rules or filter on the confidence_level metadata when loading the ruleset.
alert tcp $HOME_NET any -> [185.196.8.126] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_15; classtype:trojan-activity; sid:91301439; rev:1;)
alert tcp $HOME_NET any -> [118.31.238.164] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301438; rev:1;)
alert tcp $HOME_NET any -> [45.77.18.127] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301437; rev:1;)
alert tcp $HOME_NET any -> [45.43.143.25] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301436; rev:1;)
alert tcp $HOME_NET any -> [176.114.64.50] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301435; rev:1;)
alert tcp $HOME_NET any -> [154.197.98.103] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301434; rev:1;)
alert tcp $HOME_NET any -> [43.136.96.90] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301433/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301433; rev:1;)
# Two url rules share the host downloaddining.com and the /h9fmdw5/ directory and differ only in
# the script name (index.php, login.php); a request to any other file under that directory is not
# matched by either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"downloaddining.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/login.php"; depth:18; nocase; http.host; content:"downloaddining.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301422; rev:1;)
# The next line starts a rule that continues past this section.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bigmouthudiop.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301423; rev:1;)
# NOTE(review): sid:91301423 (ending on the line above) matches only requests whose method buffer
# contains "GET" and whose URI begins with "/api" (depth:4 anchors the start, nothing anchors the end).
# A client that POSTs to the same path would not match; the dns rule sid:91301424 below covers
# lookups of the same host name regardless of HTTP method.
#
# The dns rules below match one exact query name each: depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes, so a subdomain of a listed name needs its own rule.
# dns_query is the legacy spelling of the dns.query sticky buffer, while the http rules in this file
# use the dotted names (http.uri, http.host) -- TODO confirm which Suricata versions the feed targets.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigmouthudiop.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"declaredczxi.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applyzxcksdia.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"replacedoxcjzp.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"catchddkxozvp.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arriveoxpzxo.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contemplateodszsv.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bindceasdiwozx.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conformfucdioz.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/index.php/file.php"; depth:19; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301420/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw7/index.php"; depth:18; nocase; http.host; content:"185.196.8.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"77.105.160.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301417; rev:1;) alert tcp $HOME_NET any -> [77.105.160.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301418; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16730 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301413; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16730 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301414; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 30060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"advanced-cognitive.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adcount.js"; depth:11; nocase; http.host; content:"e2sky.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e2sky.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/js.php"; depth:7; nocase; http.host; content:"e2sky.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/qasd.php"; depth:28; nocase; http.host; content:"talk2rami.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301411; rev:1;) alert tcp $HOME_NET any -> [154.9.249.164] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301405; rev:1;) alert tcp $HOME_NET any -> [77.238.250.123] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301406; rev:1;) alert tcp $HOME_NET any -> [157.173.210.213] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/index.php/wp"; depth:13; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301407; rev:1;) alert tcp $HOME_NET any -> [172.93.222.25] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301404; rev:1;) alert tcp $HOME_NET any -> [91.215.85.111] 80 (msg:"ThreatFox GootLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301326; rev:1;) alert tcp $HOME_NET any -> [91.215.85.21] 443 (msg:"ThreatFox GootLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301329; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 14200 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301148/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301148; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 14640 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; 
classtype:trojan-activity; sid:91301270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peter-tampa.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301271; rev:1;) alert tcp $HOME_NET any -> [31.44.2.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301269; rev:1;) alert tcp $HOME_NET any -> [91.215.85.111] 443 (msg:"ThreatFox GootLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301327; rev:1;) alert tcp $HOME_NET any -> [91.215.85.21] 80 (msg:"ThreatFox GootLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"luxurycaborental.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxurycaborental.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"luxurycaborental.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"luxurycaborental.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301335; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 9137 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"service-extract.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301363; 
rev:1;) alert tcp $HOME_NET any -> [41.142.37.55] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_15; classtype:trojan-activity; sid:91301370; rev:1;) alert tcp $HOME_NET any -> [141.98.168.9] 443 (msg:"ThreatFox Carbanak botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301382; rev:1;) alert tcp $HOME_NET any -> [163.123.141.178] 443 (msg:"ThreatFox Carbanak botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301383; rev:1;) alert tcp $HOME_NET any -> [88.214.27.174] 443 (msg:"ThreatFox Carbanak botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"find-domain-a.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301385; rev:1;) alert tcp $HOME_NET any -> [101.43.47.211] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1301403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301403; rev:1;) alert tcp $HOME_NET any -> [185.106.176.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301402; rev:1;) alert tcp $HOME_NET any -> [164.215.103.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301401; rev:1;) alert tcp $HOME_NET any -> [164.215.103.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301400; rev:1;) alert tcp $HOME_NET any -> [47.238.102.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301399; rev:1;) alert tcp $HOME_NET any -> [111.230.212.37] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301398; rev:1;) alert tcp $HOME_NET any -> [119.29.232.58] 8888 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301397; rev:1;) alert tcp $HOME_NET any -> [103.113.70.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301396; rev:1;) alert tcp $HOME_NET any -> [150.158.135.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301395; rev:1;) alert tcp $HOME_NET any -> [119.29.232.58] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301394; rev:1;) alert tcp $HOME_NET any -> [47.98.188.233] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301393; rev:1;) alert tcp $HOME_NET any -> [119.29.232.58] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301392/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301392; rev:1;) alert tcp $HOME_NET any -> [119.29.232.58] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301391; rev:1;) alert tcp $HOME_NET any -> [150.158.135.229] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301390; rev:1;) alert tcp $HOME_NET any -> [47.100.1.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_15; classtype:trojan-activity; sid:91301389; rev:1;) alert tcp $HOME_NET any -> [92.249.48.33] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301381; rev:1;) alert tcp $HOME_NET any -> [3.239.43.62] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301380; rev:1;) alert tcp $HOME_NET any -> [107.173.11.22] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301379; rev:1;) alert tcp $HOME_NET any -> [23.94.245.115] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301378; rev:1;) alert tcp $HOME_NET any -> [185.18.222.93] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_15; classtype:trojan-activity; sid:91301377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moonapi.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301376; rev:1;) alert tcp $HOME_NET any -> [4.233.209.62] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301374; rev:1;) alert tcp $HOME_NET any -> [4.233.209.62] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; 
classtype:trojan-activity; sid:91301375; rev:1;)
# The two dns rules below list kittycatmeow.xyz and one of its subdomains separately because each
# rule matches one exact query name (depth equals the pattern length; isdataat:!1,relative rejects
# trailing bytes). Other names under the same zone are not covered by either rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittycatmeow.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ransomware.kittycatmeow.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1301373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301373; rev:1;)
# http.host is matched exactly, but http.uri is anchored only at its start (depth:27 equals the
# pattern length), so any request path that begins with the listed string also matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaldefaultprivate.php"; depth:27; nocase; http.host; content:"949542cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301371; rev:1;)
# NOTE(review): the ip:port rules carry no flow or flags keyword, so they match any TCP packet from
# $HOME_NET to the listed address and port, including a connection attempt that is never answered.
# The threshold caps alerts at one per source address per 60 seconds. sid:91301369 is published at
# confidence_level 50 on port 80 -- corroborate a hit with host or proxy telemetry before treating
# it as a confirmed infection.
alert tcp $HOME_NET any -> [185.49.71.23] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_14; classtype:trojan-activity; sid:91301369; rev:1;)
alert tcp $HOME_NET any -> [103.144.139.189] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91301368; rev:1;)
alert tcp $HOME_NET any -> [193.138.195.196] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301367/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91301367; rev:1;)
# NOTE(review): sid:91301331 looks for the host name "alphadawgrecords.com" in http.uri, anchored to
# the first 20 bytes of that buffer, and has no http.host match, unlike the neighbouring url rules.
# A request URI normally starts with "/", so this rule is unlikely to fire on ordinary traffic.
# Presumably the IOC was recorded without a scheme or path and the generator treated the whole
# string as a URI -- verify against the ThreatFox entry and, if so, match the name in http.host
# (or with a dns rule) in a local rule instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"alphadawgrecords.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1301331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_14; classtype:trojan-activity; sid:91301331; rev:1;)
# The two rules below pair a start-anchored http.uri match with an exact http.host match; both
# buffers must match in the same GET request for the rule to alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"120.61.80.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_14; classtype:trojan-activity; sid:91301330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/570d5d5e8678366c.php"; depth:21; nocase; http.host; content:"85.28.47.70"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301268; rev:1;)
alert tcp $HOME_NET any -> [45.130.151.211] 443 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301266/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_14; classtype:trojan-activity; sid:91301266; rev:1;)
# ip:port rule for 45.130.151.211 port 80: it has no content conditions, so any TCP
# packet to that address and port matches (one alert per source per 60 seconds).
# The URL rules below target the same address, so a single HTTP download from it
# can raise both this alert and a URL alert.
alert tcp $HOME_NET any -> [45.130.151.211] 80 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301267; rev:1;)
# Payload-delivery URLs on host 45.130.151.211, one rule per .apk path. http.uri is
# anchored at the start only (prefix match); http.host must equal the address.
# NOTE(review): sids from 91301214 downward later in this file repeat these same
# conditions (for example 91301214 has the same URI and host as 91301265), so one
# request can produce two alerts unless duplicates are suppressed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/9232.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/8320.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/8212.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/8156.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/7072.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/6513.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/4417.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/29157.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/28002.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/27610.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/27314.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/25804.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/25461.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301253; rev:1;)
# Continuation of the /dx/<number>.apk payload-delivery rules for host
# 45.130.151.211. Each rule differs only in the path, the ThreatFox reference and the
# sid. These are "alert http" rules, so they apply only where the request is visible
# to the HTTP parser.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/24404.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20714.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20632.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20049.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20009.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/18901.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/17752.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/13483.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/12179.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/11965.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/10646.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/10188.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/5664.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301240; rev:1;)
# /d/<number>.apk payload-delivery rules for host 45.130.151.211. depth equals the
# length of each path, so the content must sit at the very start of http.uri; there
# is no end anchor on the URI, only on http.host (isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/4943.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/28460.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/24046.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/23828.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/2327.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/23184.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/19203.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/1683.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16340.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16290.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16260.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16250.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/1625.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301227; rev:1;)
# Remaining /d/<number>.apk payload-delivery rules for host 45.130.151.211. Same
# shape as the rules before them: GET, URI anchored at the start, exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/15472.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/14471.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/14257.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/142.apk"; depth:10; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/11735.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/11108.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10368.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10366.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10339.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10123.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10113.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/1.apk"; depth:8; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301215; rev:1;)
# NOTE(review): from sid 91301213 onward the rules repeat conditions that already
# appear earlier in this file under a different sid and ThreatFox reference (91301213
# has the same method, URI and host as 91301264). Expect two alerts per matching
# request unless the duplicates are suppressed locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dx/8320.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301213; rev:1;)
# NOTE(review): the rules in this run carry the same match conditions as earlier
# rules in this file and differ only in reference and sid (91301214 matches the same
# URI and host as 91301265, 91301212 the same as 91301263). A request that hits one
# of them also hits its twin, so deduplicate on URI and host when counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/9232.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/8212.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/7072.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/8156.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/4417.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/6513.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/28002.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/29157.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/27610.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/25804.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/27314.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/24404.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/dx/25461.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301202; rev:1;)
# NOTE(review): these rules repeat match conditions found earlier in this file under
# other sids (91301200 has the same URI and host as 91301251, 91301189 the same as
# 91301240). The order here does not follow the earlier order, so pair them by URI
# rather than by position when suppressing or correlating duplicate alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20714.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20049.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20632.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/20009.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/17752.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/18901.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/12179.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/13483.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/11965.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/10646.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/5664.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dx/10188.apk"; depth:13; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/28460.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/4943.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/24046.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/2327.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/23828.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301185/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/19203.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/23184.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/1683.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16290.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16340.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16260.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/1625.apk"; depth:11; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/16250.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/15472.apk"; depth:12; 
nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/14257.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/14471.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/142.apk"; depth:10; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/11108.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301170/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/11735.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10368.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10339.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10366.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10123.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/1.apk"; depth:8; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/10113.apk"; depth:12; nocase; http.host; content:"45.130.151.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301165; rev:1;)
# ip:port indicators. The "alert tcp" rules that follow carry no flow, flags or
# content keyword, so they match on destination address and port alone: an alert
# shows that a $HOME_NET host sent TCP traffic toward the listed endpoint, not
# that a session was established or that the payload was C2.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds, so alert counts understate the
# number of connections.
# For triage, read confidence_level and first_seen in the metadata: an address
# on a common port such as 80 may later serve unrelated content, so an old
# first_seen or a low confidence_level calls for corroboration from other
# telemetry before a host is treated as compromised.
alert tcp $HOME_NET any -> [91.222.173.64] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301163; rev:1;)
alert tcp $HOME_NET any -> [185.106.93.99] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301162; rev:1;)
alert tcp 
$HOME_NET any -> [185.106.93.99] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301161; rev:1;) alert tcp $HOME_NET any -> [185.196.9.5] 51237 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301160; rev:1;) alert tcp $HOME_NET any -> [175.178.225.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301159; rev:1;) alert tcp $HOME_NET any -> [5.42.106.42] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301158; rev:1;) alert tcp $HOME_NET any -> [23.94.230.182] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301157/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301157; rev:1;) alert tcp $HOME_NET any -> [194.163.144.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301156/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301156; rev:1;) alert tcp $HOME_NET any -> [47.109.98.153] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301155/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301155; rev:1;) alert tcp $HOME_NET any -> [121.199.175.4] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301154/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301154; rev:1;) alert tcp $HOME_NET any -> [85.28.47.116] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301153/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301153; rev:1;) alert tcp $HOME_NET any -> [147.45.44.25] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301152/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301152; rev:1;) alert tcp $HOME_NET any -> [103.74.101.154] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301151/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301151; rev:1;) alert tcp $HOME_NET any -> [45.66.231.182] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301150/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91301150; rev:1;)
alert tcp $HOME_NET any -> [185.235.137.84] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1301149/; target:src_ip; metadata: confidence_level 60, first_seen 2024_07_14; classtype:trojan-activity; sid:91301149; rev:1;)
# Domain indicators. Each "alert dns" rule matches the dns_query buffer with
# depth equal to the pattern length and isdataat:!1,relative, so the queried
# name must equal the listed name exactly (nocase makes the comparison
# case-insensitive). Other labels under the same parent domain are not covered
# unless they have their own rule.
# An alert records a lookup sent from $HOME_NET; it does not show that the
# resolved address was contacted. If clients query an internal resolver,
# target:src_ip may point at that resolver rather than the originating host
# (depends on sensor placement; confirm against resolver logs).
# These rules have no threshold keyword, so repeated lookups alert repeatedly.
# The entries directly below carry confidence_level 49 in their metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"0212top.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297865/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"0212top.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297866/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"0212top.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297868/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"0212top.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297869/; target:src_ip; metadata: confidence_level 
49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"0909kses.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297871/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ww-1.us.to"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297819/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"11234jkhfkujhs.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297872/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wwwgoogl.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297815/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"aextg.us.to"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297817/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"linux.kyun.li"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297818/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.micro.gay"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297780/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shaduruanjian8.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297787/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"it.jmjejij.otzo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297779/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"app.kaspersky-scan.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297781/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hb.kaspersky-scan.com"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloud.microsoftsservice.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns.supermirco.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297784/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"top.microsoftsservice.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297785/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloud.kaspersky-scan.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297786/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.shaduruanjian8.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297788/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"img.shaduruanjian8.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297789/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.stdhgd.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auth.microsoftsservice.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"db.microsoftsservice.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"id2.microsoftsservice.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297793; rev:1;) 
# Domain indicators (continued): exact-name matches on dns_query. depth equals
# the pattern length and isdataat:!1,relative rejects any trailing data, so
# only the listed name itself alerts, compared case-insensitively. Check
# confidence_level in each rule's metadata (75 or 49 in the rules below)
# before acting on a single alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mircoo.supermirco.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"weblink.microsoftsservice.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297794/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gov.jmjejij.otzo.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tc.microsoftsservice.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"stevenhead.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298309/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298309; rev:1;)
# URL indicators (payload delivery). Each "alert http" rule that follows needs
# three matches on a client-to-server request in an established flow: method
# GET, an http.uri that begins with the listed path, and an http.host equal to
# the listed value.
# The path match is a prefix match: depth anchors it at offset 0 of the
# normalized URI and nothing constrains what comes after, so a request with a
# query string or longer path sharing that prefix also alerts; nocase makes the
# path comparison case-insensitive. The host match is exact (depth equals the
# pattern length, isdataat:!1,relative rejects trailing bytes).
# Only traffic that Suricata parses as HTTP is inspected, so the same file
# fetched over TLS is not seen by these rules.
# An alert shows that the request was sent, not that the file was delivered or
# executed; correlate with proxy or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3910.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301147; rev:1;)
# ThreatFox "payload delivery" URL IOCs for a single host: every rule below alerts on a
# plaintext HTTP GET from $HOME_NET to $EXTERNAL_NET for a numbered .dll path on 45.9.74.32.
# Match semantics, as written in each rule:
#   - http.uri: content + depth + nocase anchors the path at the start of the URI,
#     case-insensitively; nothing bounds the end of the URI, so the same path followed by
#     a query string or further characters also alerts.
#   - http.host: content + depth:10 + isdataat:!1,relative requires the host buffer to be
#     exactly "45.9.74.32". NOTE(review): Suricata documents http.host as normalized and
#     without the port; confirm on the deployed version that "host:port" requests are covered.
#   - target:src_ip records the $HOME_NET client as the alert target, i.e. the host to triage.
#   - sid is the ThreatFox IOC id from the reference URL, prefixed with 9.
# Coverage limits: these are `alert http` rules, so the same download over TLS is seen only
# where traffic is decrypted for the sensor, and they fire on the request (from_client)
# without checking that a response body came back. When triaging, confirm delivery from
# HTTP/file logs or the endpoint. Every IOC here carries first_seen 2024_07_14; age the
# rules out per local policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3909.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/391.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3908.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3907.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3906.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3905.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3904.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3903.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3901.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3902.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3900.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/39.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/390.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3899.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3897.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3898.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3896.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3894.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3895.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3893.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3891.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3892.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3890.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3889.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3888.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3887.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3885.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3884.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3882.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3883.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3881.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3880.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3879.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/388.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3878.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3877.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3875.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3876.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3874.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3872.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3873.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3871.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/387.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3870.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3869.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3867.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3868.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3866.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3864.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3865.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3863.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3861.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3862.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3860.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3859.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/386.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3858.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3856.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3857.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3855.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3853.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3854.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3852.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3850.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3851.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/385.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3848.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3849.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3846.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3847.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3845.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3843.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3844.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3842.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3841.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/384.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3840.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3839.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3837.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3838.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3836.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3834.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3835.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3833.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3831.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3832.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3830.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3829.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/383.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3828.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3826.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3827.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3825.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3823.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3824.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1301051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3822.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3820.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3821.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/382.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3818.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3819.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3817.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3815.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3816.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3814.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3812.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3813.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3811.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91301037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/381.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3810.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3809.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3807.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3808.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3805.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3806.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3804.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3802.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301027/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3803.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3801.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/380.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3800.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3798.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3799.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3797.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3795.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1301018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3796.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3794.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3793.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3791.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3792.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3790.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3789.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/379.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3787.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3788.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3785.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3786.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3784.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91301006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3782.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3783.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3780.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3781.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/378.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3778.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3779.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1301000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91301000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3777.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3775.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300996/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300996; rev:1;)
# --- Payload delivery from host 45.9.74.32 (sid:91300997 down to sid:91300909, in file order) ---
# Each rule alerts on an established, client-originated HTTP GET from $HOME_NET whose URI
# starts with "/<number>.dll" and whose http.host buffer is exactly "45.9.74.32".
#   - URI: depth equals the content length, so the match is pinned to offset 0; nocase makes
#     it case-insensitive. Nothing anchors the end, so a trailing query string or path suffix
#     still matches.
#   - Host: depth:10 plus isdataat:!1,relative means no bytes may follow the 10-byte literal.
# One rule per ThreatFox IOC: the sid is the IOC id from the reference URL prefixed with 9.
# No threshold keyword is set on these rules, so every matching request raises an alert.
# target:src_ip marks the $HOME_NET client as the alert target, i.e. the host to triage.
# NOTE(review): these are http rules, so they only fire on traffic Suricata parses as HTTP;
# the same fetch over TLS would not match unless traffic is decrypted upstream - confirm coverage.
# NOTE(review): whether a Host header carrying an explicit port still matches depends on how
# http.host is normalized - confirm on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3776.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3773.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3774.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3772.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3770.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3771.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3769.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/377.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3768.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3766.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3767.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3765.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3763.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3764.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3762.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3760.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3761.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/376.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3758.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3759.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3757.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3755.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3756.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3754.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3752.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3753.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3751.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/375.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3750.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3749.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3747.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3748.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3746.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3745.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3743.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3744.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3742.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3741.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/374.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3740.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3739.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3737.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3738.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3736.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3734.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3735.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3733.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3731.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3732.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3730.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3729.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/373.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3728.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3727.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3726.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3724.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3725.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3723.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3722.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3720.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3721.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/372.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3718.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3719.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3717.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3715.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3716.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3714.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3712.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3713.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3711.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3710.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3709.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/371.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3708.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3706.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3707.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3705.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3704.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3702.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3703.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3701.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/370.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3700.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3698.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3699.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3697.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/3695.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3696.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3694.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3692.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3693.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300905/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_14; classtype:trojan-activity; sid:91300905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3691.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/369.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3690.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3689.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3688.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3686.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3687.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3685.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3683.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3684.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3682.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3680.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3681.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/368.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3678.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3679.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3677.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3675.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3676.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3674.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3672.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3673.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3671.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/367.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3670.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3669.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3668.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3666.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3667.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3665.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3664.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300873/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3662.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3663.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3661.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/366.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3660.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3659.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3657.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3658.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3656.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3654.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3655.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3653.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3651.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3652.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3650.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3649.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/365.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3648.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3646.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3647.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3645.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3643.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3644.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3642.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3641.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/364.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3640.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300847; rev:1;)
# ----------------------------------------------------------------------------
# Reviewer notes: "payload delivery" URL rules for host 45.9.74.32.
# The rules are laid out one per line; their options are unchanged.
#
# What each rule matches:
#   - the http app-layer protocol, $HOME_NET -> $EXTERNAL_NET, client side of
#     an established flow (flow:established,from_client), so the alert fires
#     on the request, not on the response;
#   - request method GET;
#   - http.uri starting with "/<number>.dll": content plus a depth equal to
#     the pattern length pins the match to offset 0, nocase ignores case, and
#     nothing anchors the end, so "/3639.dll?x=1" alerts as well;
#   - http.host equal to "45.9.74.32": depth:10 pins the start and
#     isdataat:!1,relative requires that no byte follows.
# The sid is the ThreatFox IOC id from reference:url with a leading 9, which
# lets an alert be traced back to its IOC entry.
#
# Points to keep in mind when deploying or triaging:
#   - Coverage is per listed file name; a request for a number that is not
#     listed does not alert. A locally maintained rule (own sid range) that
#     matches the numeric file-name pattern on http.uri together with the same
#     http.host condition would close that gap.
#   - These rules carry no threshold keyword (the ip:port rules of this feed
#     use "threshold: type limit"), so every matching request alerts.
#   - target:src_ip marks the internal client as the affected host. Because
#     only the request is inspected, check the HTTP response for the same
#     flow before concluding that the DLL reached the client.
#   - Only traffic parsed as HTTP is covered; the same host reached over TLS
#     is outside these rules.
#   - first_seen is 2024_07_14 for all of them; indicators tied to one IP
#     address lose value over time, so review them against the current feed
#     rather than keeping them indefinitely.
# ----------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3639.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3637.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3638.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3636.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3634.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3635.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3633.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3631.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3632.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3630.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3629.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/363.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3628.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3626.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3627.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3625.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3623.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3624.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3622.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3621.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/362.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3620.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3619.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3617.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3618.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3616.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3614.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3615.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3613.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3612.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3611.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3610.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/361.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3609.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3608.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3607.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3606.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3605.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3604.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3603.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3602.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3601.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3600.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3599.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3598.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3596.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3597.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3594.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3595.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3593.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3591.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3592.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/359.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3590.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3589.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3587.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3588.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3585.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3586.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3584.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3582.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3583.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3581.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/358.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3580.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3578.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3579.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3577.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3575.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3576.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3574.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3572.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3573.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3570.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3571.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/357.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3568.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3569.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3566.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3567.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3564.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3565.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3563.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3561.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3562.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/356.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3560.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3559.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3557.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3558.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3555.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3556.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3553.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3554.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3552.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300749/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3550.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3551.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3549.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/355.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3548.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3546.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3547.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3544.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3545.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3543.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3541.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3542.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/354.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3540.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3538.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3539.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3537.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3535.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3536.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3533.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3534.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3532.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3530.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3531.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3529.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/353.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3528.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3526.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3527.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3524.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3525.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300719/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3522.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3523.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3521.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/352.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3520.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3519.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3517.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3518.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3515.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3516.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3514.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3512.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3513.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3510.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3511.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/351.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3509.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3507.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3508.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3506.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3504.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3505.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3502.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3503.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3500.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3501.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/350.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300691; rev:1;)
# ---------------------------------------------------------------------------------------------------
# Payload-delivery URL indicators for Host 45.9.74.32 (confidence_level 100, first_seen 2024_07_14).
# One rule per line; keep it that way, Suricata parses a rule from a single logical line.
#
# What each rule matches: an established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET
# (any port) where
#   - http.uri begins with the listed "/<n>.dll" path. depth equals the content length, so the
#     match is pinned to the start of the URI; nocase ignores letter case. There is no end anchor
#     on the URI, so a longer URI that merely begins with the path (query string, extra suffix)
#     alerts as well.
#   - http.host is exactly 45.9.74.32. depth:10 pins the start and isdataat:!1,relative requires
#     that no byte follows the match.
#     NOTE(review): whether a Host header carrying an explicit port still matches depends on how
#     the deployed engine normalizes http.host - confirm on the version in use.
#
# Operational notes:
#   - The condition is on the Host value, not on the destination address (the header is
#     "$EXTERNAL_NET any"), so a request with this Host alerts whatever address it is sent to.
#   - target:src_ip marks the requesting $HOME_NET host as the target side in the alert record.
#   - None of these rules carries a threshold keyword, so every matching request raises an alert;
#     rate-limit per source in threshold.config if repeated downloads flood the queue.
#   - http.* buffers exist only for HTTP the engine can parse; the same download over TLS is not
#     covered by these rules.
#   - An alert shows that a request was sent. Confirm from flow/file logs that a response body was
#     actually delivered before treating the host as infected.
#   - IP-literal indicators age quickly; re-check each entry against its reference URL before
#     keeping it enabled long term.
# ---------------------------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3499.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3497.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3498.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3496.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3494.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3495.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3492.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3493.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3490.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3491.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/349.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3488.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3489.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3486.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3487.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3485.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3483.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3484.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3481.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3482.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3480.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3479.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/348.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3478.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3476.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3477.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3475.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3473.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3474.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3472.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3470.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3471.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/347.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3468.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3469.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3467.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3465.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3466.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3463.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3464.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3462.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3460.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3461.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3459.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/346.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3458.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3456.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3457.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3455.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3453.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3454.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3452.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3450.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3451.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/345.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3448.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3449.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3446.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3447.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3445.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3443.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3444.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3442.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3440.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3441.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/344.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3438.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3439.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3436.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3437.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3435.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3433.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3434.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3431.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3432.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3430.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3429.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/343.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3427.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3428.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3426.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3425.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3424.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3423.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3421.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3422.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3420.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3419.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/342.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3417.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3418.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3416.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3414.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3415.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3413.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3411.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300593/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3412.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3410.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3409.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/341.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3407.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3408.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3406.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3404.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3405.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3402.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3403.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3401.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/340.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3400.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3399.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/34.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3397.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3398.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3396.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3394.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3395.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3392.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3393.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3391.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/339.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3390.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3388.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3389.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3387.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3385.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3386.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300564/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3383.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3384.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3381.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3382.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3380.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3379.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/338.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3377.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3378.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3376.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3374.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3375.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3372.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3373.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3370.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3371.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/337.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3368.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300544; rev:1;)
# ---------------------------------------------------------------------------
# The rules below are ThreatFox "payload delivery" URL IOCs for one host,
# 45.9.74.32: one rule per reported URL (/<number>.dll), all with
# confidence_level 100 and first_seen 2024_07_14. Each rule is kept on a
# single line.
#
# What each rule requires:
#   - an established, client-to-server HTTP GET from $HOME_NET;
#   - http.uri starting with the listed path, compared case-insensitively
#     (depth equals the pattern length; nothing anchors the end, so a longer
#     path or an appended query string still matches);
#   - http.host equal to the literal address (depth:10 together with
#     isdataat:!1,relative leaves no room before or after it).
#
# Triage notes:
#   - target:src_ip reports the requesting $HOME_NET client as the target,
#     so that client is the host to investigate when a rule fires.
#   - The rules match the request only. A hit shows that a client asked for
#     the file, not that the download completed or that the file ran;
#     confirm on the endpoint.
#   - Unlike the ip:port rules in this feed, these carry no threshold
#     keyword, so every matching request raises its own alert.
#   - sid is the ThreatFox IOC id prefixed with 9; the reference URL points
#     to the IOC record.
#   - These are exact-URL indicators. Use first_seen when deciding how long
#     to keep them, and back them with a retrospective search of proxy logs
#     for the same host.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3369.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3366.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3367.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3364.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3365.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3363.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3361.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3362.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/336.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3360.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3359.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3357.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3358.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3355.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3356.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3354.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3352.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3353.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3350.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3351.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3349.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/335.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3348.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3346.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3347.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3344.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3345.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3343.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3341.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3342.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/334.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3340.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3338.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3339.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3337.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3335.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3336.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3334.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3333.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3331.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3332.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3330.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3329.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3327.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3328.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3325.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3326.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3324.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3322.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3323.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3320.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3321.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/332.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3318.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3319.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3316.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3317.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3314.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3315.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3313.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3311.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3312.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3310.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3309.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/331.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3308.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3306.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3307.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3305.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3303.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3304.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3301.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3302.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3300.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/330.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3298.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3299.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3296.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3297.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3295.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3293.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3294.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3291.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3292.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3290.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3289.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/329.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3287.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3288.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3285.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3286.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3284.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3282.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3283.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3280.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3281.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/328.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3278.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3279.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3277.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3275.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3276.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3273.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3274.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300440/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3272.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3270.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3271.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3269.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/327.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3268.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3266.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3267.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3264.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3265.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3262.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3263.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3261.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/326.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3260.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3258.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3259.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3257.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3255.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3256.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3253.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3254.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3252.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3250.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3251.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3249.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/325.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3247.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3248.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3246.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3245.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300408/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3244.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3242.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3243.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3240.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3241.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3239.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/324.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3238.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3236.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3237.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3234.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3235.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3233.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3231.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3232.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/323.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3230.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3228.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300389; rev:1;)
#
# Reviewer notes for the "ThreatFox payload delivery (url ...)" rules that follow.
# The rules are laid out one per line, which is how Suricata expects to load them.
#
# Every complete rule in this run has the same shape; only the DLL file name, its
# depth value, the ThreatFox IOC reference and the sid differ:
#   - flow:established,from_client -> only the client request is inspected.
#   - http.method must contain "GET".
#   - http.uri must BEGIN with "/<digits>.dll" (depth equals the content length,
#     nocase). There is no isdataat:!1,relative on the URI, so this is a prefix
#     match: a query string or other trailing characters still match.
#   - http.host must be EXACTLY "45.9.74.32" (depth:10 plus isdataat:!1,relative).
#   - sid is the IOC id from the reference URL with a leading 9.
#   - target:src_ip records the requesting $HOME_NET client as the target in the
#     alert output, i.e. the host to investigate.
#
# Caveats for triage and tuning:
#   - An alert shows that an internal host requested the file, not that the file
#     was delivered; confirm with the HTTP response and file logs of the same flow.
#   - No threshold keyword is set on these rules, so each matching request alerts.
#   - "alert http" matches only traffic parsed as HTTP; the same host reached over
#     TLS is not covered by these signatures.
#   - The indicator is a bare IP address with first_seen 2024_07_14; re-check the
#     ThreatFox entry before relying on it long term, since addresses get reassigned.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3229.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3227.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3225.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3226.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3224.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3222.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3223.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3221.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/322.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3220.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3219.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3217.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3218.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3216.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3214.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3215.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3213.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3211.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3212.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3210.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3209.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/321.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3208.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3206.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3207.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3205.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3203.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3204.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3202.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3200.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3201.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/320.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3199.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3197.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3198.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3196.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3195.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3193.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3194.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3192.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3191.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3190.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/319.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3189.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3188.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3187.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3186.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3185.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3184.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3183.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3182.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3181.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3180.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/318.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3179.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3178.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3176.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3177.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3175.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3173.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3174.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3172.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3170.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3171.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/317.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3168.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3169.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3166.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3167.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3165.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3163.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3164.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3162.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3160.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3161.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/316.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3158.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3159.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3157.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3155.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3156.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3154.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3152.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3153.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3151.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/315.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3150.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3149.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3148.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3146.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3147.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3145.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3143.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3144.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3141.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3142.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3140.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3139.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/314.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3138.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3136.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3137.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3135.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3133.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3134.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300285/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3132.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3130.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3131.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/313.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3128.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3129.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3126.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3127.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3125.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3123.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3124.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3122.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3120.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3121.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/312.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3118.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3119.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3117.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3115.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3116.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3114.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3112.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3113.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3111.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/311.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3110.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/3109.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3107.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3108.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3106.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3104.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300252/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3105.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3103.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3101.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3102.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3100.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/310.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3099.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3097.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300243; rev:1;)
# --- Payload delivery: numbered .dll downloads from 45.9.74.32 (first_seen 2024_07_14) ---
# Each rule below alerts on an established client-to-server HTTP GET from
# $HOME_NET whose URI starts with "/<number>.dll" and whose Host is 45.9.74.32.
# The rules are kept byte-identical; only the one-rule-per-line layout is
# restored, because a Suricata rule cannot span lines without a continuation.
# Matching details:
#   - http.uri content with depth equal to the pattern length anchors the file
#     name at the start of the URI. Nothing anchors the end, so a request with
#     a trailing query string still matches. nocase applies to the URI match.
#   - http.host content with depth:10 and isdataat:!1,relative requires the
#     host buffer to be exactly "45.9.74.32".
#     NOTE(review): if the deployed Suricata version keeps a port in
#     http.host, requests to a non-default port would not match - confirm.
#   - target:src_ip marks the internal client as the alert target, i.e. the
#     host to triage.
# Scope: these are `alert http` rules, so they only inspect traffic parsed as
# HTTP; the same download inside TLS is not covered here.
# The rules differ only in the file name, the ThreatFox IOC reference and the
# sid (the IOC id prefixed with 9).
# Triage: an alert shows that the client requested the file, not that the DLL
# was delivered or run; check the HTTP response and endpoint telemetry for the
# source host. Single-IP indicators age, so review against first_seen.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3098.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3096.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3095.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3093.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3094.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3092.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3090.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3091.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/309.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3088.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3089.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3087.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3085.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3086.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3084.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3082.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3083.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3081.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/308.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3080.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3079.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3077.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3078.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3075.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3076.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3074.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3072.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3073.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3071.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/307.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3070.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3069.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3067.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3068.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3066.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3064.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3065.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3063.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3061.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3062.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/306.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3060.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3058.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3059.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3057.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3055.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3056.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3053.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3054.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3052.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3050.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3051.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3049.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/305.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3047.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3048.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3046.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3044.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3045.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3042.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3043.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3041.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/304.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3040.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3038.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3039.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3036.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3037.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3035.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3033.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3034.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3031.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3032.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3030.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3029.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/303.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3027.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3028.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3025.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3026.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3024.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3022.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3023.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3020.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3021.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/302.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3018.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3019.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3016.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3017.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3014.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3015.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3013.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3011.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3012.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/301.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3010.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3009.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3008.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3006.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3007.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3004.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3005.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3002.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3003.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3001.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/300.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3000.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.dll"; depth:6; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/2999.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2997.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2998.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2995.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2996.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300130/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_14; classtype:trojan-activity; sid:91300130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2994.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2992.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2993.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2990.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2991.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/299.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2988.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2989.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2986.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1300119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2987.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2985.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2983.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2984.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2981.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2982.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2980.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2979.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/298.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2977.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2978.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2975.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2976.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91300108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2974.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2972.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2973.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2970.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2971.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2969.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/297.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2968.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2966.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300097/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2967.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2964.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2965.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2963.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2961.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300092; rev:1;)
# Payload-delivery URL indicators hosted on 45.9.74.32 (ThreatFox, first_seen 2024_07_14).
# What each rule in this run matches: an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# URI begins with "/<number>.dll" (depth pins the pattern to the start of the buffer;
# nocase ignores case) and whose Host is exactly "45.9.74.32" (depth:10 together with
# isdataat:!1,relative rejects any byte after the address).
# The URI is not end-anchored, so a query string or suffix after ".dll" still matches.
# The rules differ only in the numeric file name, the ThreatFox IOC reference and the sid.
# target:src_ip tags the requesting internal host as the alert target: triage that client.
# Coverage notes for deployment:
#  - the http parser only sees cleartext; the same download over TLS is missed unless
#    traffic is decrypted upstream of the sensor;
#  - clients that reach the Internet through an internal proxy may not satisfy the
#    $HOME_NET -> $EXTERNAL_NET direction on the client-side leg (depends on sensor placement);
#  - unlike the ip:port rules in this feed, these carry no threshold, so repeated
#    requests alert each time;
#  - the indicator is an IP-literal host with a fixed first_seen date: review it for
#    staleness before reusing it for blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2962.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/296.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2960.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2959.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2957.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2958.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2955.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2956.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2954.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2952.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2953.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2950.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2951.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2949.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/295.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2948.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2946.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2947.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2944.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2945.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2943.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2941.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2942.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/294.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2940.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2939.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2937.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2938.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2935.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2936.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2933.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2934.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2932.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2930.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2931.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2929.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/293.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2928.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2926.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2927.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2924.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2925.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2923.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2921.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2922.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/292.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2920.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2918.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2919.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2917.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2916.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2914.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2915.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2912.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2913.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2911.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/291.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2910.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2908.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2909.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2907.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2905.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2906.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2904.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2902.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2903.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2900.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2901.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/290.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2899.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2898.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2896.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2897.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2895.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2893.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2894.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2892.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2890.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2891.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/289.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2889.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2887.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2888.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2886.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2884.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2885.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2883.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2882.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2881.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/288.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2880.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2879.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1300000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91300000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2878.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2877.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2876.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2874.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2875.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2873.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2871.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2872.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2870.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/287.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2868.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2869.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2867.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2865.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2866.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2864.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2863.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2861.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2862.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2860.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2859.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/286.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2858.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2857.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2855.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2856.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299975/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2854.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2853.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2851.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2852.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2850.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2849.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/285.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2848.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2847.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2845.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2846.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2844.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2842.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2843.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2841.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2840.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/284.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2839.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2837.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2838.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2836.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2835.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2833.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2834.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2832.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2830.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2831.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/283.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2828.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2829.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2827.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299943/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299943; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules in this part of the file
#
# Every complete rule below matches a plain-HTTP GET from $HOME_NET to
# $EXTERNAL_NET where:
#   - http.host is exactly "45.9.74.32" (depth:10 pins the start of the
#     buffer, isdataat:!1,relative pins the end);
#   - http.uri starts with a numbered "/<n>.dll" path (depth equals the
#     pattern length, nocase). The URI has no end anchor, so the same path
#     followed by a query string or any other suffix also matches.
#
# flow:established,from_client means the alert fires on the request alone:
# it records an attempted fetch, not that a DLL was actually served. Check
# the HTTP response and file logs for the flow before treating the client
# as infected.
#
# target:src_ip marks the source side (the $HOME_NET client) as the target
# of the alert, i.e. the host to investigate.
#
# These are HTTP app-layer rules; the same request carried inside TLS is not
# visible to them unless traffic is decrypted upstream of the sensor.
#
# One rule per ThreatFox IOC: in every rule shown here the sid is the IOC id
# from the reference URL prefixed with 9, so an alert maps straight back to
# its ThreatFox entry. first_seen is 2024_07_14 throughout; confirm the
# referenced entry is still current before acting on a hit.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2826.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2824.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2825.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2823.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2822.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2820.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2821.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/282.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2819.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2818.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2817.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2816.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2815.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2814.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2813.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2812.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2811.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2810.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/281.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2809.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2808.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2807.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2806.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2805.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2804.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2803.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2802.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2801.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2800.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/280.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/28.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2799.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2798.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2796.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2797.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2794.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2795.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2793.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2791.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2792.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/279.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2790.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2788.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2789.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2787.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2785.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2786.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2783.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2784.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2781.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2782.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2780.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2779.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/278.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2777.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2778.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2775.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2776.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2774.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2772.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2773.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2770.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2771.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/277.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2768.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2769.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2766.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2767.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2764.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2765.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2763.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2761.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2762.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/276.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2760.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2758.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2759.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2757.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2755.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2756.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2753.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2754.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2751.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2752.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2750.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2749.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/275.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2748.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2746.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2747.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2745.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2743.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2744.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299851/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2741.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2742.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/274.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2740.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2739.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2737.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2738.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2735.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2736.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2733.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2734.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2732.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2730.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2731.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2729.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/273.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2727.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2728.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2726.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2724.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2725.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2722.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2723.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2720.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2721.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/272.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2718.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2719.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2716.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2717.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2714.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299818/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2715.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2713.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2711.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2712.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/271.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2710.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2709.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2708.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2706.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2707.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2705.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2703.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2704.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2701.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2702.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2700.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/270.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2698.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2699.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2696.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2697.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2695.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2693.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2694.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2691.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2692.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299793; rev:1;)
# ---------------------------------------------------------------------------------------------
# Review notes: payload-delivery URL rules for HTTP host 45.9.74.32
#
# The rules in this run form one cluster. Each alerts on a client in $HOME_NET sending an
# HTTP GET whose URI starts with a numbered "/NNN.dll" or "/NNNN.dll" path and whose Host
# buffer is 45.9.74.32. They differ only in the file number, the ThreatFox IOC id in the
# reference, and the sid.
#
# How the match is built:
#  - http.uri: content plus a depth equal to the string length pins the path to the start of
#    the URI buffer. Nothing pins the end, so a request that appends a query string or other
#    characters after ".dll" still matches. nocase also covers ".DLL".
#  - http.host: content + depth:10 + isdataat:!1,relative requires the buffer to be exactly
#    the 10-byte literal, with no byte after it.
#    NOTE(review): whether a Host value carrying an explicit port still matches depends on how
#    the deployed Suricata version fills http.host - confirm on the sensor.
#  - target:src_ip records the internal client as the affected side of the alert.
#  - In the rules shown here the sid is the IOC id prefixed with 9, so an alert maps straight
#    back to its ThreatFox entry.
#
# Operational caveats:
#  - http.* buffers are filled only for traffic Suricata parses as HTTP. The same URL fetched
#    over TLS is not visible to these rules unless traffic is decrypted before the sensor.
#  - The indicator is an IP literal with first_seen 2024_07_14. Addresses get reassigned, so
#    check the referenced ThreatFox entry is still current before treating a hit from an old
#    copy of this feed as confirmed delivery.
#  - An alert shows the request only. Use flow/file logs to see whether a file was actually
#    returned, then triage the client host.
#  - NOTE(review): the feed header carries a "Last updated" stamp, so this file is presumably
#    regenerated upstream; keep local tuning (suppress/threshold entries, or a consolidated
#    local rule for this host) in a separate file rather than editing these lines.
# ---------------------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/269.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2690.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2689.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2687.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2688.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2685.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2686.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2683.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2684.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2682.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2680.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2681.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2679.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/268.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2677.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2678.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2676.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2674.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2675.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2672.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2673.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2671.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/267.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2670.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2668.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2669.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2666.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2667.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2665.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2663.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2664.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2661.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2662.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/266.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2660.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2659.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2657.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2658.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2655.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2656.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2653.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2654.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2652.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2650.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2651.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2649.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/265.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2647.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2648.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2646.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2644.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2645.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2642.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2643.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2640.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2641.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/264.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2638.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2639.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2636.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2637.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2634.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2635.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2633.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2631.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2632.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/263.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2630.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2628.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2629.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2627.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2625.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2626.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2623.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2624.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2621.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2622.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2620.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2619.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/262.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2617.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2618.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2616.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2615.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2613.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2614.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2611.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2612.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/261.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2610.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2609.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2607.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2608.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2605.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2606.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2603.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2604.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299696/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2602.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2600.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2601.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/260.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2598.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2599.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2597.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2595.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2596.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2593.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2594.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2592.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2590.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2591.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2589.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/259.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2588.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2586.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2587.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2584.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2585.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2582.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2583.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2581.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/258.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2580.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2578.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2579.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2577.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2575.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299663/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2576.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2573.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2574.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2572.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2570.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2571.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2569.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/257.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2567.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2568.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2566.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2564.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2565.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2562.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2563.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2561.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/256.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2560.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2558.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2559.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2556.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2557.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299643; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL IOCs for host 45.9.74.32
# (first_seen 2024_07_14, confidence_level 100). One rule per IOC; each sid is
# the ThreatFox IOC id from the rule's reference URL, prefixed with 9.
#
# How each rule matches:
#   - alert http + flow:established,from_client: only the client request is
#     inspected. An alert means a $HOME_NET host asked for the file, not that
#     the download completed; confirm with HTTP response and file/endpoint
#     telemetry before assuming delivery.
#   - http.uri content with depth equal to the pattern length (7, 8 or 9) and
#     nocase: the URI must begin with "/<number>.dll", in any letter case.
#     Nothing anchors the end of the URI, so a trailing query string or a
#     longer path after the pattern still matches.
#   - http.host content with depth:10 and isdataat:!1,relative: the host
#     buffer must be exactly "45.9.74.32" (nothing may follow the pattern).
#   - target:src_ip tags the requesting internal host as the affected side,
#     which is the address to start triage from.
#
# Coverage limits: these are HTTP-only signatures for one IP-literal host.
# The same files requested over TLS, under another hostname, or under another
# path do not match.
# NOTE(review): IP-based IOCs age quickly; re-check these rules against the
# current ThreatFox feed before relying on them long-term.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2555.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2553.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2554.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2551.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2552.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/255.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2550.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2549.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2547.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2548.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2545.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2546.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2544.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2542.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2543.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2540.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2541.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2539.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/254.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2538.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2536.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2537.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2534.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2535.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2533.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2531.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2532.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/253.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2530.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2529.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2527.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2528.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2525.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2526.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2524.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2522.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2523.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2521.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/252.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2520.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2518.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2519.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2517.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2515.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2516.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2513.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2514.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2511.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2512.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2510.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2509.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/251.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2507.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2508.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2506.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2504.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2505.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2502.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2503.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2500.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2501.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/250.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2499.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2497.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2498.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2496.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2494.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2495.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2492.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2493.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2490.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2491.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/249.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2488.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2489.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2486.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2487.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2484.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2485.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2483.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2481.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2482.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/248.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2480.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2479.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2477.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2478.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2475.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2476.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2474.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2472.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2473.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299550; rev:1;)
# More rules from the same group: client-to-server GET for "/<n>.dll" with the
# Host value exactly "45.9.74.32".
# Triage aid: each sid is the ThreatFox IOC id with a leading 9
# (sid:91299547 <-> threatfox.abuse.ch/ioc/1299547/), so the reference URL can
# be rebuilt from the signature id carried in an alert.
# Three-digit names ("/247.dll", "/246.dll", "/245.dll") use depth:8 and the
# four-digit names depth:9. In both cases the pattern must start the URI, so
# "/247.dll" does not fire on a request for "/2470.dll".
# None of these rules sets a threshold: every matching request raises its own
# alert.
# NOTE(review): the partial rule text at the top and bottom of this group is
# wrapped from neighbouring lines; re-join it so each rule sits on one physical
# line before the file is loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2470.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2471.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2469.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/247.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2468.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2466.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2467.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2464.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2465.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2463.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2461.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2462.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2460.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2459.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/246.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2457.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2458.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2455.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2456.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2454.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2452.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2453.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2450.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2451.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/245.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2448.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2449.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2447.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2445.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2446.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2443.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299517; rev:1;)
# Coverage notes for this group (client-to-server GET for "/<n>.dll", Host
# value exactly "45.9.74.32"):
#   - The header is $HOME_NET -> $EXTERNAL_NET. If clients reach the internet
#     through a proxy whose address is inside $HOME_NET, the client-to-proxy
#     leg does not match; the sensor has to see the outbound leg.
#   - The http protocol keyword and the http.* buffers need parsed cleartext
#     HTTP. The same fetch over TLS is not visible to these rules unless the
#     traffic is decrypted before inspection.
#   - Matching is on the Host value, not on the destination address, so a
#     request to that address carrying a different Host value is not covered.
#     NOTE(review): http.host is expected to be lower-cased with any ":port"
#     removed — confirm for the Suricata version in use.
# NOTE(review): the partial rule text at the top and bottom of this group is
# wrapped from neighbouring lines; re-join it so each rule sits on one physical
# line before the file is loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2444.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2442.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2440.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2441.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2439.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/244.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2438.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2436.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2437.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2434.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2435.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2433.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2432.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2430.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2431.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2429.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/243.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2428.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2427.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2425.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2426.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2423.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2424.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2421.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2422.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2420.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2419.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/242.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2417.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2418.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2416.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299487; rev:1;)
# More rules from the 45.9.74.32 "/<n>.dll" group. They differ only in the URI
# pattern (and its depth), the ThreatFox IOC reference and the sid. All carry
# metadata confidence_level 100 and first_seen 2024_07_14, classtype
# trojan-activity, and rev:1.
# NOTE(review): these are point-in-time indicators. Whether the host still
# serves these paths cannot be told from the rule text, so re-check against the
# current feed export before relying on, or suppressing, these sids.
# NOTE(review): the partial rule text at the top and bottom of this group is
# wrapped from neighbouring lines; re-join it so each rule sits on one physical
# line before the file is loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2414.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2415.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2412.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2413.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2410.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2411.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/241.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2408.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2409.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2406.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2407.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2405.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2403.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2404.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2401.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2402.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2400.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/24.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/240.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2398.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2399.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2397.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2395.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2396.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2394.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2392.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2393.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2391.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/239.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2390.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2389.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2387.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2388.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2386.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2384.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2385.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2383.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2382.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2380.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2381.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299448/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/238.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2379.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2377.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2378.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2376.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2375.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2374.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2373.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2372.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2371.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2370.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/237.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2369.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2368.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2367.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2366.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2365.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2364.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2363.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2362.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2361.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/236.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2360.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2358.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2359.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2357.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2355.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2356.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2354.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2352.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2353.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299417/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2351.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/235.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2350.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2348.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2349.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2347.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2345.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2346.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2344.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2342.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2343.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2340.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2341.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/234.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2338.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2339.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2337.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2335.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2336.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2333.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2334.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2330.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2331.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/233.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2328.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2329.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2327.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2325.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2326.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2324.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299385/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2322.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2323.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2321.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/232.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2320.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2319.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2317.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2318.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2316.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2314.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2315.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2313.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2311.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2312.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2310.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2309.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/231.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2307.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2308.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2306.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2304.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2305.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2303.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2301.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2302.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/230.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2300.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/23.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2298.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2299.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2297.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299354/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2295.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2296.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2293.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2294.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2292.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2290.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2291.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/229.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2288.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2289.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2287.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2285.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2286.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2283.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299339; rev:1;)
# Review notes for this run of rules (one rule per ThreatFox IOC; each sid is "9" followed by the
# IOC id shown in the rule's reference URL):
# - A rule fires on a client-to-server HTTP request (flow:established,from_client) leaving $HOME_NET
#   whose method buffer contains "GET", whose URI begins with the numbered .dll path, and whose
#   host buffer is exactly 45.9.74.32.
# - The URI match is a case-insensitive prefix match: depth equals the pattern length and there is
#   no end anchor on http.uri, so a request that appends a query string or further characters
#   after ".dll" still alerts.
# - The host match is anchored at both ends (depth:10 plus isdataat:!1,relative).
#   NOTE(review): whether a Host header that carries an explicit port still matches depends on how
#   the engine normalises http.host - confirm on the deployed Suricata version.
# - target:src_ip tags the $HOME_NET client as the affected side, so triage starts at the source host.
# - first_seen in metadata is the only age marker in these rules.
#   NOTE(review): the indicator is a bare IP address - consider an expiry review for old entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2284.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2282.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2280.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2281.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/228.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2279.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2277.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2278.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2276.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2274.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2275.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2273.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2271.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2272.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2270.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2269.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/227.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2268.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2266.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2267.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2264.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2265.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2263.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2261.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2262.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2260.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2259.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/226.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2258.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2256.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2257.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299310; rev:1;)
# Review notes for this run of rules (one rule per ThreatFox IOC; each sid is "9" followed by the
# IOC id shown in the rule's reference URL):
# - A rule fires on a client-to-server HTTP request (flow:established,from_client) leaving $HOME_NET
#   whose method buffer contains "GET", whose URI begins with the numbered .dll path, and whose
#   host buffer is exactly 45.9.74.32.
# - The URI match is a case-insensitive prefix match: depth equals the pattern length and there is
#   no end anchor on http.uri, so a request that appends a query string or further characters
#   after ".dll" still alerts.
# - The host match is anchored at both ends (depth:10 plus isdataat:!1,relative).
#   NOTE(review): whether a Host header that carries an explicit port still matches depends on how
#   the engine normalises http.host - confirm on the deployed Suricata version.
# - target:src_ip tags the $HOME_NET client as the affected side, so triage starts at the source host.
# - first_seen in metadata is the only age marker in these rules.
#   NOTE(review): the indicator is a bare IP address - consider an expiry review for old entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2254.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2255.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2253.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2251.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2252.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2250.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2249.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/225.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2248.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2246.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2247.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2245.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2243.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2244.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2241.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2242.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2240.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2239.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/224.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2238.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2236.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2237.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2235.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2233.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2234.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2231.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2232.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2230.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2229.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/223.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2228.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299278; rev:1;)
# Review notes for this run of rules (one rule per ThreatFox IOC; each sid is "9" followed by the
# IOC id shown in the rule's reference URL):
# - A rule fires on a client-to-server HTTP request (flow:established,from_client) leaving $HOME_NET
#   whose method buffer contains "GET", whose URI begins with the numbered .dll path, and whose
#   host buffer is exactly 45.9.74.32.
# - The URI match is a case-insensitive prefix match: depth equals the pattern length and there is
#   no end anchor on http.uri, so a request that appends a query string or further characters
#   after ".dll" still alerts.
# - The host match is anchored at both ends (depth:10 plus isdataat:!1,relative).
#   NOTE(review): whether a Host header that carries an explicit port still matches depends on how
#   the engine normalises http.host - confirm on the deployed Suricata version.
# - target:src_ip tags the $HOME_NET client as the affected side, so triage starts at the source host.
# - first_seen in metadata is the only age marker in these rules.
#   NOTE(review): the indicator is a bare IP address - consider an expiry review for old entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2226.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2227.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2224.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2225.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2223.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2221.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2222.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/222.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2220.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2218.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2219.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2217.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2215.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2216.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2213.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2214.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2211.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2212.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2210.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2209.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/221.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2207.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2208.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2206.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2204.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2205.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2202.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2203.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2200.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2201.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/220.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2199.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2197.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2198.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2195.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2196.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2194.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2193.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2191.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2192.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2190.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2189.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/219.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2187.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2188.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2185.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2186.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299231/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2184.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2182.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2183.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2180.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2181.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2179.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/218.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2178.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2176.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2177.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2174.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2175.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2172.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2173.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2171.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/217.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2170.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2168.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2169.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2166.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2167.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2165.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2163.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2164.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2161.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2162.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/216.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2160.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2159.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2157.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2158.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299200/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2155.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2156.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2154.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2152.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2153.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2150.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2151.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2149.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/215.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299191; rev:1;)
# ThreatFox "payload delivery" URL IOCs for host 45.9.74.32, one rule per file name.
# Match logic, identical in every rule of this group:
#   - flow:established,from_client + http.method "GET": a client request on an established flow.
#   - http.uri: depth equals the pattern length, so the path must sit at the very start of the
#     URI; nocase makes the comparison case-insensitive. The URI has no end anchor, so the same
#     path followed by a query string or further characters also matches.
#   - http.host: depth:10 plus isdataat:!1,relative pins the Host buffer to exactly 45.9.74.32.
# Each sid is the ThreatFox IOC id from the rule's reference URL prefixed with 9, so an alert
# maps straight back to the IOC record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2148.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2146.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2147.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2144.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2145.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2142.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2143.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2141.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/214.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2140.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2138.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2139.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2136.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299176; rev:1;)
# Triage note for the payload-delivery rules below: every keyword inspects the request
# (GET method, URI, Host), so an alert shows that a $HOME_NET client asked 45.9.74.32 for
# the file, not that a DLL was actually returned. Check the HTTP response and any file
# logging for the same flow before concluding the client received the payload.
# target:src_ip marks the requesting internal client as the alert's target.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2137.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2135.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2133.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2134.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2131.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2132.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/213.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2130.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2129.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2127.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2128.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2125.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2126.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2123.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299162; rev:1;)
# Coverage caveat: these are `alert http` rules, so they fire only where the sensor parses
# the traffic as HTTP. Requests for the same paths over TLS are not visible to them without
# decryption; flow/IP-level telemetry for 45.9.74.32 is the fallback in that case.
# The header is $HOME_NET -> $EXTERNAL_NET, so correct HOME_NET scoping on the sensor is a
# precondition for any of these rules to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2124.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2122.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2120.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2121.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2119.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/212.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2118.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2116.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2117.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2114.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2115.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2112.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2113.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299151; rev:1;)
# The short names (e.g. /211.dll, depth:8) do not shadow the four-digit ones (e.g. /2110.dll,
# depth:9): ".dll" is part of each pattern and the depth pins the pattern to the start of the
# URI, so a given request path can trigger at most the one rule for that file name.
# Expect one alert per requested file, not a burst across the series.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2111.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/211.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2110.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2108.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2109.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2106.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2107.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2105.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2103.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2104.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2101.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2102.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2100.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299137/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299137; rev:1;)
# The metadata field carries the feed's own context: confidence_level 100 and
# first_seen 2024_07_14 on every rule in this group. Nothing in a rule makes it expire.
# NOTE(review): the indicator is a bare IP address plus numbered file names; decide locally
# how long such entries stay loaded and whether later reuse of the address by an unrelated
# service could turn them into false positives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/210.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2099.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2097.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2098.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2095.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2096.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2094.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2092.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2093.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2091.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2090.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2089.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/209.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299124; rev:1;)
# The Host match in these rules is exact: depth:10 covers the ten bytes of "45.9.74.32" and
# isdataat:!1,relative requires that nothing follows them in the http.host buffer.
# NOTE(review): confirm how http.host treats a Host header that carries an explicit port
# before assuming requests to a non-default port are covered by these signatures.
# The URI side is looser: start-anchored by depth, case-insensitive, no end anchor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2087.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2088.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2086.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2084.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2085.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2082.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2083.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2080.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2081.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/208.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2078.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2079.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2076.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299109; rev:1;)
# The rule action is `alert`: these signatures record the request and do not stop it.
# Blocking the downloads needs an inline deployment and a deliberate change of action by
# the operator.
# classtype:trojan-activity is used although msg says "payload delivery"; alert priority
# comes from the sensor's classtype mapping, so these rank with other trojan-activity hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2077.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2074.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2075.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2073.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2071.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2072.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/207.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2070.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2069.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2067.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2068.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2065.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2066.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2063.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2064.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2062.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2060.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2061.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2059.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/206.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2058.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2056.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2057.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2054.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2055.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2053.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2051.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2052.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/205.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2050.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/2049.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2047.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2048.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2045.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2046.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299076/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2043.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2044.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2041.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2042.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2040.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2039.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/204.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2037.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2038.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1299067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2036.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2034.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2035.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2032.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2033.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2030.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2031.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2029.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/203.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2028.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2026.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2027.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2024.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91299052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2025.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2021.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/202.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2020.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2018.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2019.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2016.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299043/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2017.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2015.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2013.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2014.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2011.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299038; rev:1;)
#
# ThreatFox "payload delivery" URL rules for HTTP host 45.9.74.32
# (first_seen 2024_07_14, confidence_level 100), one rule per line.
#
# Every rule in this run has the same shape; only the URI, the ThreatFox IOC
# id in reference:, and the sid change (in this run the sid is "9" followed by
# that IOC id):
#   - flow:established,from_client + http.method "GET": client requests only,
#     from $HOME_NET to $EXTERNAL_NET.
#   - http.uri content with depth equal to the pattern length: the URI must
#     START with "/<number>.dll" (nocase). The URI has no end anchor, so
#     anything following ".dll" (for example a query string) still matches.
#   - http.host content with depth:10 and isdataat:!1,relative: the host
#     buffer must be exactly "45.9.74.32", with nothing before or after it.
#   - target:src_ip: the $HOME_NET client is recorded as the affected endpoint.
#
# Triage notes:
#   - A hit shows that an internal host REQUESTED one of these DLLs. It does
#     not show that the file was served or loaded; confirm with the HTTP
#     response / file logs and with endpoint telemetry for the source host.
#   - Coverage is per listed file name. A request to the same host for a name
#     that is not listed produces no alert from these rules.
#   - These are alert http rules, so they need HTTP that the sensor can parse;
#     traffic to the same address inside TLS is not inspected by them.
#   - IP-based indicators age. NOTE(review): check the feed's current status
#     for this host before treating an old hit as confirmed delivery.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2012.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2010.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/201.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2009.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2007.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2008.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2006.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2004.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2005.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2002.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2003.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2000.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2001.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/200.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.dll"; depth:6; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1998.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1999.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1996.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1997.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1995.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1993.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1994.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1991.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1992.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1990.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1989.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/199.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1987.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1988.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1986.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1984.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1985.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1982.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1983.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1980.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1981.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/198.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1978.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1979.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1299000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91299000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1976.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1977.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1974.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1975.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1973.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1971.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1972.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/197.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1970.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1969.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1967.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1968.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1965.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1966.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1963.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1964.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1962.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1960.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1961.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1959.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/196.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1957.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1958.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1956.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1954.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1955.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1952.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1953.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1951.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/195.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1950.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1949.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1947.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1948.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1945.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1946.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1944.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1943.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1942.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1941.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1940.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/194.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1939.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1938.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1937.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1936.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1935.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1934.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1933.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1932.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1931.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/193.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1930.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1929.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1927.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1928.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1925.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1926.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1923.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1924.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1922.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1920.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1921.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1919.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/192.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1917.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1918.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1916.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1914.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1915.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1912.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1913.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1910.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1911.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/191.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1908.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1909.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1906.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1907.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298921/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1904.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1905.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1902.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1903.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1901.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/190.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1900.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1899.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1898.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1896.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1897.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1894.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1895.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1892.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1893.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1891.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/189.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1890.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1888.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1889.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1886.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1887.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1885.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1883.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1884.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1881.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1882.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1880.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1879.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/188.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298890/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298890; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL rules for HTTP host 45.9.74.32.
#
# The rules in this run are identical except for the file name matched in
# http.uri, the ThreatFox IOC id in `reference`, and the sid (the IOC id
# prefixed with 9).
#
# Each rule alerts on a client request from $HOME_NET to $EXTERNAL_NET on an
# established flow when all three sticky buffers match:
#   http.method  contains "GET"
#   http.uri     starts with "/<number>.dll"; `depth` equals the pattern
#                length, which pins the match to offset 0. `nocase` applies.
#                There is no end anchor, so a trailing query string or suffix
#                after ".dll" still matches.
#   http.host    is exactly "45.9.74.32"; depth:10 plus isdataat:!1,relative
#                leaves no room before or after the pattern.
# target:src_ip marks the internal client as the affected side of the alert.
#
# NOTE(review): these are `alert http` rules, so they only fire on requests
# the engine parses as HTTP. The same host reached over TLS is not covered
# here unless traffic is decrypted upstream of the sensor.
# NOTE(review): coverage is limited to the enumerated file names. A numbered
# .dll path that is not listed produces no alert from this run. If host-level
# coverage is wanted, confirm whether a separate rule keyed on the host
# already exists in the local ruleset.
# NOTE(review): every entry carries first_seen 2024_07_14. An IP-literal host
# indicator can go stale once the address is reassigned, so check the
# referenced IOC page before treating a hit as confirmed.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1877.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1878.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1875.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1876.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1874.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1872.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1873.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1870.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1871.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1869.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/187.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1868.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1866.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1867.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1864.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1865.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1862.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1863.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1861.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/186.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1860.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1858.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1859.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1856.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1857.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1855.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1853.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1854.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1851.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1852.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/185.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1850.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1849.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1847.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1848.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1845.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1846.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1843.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1844.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1842.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1840.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1841.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/184.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1838.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1839.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1836.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1837.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1834.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1835.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1833.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1831.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1832.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/183.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1830.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1828.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1829.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1827.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1825.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1826.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1823.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1824.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1821.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1822.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/182.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1820.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1819.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1817.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1818.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1815.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1816.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1813.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1814.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1812.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1810.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1811.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1809.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/181.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1807.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1808.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1806.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1804.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1805.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1802.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1803.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1800.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1801.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/180.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1799.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1797.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1798.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1795.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1796.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298797/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1793.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1794.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1792.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1790.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1791.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1789.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/179.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1787.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1788.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1786.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1784.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1785.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1782.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1783.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1780.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1781.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/178.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1778.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1779.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1776.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1777.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1774.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1775.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1772.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1773.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1771.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/177.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1770.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1768.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1769.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1766.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298764/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1767.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1765.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1763.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1764.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1761.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1762.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1760.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1759.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/176.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1758.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1756.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1757.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1755.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1753.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1754.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1751.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1752.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1750.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1749.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/175.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1748.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1746.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1747.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1745.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1743.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1744.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1741.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298737; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL rules for host 45.9.74.32
#
# Every rule in this run has the same shape; only the file name, the ThreatFox
# IOC reference and the sid change (sid is "9" followed by the IOC id):
#   * alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client,
#     method GET.
#   * http.uri begins with "/<number>.dll". depth equals the pattern length, so
#     the match is pinned to offset 0 of the URI buffer, and nocase applies.
#     There is no end-of-buffer check on the URI, so a longer URI with the same
#     prefix (for example with a query string appended) also matches. The dot
#     is part of the pattern, so "/17.dll" does not match "/1741.dll".
#   * http.host is exactly "45.9.74.32": depth:10 plus isdataat:!1,relative
#     means nothing may follow the match in the host buffer.
#   * target:src_ip marks the $HOME_NET client as the affected side of the alert.
#
# Notes for whoever deploys this feed:
#   - No threshold keyword is set, so every matching request raises an alert.
#   - alert http only fires on traffic the engine parses as HTTP; the same URL
#     fetched over TLS is not visible to these rules without decryption.
#   - An alert shows that an internal host requested one of these paths. Check
#     the HTTP response and file logs to confirm a payload was actually
#     returned before treating the host as compromised.
#   - All entries carry first_seen 2024_07_14. Indicators tied to a bare IP
#     address go stale; review them for retirement on the usual IOC-ageing
#     schedule.
#   - NOTE(review): a Host header carrying an explicit port is presumably only
#     covered if the engine strips the port before filling http.host; confirm
#     on the deployed Suricata version.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1742.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/174.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1740.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1739.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1737.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1738.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1736.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1734.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1735.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1732.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1733.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1730.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1731.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/173.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1728.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1729.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1727.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1725.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1726.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1723.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1724.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1722.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1720.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1721.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/172.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1718.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1719.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1716.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1717.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1715.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1713.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1714.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1712.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1711.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1710.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/171.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1709.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1708.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1707.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1706.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1705.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1704.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1703.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1702.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1701.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1700.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/170.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1699.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/17.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1697.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1698.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1696.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1694.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1695.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1693.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1691.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1692.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/169.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1690.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1688.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1689.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1687.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1685.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1686.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1683.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1684.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1681.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1682.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1680.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1679.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/168.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1677.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1678.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1676.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1675.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1673.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1674.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1672.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1670.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1671.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1669.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/167.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1667.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1668.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1665.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1666.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1664.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1662.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1663.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1660.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1661.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1659.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/166.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1658.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1656.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1657.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1654.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298640/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1655.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1652.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1653.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1651.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/165.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1650.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1648.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1649.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1647.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1645.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1646.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1643.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1644.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1641.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1642.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1640.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1639.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/164.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1637.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1638.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1635.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1636.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1633.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1634.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1632.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1630.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1631.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1629.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/163.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1628.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1626.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298609/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1627.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1624.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1625.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1622.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1623.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1621.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/162.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1620.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1618.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1619.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1616.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1617.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1615.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1613.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1614.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1611.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1612.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1610.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1609.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/161.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1607.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1608.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1605.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1606.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1604.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1602.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1603.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298584; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL indicators for the host 45.9.74.32
# (first_seen 2024_07_14, confidence_level 100). One rule per IOC: each rule
# cites its own ThreatFox entry in reference:url, and its sid is that IOC id
# prefixed with 9. The line directly above this comment and the last line of
# this span are parts of rules that continue outside it.
#
# What each rule matches:
#   - alert http ... flow:established,from_client: a client request on an
#     established flow from $HOME_NET to $EXTERNAL_NET.
#   - http.method contains "GET".
#   - http.uri starts with the listed path: depth equals the length of the
#     content ("/16.dll" -> 7, "/160.dll" -> 8, "/1600.dll" -> 9) and nocase
#     makes the comparison case-insensitive. The URI has no end anchor, so a
#     longer URI that begins with the path (for example one carrying a query
#     string) matches as well.
#   - http.host is exactly "45.9.74.32": depth:10 pins the start of the
#     buffer and isdataat:!1,relative requires that nothing follows the match.
#   - target:src_ip records the requesting $HOME_NET host as the target.
#
# NOTE(review): no threshold keyword is set on these rules, so every matching
# request raises its own alert.
# NOTE(review): coverage is limited to the enumerated paths, the GET method
# and traffic Suricata parses as HTTP; a request to this host that differs in
# any of those raises no alert from these rules. Whether the host is also
# covered by an ip:port rule is not visible in this span -- confirm.
# NOTE(review): the indicators date from 2024_07_14; check them against the
# current ThreatFox feed before relying on them.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1600.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1601.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/16.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/160.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1599.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1597.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1598.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1595.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1596.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1593.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1594.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1592.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1590.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1591.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1589.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/159.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1587.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1588.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1586.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1584.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1585.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1583.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1581.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1582.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/158.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1580.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1579.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1577.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1578.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1575.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1576.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1573.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1574.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1572.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1570.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1571.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1569.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/157.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1567.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1568.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1566.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1564.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1565.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1562.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1563.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1560.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1561.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/156.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1559.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1558.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1556.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1557.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1555.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1553.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1554.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1551.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1552.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1550.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1549.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/155.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1548.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1546.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1547.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1545.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1543.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1544.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1542.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1540.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1541.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/154.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1538.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1539.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1537.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1536.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1535.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1534.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1533.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1532.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1531.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1530.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/153.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1529.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1528.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1527.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1526.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1525.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1524.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1523.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1522.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1521.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1520.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/152.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1519.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1518.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1516.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1517.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1515.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298486/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1513.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1514.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1512.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1510.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1511.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1509.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/151.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1508.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1506.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1507.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1505.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1503.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1504.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1502.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1500.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1501.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/150.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1499.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1498.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1497.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1496.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1494.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1495.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1492.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1493.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1491.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1490.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1489.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/149.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1488.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298455/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1487.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1486.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1484.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1485.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1483.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1481.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1482.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1480.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1479.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/148.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1477.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1478.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1476.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1474.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1475.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1473.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1471.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1472.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298438; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL indicators for host 45.9.74.32
# (every rule below: confidence_level 100, first_seen 2024_07_14).
#
# What each rule matches:
#   - HTTP parsed by the sensor, $HOME_NET -> $EXTERNAL_NET, client side of an
#     established flow, request method GET.
#   - http.uri starting with a numbered DLL path such as "/1470.dll". depth
#     equals the content length, so the match is pinned to the start of the
#     URI; nocase makes it case-insensitive. Nothing pins the end, so a URI
#     that continues after ".dll" still matches.
#   - http.host equal to 45.9.74.32: depth:10 together with
#     isdataat:!1,relative leaves no room for bytes before or after it.
#
# Notes for deployment and triage:
#   - Only request buffers are inspected, so an alert means an internal host
#     asked for the DLL, not that it was delivered. Confirm with the HTTP
#     response / file-transaction logs before treating the host as infected.
#   - These keywords see HTTP only; requests inside TLS are not covered
#     unless traffic is decrypted upstream of the sensor.
#   - target:src_ip marks the $HOME_NET client as the affected side.
#   - There is no threshold keyword on these rules, so every matching
#     request raises its own alert.
#   - In the rules below, sid is "9" followed by the ThreatFox IOC id that
#     appears in the reference URL, which lets an alert be traced back to
#     its feed entry.
#   - NOTE(review): IP-based indicators go stale; first_seen is available in
#     metadata if local policy expires old entries. Confirm the retention
#     policy with the feed's terms before pruning.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1470.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1469.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/147.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1468.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1466.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1467.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1465.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1463.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1464.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1462.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1460.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1461.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/146.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1458.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1459.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1457.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1456.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1454.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1455.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1453.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1452.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1450.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1451.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/145.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1449.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1447.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1448.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1446.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1445.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1443.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1444.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1442.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1440.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1441.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/144.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1439.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1437.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1438.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1436.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1434.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1435.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1432.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1433.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1431.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1430.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/143.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1429.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1428.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1426.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1427.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1425.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1423.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1424.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1421.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1422.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1420.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1419.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/142.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1418.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1417.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1415.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1416.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1414.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1412.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1413.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1411.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1410.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1409.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/141.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1408.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1407.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1405.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1406.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1404.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1402.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1403.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1400.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1401.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/140.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1399.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/14.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1397.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1398.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1395.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1396.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1394.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1392.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1393.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1390.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1391.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/139.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1389.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1387.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1388.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1385.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1386.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1384.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1382.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1383.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1381.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/138.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1380.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1379.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1377.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1378.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1376.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298331/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1374.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1375.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1373.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1371.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1372.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1370.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1369.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/137.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1367.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1368.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1366.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1364.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1365.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1363.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1362.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1360.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1361.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/136.dll"; depth:8; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1358.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1359.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1357.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1355.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1356.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1354.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1352.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1353.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1351.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/135.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1350.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1349.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1347.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298298/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1348.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1346.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1345.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1344.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1342.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1343.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1341.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1340.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1339.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/134.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1338.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1337.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1335.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1336.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298286; rev:1;)
# Payload-delivery URL rules for host 45.9.74.32 (ThreatFox IOCs, first_seen 2024_07_14).
# One rule per IOC; the sid is the IOC id from the reference URL with a leading 9.
# Each rule alerts on a client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET where:
#   - http.uri starts with the listed "/<number>.dll" (depth equals the pattern length, so
#     only the start is anchored; nocase) -- a longer URI, e.g. with a query string, still matches;
#   - http.host is exactly "45.9.74.32" (depth:10 plus isdataat:!1,relative anchors both ends).
# target:src_ip marks the $HOME_NET client as the target side of the alert.
# Only the request is inspected (flow:from_client): an alert shows that a host asked for the
# file, not that the DLL was returned, so confirm against the HTTP response or file logs.
# These are http rules, so a fetch the HTTP parser does not see (for example inside TLS)
# is not covered here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1334.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1333.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1331.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1332.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1330.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1329.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/133.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1328.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1326.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1327.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1325.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1324.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1322.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1323.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1321.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/132.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1320.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1319.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1317.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1318.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1316.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1315.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1313.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1314.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1312.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1310.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1311.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/131.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1309.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1307.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1308.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1306.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1304.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1305.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1303.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1302.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1301.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1300.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/13.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/130.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1299.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1298.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1297.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1296.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1295.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1293.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1294.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1292.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1291.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1290.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1289.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1288.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1286.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1287.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1285.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1283.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1284.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1282.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1280.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1281.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/128.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1278.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1279.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1277.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1275.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1276.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1274.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1273.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1271.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1272.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/127.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1270.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1269.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1267.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1268.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1265.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1266.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1263.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1264.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1262.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1260.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1261.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1259.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/126.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1258.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1256.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1257.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1254.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1255.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1252.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1253.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1250.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1251.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/125.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1248.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1249.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1246.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1247.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1244.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1245.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1243.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1241.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1242.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/124.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1240.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1238.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1239.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1236.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1237.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298176/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1235.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1233.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1234.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1231.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1232.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1230.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1228.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1229.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1227.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1225.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1226.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1223.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1224.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1221.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1222.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/122.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1220.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1219.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1217.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1218.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1215.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1216.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1213.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1214.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1212.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1210.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1211.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1209.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/121.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1207.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298143/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1208.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1206.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1204.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1205.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1202.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1203.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1201.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/120.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1200.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1198.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1199.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1196.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1197.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1194.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1195.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1192.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1193.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1191.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/119.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1190.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1188.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1189.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1186.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1187.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1184.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1185.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1183.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1181.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1182.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/118.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298112/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1180.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1178.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1179.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1176.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1177.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1175.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1173.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1174.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1171.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1172.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/117.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1170.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1169.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1167.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1168.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1165.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1166.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1164.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1162.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1163.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1160.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1161.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1159.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/116.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1158.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1156.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1157.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1154.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1155.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1152.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1153.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298083/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1151.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/115.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1150.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1149.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1147.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1148.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1146.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1144.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1145.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1298074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1142.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1143.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1141.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/114.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1140.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1139.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1138.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1136.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1137.dll"; depth:9; nocase; http.host; 
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1135.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1134.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1133.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1132.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; 
sid:91298060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1131.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1130.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/113.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1129.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1128.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1127.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1126.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1125.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1124.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298051/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298051; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1122.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1123.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1121.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/112.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level:
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1120.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298047; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1118.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1119.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1116.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1117.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1298043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298043; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1114.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1115.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1113.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1111.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1112.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298038; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/111.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1110.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1108.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1109.dll"; depth:9; nocase; http.host;
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298034; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1106.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1107.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1105.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1103.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity;
sid:91298028; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1104.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1101.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1102.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/110.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/1100.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298025; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1098.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1099.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1096.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298019/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298019; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32: the http.uri content is a prefix match pinned to offset 0 by depth,
# and http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative). No threshold is set, so every matching GET alerts.
# The domain rule (feed confidence 49%) matches only a DNS query for exactly the listed name, case-insensitively:
# depth equals the name length and isdataat:!1,relative forbids trailing bytes, so subdomain lookups do not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1097.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1095.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ilusofficial.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298015/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1093.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/1094.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298017; rev:1;)
# Domain rules (feed confidence 49%) match only a DNS query for exactly the listed name, case-insensitively:
# depth equals the name length and isdataat:!1,relative forbids trailing bytes, so subdomain lookups do not fire.
# The payload-delivery rule for HTTP host 45.9.74.32 is a prefix match on http.uri (depth pins it to offset 0)
# with an exact http.host match. No rule here sets a threshold, so every matching query or request alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"notliion.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298009/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"notlon.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298010/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1091.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"notlilon.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298012/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"findreaders.com"; depth:15; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298013/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298013; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32: the http.uri content is a prefix match pinned to offset 0 by depth,
# and http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative). No threshold is set, so every matching GET alerts.
# The domain rule (feed confidence 49%) matches only a DNS query for exactly the listed name, case-insensitively:
# depth equals the name length and isdataat:!1,relative forbids trailing bytes, so subdomain lookups do not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1092.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/109.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"amydlesk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298006/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1090.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic
(domain - confidence level: 49%)"; dns_query; content:"notilon.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1298008/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91298008; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1089.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1087.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1088.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1085.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298000/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298000; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1086.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1298001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91298001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1084.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1082.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1083.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level:
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1081.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297996; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/108.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1080.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1078.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1079.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1297993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297993; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1077.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1075.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1076.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1073.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1074.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297988; rev:1;)
# ThreatFox payload-delivery rules for HTTP host 45.9.74.32, one rule per numbered DLL path.
# depth pins the http.uri content to offset 0 but nothing anchors its end, so the path is a prefix match;
# http.host must be exactly 45.9.74.32 (depth:10 plus isdataat:!1,relative).
# No threshold is set, so every matching GET raises an alert; target:src_ip marks the $HOME_NET client as the affected side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1072.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1070.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1071.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1069.dll"; depth:9; nocase; http.host;
content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297978; rev:1;)
# Domain rules (feed confidence 49%) match only a DNS query for exactly the listed name, case-insensitively:
# depth equals the name length and isdataat:!1,relative forbids trailing bytes, so subdomain lookups do not fire.
# The payload-delivery rule for HTTP host 45.9.74.32 is a prefix match on http.uri (depth pins it to offset 0)
# with an exact http.host match. No rule here sets a threshold, so every matching query or request alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"topttr.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297979/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"trust-flare.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297980/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"trust-flare.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297981/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/107.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"trustdwnl.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1297983/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297983; rev:1;)
# Domain rules (feed confidence 49%) match only a DNS query for exactly the listed name, case-insensitively:
# depth equals the name length and isdataat:!1,relative forbids trailing bytes, so subdomain lookups do not fire.
# The payload-delivery rule for HTTP host 45.9.74.32 is a prefix match on http.uri (depth pins it to offset 0)
# with an exact http.host match. No rule here sets a threshold, so every matching query or request alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"prkl-ads.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297973/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"prkl-ads.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297974/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1068.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"test-pn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297976/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"test-pn.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297977/; target:src_ip; metadata: confidence_level
49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"new-prok.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297968/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1066.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"newtorpan.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297970/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"newtorpan.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297971/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1067.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297972/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1064.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"infocdn-111.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297963/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"infocdn-111.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297964/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"infocdn-111.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297965/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1065.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297966/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"new-prok.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297967/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"fresh-prok.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297957/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ganalytics-api.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297958/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1063.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"gotrustfear.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297960/; target:src_ip; metadata: confidence_level 49, first_seen 
2024_07_14; classtype:trojan-activity; sid:91297960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"gotrustfear.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297961/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cornbascet.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297951/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1061.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cornbascet.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297953/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"dns-inform.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297954/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297954; rev:1;) 
# --- Reviewer notes for the rules below (ThreatFox IOC feed, first_seen 2024_07_14) ---
# Layout: one rule per line; a Suricata rule may only continue onto another line
#   after a trailing backslash.
# DNS rules: depth equals the length of the content and isdataat:!1,relative
#   forbids any byte after it, so only a query for exactly the listed name
#   matches (nocase); a lookup for a subdomain of it does not alert.
# HTTP rules: GET + http.uri starting with the listed path (nocase, no end
#   anchor) + http.host exactly "45.9.74.32". They inspect cleartext HTTP only.
#   NOTE(review): the host match is exact; confirm it still fires on your
#   Suricata version when the request names a non-default port.
# Triage: msg and metadata carry the feed's confidence_level. Treat the 49%
#   domain rules as leads to corroborate with host telemetry; the 100%
#   payload-delivery rules indicate a DLL download to verify on the client.
# target:src_ip records the $HOME_NET client as the affected side of the alert.
# None of these rules carries a threshold, so a client that repeats a lookup or
#   request alerts each time; rate-limit in threshold.config if that is noisy.
# sid is 90000000 + the ThreatFox IOC id shown in reference:url.
# dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"fresh-prok.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297955/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1062.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"clk-brood.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297945/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/106.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"clk-brood.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297947/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"clk-info.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297948/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1060.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"clk-info.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297950/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdn-new-dwnl.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297941/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"clk-brom.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297942/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1059.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"clk-brom.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297944/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdn-ads.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297935/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1057.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdn-ads.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297937/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdn-dwnld.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297938/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1058.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdn-dwnld.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297940/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ads-info.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297929/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1055.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ads-info.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297931/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"aipanelnew.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297932/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1056.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"aipanelnew.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297934/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"98762341tdgi.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297924/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"98762341tdgi.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297925/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1054.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"98762341tdgi.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297927/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"999-ads-info.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297928/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"756-ads-info.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297919/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1052.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"875jhrfks.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297921/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"98762341tdgi.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297922/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1053.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1050.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"364klhjsfsl.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297914/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"465jsdlkd.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297915/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1051.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"756-ads-info.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297917/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"756-ads-info.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297918/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010offers.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297908/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010offers.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297909/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/105.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010offers.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297911/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"343-ads-info.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297912/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1048.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010cars.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297904/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010cars.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297905/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010offers.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297906/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1049.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1046.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610kjhsda.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297898/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610kjhsda.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297899/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1047.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010cars.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297901/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"3010cars.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297902/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610asdkj.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297892/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610asdkj.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297893/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1045.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610kjhsda.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297895/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610kjhsda.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297896/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2311forget.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297886/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1043.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2311forget.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297888/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610asdkj.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297889/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1044.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2610asdkj.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297891/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1041.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"1212stars.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297882/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2311foreign.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297883/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1042.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"2311forget.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297885/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"11234jkhfkujhs.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297876/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1040.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"1212stars.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297878/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; 
content:"1212stars.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297879/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"1212stars.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297880/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1039.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"11234jkhfkujhs.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297873/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/104.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
49%)"; dns_query; content:"11234jkhfkujhs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297875/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297875; rev:1;)
# Layout: one rule per line below. The line above and the last line of this
# span are fragments of rules that continue outside it.
#
# HTTP payload-delivery rules for host 45.9.74.32. Every rule requires an
# established flow in the client-to-server direction, a method buffer
# containing "GET", http.host equal to the literal address (depth 10 plus
# isdataat:!1,relative) and an http.uri that begins with the listed
# /<n>.dll path, compared case-insensitively.
# The URI pattern is bounded by depth only; nothing anchors its end, so the
# same rule also fires when a query string follows the file name.
# NOTE(review): the set enumerates individual file names, one sid per IOC. A
# request to this host for a name that is not listed raises no alert here, so
# coverage of the server itself needs a separate host- or address-level rule.
# target:src_ip marks the $HOME_NET client as the affected host in the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1038.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1036.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1037.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1034.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1035.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1033.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1031.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1032.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/103.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1030.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1029.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1027.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1028.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1025.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1026.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1023.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1024.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1021.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1022.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1020.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1019.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/102.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1017.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1018.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1015.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1016.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1013.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1014.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1012.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1010.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1011.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1009.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/101.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1007.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1008.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1006.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1004.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1005.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1002.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1003.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1000.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1001.dll"; depth:9; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10.dll"; depth:7; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/100.dll"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1297823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297823; rev:1;)
# Layout: one rule per line below. The line above and the last line of this
# span are fragments of rules that continue outside it.
#
# The two http rules match GET requests to host 45.9.74.32 whose URI begins
# with the listed /<n>.dll path (depth-bounded, case-insensitive, end of URI
# not anchored).
#
# DNS domain rules: depth equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly the listed name matches;
# a subdomain of a listed name does not.
# The first dns rule is a C2 indicator at confidence_level 49; the remaining
# rules are payload-delivery domains at confidence_level 100. All share
# classtype trojan-activity, so the metadata field is what separates them.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky
# buffer; the http rules here already use the dotted http.* form.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET, so where clients use
# an internal resolver the alerting source is presumably the resolver; confirm
# sensor placement and correlate with resolver query logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.dll"; depth:6; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0.dll"; depth:6; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"somrasdc.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297816/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_14; classtype:trojan-activity; sid:91297816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geriguna.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marda.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flameshamer.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gloomcutter.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gunigunde.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haelma.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"farpetor.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glynnorin.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wordstaker.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"warcracker.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gerlia.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zinhice.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grike.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wordbracer.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gotrada.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gonnhild.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hild.shop"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wordmover.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1297809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nazi.igboat.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297574; rev:1;) alert tcp $HOME_NET any -> [185.208.158.215] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297776/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_14; classtype:trojan-activity; sid:91297776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4e186a7092be5c7.php"; depth:21; nocase; http.host; content:"89.110.69.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297777; rev:1;) alert tcp $HOME_NET any -> [47.238.31.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297775; rev:1;) alert tcp $HOME_NET any -> [47.109.104.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297773/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_14; classtype:trojan-activity; sid:91297773; rev:1;) alert tcp $HOME_NET any -> [139.9.219.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297774; rev:1;) alert tcp $HOME_NET any -> [140.143.134.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297772; rev:1;) alert tcp $HOME_NET any -> [47.120.70.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297771; rev:1;) alert tcp $HOME_NET any -> [47.100.1.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297770; rev:1;) alert tcp $HOME_NET any -> [8.130.32.36] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297769; rev:1;) alert tcp $HOME_NET any -> [8.130.32.36] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297768; rev:1;) alert tcp $HOME_NET any -> [47.92.75.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297767; rev:1;) alert tcp $HOME_NET any -> [47.115.38.144] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297766; rev:1;) alert tcp $HOME_NET any -> [43.139.221.182] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297764; rev:1;) alert tcp $HOME_NET any -> [49.232.173.2] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297765; rev:1;) alert tcp $HOME_NET any -> [114.242.13.218] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297763; rev:1;) alert 
tcp $HOME_NET any -> [162.251.94.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297762; rev:1;) alert tcp $HOME_NET any -> [60.204.134.21] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297761; rev:1;) alert tcp $HOME_NET any -> [108.61.192.110] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalcpudefaultdb.php"; depth:25; nocase; http.host; content:"574056cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_14; classtype:trojan-activity; sid:91297756; rev:1;) alert tcp $HOME_NET any -> [139.155.68.35] 60180 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297586/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91297586; rev:1;) alert tcp $HOME_NET any -> [198.46.182.56] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297585/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91297585; rev:1;) alert tcp $HOME_NET any -> [144.21.56.77] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91297584; rev:1;) alert tcp $HOME_NET any -> [43.143.237.216] 10011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297583/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91297583; rev:1;) alert tcp $HOME_NET any -> [103.142.146.13] 29000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297582/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_14; classtype:trojan-activity; sid:91297582; rev:1;) alert tcp $HOME_NET any -> [185.196.9.6] 43164 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/201a735ed890db75.php"; depth:21; nocase; http.host; content:"46.8.238.240"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1297580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server1/09d1f581.php"; depth:21; nocase; http.host; content:"a0992484.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297579; rev:1;) alert tcp $HOME_NET any -> [124.248.69.14] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297578; rev:1;) alert tcp $HOME_NET any -> [183.131.85.64] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297577; rev:1;) alert tcp $HOME_NET any -> [5.42.92.30] 41178 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297576; rev:1;) alert tcp $HOME_NET any -> [91.92.249.24] 4808 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; 
classtype:trojan-activity; sid:91297575; rev:1;) alert tcp $HOME_NET any -> [95.217.245.123] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297573; rev:1;) alert tcp $HOME_NET any -> [141.94.122.30] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297572; rev:1;) alert tcp $HOME_NET any -> [92.246.136.10] 13731 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297571; rev:1;) alert tcp $HOME_NET any -> [91.92.245.105] 53297 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297570; rev:1;) alert tcp $HOME_NET any -> [85.28.47.132] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297569; rev:1;) alert tcp $HOME_NET any -> [47.242.1.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297568; rev:1;) alert tcp $HOME_NET any -> [49.232.173.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297567; rev:1;) alert tcp $HOME_NET any -> [18.191.219.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297566; rev:1;) alert tcp $HOME_NET any -> [47.109.104.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297565; rev:1;) alert tcp $HOME_NET any -> [43.143.175.225] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297564; rev:1;) alert tcp $HOME_NET any -> [47.109.199.221] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; 
sid:91297563; rev:1;) alert tcp $HOME_NET any -> [122.152.221.28] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297562; rev:1;) alert tcp $HOME_NET any -> [121.37.229.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297561; rev:1;) alert tcp $HOME_NET any -> [206.206.77.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297559; rev:1;) alert tcp $HOME_NET any -> [59.110.136.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297560; rev:1;) alert tcp $HOME_NET any -> [139.59.214.140] 447 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297558; rev:1;) alert tcp $HOME_NET any -> [123.57.186.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1297557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297557; rev:1;) alert tcp $HOME_NET any -> [124.223.77.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297556; rev:1;) alert tcp $HOME_NET any -> [45.12.53.231] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297555; rev:1;) alert tcp $HOME_NET any -> [150.158.20.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297554; rev:1;) alert tcp $HOME_NET any -> [39.99.158.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297553; rev:1;) alert tcp $HOME_NET any -> [139.9.219.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297552; rev:1;) alert tcp $HOME_NET any -> [156.238.225.81] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297551; rev:1;) alert tcp $HOME_NET any -> [124.132.152.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/globals.css"; depth:12; nocase; http.host; content:"itechnetworkbd.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297549/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297549; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15240 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297491/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297491; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 15240 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297490/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297490; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15240 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1297492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736526437472.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"783247237256214.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297493; rev:1;) alert tcp $HOME_NET any -> [5.42.92.29] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297494; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 14294 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297464/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297464; rev:1;) alert tcp $HOME_NET any -> [89.117.23.25] 35999 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297465; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njas.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297466; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 6703 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"le-pencil.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/out.php"; depth:8; nocase; http.host; content:"45.9.74.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/endpoint.php"; depth:17; nocase; http.host; content:"newstroczvmonmy3ne1w.su"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297485; rev:1;) 
# --- URL indicators ---
# Client-side requests on an established flow whose method contains "GET". The http.uri
# content is anchored only at the start (depth = pattern length, no end check), so longer
# URIs and query strings that begin with the path also match. http.host must equal the
# listed value exactly (depth plus isdataat:!1,relative).
# target:src_ip marks the source of the matching packet (the $HOME_NET host) as the target in
# the alert record. metadata (confidence_level, first_seen) is descriptive only and does not
# change what matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"newstroczvmonmy3ne1w.su"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297486; rev:1;)
# --- ip:port indicators ---
# These rules carry no flow or content keywords: any TCP packet from $HOME_NET to the listed
# address and port matches, so an alert shows a connection attempt, not what was exchanged.
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at one alert per
# source address per 60 seconds.
# NOTE(review): the match is purely address-based and the rule carries no expiry. Check
# first_seen and the referenced ThreatFox entry before treating a hit as confirmed C2,
# in particular for ports 80/443 and for the confidence 75/80 entries below.
alert tcp $HOME_NET any -> [192.210.149.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297548; rev:1;)
alert tcp $HOME_NET any -> [43.139.118.222] 9090 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297547; rev:1;)
alert tcp $HOME_NET any -> [186.233.231.18] 7777 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297546; rev:1;)
alert tcp $HOME_NET any -> [14.103.48.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297545; rev:1;)
alert tcp $HOME_NET any -> [113.45.218.129] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297544; rev:1;)
alert tcp $HOME_NET any -> [183.81.81.92] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297543; rev:1;)
alert tcp $HOME_NET any -> [5.206.224.223] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297542; rev:1;)
alert tcp $HOME_NET any -> [2.56.245.243] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_13; classtype:trojan-activity; sid:91297541; rev:1;)
# --- Domain indicators ---
# Each rule inspects the dns_query buffer. depth equals the length of the content string and
# isdataat:!1,relative requires that no byte follows the match, so only a query for exactly
# the listed name fires (case-insensitively, via nocase); a query for a subdomain of the
# name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"areaseguras.con-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297496; rev:1;)
# rtc-moostas.com is covered twice: by this DNS rule and by the URL rule that follows, so a
# host that resolves the name and then requests a URI starting with /buy/ over plain HTTP
# raises both sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rtc-moostas.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buy/"; depth:5; nocase; http.host; content:"rtc-moostas.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297487; rev:1;)
# The URI pattern in the next two rules is just "/" at depth 1. A request URI normally
# begins with "/", so in practice these fire on any GET whose Host value is the listed
# address; the specificity comes from the host alone.
# NOTE(review): the same two addresses are also listed on port 443 by the Vidar ip:port
# rules that follow; those rules see no payload, so treat the pairs as related when
# correlating alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.115.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297483; rev:1;)
alert tcp $HOME_NET any -> [49.12.115.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297481; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.221] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297482; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 36100 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_13; classtype:trojan-activity; sid:91297478; rev:1;)
# ip:port indicators published at confidence 80: address-only evidence, corroborate with
# other telemetry from the alerting host before escalating.
alert tcp $HOME_NET any -> [94.156.71.159] 1200 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297477; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.115] 9078 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297476; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297475; rev:1;)
alert tcp $HOME_NET any -> [23.95.248.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297474; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297473/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297473; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297472/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297472; rev:1;)
alert tcp $HOME_NET any -> [213.238.177.160] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297471/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297471; rev:1;)
alert tcp $HOME_NET any -> [45.77.146.136] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297470; rev:1;)
alert tcp $HOME_NET any -> [121.40.59.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297469; rev:1;)
alert tcp $HOME_NET any -> [89.147.111.100] 8080 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297468; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.25] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297467/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_13; classtype:trojan-activity; sid:91297467; rev:1;)
# Domain indicators with first_seen 2024_07_12: exact-name match on the DNS query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtffckbeachpro2.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonflux.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ltdoffs.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"236462572337423.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"engine-cheers.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297457; rev:1;) alert tcp $HOME_NET any -> [45.94.31.179] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297458; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 7436 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297456; rev:1;) alert tcp $HOME_NET any -> [185.222.58.80] 7688 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daslkjfhi2.homes"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daslkjfhi2.pics"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297432/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_12; classtype:trojan-activity; sid:91297432; rev:1;) alert tcp $HOME_NET any -> [5.149.254.13] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"requestyex.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297454; rev:1;) alert tcp $HOME_NET any -> [194.55.186.27] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297453; rev:1;) alert tcp $HOME_NET any -> [194.55.186.27] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297452; rev:1;) alert tcp $HOME_NET any -> [39.104.22.98] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297451; rev:1;) alert tcp $HOME_NET any -> [47.92.75.101] 11050 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297450; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 41000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297449; rev:1;) alert tcp $HOME_NET any -> [1.117.64.149] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297448; rev:1;) alert tcp $HOME_NET any -> [23.94.230.179] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297447; rev:1;) alert tcp $HOME_NET any -> [47.237.111.1] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297446; rev:1;) alert tcp $HOME_NET any -> [107.173.11.20] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297445/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297445; rev:1;) alert tcp $HOME_NET any -> [23.95.248.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297444/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297444; rev:1;) alert tcp $HOME_NET any -> [198.46.145.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297443/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297443; rev:1;) alert tcp $HOME_NET any -> [107.173.11.18] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297442; rev:1;) alert tcp $HOME_NET any -> [159.89.204.231] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297441; rev:1;) alert tcp $HOME_NET any -> [159.100.20.48] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297440; rev:1;) alert tcp $HOME_NET any -> [58.87.103.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297439/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297439; rev:1;) alert tcp $HOME_NET any -> [49.145.121.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297438; rev:1;) alert tcp $HOME_NET any -> [95.217.240.177] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297437; rev:1;) alert tcp $HOME_NET any -> [95.217.240.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297436; rev:1;) alert tcp $HOME_NET any -> [39.101.122.168] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297435; rev:1;) alert tcp $HOME_NET any -> [103.97.178.205] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297434; rev:1;) alert tcp $HOME_NET any -> 
[45.140.19.240] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297271; rev:1;) alert tcp $HOME_NET any -> [91.222.175.247] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dtolnhd.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_12; classtype:trojan-activity; sid:91297266; rev:1;) alert tcp $HOME_NET any -> [43.153.49.49] 8888 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297267; rev:1;) alert tcp $HOME_NET any -> [85.28.47.30] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297268; rev:1;) alert tcp $HOME_NET any -> [77.91.77.82] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297269/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297269; rev:1;) alert tcp $HOME_NET any -> [77.221.152.198] 4444 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"domaplc.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_12; classtype:trojan-activity; sid:91297264; rev:1;) alert tcp $HOME_NET any -> [91.92.246.78] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297263/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297263; rev:1;) alert tcp $HOME_NET any -> [212.162.149.77] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297262; rev:1;) alert tcp $HOME_NET any -> [139.180.156.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297261; rev:1;) alert tcp $HOME_NET any -> [154.8.197.118] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297260; rev:1;) alert tcp $HOME_NET any -> [101.34.163.3] 85 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297259; rev:1;) alert tcp $HOME_NET any -> [38.6.177.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297258; rev:1;) alert tcp $HOME_NET any -> [89.251.22.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297257; rev:1;) alert tcp $HOME_NET any -> [8.130.135.130] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297256; rev:1;) alert tcp $HOME_NET any -> [47.108.164.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; 
classtype:trojan-activity; sid:91297255; rev:1;) alert tcp $HOME_NET any -> [47.236.96.238] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297254; rev:1;) alert tcp $HOME_NET any -> [43.143.111.123] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297253; rev:1;) alert tcp $HOME_NET any -> [39.104.18.200] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297252; rev:1;) alert tcp $HOME_NET any -> [114.55.100.165] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297251; rev:1;) alert tcp $HOME_NET any -> [82.156.133.228] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297250; rev:1;) alert tcp $HOME_NET any -> [1.94.178.166] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297249; rev:1;) alert tcp $HOME_NET any -> [82.157.137.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297248; rev:1;) alert tcp $HOME_NET any -> [47.100.1.190] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297247; rev:1;) alert tcp $HOME_NET any -> [124.223.54.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297246; rev:1;) alert tcp $HOME_NET any -> [124.222.115.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297245; rev:1;) alert tcp $HOME_NET any -> [59.110.136.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297244; rev:1;) alert tcp 
$HOME_NET any -> [111.229.124.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297242; rev:1;) alert tcp $HOME_NET any -> [154.201.86.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297243; rev:1;) alert tcp $HOME_NET any -> [124.223.54.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297241; rev:1;) alert tcp $HOME_NET any -> [118.107.4.166] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297240; rev:1;) alert tcp $HOME_NET any -> [124.70.196.94] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymjhm2m5zjyyody5/"; depth:18; 
nocase; http.host; content:"mutocosturoyur.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297227/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymjhm2m5zjyyody5/"; depth:18; nocase; http.host; content:"lolo2naberlo.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297228/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297228; rev:1;) alert tcp $HOME_NET any -> [43.138.246.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymjhm2m5zjyyody5/"; depth:18; nocase; http.host; content:"havalarsicaktir.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymjhm2m5zjyyody5/"; depth:18; nocase; http.host; content:"r4s5t2t2fa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297230; rev:1;) 
# URL rules (alert http): client-to-server traffic on an established flow whose
# http.method contains GET. http.uri must begin with the listed path (depth equals the
# path length and nothing anchors the end; nocase applies to the path), and http.host
# must equal the listed host exactly (depth plus isdataat:!1,relative). The same path
# on an unlisted host does not alert. These rules carry no threshold, so every matching
# request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymjhm2m5zjyyody5/"; depth:18; nocase; http.host; content:"gurcustill254.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297231/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297231; rev:1;)
# Second path prefix, "/nge2y2rjyjdmyjg3/", listed against six kesmecekarpuz* hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nge2y2rjyjdmyjg3/"; depth:18; nocase; http.host; content:"kesmecekarpuz.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297232/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nge2y2rjyjdmyjg3/"; depth:18; nocase; http.host; content:"kesmecekarpuz.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nge2y2rjyjdmyjg3/"; depth:18; nocase; http.host; content:"kesmecekarpuz145.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297234/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nge2y2rjyjdmyjg3/"; depth:18; nocase; http.host; content:"kesmecekarpuz878.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297235/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nge2y2rjyjdmyjg3/"; depth:18; nocase; http.host; content:"kesmecekarpuz5446.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nge2y2rjyjdmyjg3/"; depth:18; nocase; http.host; content:"kesmecekarpuz8455.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297237; rev:1;)
# Host 185.165.171.49: twelve URL rules plus one ip:port rule (Havoc, port 443).
# sid:91297205 and sid:91297208 have identical match conditions (content:"/"; depth:1),
# which any GET to this host with a URI beginning "/" satisfies. Such a request
# therefore raises both, plus every longer-prefix rule it also matches: "/t" matches
# "/to..." requests as well. Expect several sids per request and group them by
# http.host downstream. The one- and two-character prefixes add no specificity beyond
# the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297209; rev:1;)
# ip:port rule: no flow or content keywords, so any TCP packet from $HOME_NET to this
# address on port 443 alerts, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [185.165.171.49] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/to"; depth:3; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ro"; depth:3; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h"; depth:2; nocase; http.host; content:"185.165.171.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297215; rev:1;)
# NjRAT ip:port rules at confidence_level 75, followed by a ply.gg hostname.
# NOTE(review): gl.at.ply.gg looks like a hostname under a shared tunnelling service
# (presumably playit.gg - confirm). If 147.185.221.21 is one of that service's shared
# endpoints, the address/port pair is the indicator and the address alone is not.
alert tcp $HOME_NET any -> [160.176.168.17] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297194/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297194; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 9212 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297196/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297196; rev:1;)
# Domain rule: depth equals the content length and isdataat:!1,relative requires the
# buffer to end there, so dns_query must equal this name exactly (nocase); other names
# under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"credit-ecommerce.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297197/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297197; rev:1;)
alert tcp $HOME_NET any -> [45.77.45.120] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; 
classtype:trojan-activity; sid:91297203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daslkjfhi2.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"kooktaripa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297174/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"astopertat.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297169/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"carflotyup.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297170/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"garipaupsa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297171/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 85%)"; dns_query; content:"grazafnulp.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297172/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"asloyganza.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297168/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"aytoplesit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297165/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"architrata.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297166/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"asiporata.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297167/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297167; rev:1;) alert tcp $HOME_NET any -> [147.185.221.21] 9388 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1297162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297163; rev:1;) alert tcp $HOME_NET any -> [213.109.147.229] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297164/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"jinolearwe.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297173/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"nitraderasolo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297175/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"paskalpinster.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297176/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; 
sid:91297176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"spikeliftall.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297177/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"stripplasst.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297178/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"worlpquano.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1297179/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_12; classtype:trojan-activity; sid:91297179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.37.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_12; classtype:trojan-activity; sid:91297226; rev:1;) alert tcp $HOME_NET any -> [64.112.85.3] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"replacedoxcjzp.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297223/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"declaredczxi.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"contemplateodszsv.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297221/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"conformfucdioz.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297220/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"catchddkxozvp.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bindceasdiwozx.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"arriveoxpzxo.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297217/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"applyzxcksdia.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1297216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297216; rev:1;) alert tcp $HOME_NET any -> [45.139.198.242] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297202/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_12; classtype:trojan-activity; sid:91297202; rev:1;) alert tcp $HOME_NET any -> [172.81.131.198] 16383 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297201; rev:1;) alert tcp $HOME_NET any -> [204.10.160.198] 1950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297199; rev:1;) alert tcp $HOME_NET any -> [89.23.102.149] 28394 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297198; rev:1;) alert tcp $HOME_NET any -> [91.92.243.245] 47477 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_12; classtype:trojan-activity; sid:91297195; rev:1;) alert tcp $HOME_NET any -> [16.63.34.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297193/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297193; rev:1;) alert tcp $HOME_NET any -> [194.62.250.122] 36001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297192/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297192; rev:1;) alert tcp $HOME_NET any -> [23.94.230.181] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297191/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297191; rev:1;) alert tcp $HOME_NET any -> [198.46.182.51] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297190/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297190; rev:1;) alert tcp $HOME_NET any -> [23.95.248.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297189/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297189; rev:1;) alert tcp $HOME_NET any -> [192.210.149.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297188; rev:1;) alert tcp $HOME_NET any -> [23.95.190.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297187/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297187; rev:1;) alert tcp $HOME_NET any -> [23.94.230.190] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297186; rev:1;) alert tcp $HOME_NET any -> [192.227.245.180] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297185; rev:1;) alert tcp $HOME_NET any -> [198.46.145.131] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297184/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297184; rev:1;) alert tcp $HOME_NET any -> [41.216.189.133] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297183; rev:1;) alert tcp $HOME_NET any -> [188.124.59.14] 45361 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297182; rev:1;) alert tcp $HOME_NET any -> [34.44.55.114] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; 
classtype:trojan-activity; sid:91297181; rev:1;) alert tcp $HOME_NET any -> [37.221.67.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_12; classtype:trojan-activity; sid:91297180; rev:1;) alert tcp $HOME_NET any -> [162.55.165.63] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91297161; rev:1;) alert tcp $HOME_NET any -> [5.42.104.154] 6448 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296928; rev:1;) alert tcp $HOME_NET any -> [147.45.44.3] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91297150; rev:1;) alert tcp $HOME_NET any -> [142.171.48.89] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297160; rev:1;) alert tcp $HOME_NET any -> [124.220.7.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297159; rev:1;) alert tcp $HOME_NET any -> [192.227.245.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297158; rev:1;) alert tcp $HOME_NET any -> [192.227.245.186] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297157/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297157; rev:1;) alert tcp $HOME_NET any -> [23.95.190.182] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297156/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297156; rev:1;) alert tcp $HOME_NET any -> [192.210.149.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297155/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297155; rev:1;) alert tcp $HOME_NET any -> [192.227.245.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297154/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297154; rev:1;) alert tcp 
$HOME_NET any -> [192.227.244.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297153/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297153; rev:1;) alert tcp $HOME_NET any -> [23.95.190.180] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297152/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297152; rev:1;) alert tcp $HOME_NET any -> [192.210.194.45] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297151/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297151; rev:1;) alert tcp $HOME_NET any -> [5.42.92.29] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297149/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297149; rev:1;) alert tcp $HOME_NET any -> [34.170.36.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297148/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297148; rev:1;) alert tcp $HOME_NET any -> [192.227.229.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297147/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297147; rev:1;) alert tcp $HOME_NET any -> [134.122.191.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297146/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297146; rev:1;) alert tcp $HOME_NET any -> [5.206.224.223] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1297145/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91297145; rev:1;) alert tcp $HOME_NET any -> [5.42.99.177] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1/upload.php"; depth:14; nocase; http.host; content:"tztwo2sr.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296922; rev:1;) alert tcp $HOME_NET any -> [77.105.133.27] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296920; rev:1;) 
# URL IOCs on *.top hosts, confidence 100, first_seen 2024_07_11.
# - http.host is matched exactly (depth equals the content length, isdataat:!1,relative forbids trailing bytes).
# - http.uri is anchored only at its start, so "/upload.php" and "/v1/upload.php" are prefix matches.
# - http.method must contain "GET"; a POST to the same URL does not match.
# - These are app-layer http rules and only see traffic the sensor can parse as cleartext HTTP.
# Each sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1/upload.php"; depth:14; nocase; http.host; content:"tzfift15vt.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"rzfift15sr.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"rcthre3pt.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"rxfift15sr.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"rzsixt16vt.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296925; rev:1;)
# ip:port IOCs. These rules carry no flow or payload keywords: a TCP packet from $HOME_NET to the listed
# address and port is enough to match. The threshold caps output at one alert per source per 60 seconds.
# The Amadey entry is confidence 50 on port 80; corroborate it with HTTP or endpoint evidence before acting.
alert tcp $HOME_NET any -> [45.66.231.218] 4259 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296919; rev:1;)
alert tcp $HOME_NET any -> [185.208.158.116] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_11; classtype:trojan-activity; sid:91296918; rev:1;)
# Domain IOC. dns_query is matched exactly, so queries for subdomains of the listed name do not match.
# Where clients resolve through an internal resolver, the alert source may be the resolver rather than
# the querying endpoint; this depends on sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pgfabrics.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296917; rev:1;)
# URL IOCs whose Host header is an IP literal and whose URI condition is content:"/"; depth:1.
# That condition matches any URI beginning with "/", so these rules amount to "GET with this exact Host".
# The destination is $EXTERNAL_NET any: the match keys on the Host header value, not on the address
# contacted. A request to the same IP with a different Host value is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.202.233.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.156.68.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.156.79.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.251.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"176.111.174.221"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.92.29"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11;
classtype:trojan-activity; sid:91296911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.156.79.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"118.107.244.100"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.156.8.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"93.123.39.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.240.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"114.130.36.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"114.130.36.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"194.55.186.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"118.107.244.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296901/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.216.70.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.156.8.106"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.156.65.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296900; rev:1;) alert tcp $HOME_NET any -> [45.9.74.32] 8888 (msg:"ThreatFox StrelaStealer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload-wallet"; depth:14; nocase; 
http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296890; rev:1;)
# Reviewer notes for the url rules on Host 92.246.138.20 (rule text unchanged, one rule per line).
# - Every rule pins http.method to GET. A request to the same path with another method does not
#   match; the ip:port rule sid:91296894 further down is the only rule here that covers this
#   server regardless of method or path.
# - The http.uri content is anchored at the start only (depth equals the string length, no end
#   anchor), so it is a prefix match: "/decrypt" (sid:91296882) also matches requests for
#   "/decrypt-firefox" and "/decrypt-passwords", and such a request raises two alerts.
# - The Host match is exact (depth 13, then isdataat:!1,relative).
# - NOTE(review): the path names read like the collection endpoints of a single panel, but the
#   feed labels the family "Unknown malware" (sid:91296894); treat the grouping as an inference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/victim"; depth:7; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive-cookies"; depth:16; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive-passwords"; depth:18; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive-tokens"; depth:15; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discordtokens"; depth:14; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new-wallets"; depth:12; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296886; rev:1;)
# Prefix of the two rules that follow it; see the note on overlapping matches above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/decrypt"; depth:8; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/decrypt-firefox"; depth:16; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/decrypt-passwords"; depth:18; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296884; rev:1;)
# ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to the address
# and port matches, limited by the threshold to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [107.172.16.206] 8089 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296878; rev:1;)
# Domain rules match the exact query name only (depth equals the name length, then
# isdataat:!1,relative); a lookup for a subdomain of the listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linntopdmspqp.lol"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296880; rev:1;)
# The same name is the Host of the url rule sid:91296875, which is rated confidence 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmld.shop"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296876; rev:1;)
alert tcp $HOME_NET any -> [104.243.242.169] 8258 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296877; rev:1;)
# Host 185.208.158.116 is also the destination of the Amadey ip:port rule sid:91296918
# (confidence 50); this path-specific rule is the stronger of the two signals.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs01/index.php"; depth:21; nocase; http.host; content:"185.208.158.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zip-and-upload"; depth:15; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296892; rev:1;)
# "/error" is a short, generic prefix; the exact Host match is what keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/error"; depth:6; nocase; http.host; content:"92.246.138.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296893; rev:1;)
# Catch-all for the server behind the url rules above: port 80, any method, any path.
alert tcp $HOME_NET any -> [92.246.138.20] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shared-celestial.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296896; rev:1;)
alert tcp $HOME_NET any ->
[23.227.203.18] 44577 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296895; rev:1;)
# Reviewer notes for the rules that follow (rule text unchanged, laid out one rule per line).
# - ip:port rules contain only a destination address, a port and a threshold. They match any TCP
#   packet from $HOME_NET to that endpoint (no flow keyword, so a lone SYN is enough) and emit at
#   most one alert per source host per 60 seconds. The family named in msg is the feed's
#   attribution; the rule does not look at the payload or the protocol spoken on the port.
# - Many destinations below use 80, 443 or 8080. NOTE(review): on those ports an address-only
#   match cannot separate the listed service from anything else hosted on the same address;
#   corroborate with flow, TLS or HTTP logs before escalating.
# - first_seen is the date the indicator entered the feed; the rule carries no expiry.
alert tcp $HOME_NET any -> [94.156.65.182] 31051 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296881; rev:1;)
alert tcp $HOME_NET any -> [89.23.96.98] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296879; rev:1;)
# url rules: GET only, http.uri matched as a prefix (start-anchored by depth, no end anchor),
# Host matched exactly. The domain bmld.shop also has its own dns rule, sid:91296876, rated 100
# while this url rule is rated 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ml341/index.php"; depth:16; nocase; http.host; content:"bmld.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296875; rev:1;)
# The same "/l1nc0in.php" path is matched against a second Host in sid:91296850.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0979909.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296874; rev:1;)
alert tcp $HOME_NET any -> [75.127.7.188] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296872; rev:1;)
# Second port for 104.243.242.169; sid:91296877 covers port 8258 on the same address.
alert tcp $HOME_NET any -> [104.243.242.169] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296851; rev:1;)
# Cobalt Strike ip:port indicators. Two addresses appear twice with different ports
# (206.238.197.80 on 443 and 80, 81.70.254.166 on 8888 and 443); each port is a separate sid and
# a separate threshold counter.
alert tcp $HOME_NET any -> [206.238.197.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296871; rev:1;)
alert tcp $HOME_NET any -> [43.138.195.98] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296870; rev:1;)
alert tcp $HOME_NET any -> [206.238.197.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296869; rev:1;)
alert tcp $HOME_NET any -> [60.205.58.225] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296868; rev:1;)
alert tcp $HOME_NET any -> [119.91.95.88] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296867; rev:1;)
alert tcp $HOME_NET any -> [1.117.64.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296865; rev:1;)
alert tcp $HOME_NET any -> [47.236.244.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296866; rev:1;)
alert tcp $HOME_NET any -> [107.175.85.70] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296864; rev:1;)
alert tcp $HOME_NET any -> [103.146.22.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296863; rev:1;)
alert tcp $HOME_NET any -> [104.199.239.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296862; rev:1;)
alert tcp $HOME_NET any -> [47.116.127.11] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296861; rev:1;)
alert tcp $HOME_NET any -> [36.138.173.47] 18081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296860; rev:1;)
alert tcp $HOME_NET any -> [124.222.92.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296859; rev:1;)
alert tcp $HOME_NET any -> [108.174.58.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296858; rev:1;)
alert tcp $HOME_NET any -> [81.70.254.166] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296857; rev:1;)
alert tcp $HOME_NET any -> [89.116.233.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296856; rev:1;)
alert tcp $HOME_NET any -> [81.70.254.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296855; rev:1;)
alert tcp $HOME_NET any -> [91.214.78.222] 1080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296854; rev:1;)
alert tcp $HOME_NET any -> [47.108.238.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296853; rev:1;)
alert tcp $HOME_NET any -> [45.133.238.41] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296852; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 6643 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296814/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296814; rev:1;)
# Reviewer notes for the rules that follow (rule text unchanged, laid out one rule per line).
# - Domain rules match the exact query name only: depth equals the name length and
#   isdataat:!1,relative rejects anything longer, so subdomains of a listed name do not match.
# - ip:port rules have no flow or content keyword; any TCP packet from $HOME_NET to the endpoint
#   matches, limited to one alert per source host per 60 seconds.
# - NOTE(review): 147.185.221.21 is listed with several different ports (6643, 6567, 2094, 6732)
#   next to *.gl.at.ply.gg names, which looks like one shared relay or tunnel address fronting
#   several unrelated endpoints. If so, only the exact ip:port pair is meaningful and the address
#   alone should not be blocked or escalated on — confirm before using it outside these rules.
#   The confidence level of 75 on these entries is consistent with that caution.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"commission-machines.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296815/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296815; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 6567 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"within-gym.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296817; rev:1;)
alert tcp $HOME_NET any -> [3.126.37.18] 17814 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296818; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 2094 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"data-dakota.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296820/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newskingdomz.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296822; rev:1;)
alert tcp $HOME_NET any -> [147.124.212.217] 22330 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296823; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 6732 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296825/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gran-dinero.fans"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"temporary.fail"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296848; rev:1;)
# Havoc ip:port indicators, all rated 75. Most use port 443, and 194.87.69.245 is listed on 53, 80
# and 443 (the 443 entry is sid:91296685). The port-53 rule is `alert tcp`, so it matches TCP
# traffic to that port only; nothing in it inspects DNS.
alert tcp $HOME_NET any -> [164.92.235.130] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296680/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296680; rev:1;)
alert tcp $HOME_NET any -> [23.123.90.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296681/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296681; rev:1;)
alert tcp $HOME_NET any -> [194.87.69.245] 53 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296682/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296682; rev:1;)
alert tcp $HOME_NET any -> [194.87.69.245] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296683; rev:1;)
alert tcp $HOME_NET any -> [20.127.222.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296684/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296684; rev:1;)
alert tcp $HOME_NET any -> [185.53.177.52]
80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296807/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296807; rev:1;)
# Reviewer notes for the rules that follow (rule text unchanged, laid out one rule per line).
# - ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to the listed
#   endpoint matches, capped by the threshold at one alert per source host per 60 seconds. On
#   port 443 the rule sees only the address and port, nothing of the TLS session.
# - Domain rules match the exact query name (depth equals the name length, then
#   isdataat:!1,relative); subdomains do not match.
alert tcp $HOME_NET any -> [194.87.69.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"umarguzardijye.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296808/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296808; rev:1;)
# The next two rules use Host api.telegram.org, a public API shared with legitimate clients, so
# the Host match adds no specificity; the discriminating part is the bot path in http.uri.
# - The uri content is all lower case and relies on nocase, so the string shown here is
#   presumably a case-folded form of the indicator, not necessarily its original casing.
# - NOTE(review): these are `alert http` rules and need the request to be visible to the sensor
#   as HTTP. If this API is reached over TLS in your environment, they fire only where traffic is
#   decrypted before inspection; without that, detection of this channel has to come from
#   endpoint or proxy telemetry — confirm for your deployment.
# - http.method is pinned to GET, so the same path requested with another method does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7224070216:aaevfqvn6xrsarprtimpxhunih2wuzlzw1a/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7169426142:aag_nuf4vfdd3yaliw-re-uanudvey15spm/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296810; rev:1;)
# QakBot and Havoc ip:port indicators on 443. Four of the QakBot addresses sit in the same
# 47.247.13.x range (.73, .74, .78, .79); each is a separate sid with its own threshold counter.
alert tcp $HOME_NET any -> [78.168.2.118] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296678; rev:1;)
alert tcp $HOME_NET any -> [84.247.185.157] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_11; classtype:trojan-activity; sid:91296679; rev:1;)
alert tcp $HOME_NET any -> [68.1.192.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296674; rev:1;)
alert tcp $HOME_NET any -> [47.247.13.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296677; rev:1;)
alert tcp $HOME_NET any -> [47.247.13.78] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296675; rev:1;)
alert tcp $HOME_NET any -> [47.247.13.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296676; rev:1;)
alert tcp $HOME_NET any -> [47.247.13.73] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296673; rev:1;)
alert tcp $HOME_NET any -> [217.76.50.73] 3256 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296671; rev:1;)
# Labelled "payload delivery" rather than C2 in msg; classtype is trojan-activity like the rest,
# so separate the two on the msg text or the sid if they are triaged differently.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jswebcloud.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296672; rev:1;)
# url rules: the http.uri content is start-anchored by depth with no end anchor (prefix match),
# the Host match is exact. The same "/l1nc0in.php" path is matched against another Host in
# sid:91296874.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cp57435.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ecafc5f6.php"; depth:13; nocase; http.host; content:"a1003569.xsph.ru"; depth:16; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1296849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296849; rev:1;) alert tcp $HOME_NET any -> [54.91.135.60] 5222 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_11; classtype:trojan-activity; sid:91296846; rev:1;) alert tcp $HOME_NET any -> [91.92.248.36] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296845; rev:1;) alert tcp $HOME_NET any -> [120.53.230.248] 20241 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296844; rev:1;) alert tcp $HOME_NET any -> [95.179.187.178] 54781 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296843; rev:1;) alert tcp $HOME_NET any -> [23.94.234.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296842; rev:1;) alert tcp $HOME_NET any -> [14.103.51.225] 8089 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296841; rev:1;) alert tcp $HOME_NET any -> [107.173.11.24] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296840; rev:1;) alert tcp $HOME_NET any -> [23.95.190.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296839; rev:1;) alert tcp $HOME_NET any -> [198.46.182.62] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296838; rev:1;) alert tcp $HOME_NET any -> [23.95.243.28] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296837; rev:1;) alert tcp $HOME_NET any -> [23.94.230.178] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296836/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296836; rev:1;) alert tcp $HOME_NET any -> [192.227.238.86] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296835; rev:1;) alert tcp $HOME_NET any -> [23.95.190.181] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296834; rev:1;) alert tcp $HOME_NET any -> [185.216.68.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296833; rev:1;) alert tcp $HOME_NET any -> [129.226.148.15] 9090 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296832; rev:1;) alert tcp $HOME_NET any -> [205.234.146.142] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296831; rev:1;) alert tcp $HOME_NET any -> [185.218.0.101] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296830; rev:1;) alert tcp $HOME_NET any -> [193.134.211.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296829; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296828; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 5002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296827; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_11; classtype:trojan-activity; sid:91296826; rev:1;) alert tcp $HOME_NET any -> [196.64.248.166] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296824; rev:1;) alert tcp $HOME_NET any 
-> [45.66.231.158] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296821; rev:1;) alert tcp $HOME_NET any -> [84.32.41.151] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296812/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296812; rev:1;) alert tcp $HOME_NET any -> [84.32.41.111] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296813/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296813; rev:1;) alert tcp $HOME_NET any -> [87.121.61.160] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296811/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296811; rev:1;) alert tcp $HOME_NET any -> [46.183.222.27] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"45.152.114.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296670; rev:1;) alert tcp $HOME_NET any -> [188.245.82.177] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296669; rev:1;) alert tcp $HOME_NET any -> [188.245.82.177] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296668; rev:1;) alert tcp $HOME_NET any -> [94.156.79.31] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296667; rev:1;) alert tcp $HOME_NET any -> [94.156.79.31] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296666; rev:1;) alert tcp $HOME_NET any -> [185.216.70.126] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; 
classtype:trojan-activity; sid:91296665; rev:1;) alert tcp $HOME_NET any -> [185.216.70.126] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296664; rev:1;) alert tcp $HOME_NET any -> [185.216.70.128] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296663; rev:1;) alert tcp $HOME_NET any -> [185.216.70.128] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296662; rev:1;) alert tcp $HOME_NET any -> [192.227.238.90] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296661/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296661; rev:1;) alert tcp $HOME_NET any -> [23.95.190.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296660/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296660; rev:1;) alert tcp $HOME_NET any -> [192.227.245.178] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1296659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296659; rev:1;) alert tcp $HOME_NET any -> [198.46.182.57] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296658; rev:1;) alert tcp $HOME_NET any -> [124.221.133.199] 13389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296657; rev:1;) alert tcp $HOME_NET any -> [23.95.243.20] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296656; rev:1;) alert tcp $HOME_NET any -> [23.95.248.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296655; rev:1;) alert tcp $HOME_NET any -> [192.210.194.46] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296654; rev:1;) alert tcp $HOME_NET any -> 
[192.210.149.122] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296653; rev:1;) alert tcp $HOME_NET any -> [198.46.182.50] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296652; rev:1;) alert tcp $HOME_NET any -> [23.95.181.157] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296651; rev:1;) alert tcp $HOME_NET any -> [23.94.230.188] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296650; rev:1;) alert tcp $HOME_NET any -> [106.53.213.253] 50533 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296649; rev:1;) alert tcp $HOME_NET any -> [35.239.247.201] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296648/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296648; rev:1;) alert tcp $HOME_NET any -> [94.237.61.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296647; rev:1;) alert tcp $HOME_NET any -> [213.219.199.52] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl341/index.php"; depth:16; nocase; http.host; content:"hqt3.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hqt3.shop"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296638; rev:1;) alert tcp $HOME_NET any -> [175.24.204.79] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296645; rev:1;) 
alert tcp $HOME_NET any -> [116.62.169.135] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296644; rev:1;) alert tcp $HOME_NET any -> [156.238.233.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296643; rev:1;) alert tcp $HOME_NET any -> [47.106.157.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296642/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296642; rev:1;) alert tcp $HOME_NET any -> [45.153.231.163] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296641; rev:1;) alert tcp $HOME_NET any -> [65.109.233.123] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296640; rev:1;) alert tcp $HOME_NET any -> [65.109.233.123] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296639/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296639; rev:1;) alert tcp $HOME_NET any -> [185.216.214.217] 8488 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296635; rev:1;) alert tcp $HOME_NET any -> [117.216.185.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296624; rev:1;) alert tcp $HOME_NET any -> [75.132.35.60] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296625; rev:1;) alert tcp $HOME_NET any -> [71.31.160.43] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296621; rev:1;) alert tcp $HOME_NET any -> [189.159.113.190] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296622; rev:1;) alert tcp $HOME_NET any -> [98.148.177.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296623; rev:1;) alert tcp $HOME_NET any -> [67.197.97.144] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296619; rev:1;) alert tcp $HOME_NET any -> [70.173.46.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296620; rev:1;) alert tcp $HOME_NET any -> [108.183.200.239] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296618; rev:1;) alert tcp $HOME_NET any -> [108.21.107.203] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296616; rev:1;) alert tcp $HOME_NET any -> [162.154.223.73] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296617; rev:1;) alert tcp 
$HOME_NET any -> [197.160.20.211] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296615; rev:1;) alert tcp $HOME_NET any -> [89.43.108.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296613; rev:1;) alert tcp $HOME_NET any -> [203.198.96.239] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296614; rev:1;) alert tcp $HOME_NET any -> [72.179.242.236] 0 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296610; rev:1;) alert tcp $HOME_NET any -> [150.143.128.70] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296611; rev:1;) alert tcp $HOME_NET any -> [65.116.179.83] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296612/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296612; rev:1;)
# QakBot C2 endpoints (ip:port indicators, confidence_level 100).
# These rules carry no flow or payload keywords: each one fires on any TCP
# packet from $HOME_NET to the listed address and port, and the threshold caps
# output at one alert per source address per 60 seconds. An alert therefore
# shows that a host tried to reach the endpoint, not that a C2 session was
# established; pair it with flow or endpoint data before escalating.
# target:src_ip marks the internal (source) host as the affected side.
# IP indicators age as addresses are reassigned; compare first_seen with the
# date of the alert when triaging.
alert tcp $HOME_NET any -> [65.131.44.40] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296609; rev:1;)
alert tcp $HOME_NET any -> [188.173.214.88] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296607; rev:1;)
alert tcp $HOME_NET any -> [86.125.210.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296608; rev:1;)
alert tcp $HOME_NET any -> [117.199.195.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296606; rev:1;)
alert tcp $HOME_NET any -> [75.71.77.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296604; rev:1;)
alert tcp $HOME_NET any -> [173.173.77.164] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296605; rev:1;)
alert tcp $HOME_NET any -> [94.176.220.76] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296602; rev:1;)
alert tcp $HOME_NET any -> [96.227.122.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296603; rev:1;)
alert tcp $HOME_NET any -> [216.110.249.252] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296601; rev:1;)
alert tcp $HOME_NET any -> [175.137.136.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296599; rev:1;)
alert tcp $HOME_NET any -> [73.232.165.200] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296600; rev:1;)
alert tcp $HOME_NET any -> [89.213.177.81]
6969 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296597; rev:1;)
# ip:port indicator: no flow or payload keywords, so any TCP packet from
# $HOME_NET to this address and port alerts (at most once per source address
# per 60 seconds).
alert tcp $HOME_NET any -> [67.0.74.119] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296598; rev:1;)
# Payload-delivery URLs and the matching domain lookup.
# URL rules: client-to-server GET on an established flow; the http.uri content
# is anchored at the start of the URI by depth but has no end anchor, so a
# longer path or an appended query string with the same prefix also matches,
# case-insensitively. http.host must equal the listed name exactly
# (depth + isdataat:!1,relative).
# These rules inspect traffic parsed as HTTP only; requests to the same host
# over TLS are not visible to them unless decrypted before the sensor. The dns
# rule below is the signal that still fires in that case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"sherwoodhomeshow.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296592; rev:1;)
# DNS rule: exact, case-insensitive match on the whole queried name; a query
# for a subdomain of the listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sherwoodhomeshow.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"sherwoodhomeshow.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"sherwoodhomeshow.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"dfwreds.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296596; rev:1;)
# QakBot C2 endpoints (ip:port indicators); same packet-level matching as the
# first rule in this group, so an alert shows a connection attempt only.
alert tcp $HOME_NET any -> [189.160.217.221] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296626; rev:1;)
alert tcp $HOME_NET any -> [72.45.14.185] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296627; rev:1;)
alert tcp $HOME_NET any -> [101.108.113.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296628; rev:1;)
alert tcp $HOME_NET any -> [98.13.0.128] 443
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296629; rev:1;)
# QakBot C2 endpoints (ip:port indicators). No flow or payload keywords: any
# TCP packet from $HOME_NET to the address and port alerts, limited to one
# alert per source address per 60 seconds. Treat a hit as a connection attempt
# to be confirmed with flow or endpoint data.
alert tcp $HOME_NET any -> [175.111.128.234] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296630; rev:1;)
alert tcp $HOME_NET any -> [216.137.140.236] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296631; rev:1;)
alert tcp $HOME_NET any -> [24.191.214.43] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296632; rev:1;)
alert tcp $HOME_NET any -> [72.177.157.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296633; rev:1;)
# C2 URL indicators (family not named in msg). Client-to-server GET on an
# established flow; http.uri is matched as a case-insensitive prefix (depth
# anchors the start, nothing anchors the end), http.host must equal the listed
# value exactly. Unlike the ip:port rules these have no threshold, so every
# matching request produces an alert.
# The first rule matches an IP literal in the Host header, so it fires only
# when the client addresses the server by that IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs02/index.php"; depth:21; nocase; http.host; content:"89.23.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervideojspollmultifloweruniversaldle.php"; depth:47; nocase; http.host; content:"hendai.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a2b7d14.php"; depth:13; nocase; http.host; content:"cf30785.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296590; rev:1;)
# confidence_level 75. The URI part is only the 4-byte prefix "/api", so the
# exact http.host match is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"respectabledpcs.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296589; rev:1;)
# confidence_level 80: URI prefix "/zdljmgyyztq3ywri/" on a listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdljmgyyztq3ywri/"; depth:18; nocase; http.host; content:"selamcanoonaber.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296583/; target:src_ip; metadata: confidence_level 80,
first_seen 2024_07_10; classtype:trojan-activity; sid:91296583; rev:1;)
# C2 URL indicators, confidence_level 80: the same URI prefix
# "/zdljmgyyztq3ywri/" is listed on several hosts in this group. http.uri is a
# case-insensitive prefix match (start anchored by depth, end not anchored);
# http.host must equal the listed name exactly. There is no threshold on these
# rules, so every matching request alerts. Only traffic parsed as HTTP is
# inspected; TLS to the same hosts is not seen unless decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdljmgyyztq3ywri/"; depth:18; nocase; http.host; content:"hava540derece.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdljmgyyztq3ywri/"; depth:18; nocase; http.host; content:"cehennemdirloo34.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296585/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296585; rev:1;)
# NjRAT ip:port indicator plus a domain indicator, both confidence_level 75.
# The tcp rule has no flow or payload keywords (any packet to the address and
# port alerts, one alert per source address per 60 seconds); the dns rule is an
# exact, case-insensitive match on the whole queried name.
# NOTE(review): the ply.gg name and this address look like a shared tunnelling
# service rather than dedicated hosting; confirm on the ThreatFox entry before
# treating a hit as confirmed C2. The tcp rule is pinned to port 32415, which
# limits matches on other traffic to the same address.
alert tcp $HOME_NET any -> [147.185.221.18] 32415 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296579/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"made-infant.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296580; rev:1;)
# Mirai ip:port indicator, confidence_level 75; packet-level match as above.
alert tcp $HOME_NET any -> [94.156.66.188] 81 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296581; rev:1;)
# Further hosts for the "/zdljmgyyztq3ywri/" URI prefix, confidence_level 80.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdljmgyyztq3ywri/"; depth:18; nocase; http.host; content:"sicaktanbayilcam52.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296586/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdljmgyyztq3ywri/"; depth:18; nocase; http.host; content:"otururkenterliyorum42.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296587/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdljmgyyztq3ywri/"; depth:18; nocase; http.host; content:"sicakdanbeynimyandii2.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296588/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296588; rev:1;)
# confidence_level 75. The URI part is only the 4-byte prefix "/api"; the exact
# http.host match carries the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"begghurldids.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296582; rev:1;)
alert tcp $HOME_NET any ->
[114.215.183.77] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296578; rev:1;)
# Cobalt Strike C2 endpoints (ip:port indicators, confidence_level 100).
# The rules match on destination address and port alone, with no flow or
# payload keywords, so they say nothing about what was exchanged: any TCP
# packet from $HOME_NET to the endpoint alerts, capped at one alert per source
# address per 60 seconds. Confirm a hit with flow duration/volume or endpoint
# telemetry before treating it as an active beacon.
# Several endpoints sit on ports 80 and 443; if the address is later reused by
# an unrelated service the rule keeps firing, so check first_seen against the
# alert date.
# 156.238.233.183 is listed twice, on ports 4444 and 9001, as separate sids.
alert tcp $HOME_NET any -> [23.95.47.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296577; rev:1;)
alert tcp $HOME_NET any -> [156.238.233.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296576; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296575; rev:1;)
alert tcp $HOME_NET any -> [95.169.21.241] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296574; rev:1;)
alert tcp $HOME_NET any -> [156.238.233.183] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296573; rev:1;)
alert tcp $HOME_NET any -> [121.196.246.141] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296572; rev:1;)
alert tcp $HOME_NET any -> [8.138.104.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296571; rev:1;)
alert tcp $HOME_NET any -> [110.41.46.45] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296570; rev:1;)
alert tcp $HOME_NET any -> [107.148.237.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296569; rev:1;)
alert tcp $HOME_NET any -> [110.41.69.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296568; rev:1;)
alert tcp $HOME_NET any -> [47.92.24.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296567; rev:1;)
alert tcp $HOME_NET any -> [47.113.200.137] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296566; rev:1;)
alert tcp $HOME_NET any -> [185.18.222.235] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296565; rev:1;)
alert tcp $HOME_NET any -> [8.137.93.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296564; rev:1;)
alert tcp $HOME_NET any -> [42.194.251.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296563; rev:1;)
alert tcp $HOME_NET any -> [45.90.220.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296562/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296562; rev:1;)
# Cobalt Strike C2 endpoints (ip:port indicators). No flow or payload
# keywords: any TCP packet from $HOME_NET to the address and port alerts, at
# most once per source address per 60 seconds. A hit is a connection attempt,
# not proof of an active beacon.
alert tcp $HOME_NET any -> [47.236.37.210] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296561; rev:1;)
alert tcp $HOME_NET any -> [8.142.93.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296560; rev:1;)
# Payload-delivery URLs. Client-to-server GET on an established flow; http.uri
# is a case-insensitive prefix match (depth anchors the start only), http.host
# must equal the listed name exactly. No threshold: every matching request
# alerts.
# NOTE(review): the /wp-includes/ path suggests a compromised WordPress site
# rather than attacker-owned hosting; if so, other traffic to that host can be
# legitimate and only the listed path is the indicator. Confirm on the
# ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/images/x3h6.php"; depth:28; nocase; http.host; content:"evolverangesolutions.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adcount.js"; depth:11; nocase; http.host; content:"edveha.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"edveha.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296484; rev:1;)
# NjRAT ip:port indicator, confidence_level 75; packet-level match with the
# same one-alert-per-source-per-60-seconds threshold.
alert tcp $HOME_NET any -> [147.185.221.21] 5008 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296489/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296489; rev:1;)
# One server, three indicators: the ip:port rule (family given as "Unknown
# malware") and two URL rules whose http.host is the same IP literal. The URL
# rules fire only when the client addresses the server by that IP in the Host
# header; "/api/heartbeat" and "/api/sysinfo" are prefix matches on the URI.
alert tcp $HOME_NET any -> [81.219.193.10] 21114 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/heartbeat"; depth:14; nocase; http.host; content:"81.219.193.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sysinfo"; depth:12; nocase; http.host; content:"81.219.193.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/api"; depth:4; nocase; http.host; content:"bittercoldzzdwu.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296493; rev:1;)
# Domain indicators. dns_query content with depth equal to the name length plus
# isdataat:!1,relative is an exact match on the whole queried name, made
# case-insensitive by nocase; a lookup of a subdomain does not match. A DNS hit
# shows that a host resolved the name, not that it connected afterwards.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bittercoldzzdwu.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296494; rev:1;)
# confidence_level 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"samsunglimited.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296557; rev:1;)
# Loki Password Stealer ip:port indicator, confidence_level 75. No flow or
# payload keywords: any TCP packet from $HOME_NET to this address on port 80
# alerts (one alert per source address per 60 seconds), including traffic to
# any other site served from the same address.
alert tcp $HOME_NET any -> [31.192.237.18] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296559; rev:1;)
# Payload-delivery URLs and the matching domain lookup for one host.
# URL rules: client-to-server GET on an established flow; http.uri is a
# case-insensitive prefix match (depth anchors the start only), http.host must
# equal the listed name exactly. Only traffic parsed as HTTP is inspected;
# requests over TLS are not seen unless decrypted upstream, which leaves the
# dns rule as the remaining signal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"eternosrelojeria.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eternosrelojeria.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"eternosrelojeria.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthsurveysolutions.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"eternosrelojeria.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296209; rev:1;)
# NjRAT ip:port indicator, confidence_level 75; packet-level match with the
# same threshold as the other ip:port rules.
alert tcp $HOME_NET any -> [18.197.239.109] 15358 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296451; rev:1;)
alert tcp $HOME_NET any -> [91.242.163.144] 443 (msg:"ThreatFox
Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296455/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_10; classtype:trojan-activity; sid:91296455; rev:1;)
# AsyncRAT ip:port indicator. No flow or payload keywords: any TCP packet from
# $HOME_NET to the address and port alerts, at most once per source address
# per 60 seconds.
alert tcp $HOME_NET any -> [185.241.208.181] 3030 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296558; rev:1;)
# URL indicators. Client-to-server GET on an established flow; http.uri is a
# case-insensitive prefix match (depth anchors the start only), http.host must
# equal the listed value exactly. No threshold: every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie4/five/fre.php"; depth:19; nocase; http.host; content:"samsunglimited.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_10; classtype:trojan-activity; sid:91296555; rev:1;)
# confidence_level 50, the lowest in this group: treat a hit as a lead to
# verify, not as a confirmed download. http.host is an IP literal, so the rule
# fires only when the client addresses the server by that IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"1.70.13.13"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_10; classtype:trojan-activity; sid:91296554; rev:1;)
# Stealc ip:port indicators, confidence_level 80. Each address appears twice,
# once on port 22 and once on port 80, as separate sids. The rules match on
# address and port alone, so any outbound SSH or HTTP packet to these hosts
# alerts (one alert per source address per 60 seconds per rule).
# NOTE(review): port 22 is normally SSH, which suggests these entries come from
# host fingerprinting rather than observed C2 sessions; confirm on the
# referenced ThreatFox entries before escalating a port-22 hit.
alert tcp $HOME_NET any -> [40.86.87.10] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296553/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296553; rev:1;)
alert tcp $HOME_NET any -> [40.86.87.10] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296552/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296552; rev:1;)
alert tcp $HOME_NET any -> [5.230.253.197] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296551/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296551; rev:1;)
alert tcp $HOME_NET any -> [5.230.253.197] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296550/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296550; rev:1;)
alert tcp $HOME_NET any -> [35.74.81.43] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296549/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296549; rev:1;)
alert tcp $HOME_NET any -> [35.74.81.43] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296548; rev:1;)
alert tcp $HOME_NET any -> [45.152.114.233] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296547;
rev:1;)
# Stealc ip:port indicators, confidence_level 80. Each address is listed on
# both port 22 and port 80 as separate sids. The rules carry no flow or payload
# keywords, so any TCP packet from $HOME_NET to the address and port alerts,
# capped at one alert per source address per 60 seconds per rule.
# NOTE(review): port 22 is normally SSH, which suggests these entries come from
# host fingerprinting rather than observed C2 sessions; confirm on the
# referenced ThreatFox entries before escalating a port-22 hit.
alert tcp $HOME_NET any -> [45.152.114.233] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296546; rev:1;)
alert tcp $HOME_NET any -> [194.116.214.29] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296545; rev:1;)
alert tcp $HOME_NET any -> [194.116.214.29] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296544; rev:1;)
alert tcp $HOME_NET any -> [89.110.74.220] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296543; rev:1;)
alert tcp $HOME_NET any -> [89.110.74.220] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296542; rev:1;)
alert tcp $HOME_NET any -> [146.70.86.49] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296541/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296541; rev:1;)
alert tcp $HOME_NET any -> [146.70.86.49] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296540/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296540; rev:1;)
alert tcp $HOME_NET any -> [89.169.54.23] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296539/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296539; rev:1;)
alert tcp $HOME_NET any -> [89.169.54.23] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296538/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296538; rev:1;)
alert tcp $HOME_NET any -> [146.70.86.139] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296537/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296537; rev:1;)
alert tcp $HOME_NET any -> [146.70.86.139] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296536/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296536; rev:1;)
alert tcp $HOME_NET any -> [91.214.78.137] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296535/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296535; rev:1;)
alert tcp $HOME_NET any -> [91.214.78.137] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296534; rev:1;)
alert tcp $HOME_NET any -> [193.176.153.226] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296533/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296533; rev:1;)
alert tcp $HOME_NET any -> [193.176.153.226] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296532; rev:1;)
# MooBot ip:port indicators, confidence_level 80; same packet-level matching
# and threshold as above, on high, non-standard ports.
alert tcp $HOME_NET any -> [185.208.158.128] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296531; rev:1;)
alert tcp $HOME_NET any -> [45.156.21.122] 8977 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296530; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.198] 47925 (msg:"ThreatFox MooBot
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296529; rev:1;) alert tcp $HOME_NET any -> [189.126.106.199] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296528; rev:1;) alert tcp $HOME_NET any -> [94.156.65.60] 33006 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296527/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296527; rev:1;) alert tcp $HOME_NET any -> [103.97.58.169] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296526/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296526; rev:1;) alert tcp $HOME_NET any -> [173.44.141.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296525; rev:1;) alert tcp $HOME_NET any -> [8.143.2.128] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; 
classtype:trojan-activity; sid:91296524; rev:1;) alert tcp $HOME_NET any -> [117.72.35.30] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296523; rev:1;) alert tcp $HOME_NET any -> [168.100.11.194] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296522/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296522; rev:1;) alert tcp $HOME_NET any -> [103.152.254.175] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296521/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296521; rev:1;) alert tcp $HOME_NET any -> [185.153.197.160] 83 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296520/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296520; rev:1;) alert tcp $HOME_NET any -> [172.93.218.178] 45667 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296519/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_10; classtype:trojan-activity; sid:91296519; rev:1;) alert tcp $HOME_NET any -> [23.94.245.114] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1296518/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296518; rev:1;) alert tcp $HOME_NET any -> [198.46.145.138] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296517/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296517; rev:1;) alert tcp $HOME_NET any -> [23.95.181.147] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296516/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296516; rev:1;) alert tcp $HOME_NET any -> [192.227.238.89] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296515/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296515; rev:1;) alert tcp $HOME_NET any -> [23.95.243.22] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296514/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296514; rev:1;) alert tcp $HOME_NET any -> [107.173.11.27] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296513/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296513; rev:1;) alert tcp $HOME_NET any -> [23.95.248.204] 
50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296512/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296512; rev:1;) alert tcp $HOME_NET any -> [192.227.244.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296511; rev:1;) alert tcp $HOME_NET any -> [192.227.244.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296510; rev:1;) alert tcp $HOME_NET any -> [23.95.243.26] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296509; rev:1;) alert tcp $HOME_NET any -> [198.46.145.135] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296508; rev:1;) alert tcp $HOME_NET any -> [192.227.245.182] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296507/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296507; rev:1;) alert tcp $HOME_NET any -> [192.210.194.43] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296506; rev:1;) alert tcp $HOME_NET any -> [23.95.190.187] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296505; rev:1;) alert tcp $HOME_NET any -> [107.173.11.30] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296504/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296504; rev:1;) alert tcp $HOME_NET any -> [23.95.181.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296503; rev:1;) alert tcp $HOME_NET any -> [23.94.245.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296502; rev:1;) alert tcp $HOME_NET any -> [23.95.190.179] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296501; rev:1;) alert tcp $HOME_NET any -> [45.8.146.32] 40040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296500; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 19764 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296499; rev:1;) alert tcp $HOME_NET any -> [38.47.122.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296498; rev:1;) alert tcp $HOME_NET any -> [154.92.14.41] 2998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296497; rev:1;) alert tcp $HOME_NET any -> [188.27.167.94] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; 
classtype:trojan-activity; sid:91296496; rev:1;) alert tcp $HOME_NET any -> [192.121.23.67] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_10; classtype:trojan-activity; sid:91296495; rev:1;) alert tcp $HOME_NET any -> [141.94.122.25] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296487/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296487; rev:1;) alert tcp $HOME_NET any -> [180.131.145.32] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296488/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296488; rev:1;) alert tcp $HOME_NET any -> [204.14.75.2] 16383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"198.44.174.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296481; rev:1;) alert tcp $HOME_NET any -> 
[198.44.174.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296482; rev:1;) alert tcp $HOME_NET any -> [43.138.0.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.0.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296479; rev:1;) alert tcp $HOME_NET any -> [178.188.188.213] 5500 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296478; rev:1;) alert tcp $HOME_NET any -> [185.83.148.30] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296477; rev:1;) alert tcp $HOME_NET any -> [45.83.31.241] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296476; rev:1;) alert tcp $HOME_NET any -> [46.246.6.21] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296475; rev:1;) alert tcp $HOME_NET any -> [193.26.115.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296474; rev:1;) alert tcp $HOME_NET any -> [93.127.186.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296473; rev:1;) alert tcp $HOME_NET any -> [39.40.230.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296472; rev:1;) alert tcp $HOME_NET any -> [39.40.138.21] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296471; rev:1;) alert tcp $HOME_NET any 
-> [75.161.204.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296470; rev:1;) alert tcp $HOME_NET any -> [86.190.166.243] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296469; rev:1;) alert tcp $HOME_NET any -> [176.44.123.218] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296468; rev:1;) alert tcp $HOME_NET any -> [119.82.123.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296467; rev:1;) alert tcp $HOME_NET any -> [3.249.18.15] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296466; rev:1;) alert tcp $HOME_NET any -> [27.32.139.82] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296465/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_07_09; classtype:trojan-activity; sid:91296465; rev:1;) alert tcp $HOME_NET any -> [185.142.184.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296464; rev:1;) alert tcp $HOME_NET any -> [51.195.138.219] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296463; rev:1;) alert tcp $HOME_NET any -> [51.195.138.219] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296462; rev:1;) alert tcp $HOME_NET any -> [52.136.201.239] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296461; rev:1;) alert tcp $HOME_NET any -> [170.64.131.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296460; rev:1;) alert tcp $HOME_NET any -> [8.222.235.145] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1296459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296459; rev:1;) alert tcp $HOME_NET any -> [94.156.66.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296458; rev:1;) alert tcp $HOME_NET any -> [103.136.43.10] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296457; rev:1;) alert tcp $HOME_NET any -> [149.224.90.120] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296456; rev:1;) alert tcp $HOME_NET any -> [35.84.184.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296454; rev:1;) alert tcp $HOME_NET any -> [206.166.251.107] 4443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.91.89.33"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/privateflower/flowergeneratoreternaltest/6uploadsphp/external2public4/1localflower/serverbaselocaleternal/flowerapiserver/temp/private6game/7update/imagepythonhttplowmultitraffic.php"; depth:183; nocase; http.host; content:"5.42.104.244"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296205; rev:1;) alert tcp $HOME_NET any -> [95.217.30.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296204/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296204; rev:1;) alert tcp $HOME_NET any -> [95.217.30.242] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296203/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296203; rev:1;) alert tcp $HOME_NET any -> [95.217.241.23] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296202/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_07_09; classtype:trojan-activity; sid:91296202; rev:1;) alert tcp $HOME_NET any -> [88.198.89.4] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296201/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296201; rev:1;) alert tcp $HOME_NET any -> [88.198.89.4] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296200/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296200; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296199/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296199; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296198/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296198; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296197/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296197; rev:1;) alert tcp $HOME_NET any -> [171.235.46.230] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1296196/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296196; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox IOC rules, first_seen 2024_07_09 (one rule per line).
#
# Three rule shapes appear below:
#   ip:port - "alert tcp" to one destination address and port. There is no
#             payload, flow or flags condition, so any TCP packet from
#             $HOME_NET to that endpoint qualifies; the threshold limits
#             output to one alert per source address per 60 seconds.
#   domain  - "alert dns" on the dns_query buffer. depth:<len> anchors the
#             pattern at offset 0 and isdataat:!1,relative requires that no
#             byte follows it, so the queried name must equal the pattern
#             (nocase); subdomains of the listed name do not match.
#   url     - "alert http" on client GET requests. http.host uses the same
#             depth + isdataat pair, so it is an exact match; http.uri has
#             depth only, so it is a prefix match on the request URI.
#
# Triage notes:
#   * An ip:port hit shows that a host contacted the endpoint, not that the
#     named family's protocol was observed. Weigh it with confidence_level
#     and confirm through the reference URL.
#   * NOTE(review): several ip:port indicators may sit on reassignable or
#     shared hosting; first_seen is the only age information carried here,
#     so confirm the IOC is still current before acting on an old hit.
#   * The url rules inspect parsed HTTP only. The same host reached over TLS
#     is not covered unless traffic is decrypted before the sensor; where the
#     feed also lists the name as a domain IOC, the dns rule still applies.
#   * Some URI prefixes are short ("/cm", "/ca", "/load"); the exact
#     http.host match is what makes those rules specific.
#   * http.host patterns are lowercase and carry no nocase; Suricata
#     normalises that buffer to lowercase.
#   * NOTE(review): dns_query is the legacy spelling of the dns.query sticky
#     buffer; it is kept here as delivered by the feed.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [171.232.6.89] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296195/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296195; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.89] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296194/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296194; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.89] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296193/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296193; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.89] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296192/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296192; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.89] 5002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296191/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296191; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.89] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296190/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296190; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.89] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296189/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296189; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 63331 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296188; rev:1;)
alert tcp $HOME_NET any -> [146.19.9.48] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296187/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296187; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.147] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296186; rev:1;)
alert tcp $HOME_NET any -> [80.253.246.53] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296185; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.148] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296184/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296184; rev:1;)
alert tcp $HOME_NET any -> [89.213.56.62] 3306 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296183; rev:1;)
alert tcp $HOME_NET any -> [5.206.224.154] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296182; rev:1;)
alert tcp $HOME_NET any -> [13.50.4.180] 7854 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296181; rev:1;)
alert tcp $HOME_NET any -> [194.55.186.187] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296180; rev:1;)
alert tcp $HOME_NET any -> [194.55.186.188] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296179; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.172] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296178/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296178; rev:1;)
alert tcp $HOME_NET any -> [104.238.23.4] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296177/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296177; rev:1;)
alert tcp $HOME_NET any -> [198.12.66.100] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_09; classtype:trojan-activity; sid:91296176; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 4041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296062; rev:1;)
# Full-name match: only this exact name under ply.gg is flagged, not the
# parent suffix or sibling names. The same holds for the cloudfront.net,
# workers.dev, cdn.dnsv1.com and tyk.io names further down.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unit-latinas.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296063; rev:1;)
# Payload-delivery indicators (msg says "payload delivery", not "botnet C2"):
# three URL prefixes on one host plus the host's domain rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"aestheticainteriors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aestheticainteriors.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"aestheticainteriors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"aestheticainteriors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296166; rev:1;)
alert tcp $HOME_NET any -> [18.177.76.42] 18505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296174; rev:1;)
alert tcp $HOME_NET any -> [144.126.149.221] 77 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"1.117.64.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296173; rev:1;)
alert tcp $HOME_NET any -> [45.11.59.87] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plpoh.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pbdbj.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdddk.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihpe.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.3.1.215"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"123.207.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296161; rev:1;)
alert tcp $HOME_NET any -> [45.155.120.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"heart-direct.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"143.198.83.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.77.226.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2n3frqp29q6z9.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296155; rev:1;)
alert tcp $HOME_NET any -> [44.223.138.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2n3frqp29q6z9.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296154; rev:1;)
alert tcp $HOME_NET any -> [54.161.191.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296153; rev:1;)
# Same match conditions as sid:91296100 below (two ThreatFox IOC ids for one
# host + URI); a single matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enrollmentinfo/"; depth:16; nocase; http.host; content:"www.e-enroll-benefits.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.242.30.202"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.60.253.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"114.55.57.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"35.198.215.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"gmail.google-api.workers.dev"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmail.google-api.workers.dev"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiki/doc"; depth:9; nocase; http.host; content:"36.138.173.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296145; rev:1;)
alert tcp $HOME_NET any -> [101.33.225.206] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"google-logs.top.cdn.dnsv1.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-logs.top.cdn.dnsv1.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.130.26.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296141; rev:1;)
alert tcp $HOME_NET any -> [124.70.31.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.70.31.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"185.196.8.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.146.159.3"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296137; rev:1;)
alert tcp $HOME_NET any -> [185.143.223.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"fortunate-homonym-gw.aws-euc1.cloud-ara.tyk.io"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fortunate-homonym-gw.aws-euc1.cloud-ara.tyk.io"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"121.40.196.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.131.247.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webindex/index.html"; depth:20; nocase; http.host; content:"134.175.229.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.54.30.122"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"185.150.26.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.238.234.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"39.100.132.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296127; rev:1;)
# The www. name and the bare name are listed as separate IOCs because each
# dns_query / http.host match is exact; neither rule covers the other form.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qianxinniubi.live"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.js"; depth:6; nocase; http.host; content:"www.qianxinniubi.live"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qianxinniubi.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.js"; depth:6; nocase; http.host; content:"qianxinniubi.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296123; rev:1;)
alert tcp $HOME_NET any -> [101.33.225.206] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbiso.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"zbiso.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.92.70.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296119; rev:1;)
alert tcp $HOME_NET any -> [111.230.82.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.230.82.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296117; rev:1;)
alert tcp $HOME_NET any -> [165.140.240.126] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296116; rev:1;)
# gov.vsj888.shop and vsj888.shop: separate exact-match host rules, same URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"gov.vsj888.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"vsj888.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"13.75.93.92"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"204.13.153.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.242.30.202"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"150.109.21.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"155.94.204.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"64.176.85.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.236.24.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296102; rev:1;)
alert tcp $HOME_NET any -> [54.161.191.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296101; rev:1;)
# Same match conditions as sid:91296152 above; expect paired alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enrollmentinfo/"; depth:16; nocase; http.host; content:"www.e-enroll-benefits.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296100; rev:1;)
alert tcp $HOME_NET any -> [156.227.234.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"lanhu999.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lanhu999.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"142.171.177.156"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296096/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_09; classtype:trojan-activity; sid:91296096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"38.60.252.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.183.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"121.43.174.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296093; rev:1;) alert tcp $HOME_NET any -> [124.222.15.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"221.227.232.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"20.239.165.111"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1296087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"204.13.153.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296086; rev:1;) alert tcp $HOME_NET any -> [195.201.89.97] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296084; rev:1;) alert tcp $HOME_NET any -> [5.75.221.27] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296085; rev:1;) alert tcp $HOME_NET any -> [37.27.186.135] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296080; rev:1;) alert tcp $HOME_NET any -> [95.217.241.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296081; rev:1;) 
# ThreatFox IOC rules with first_seen 2024_07_09; every rule sets target:src_ip, i.e. the
# $HOME_NET source is recorded as the affected side of the alert.
#
# ip:port rules (alert tcp): no flow or payload keywords, so any TCP packet from $HOME_NET
# to the listed address and port matches; the threshold keeps it to one alert per source
# per 60 seconds.
#
# URL rules (alert http): match on method GET. The http.uri pattern is pinned to offset 0
# by depth == pattern length but has no end anchor, so it is a case-insensitive prefix
# match. The http.host pattern is followed by isdataat:!1,relative, so it must be the
# whole http.host buffer. These rules depend on the HTTP parser and therefore do not
# inspect requests carried inside TLS.
#
# Domain rules (alert dns): dns_query pattern with depth == pattern length plus
# isdataat:!1,relative, so only the exact query name matches (case-insensitive); lookups
# of subdomains are not covered by the rule.
alert tcp $HOME_NET any -> [95.217.241.23] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296082; rev:1;)
alert tcp $HOME_NET any -> [5.75.215.90] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296083; rev:1;)
# http.uri content "/" with depth:1 is satisfied by any URI that begins with "/", so this
# rule and the other "/" rules below act as Host-only matches on cleartext GET requests.
# The IP-literal hosts used by these "/" rules also appear in the Vidar ip:port rules,
# although the URL rules themselves do not name a family in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296075; rev:1;)
alert tcp $HOME_NET any -> [88.198.239.243] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296076; rev:1;)
alert tcp $HOME_NET any -> [95.217.27.167] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296077; rev:1;)
alert tcp $HOME_NET any -> [195.201.89.97] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296078; rev:1;)
alert tcp $HOME_NET any -> [78.46.201.42] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.89.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.186.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.201.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296069; rev:1;)
# Same match conditions as sid 91296074 (GET, URI "/", host 195.201.89.97): one request
# raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.89.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.239.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296066; rev:1;)
# The next two rules use shared public platforms as http.host; only the URI prefix is
# specific to the indicator, so the host on its own is not a signal.
# NOTE(review): both sites are normally served over HTTPS, so these cleartext-HTTP rules
# may rarely fire - confirm coverage with TLS inspection or proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puffclou"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199735694209"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296064; rev:1;)
# crowdstrikebit.com name servers: the two dns rules match only the exact names ns1 and
# ns2. The ip:port rule for 45.77.9.186 port 53 is alert tcp, so DNS sent over UDP to
# that address is not covered by it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.crowdstrikebit.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296060; rev:1;)
alert tcp $HOME_NET any -> [45.77.9.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.crowdstrikebit.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpwppublic.php"; depth:16; nocase; http.host; content:"082650cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"45.9.74.13"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296040; rev:1;)
alert tcp $HOME_NET any -> [45.9.74.13] 80 (msg:"ThreatFox StrelaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296042; rev:1;)
# NOTE(review): confidence_level 75 on a bare address and port 80. 104.21.22.240 looks
# like shared CDN address space that fronts many unrelated sites - confirm before
# treating a hit on this rule as C2.
alert tcp $HOME_NET any -> [104.21.22.240] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gitak.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.230.72.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"tl-group.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296056; rev:1;)
# Payload-delivery URL published at confidence_level 50, the lowest value among the
# rules shown here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"85.185.12.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.133.238.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"81.70.190.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.37.156.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"testgk.oss-cn-beijing.aliyuncs.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo"; depth:3; nocase; http.host; content:"upshare.wimscp.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"openshift.echase.cn.cdn.dnsv1.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"openshift.echase.cn.cdn.dnsv1.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.76.67.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie2/five/fre.php"; depth:19; nocase; http.host; content:"gitak.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296041; rev:1;)
alert tcp $HOME_NET any -> [147.45.184.183] 4158 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bflow-musico.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stationacutwo.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1296038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296038; rev:1;)
alert tcp $HOME_NET any -> [38.170.239.50] 6192 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stationacutwo.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91296035; rev:1;)
alert tcp $HOME_NET any -> [147.124.212.130] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/61226985438917786"; depth:28; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296033; rev:1;)
alert tcp $HOME_NET any -> [177.255.84.124] 7040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296032; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 59813 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"invisibledovereats.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"politics-installing.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295794/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295794; rev:1;)
# busbookingjbg.com payload-delivery set. sid 91295817 (URI "/", depth:1) matches every
# cleartext GET to this host, so it fires together with the path-specific rules.
# sids 91295797 and 91295819 have identical match conditions (/cdn-vs/cache.php), as do
# 91295798 and 91295820 (/cdn-vs/33per.php); expect duplicate alerts unless one rule of
# each pair is suppressed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"busbookingjbg.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-bs/original.js"; depth:19; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295819; rev:1;)
alert tcp $HOME_NET any -> [45.9.74.13] 8888 (msg:"ThreatFox StrelaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"busbookingjbg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"osgnhr9zv.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.firewallsupportservers.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/submit"; depth:7; nocase; http.host; content:"188.116.22.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295926/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295926; rev:1;)
# ip:port rules in this run carry no flow: or payload condition: any TCP packet from $HOME_NET to the
# listed address and port matches, and the threshold caps output at one alert per source per 60 seconds.
# NOTE(review): sid 91295824 and sid 91295945 use the same port (16943) on two addresses; that can indicate a
# shared relay or tunnelling endpoint rather than dedicated hosts. Confirm ownership before turning these into blocks.
alert tcp $HOME_NET any -> [18.157.68.73] 16943 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295824; rev:1;)
# dns_query rules are exact matches (depth equals the content length, then isdataat:!1,relative).
# This rule covers only the apex name; support.firewallsupportservers.com has its own rule (sid 91295924)
# and any other subdomain is not matched by either.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firewallsupportservers.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295925; rev:1;)
# http.host is an IP literal in the next two rules: they match the Host header value, not the destination
# address (the header is "$EXTERNAL_NET any"). A request that reaches the same server under a different Host value is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roboform.dll"; depth:13; nocase; http.host; content:"185.173.93.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowswatcher.key"; depth:19; nocase; http.host; content:"185.173.93.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295928; rev:1;)
# Port 443 with confidence_level 75 and no payload condition: treat a hit as a lead and corroborate it
# (TLS metadata, DNS history, endpoint telemetry) before acting on the source host.
alert tcp $HOME_NET any -> [197.83.246.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295929; rev:1;)
alert tcp $HOME_NET any -> [88.232.103.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295930; rev:1;)
# cloud.edgerapidcdn.com and the apex edgerapidcdn.com (sid 91295950 below) are separate exact-match rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.edgerapidcdn.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295951; rev:1;)
# No apex rule for globalultracdn.com appears among the rules shown here; only this exact subdomain is matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure.globalultracdn.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295952; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 16943 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edgerapidcdn.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295950; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ced268c0bcc9de5f.php"; depth:21; nocase; http.host; content:"bigdogfoundation.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295954; rev:1;)
# Exact-match lookup for the same host as the url rule sid 91295954; a DNS hit shows resolution only, the url rule shows the request.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigdogfoundation.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295955; rev:1;)
# sid 91295957 and sid 91295958 overlap on 176.123.5.92:
# - the url rule needs GET, the URI prefix /ced268c0bcc9de5f.php and a Host header equal to the IP literal;
# - the ip:port rule needs only a TCP packet to 176.123.5.92 port 80 (no flow: or payload condition).
# A matching request sent to port 80 raises both; the ip:port alert is limited to one per source per 60 seconds.
# Only the ip:port msg names a family (Stealc); the url and domain msgs in this group do not, so correlate on the address and URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ced268c0bcc9de5f.php"; depth:21; nocase; http.host; content:"176.123.5.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295957; rev:1;)
alert tcp $HOME_NET any -> [176.123.5.92] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295958; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.21] 3238 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295962; rev:1;)
# Exact match on the full hostname (depth equals the content length, then isdataat:!1,relative),
# so other names under the same parent domain do not trigger this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3654.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295964; rev:1;)
# The domain IOC for kinltd.top is confidence_level 75, while the url IOC for the same host
# (sid 91295965, /evie1/five/fre.php) is confidence_level 100; rank the two alerts accordingly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kinltd.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295967/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295967; rev:1;)
# Address-and-port matches only; first_seen is 2024_07_09, so check whether the address still belongs to the
# reported infrastructure before treating a hit as confirmed.
alert tcp $HOME_NET any -> [37.221.65.48] 4466 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295969/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295969; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.121] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295974/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wrld-proxy.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295975/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295975; rev:1;)
alert tcp $HOME_NET any -> [104.243.242.168] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60,
count 1; reference:url, threatfox.abuse.ch/ioc/1295978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/css/539.php"; depth:24; nocase; http.host; content:"bretagne-balades.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295981; rev:1;) alert tcp $HOME_NET any -> [45.11.59.217] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2a5cb35a.php"; depth:13; nocase; http.host; content:"cl71096.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296031; rev:1;) alert tcp $HOME_NET any -> [47.242.30.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296030; rev:1;) alert tcp $HOME_NET any -> [8.138.128.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296029; rev:1;) alert tcp $HOME_NET any -> [120.53.240.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296027; rev:1;) alert tcp $HOME_NET any -> [185.234.72.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296028; rev:1;) alert tcp $HOME_NET any -> [124.70.196.94] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296025; rev:1;) alert tcp $HOME_NET any -> [175.178.33.154] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296026; rev:1;) alert tcp $HOME_NET any -> [175.41.154.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296024; rev:1;) alert tcp $HOME_NET any 
-> [8.137.115.105] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296023; rev:1;) alert tcp $HOME_NET any -> [138.68.81.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296022; rev:1;) alert tcp $HOME_NET any -> [47.116.0.157] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296021; rev:1;) alert tcp $HOME_NET any -> [42.51.28.252] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296020; rev:1;) alert tcp $HOME_NET any -> [8.130.131.150] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296019; rev:1;) alert tcp $HOME_NET any -> [101.42.52.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296018/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296018; rev:1;) alert tcp $HOME_NET any -> [148.66.62.234] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296017; rev:1;) alert tcp $HOME_NET any -> [103.146.179.101] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296016; rev:1;) alert tcp $HOME_NET any -> [82.157.179.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296014; rev:1;) alert tcp $HOME_NET any -> [47.92.95.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296015; rev:1;) alert tcp $HOME_NET any -> [8.140.198.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296013; rev:1;) alert tcp $HOME_NET any -> [62.234.31.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296012; rev:1;) alert tcp $HOME_NET any -> [47.242.30.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296011; rev:1;) alert tcp $HOME_NET any -> [111.229.156.4] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296010; rev:1;) alert tcp $HOME_NET any -> [192.3.95.204] 8787 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e2d7d29621e1052a.php"; depth:21; nocase; http.host; content:"91.92.240.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1296008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91296008; rev:1;) alert tcp $HOME_NET any -> [93.198.179.203] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1296007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296007; rev:1;) alert tcp $HOME_NET any -> [213.149.181.121] 469 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296006; rev:1;) alert tcp $HOME_NET any -> [109.195.124.16] 3321 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296005; rev:1;) alert tcp $HOME_NET any -> [190.210.247.1] 5909 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296004; rev:1;) alert tcp $HOME_NET any -> [20.105.139.205] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296003; rev:1;) alert tcp $HOME_NET any -> [213.195.119.190] 6001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296002; rev:1;) alert tcp $HOME_NET 
any -> [46.246.6.20] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296001; rev:1;) alert tcp $HOME_NET any -> [64.23.254.15] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1296000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91296000; rev:1;) alert tcp $HOME_NET any -> [64.176.56.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295999; rev:1;) alert tcp $HOME_NET any -> [77.105.146.121] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295998; rev:1;) alert tcp $HOME_NET any -> [119.29.238.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295997; rev:1;) alert tcp $HOME_NET any -> [103.146.179.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295996/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295996; rev:1;) alert tcp $HOME_NET any -> [38.47.107.61] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295995; rev:1;) alert tcp $HOME_NET any -> [148.135.90.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295994; rev:1;) alert tcp $HOME_NET any -> [143.92.60.22] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295993; rev:1;) alert tcp $HOME_NET any -> [143.92.60.20] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295992; rev:1;) alert tcp $HOME_NET any -> [69.207.218.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295991; rev:1;) alert tcp $HOME_NET any -> [67.219.98.156] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295989; rev:1;)
# Every ip:port rule in this run is confidence_level 50 and matches on destination address and port alone:
# there is no flow: or payload condition, so a single TCP packet from $HOME_NET is enough to alert, and the
# threshold limits output to one alert per source per 60 seconds. Several use port 443 or 8443.
# The framework named in msg (Deimos, Brute Ratel C4, Sliver) comes from the feed, not from anything the rule inspects.
# Treat hits as leads: corroborate with TLS metadata, DNS history or endpoint telemetry, and consider routing
# confidence_level 50 rules to a lower-priority queue than the confidence_level 100 rules.
alert tcp $HOME_NET any -> [77.68.29.89] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295988; rev:1;)
alert tcp $HOME_NET any -> [117.53.43.106] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295987; rev:1;)
alert tcp $HOME_NET any -> [195.2.71.30] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295986; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.107] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295985; rev:1;)
alert tcp $HOME_NET any -> [148.135.35.239] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295984; rev:1;)
# Same address on two ports (31337 and 9200): each port is its own IOC and its own threshold counter,
# so one source can raise both alerts within the same 60 seconds.
alert tcp $HOME_NET any -> [163.69.90.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295983; rev:1;)
alert tcp $HOME_NET any -> [163.69.90.233] 9200 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295982; rev:1;)
# url rules: http.uri is a case-insensitive prefix match (depth plus nocase, no isdataat); http.host must equal
# the given value exactly. Here the host is an IP literal, so the rule keys on the Host header, not on the destination address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.194.171.209"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_09; classtype:trojan-activity; sid:91295980; rev:1;)
# hpr-rtlernt.com has a url rule and a dns rule; a lookup alone raises only the dns alert, a GET under /buy/ raises the url alert as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buy/"; depth:5; nocase; http.host; content:"hpr-rtlernt.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpr-rtlernt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295977; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a40a3f7a.php"; depth:13; nocase; http.host; content:"co30059.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295976; rev:1;)
# ip:port rule: address and port only, no flow: or payload condition; limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [206.238.199.35] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295973; rev:1;)
# url rules below: http.uri is a case-insensitive prefix match (depth plus nocase, no isdataat), so short values such as
# "/ca" or "/nf6s" also match longer URIs that merely begin with them; the exact http.host match carries the precision.
# The hosts here are IP literals, so the rules key on the Host header value rather than on the destination address.
# NOTE(review): whether a Host header that carries an explicit ":port" still equals the bare address depends on how
# http.host is normalised; confirm on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/pages"; depth:16; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295972/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295972; rev:1;)
# 47.108.134.185 appears twice: this url rule (confidence_level 75, any destination port) and the ip:port rule
# sid 91295970 for port 6666 (confidence_level 100, labelled Cobalt Strike in msg). Correlate the two on the address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nf6s"; depth:5; nocase; http.host; content:"47.108.134.185"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295971/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295971; rev:1;)
alert tcp $HOME_NET any -> [47.108.134.185] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295970; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 60349 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295968/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_09; classtype:trojan-activity; sid:91295968; rev:1;)
# kinltd.top also has a dns rule (sid 91295967) at confidence_level 75; this url rule is confidence_level 100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"kinltd.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295965; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.133] 3654 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.198.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_09; classtype:trojan-activity; sid:91295961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"1.117.60.10"; depth:11; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1295960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mint-stealer.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295959; rev:1;) alert tcp $HOME_NET any -> [163.5.64.209] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c927f440.php"; depth:13; nocase; http.host; content:"a1003574.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295953; rev:1;) alert tcp $HOME_NET any -> [37.27.186.67] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295949; rev:1;) alert tcp $HOME_NET any -> [103.144.139.182] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295947/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295947; rev:1;) alert tcp $HOME_NET any -> [103.144.139.174] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295948; rev:1;) alert tcp $HOME_NET any -> [84.38.134.17] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295946; rev:1;) alert tcp $HOME_NET any -> [23.95.182.12] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295944; rev:1;) alert tcp $HOME_NET any -> [213.195.119.190] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295943; rev:1;) alert tcp $HOME_NET any -> [213.195.119.190] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295942; rev:1;) alert tcp $HOME_NET any -> [172.245.20.196] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295941; rev:1;) alert tcp $HOME_NET any -> [114.55.250.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295940; rev:1;) alert tcp $HOME_NET any -> [120.27.247.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295939; rev:1;) alert tcp $HOME_NET any -> [143.92.60.11] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295938; rev:1;) alert tcp $HOME_NET any -> [188.4.193.176] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295937; rev:1;) alert tcp $HOME_NET any -> [39.40.164.166] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295936; rev:1;) 
# Reviewer notes for the ip:port rules that follow (Havoc, Unknown malware, Sliver; all confidence_level 50):
# - Each rule matches on destination address and port only. There is no flow, content or app-layer keyword,
#   so an alert shows that a $HOME_NET host sent TCP traffic to that endpoint, not that a C2 session was
#   established or that the payload was malicious. Corroborate with flow/proxy/endpoint telemetry.
# - Endpoints on 80/443 may be shared or reassigned hosts; at confidence_level 50 treat a hit as a lead to
#   triage rather than a confirmed compromise.
# - "threshold: type limit, track by_src, seconds 60, count 1" emits at most one alert per source address
#   per 60 seconds for a given rule; the alert count therefore understates the number of connections.
# - "target:src_ip" records the $HOME_NET side as the alert target, i.e. the internal host to investigate.
# - The sid is the ThreatFox IOC id from the reference URL prefixed with 9 (sid:91295935 <-> ioc/1295935),
#   which gives a direct pivot from an alert back to the IOC record.
# - metadata carries confidence_level and first_seen; NOTE(review): IP-based indicators go stale, so rule
#   management should presumably filter or expire on these fields - confirm against local retention policy.
alert tcp $HOME_NET any -> [52.237.200.231] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295935; rev:1;) alert tcp $HOME_NET any -> [210.2.169.247] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295934; rev:1;) alert tcp $HOME_NET any -> [43.156.57.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295933; rev:1;) alert tcp $HOME_NET any -> [107.174.121.75] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295932; rev:1;) alert tcp $HOME_NET any -> [206.119.167.171] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"cy70322.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295823; rev:1;) alert tcp $HOME_NET any -> [38.92.40.91] 11170 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295822; rev:1;) alert tcp $HOME_NET any -> [103.186.116.90] 70 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"192.210.194.42"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"124.232.162.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antdesign3.js"; depth:14; nocase; http.host; content:"111.230.5.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"42.193.17.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"185.196.8.93"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1295808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"114.55.100.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jiumi.eu.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"jiumi.eu.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295805; rev:1;) alert tcp $HOME_NET any -> [79.110.49.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bg"; depth:3; nocase; 
http.host; content:"upshare.wimscp.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upshare.wimscp.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.3.1.min.js"; depth:23; nocase; http.host; content:"45.148.120.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295799; rev:1;) alert tcp $HOME_NET any -> [45.148.120.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295800; rev:1;) alert tcp $HOME_NET any -> [185.216.214.217] 5858 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295792; rev:1;) alert tcp $HOME_NET any -> [91.92.240.13] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295787; rev:1;) alert tcp $HOME_NET any -> [185.216.214.217] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295788; rev:1;) alert tcp $HOME_NET any -> [77.91.77.81] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295789; rev:1;) alert tcp $HOME_NET any -> [8.208.15.65] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"82.156.188.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295786/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295786; rev:1;) alert tcp $HOME_NET any -> [94.228.166.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"94.228.166.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmphpupdatedefaultlocal.php"; depth:28; nocase; http.host; content:"483130cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.parkavenueplasticsurgeon.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.fysio-opdenkamp.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.iot-directory.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295777; rev:1;) alert tcp $HOME_NET any -> [103.186.24.200] 7727 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.43.198.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f1003430.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295780/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_08; classtype:trojan-activity; sid:91295780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"co44847.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295779; rev:1;) alert tcp $HOME_NET any -> [77.73.129.75] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295778; rev:1;) alert tcp $HOME_NET any -> [88.226.188.159] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jvjv2044duck33.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295710/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/archive.php"; depth:12; nocase; http.host; content:"www.tischtennis-friedrichshain.de"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295716/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.galterredelpo.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"v207.ru.is"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.finskaterapihundskolan.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295720; rev:1;) alert tcp $HOME_NET any -> [66.29.130.54] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ad4teg.com"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indialongvenomminister01connection.myddns.rocks"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295729; rev:1;) alert tcp $HOME_NET any -> [89.23.101.114] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295766; rev:1;) alert tcp $HOME_NET any -> [111.229.121.143] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295774; rev:1;) alert tcp $HOME_NET any -> [47.109.68.159] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295773; rev:1;) alert tcp $HOME_NET any -> [154.9.253.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295772/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_08; classtype:trojan-activity; sid:91295772; rev:1;) alert tcp $HOME_NET any -> [182.92.164.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295771; rev:1;) alert tcp $HOME_NET any -> [118.31.238.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295770; rev:1;) alert tcp $HOME_NET any -> [107.174.172.210] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295769; rev:1;) alert tcp $HOME_NET any -> [123.207.202.227] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295768; rev:1;) alert tcp $HOME_NET any -> [91.208.73.75] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295767; rev:1;) alert tcp $HOME_NET any -> [185.196.8.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295765; rev:1;) alert tcp $HOME_NET any -> [140.246.220.21] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295764; rev:1;) alert tcp $HOME_NET any -> [1.92.77.93] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295763; rev:1;) alert tcp $HOME_NET any -> [103.36.196.60] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"protonpin.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"protonsvin.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; 
classtype:trojan-activity; sid:91295754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"protonsvip.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vmvares.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vmvere.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vmveres.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webaxt.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"websext.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"websixt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295761; rev:1;) alert tcp $HOME_NET any -> [210.249.114.153] 80 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295752; rev:1;) alert tcp $HOME_NET any -> [101.108.135.200] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295751; rev:1;) alert tcp $HOME_NET any -> [92.186.214.11] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295750; rev:1;) alert tcp $HOME_NET any -> [93.232.108.46] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295749/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295749; rev:1;) alert tcp $HOME_NET any -> [45.83.31.19] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295748; rev:1;) alert tcp $HOME_NET any -> [45.83.31.19] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295747; rev:1;) alert tcp $HOME_NET any -> [45.88.186.168] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295746; rev:1;) alert tcp $HOME_NET any -> [45.88.186.168] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295745; rev:1;) alert tcp $HOME_NET any -> [79.110.49.135] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295744; rev:1;) alert tcp $HOME_NET any -> [192.227.190.133] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295743; rev:1;) alert tcp $HOME_NET any -> [207.32.219.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295742; rev:1;) alert tcp $HOME_NET any -> [213.195.119.190] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295741; rev:1;) alert tcp $HOME_NET any -> [123.14.96.138] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295740; rev:1;) alert tcp $HOME_NET any -> [196.206.85.8] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295739; rev:1;) alert tcp $HOME_NET any -> [2.49.174.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295738; rev:1;) alert tcp $HOME_NET any -> 
[45.129.13.135] 40000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295737; rev:1;) alert tcp $HOME_NET any -> [45.15.143.151] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295736; rev:1;) alert tcp $HOME_NET any -> [45.66.231.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295735; rev:1;) alert tcp $HOME_NET any -> [91.236.230.33] 6595 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295734; rev:1;) alert tcp $HOME_NET any -> [111.62.71.36] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295733; rev:1;) alert tcp $HOME_NET any -> [46.8.237.247] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295732/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295732; rev:1;)
# ip:port rule: there are no flow or content keywords, so it keys on destination IP and
# port alone. The threshold caps alerts at one per source address per 60 seconds.
# confidence_level 50: corroborate with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [160.238.36.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295731; rev:1;)
# URL rules: the http.uri pattern is anchored at the start only (depth equals the pattern
# length, no end-of-buffer check), so any URI that begins with the pattern matches,
# case-insensitively. The http.host pattern is anchored at both ends (depth plus
# isdataat:!1,relative), so only that exact host value matches.
# In sid 91295730 the host pattern is a literal IP address.
# NOTE(review): these rules inspect parsed HTTP requests only; presumably TLS traffic to
# the same endpoints needs separate coverage. Confirm what else in the ruleset handles it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.91.82.137"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_08; classtype:trojan-activity; sid:91295730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/piperequestsecurepacketlowbigloaddefaulttempuploadstemporary.php"; depth:65; nocase; http.host; content:"651186lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295728; rev:1;)
alert tcp $HOME_NET any -> [93.115.10.211] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_08; classtype:trojan-activity; sid:91295727; rev:1;)
alert tcp $HOME_NET any -> [78.159.112.21] 54980 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295726/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sx.adminer.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"sx.adminer.eu.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295722; rev:1;) alert tcp $HOME_NET any -> [51.81.126.51] 3888 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_08; classtype:trojan-activity; sid:91295721; rev:1;) alert tcp $HOME_NET any -> [80.251.213.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsx.adminer.eu.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295713/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_07; classtype:trojan-activity; sid:91295713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"lsx.adminer.eu.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295712; rev:1;) alert tcp $HOME_NET any -> [45.129.199.25] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295711/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295711; rev:1;) alert tcp $HOME_NET any -> [109.107.189.16] 18079 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295708; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 15003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.itechnetworkbd.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295500; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.tcvscpa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autoconfig.itechnetworkbd.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.itechnetworkbd.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.itechnetworkbd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.itechnetworkbd.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295503; rev:1;) alert tcp 
$HOME_NET any -> [122.51.216.39] 8443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295655; rev:1;)
alert tcp $HOME_NET any -> [38.58.177.229] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295656; rev:1;)
alert tcp $HOME_NET any -> [20.52.165.210] 39030 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/archive.php"; depth:12; nocase; http.host; content:"www.lamausolea.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295688; rev:1;)
# sid 91295686: the http.uri pattern is the single byte "/" at offset 0, which adds almost
# no selectivity. In practice this rule is a GET + exact-host match on micsoft.workers.dev.
# Triage hits as "any cleartext GET to this host", not as a match on a specific C2 path.
# NOTE(review): the host is presumably reached over HTTPS in most cases, where an http
# rule sees nothing without TLS inspection. Confirm whether this rule can fire in this deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"micsoft.workers.dev"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295686; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.eugica.vn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.osweb.jp"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295689; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 15003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"113.125.179.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"42.51.28.252"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1295704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295704; rev:1;) alert tcp $HOME_NET any -> [40.85.218.196] 59595 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295703; rev:1;) alert tcp $HOME_NET any -> [212.231.195.19] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295702; rev:1;) alert tcp $HOME_NET any -> [4.246.230.34] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295701; rev:1;) alert tcp $HOME_NET any -> [192.227.190.133] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295699; rev:1;) alert tcp $HOME_NET any -> [192.227.190.133] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295700; rev:1;) alert tcp $HOME_NET any -> [198.58.123.40] 6606 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295698; rev:1;) alert tcp $HOME_NET any -> [193.26.115.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295697; rev:1;) alert tcp $HOME_NET any -> [45.83.31.19] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295696; rev:1;) alert tcp $HOME_NET any -> [188.54.14.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295695; rev:1;) alert tcp $HOME_NET any -> [39.60.177.99] 50001 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295694; rev:1;) alert tcp $HOME_NET any -> [86.126.234.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; 
classtype:trojan-activity; sid:91295693; rev:1;) alert tcp $HOME_NET any -> [194.36.171.35] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295692; rev:1;) alert tcp $HOME_NET any -> [59.103.87.145] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295691; rev:1;) alert tcp $HOME_NET any -> [194.110.173.14] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anyone-blogging.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dpm-sael.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/file/gz93ykbl"; depth:14; nocase; http.host; content:"mega.nz"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295657; rev:1;)
# NOTE(review) on sid 91295657 (the rule ending on the line above): the host pattern is a
# shared public service, so the URI prefix is the only thing that makes the match specific.
# The pattern is stored in lower case and compared with nocase, so any case variant of the
# path identifier also matches. If the identifier is case-sensitive on the server, unrelated
# links could alert. TODO: confirm the original casing in the ThreatFox entry.
# Presumably this host is served over HTTPS; without TLS inspection an http rule will not
# see these requests. Confirm before relying on it.
# The next two rules use a literal IP address as the http.host pattern; only requests whose
# host value is exactly that address match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295497; rev:1;)
# ip:port rule on 443 with confidence_level 60: it matches on destination address and port
# only, at most one alert per source per 60 seconds. Corroborate before escalating.
alert tcp $HOME_NET any -> [5.149.249.162] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295496/; target:src_ip; metadata: confidence_level 60, first_seen 2024_07_07; classtype:trojan-activity; sid:91295496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2fca4d4264af2833.php"; depth:21; nocase; http.host; content:"9507c272a51ce8cefc8761591b2c50e6.fit"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295494/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9507c272a51ce8cefc8761591b2c50e6.fit"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295495; rev:1;) alert tcp $HOME_NET any -> [144.91.76.242] 44300 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295481; rev:1;) alert tcp $HOME_NET any -> [146.70.113.159] 50025 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295482/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295482; rev:1;) alert tcp $HOME_NET any -> [159.223.0.103] 42069 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295483/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295483; rev:1;) alert tcp $HOME_NET any -> [8.220.193.117] 7144 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295484; rev:1;) alert tcp $HOME_NET any -> [84.46.244.20] 1999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295485; rev:1;)
alert tcp $HOME_NET any -> [220.133.126.65] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295486; rev:1;)
# Domain rules: in the dns_query buffer the pattern is anchored at offset 0 (depth equals
# the pattern length) and at the end (isdataat:!1,relative), compared case-insensitively.
# Only a query for exactly the listed name alerts; a query for a subdomain of it does not.
# These entries carry confidence_level 50, and the rules have no threshold keyword, so
# every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"infodigitalbusiness.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"itconsultoriayseguridad.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"anchondrica.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295489; rev:1;)
# NOTE(review): the name in the next rule reads like a placeholder or test domain.
# Verify it against the referenced ThreatFox entry before treating hits as C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mybadsite.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295490/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"strykercp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seetoo.ossadmin.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"senesolde.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295493; rev:1;)
# NOTE(review): sid 91295480 matches an http.host of 192.168.188.134, an RFC 1918 private
# address. Where HOME_NET covers 192.168.0.0/16 and EXTERNAL_NET is its complement, a request
# to that address is not HOME_NET -> EXTERNAL_NET, so the rule is unlikely to ever fire.
# Presumably a lab or sandbox address was submitted as the IOC. Verify against the ThreatFox
# entry. If it is noise, disable the sid through the rule manager's local disable list and
# do not edit this generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6dqr"; depth:5; nocase; http.host; content:"192.168.188.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295480; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.42] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; 
classtype:trojan-activity; sid:91295479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.suviki.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singaporebooking.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ww12.chainlistr.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"correos.pa-ock.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expressvpnservices.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; 
sid:91295473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cingapore.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singaporeentertainment.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nightcrows.com.nightciows.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ticket-singapore.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"com.nightciows.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"singaporedui.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295472; rev:1;)
# URL indicator. Three conditions must hold on an established client-to-server
# flow: the method buffer contains "GET", the URI starts with the listed path
# (depth equals the path length; nothing constrains what follows, so query
# strings and longer paths also match), and http.host equals the listed value
# exactly (depth plus isdataat:!1,relative). There is no threshold, so every
# matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs03/index.php"; depth:21; nocase; http.host; content:"89.23.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295466; rev:1;)
# Domain indicator: exact-name match only; subdomains of the name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.chainlirst.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295467; rev:1;)
# NOTE(review): the next two rules (ThreatFox ioc 1295464 and 1295465) have
# identical match conditions and differ only in their reference and sid, so one
# matching request raises two alerts. Their URI condition is content:"/" with
# depth:1, which any URI beginning with "/" satisfies; in practice both rules
# reduce to "GET request whose Host is tl-group.org". Deduplicate on the
# destination host during triage rather than counting the alerts separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tl-group.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tl-group.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; 
classtype:trojan-activity; sid:91295465; rev:1;)
# Domain indicator: depth equals the content length and isdataat:!1,relative
# forbids trailing data, so only a query for exactly "tl-group.org" matches;
# a query for a subdomain of it does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tl-group.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295463; rev:1;)
# URL indicators. Each rule needs a GET on an established client-to-server flow,
# a URI that starts with the listed path (prefix match: depth equals the path
# length and nothing anchors the end), and an http.host equal to the listed
# address. The same path is listed once per host. No threshold is set, so a
# client that repeats the request produces one alert per request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs01/index.php"; depth:21; nocase; http.host; content:"89.23.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs01/index.php"; depth:21; nocase; http.host; content:"94.232.249.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295459; rev:1;)
# Domain indicator tagged "payload delivery" in msg; exact-name match only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daslkjfhi2.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295461; rev:1;)
# NOTE(review): the ip:port rule below targets 94.232.249.157 on port 80, the
# same address used as http.host in the URL rule above (sid 91295459). An HTTP
# request to that host on port 80 that matches the URL rule would presumably
# also match this one, giving a confidence-50 alert and a confidence-100 alert
# for one connection. This rule has no flow or payload condition and is limited
# to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.232.249.157] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295460/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.hotelleportalou.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.montebello6.se"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.ripcoltd.co.uk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs03/index.php"; depth:21; nocase; http.host; content:"94.232.249.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295455; rev:1;) alert tcp $HOME_NET any -> [157.20.182.172] 4449 (msg:"ThreatFox Venom RAT 
payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295446; rev:1;)
# Venom RAT ip:port indicators, all at confidence_level 50. Each rule matches
# any TCP packet from $HOME_NET to the listed address and port; there is no
# flow, protocol or payload condition, so an alert records a connection attempt
# and nothing about its content. threshold: type limit, track by_src, count 1,
# seconds 60 caps each rule at one alert per source address per minute, which
# also means repeated contact within that window is not visible in the alerts.
# NOTE(review): first_seen is 2024_07_07 for every entry; address-based
# indicators lose value as hosts are reassigned, so check the linked ThreatFox
# entry and corroborate with flow or endpoint data before treating a hit as a
# confirmed infection.
alert tcp $HOME_NET any -> [13.50.4.180] 7854 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295447; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.148] 7777 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295448; rev:1;)
alert tcp $HOME_NET any -> [5.206.224.154] 4449 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295449; rev:1;)
alert tcp $HOME_NET any -> [222.239.35.173] 4449 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295450; rev:1;)
alert tcp $HOME_NET any -> [2.58.84.229] 80 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; 
classtype:trojan-activity; sid:91295451; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 63331 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295452; rev:1;) alert tcp $HOME_NET any -> [171.232.6.89] 4449 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295454; rev:1;) alert tcp $HOME_NET any -> [95.142.46.3] 7000 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295453; rev:1;) alert tcp $HOME_NET any -> [157.245.50.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295441; rev:1;) alert tcp $HOME_NET any -> [8.222.215.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295442; rev:1;) alert tcp $HOME_NET any -> [209.97.165.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295443; rev:1;) alert tcp $HOME_NET any -> [176.221.16.167] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295444; rev:1;) alert tcp $HOME_NET any -> [13.229.219.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295445; rev:1;) alert tcp $HOME_NET any -> [157.20.182.172] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295316; rev:1;) alert tcp $HOME_NET any -> [91.92.255.91] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295317; rev:1;) alert tcp $HOME_NET any -> [47.76.105.152] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295314; rev:1;) alert tcp $HOME_NET any -> [51.89.253.9] 
7878 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295315; rev:1;) alert tcp $HOME_NET any -> [47.243.233.199] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295312; rev:1;) alert tcp $HOME_NET any -> [8.218.235.124] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295313; rev:1;) alert tcp $HOME_NET any -> [8.218.129.126] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295311; rev:1;) alert tcp $HOME_NET any -> [103.244.226.241] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295309; rev:1;) alert tcp $HOME_NET any -> [47.243.187.196] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295310/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_07; classtype:trojan-activity; sid:91295310; rev:1;) alert tcp $HOME_NET any -> [192.197.113.223] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295308; rev:1;) alert tcp $HOME_NET any -> [47.242.122.228] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295306; rev:1;) alert tcp $HOME_NET any -> [185.121.169.214] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295307; rev:1;) alert tcp $HOME_NET any -> [103.244.226.252] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295305; rev:1;) alert tcp $HOME_NET any -> [8.217.215.116] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295303; rev:1;) alert tcp $HOME_NET any -> [47.76.98.21] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295304; rev:1;) alert tcp $HOME_NET any -> [154.212.146.156] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295302; rev:1;) alert tcp $HOME_NET any -> [47.238.38.102] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295301; rev:1;) alert tcp $HOME_NET any -> [94.156.79.231] 2011 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295318; rev:1;) alert tcp $HOME_NET any -> [154.205.147.125] 60000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295319; rev:1;) alert tcp $HOME_NET any -> [156.251.137.156] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295320; rev:1;) alert tcp $HOME_NET any -> [47.238.143.105] 8443 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295321/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295321; rev:1;) alert tcp $HOME_NET any -> [165.154.224.19] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295322; rev:1;) alert tcp $HOME_NET any -> [117.18.12.93] 8880 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295323; rev:1;) alert tcp $HOME_NET any -> [39.99.206.34] 8880 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295324; rev:1;) alert tcp $HOME_NET any -> [20.205.58.253] 8880 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295325; rev:1;) alert tcp $HOME_NET any -> [107.149.163.118] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295326/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_07; classtype:trojan-activity; sid:91295326; rev:1;) alert tcp $HOME_NET any -> [106.54.204.119] 5050 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295327; rev:1;) alert tcp $HOME_NET any -> [101.43.47.165] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295328; rev:1;) alert tcp $HOME_NET any -> [123.60.58.162] 90 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295329; rev:1;) alert tcp $HOME_NET any -> [154.212.146.175] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295299; rev:1;) alert tcp $HOME_NET any -> [47.238.183.60] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295300; rev:1;) alert tcp $HOME_NET any -> [47.238.194.61] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1295297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295297; rev:1;) alert tcp $HOME_NET any -> [8.217.13.16] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295298; rev:1;) alert tcp $HOME_NET any -> [144.172.76.78] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295296; rev:1;) alert tcp $HOME_NET any -> [47.148.68.129] 8197 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295332; rev:1;) alert tcp $HOME_NET any -> [157.20.182.100] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295330; rev:1;) alert tcp $HOME_NET any -> [157.20.182.101] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295331; rev:1;) alert tcp $HOME_NET any -> [24.144.93.178] 443 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295339/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295339; rev:1;) alert tcp $HOME_NET any -> [43.138.184.91] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295340; rev:1;) alert tcp $HOME_NET any -> [34.142.201.103] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295341; rev:1;) alert tcp $HOME_NET any -> [104.248.28.235] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295342; rev:1;) alert tcp $HOME_NET any -> [68.221.169.30] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295343/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295343; rev:1;) alert tcp $HOME_NET any -> [193.3.19.136] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; 
sid:91295344; rev:1;) alert tcp $HOME_NET any -> [34.242.163.197] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295345; rev:1;) alert tcp $HOME_NET any -> [194.87.206.105] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295346; rev:1;) alert tcp $HOME_NET any -> [141.148.237.143] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295347; rev:1;) alert tcp $HOME_NET any -> [151.236.216.235] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295348; rev:1;) alert tcp $HOME_NET any -> [188.127.251.218] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295349; rev:1;) alert tcp $HOME_NET any -> [159.246.29.116] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1295350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295350; rev:1;) alert tcp $HOME_NET any -> [209.38.176.168] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295351; rev:1;) alert tcp $HOME_NET any -> [195.133.32.194] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295352; rev:1;) alert tcp $HOME_NET any -> [109.234.35.14] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295353; rev:1;) alert tcp $HOME_NET any -> [64.227.65.209] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295354; rev:1;) alert tcp $HOME_NET any -> [13.60.67.6] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295355; rev:1;) alert tcp $HOME_NET any -> [185.112.144.70] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295356; rev:1;)
# ip:port indicators labelled Quasar RAT and Borat RAT in msg.
# The confidence figure appears twice per rule: in msg for the analyst and as
# metadata confidence_level for tooling. Here the Borat RAT entry carries 100
# and the Quasar RAT entries 75, so the metadata value can drive per-rule
# severity or filtering downstream.
alert tcp $HOME_NET any -> [185.208.158.208] 5012 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295360; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.24] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295361; rev:1;)
alert tcp $HOME_NET any -> [154.221.25.6] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295359; rev:1;)
alert tcp $HOME_NET any -> [5.9.87.28] 8585 (msg:"ThreatFox Borat RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295357; rev:1;)
alert tcp $HOME_NET any -> [203.23.128.30] 5353 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; 
sid:91295362; rev:1;)
# Quasar RAT ip:port indicators on a mix of ports (4545, 2000, 8443, 443, 4044).
# The destination port is part of the match: traffic to the same address on a
# different port does not trigger the rule.
# Source port is "any" and the source is limited to $HOME_NET, so only
# outbound-initiated direction (internal -> listed address) is covered.
alert tcp $HOME_NET any -> [143.92.49.122] 4545 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295363; rev:1;)
alert tcp $HOME_NET any -> [191.82.218.149] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295364/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295364; rev:1;)
alert tcp $HOME_NET any -> [43.135.119.209] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295366/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295366; rev:1;)
alert tcp $HOME_NET any -> [185.234.72.39] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295365; rev:1;)
alert tcp $HOME_NET any -> [117.18.7.76] 4044 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295367/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295367; rev:1;)
alert tcp $HOME_NET any -> [121.62.23.208] 4999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1295368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295368; rev:1;)
# ip:port indicators: Quasar RAT (confidence 75), one "Unknown malware payload
# delivery" entry and Cobalt Strike entries (confidence 50).
# All share classtype trojan-activity regardless of confidence, so priority
# from classification alone does not separate the 50% entries from the rest;
# use metadata confidence_level for that.
alert tcp $HOME_NET any -> [91.92.249.238] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295369; rev:1;)
alert tcp $HOME_NET any -> [202.103.157.162] 4999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295370; rev:1;)
alert tcp $HOME_NET any -> [8.137.103.16] 8000 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295387; rev:1;)
alert tcp $HOME_NET any -> [39.198.215.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295393; rev:1;)
alert tcp $HOME_NET any -> [47.236.135.143] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295392; rev:1;)
alert tcp $HOME_NET any -> [58.185.25.6] 8090 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295394; rev:1;)
# Cobalt Strike and Sliver ip:port indicators, every one at confidence_level 50.
# The rules match on address and port only, so the family name in msg is the
# feed's attribution of the endpoint and is not verified against the traffic.
# NOTE(review): at this confidence, corroborate a hit with host or proxy
# telemetry before escalating.
alert tcp $HOME_NET any -> [64.176.85.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295396; rev:1;)
alert tcp $HOME_NET any -> [47.236.24.118] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295397; rev:1;)
alert tcp $HOME_NET any -> [47.245.97.19] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295398; rev:1;)
alert tcp $HOME_NET any -> [95.111.201.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295408; rev:1;)
alert tcp $HOME_NET any -> [94.237.78.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; 
classtype:trojan-activity; sid:91295409; rev:1;)
# Sliver ip:port indicators on 31337/tcp, confidence_level 50.
# One rule per address: neighbouring addresses in the same range are covered
# only if they have their own entry.
# Each rule has its own sid and its own by_src threshold, so one internal host
# contacting several of these addresses yields one alert per rule per 60
# seconds, not one alert in total.
alert tcp $HOME_NET any -> [95.111.192.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295410; rev:1;)
alert tcp $HOME_NET any -> [95.111.194.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295411; rev:1;)
alert tcp $HOME_NET any -> [95.111.201.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295412; rev:1;)
alert tcp $HOME_NET any -> [95.111.201.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295413; rev:1;)
alert tcp $HOME_NET any -> [94.237.78.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295414; rev:1;)
alert tcp $HOME_NET any -> [94.237.72.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1295415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295415; rev:1;)
# url and domain indicators for one host, helloehoes.com (payload delivery).
# url rules: client-to-server on an established flow, method contains "GET";
# the http.uri pattern has depth equal to its length, which pins it to the
# start of the URI but leaves the end open, so a longer URI with the same
# prefix also matches. http.host uses depth plus isdataat:!1,relative, i.e. the
# Host value must be exactly the listed name. http.host is Suricata's
# lowercased host buffer, which is why only the URI pattern carries nocase.
# These url rules have no threshold, so every matching request alerts.
# domain rule: dns_query must equal the name exactly (nocase); it still fires
# on the lookup when the HTTP request itself is not visible to the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"helloehoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"helloehoes.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"helloehoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"helloehoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295374; rev:1;)
alert tcp $HOME_NET any -> [3.67.62.142] 12761 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295375; rev:1;)
# NjRAT ip:port indicators (confidence 75) followed by payload-delivery url
# indicators (confidence 100).
# ip:port rules match destination address and port only and are rate-limited
# to one alert per source per 60 seconds.
# url rules match GET requests whose URI starts with the listed path and whose
# Host is exactly the listed name; they carry no threshold.
# NOTE(review): the url rules name whole websites by path; a hit identifies a
# request to that path, and whether the site is still serving the reported
# content has to be checked against the reference URL.
alert tcp $HOME_NET any -> [18.158.58.205] 12761 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295376/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295376; rev:1;)
alert tcp $HOME_NET any -> [3.67.112.102] 12761 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295377; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 32714 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_07; classtype:trojan-activity; sid:91295378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/archive.php"; depth:12; nocase; http.host; content:"zharov.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; 
content:"www.globeagency.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295383; rev:1;)
# Payload-delivery url indicators, then Sliver and Cobalt Strike ip:port
# indicators on 443/tcp.
# url rules: the Host match is exact, so "www.<name>" as listed does not cover
# the bare domain or other subdomains; the URI match is a prefix match
# (depth equals pattern length, no end anchor).
# The two ip:port rules differ in confidence (50 vs 100) but are otherwise the
# same shape: address + port, one alert per source per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.taiwandiginews.com.tw"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.dreaming.works"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295386; rev:1;)
alert tcp $HOME_NET any -> [95.111.194.172] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295416; rev:1;)
alert tcp $HOME_NET any -> [77.105.133.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"encrypt.astachk0809.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295293; rev:1;)
# domain indicators: dns_query content with depth equal to the name length plus
# isdataat:!1,relative requires the queried name to equal the pattern exactly
# (nocase). A parent domain and its subdomain therefore need separate rules, as
# with astachk0809.xyz here. The domain rules carry no threshold.
# eduardalinn.lol is covered twice: by name in DNS and as Host in a url rule
# whose URI must start with "/api/".
# The last rule in this run names a host under googleusercontent.com at
# confidence 50; it matches that one full name only, not the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"astachk0809.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eduardalinn.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295295; rev:1;)
alert tcp $HOME_NET any -> [203.161.43.195] 444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"eduardalinn.lol"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"136.169.29.34.bc.googleusercontent.com"; depth:38; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295286; rev:1;)
# Mixed run: payload-delivery url indicators, one STRRAT ip:port indicator and
# botnet C2 domain indicators.
# url rules: GET, URI starting with the listed path (one of them an .exe
# download path), Host exactly as listed; visible only where the sensor sees
# the HTTP request in clear.
# domain rules: exact, case-insensitive match on the queried name.
# Only the ip:port rule is rate-limited by threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pypi-update.exe"; depth:16; nocase; http.host; content:"love-odyssey.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.holzkontor.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295288; rev:1;)
alert tcp $HOME_NET any -> [129.205.113.180] 6060 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"paul.sportlearningcenters.info"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dollarman101.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295283; rev:1;)
# Cobalt Strike ip:port indicators at confidence_level 100 (ports 80, 8001, 443).
# Even at this confidence the rules test only destination address and port;
# they do not inspect HTTP or TLS content, so the alert is evidence of contact
# with the endpoint, to be confirmed from the host side.
# threshold limits each rule to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [23.224.144.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295440; rev:1;)
alert tcp $HOME_NET any -> [8.130.26.140] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295439; rev:1;)
alert tcp $HOME_NET any -> [209.38.41.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295438; rev:1;)
alert tcp $HOME_NET any -> [23.224.171.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295437; rev:1;)
alert tcp $HOME_NET any -> [13.75.93.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; 
classtype:trojan-activity; sid:91295436; rev:1;)
# Cobalt Strike ip:port indicators at confidence_level 100 on assorted ports
# (82, 443, 8123, 8866, 8080).
# Every rule is rev:1 with sid equal to 9 followed by the ThreatFox IOC id from
# the reference URL, which gives a direct path from an alert's sid to the
# indicator record.
alert tcp $HOME_NET any -> [121.40.173.67] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295435; rev:1;)
alert tcp $HOME_NET any -> [84.46.244.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295433; rev:1;)
alert tcp $HOME_NET any -> [206.206.123.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295434; rev:1;)
alert tcp $HOME_NET any -> [113.125.179.13] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295432; rev:1;)
alert tcp $HOME_NET any -> [89.116.128.246] 8866 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295431; rev:1;)
alert tcp $HOME_NET any -> [80.251.213.227] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295430; rev:1;)
# Cobalt Strike ip:port indicators at confidence_level 100, mostly on 80/tcp.
# On port 80 the traffic may well be cleartext HTTP, but these rules use the
# tcp protocol with no content match, so nothing about the request is checked
# or recorded by the rule itself; pair a hit with HTTP logs for the same flow.
alert tcp $HOME_NET any -> [8.137.93.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295429; rev:1;)
alert tcp $HOME_NET any -> [84.46.244.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295428; rev:1;)
alert tcp $HOME_NET any -> [47.121.133.136] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295427; rev:1;)
alert tcp $HOME_NET any -> [121.196.246.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295425; rev:1;)
alert tcp $HOME_NET any -> [120.26.208.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295426; rev:1;)
alert tcp 
$HOME_NET any -> [38.60.252.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295424; rev:1;)
# ip:port indicators for several families named in msg (AsyncRAT, Meduza
# Stealer, NjRAT, RedLine Stealer) and one botnet C2 url indicator.
# ip:port rules: destination address and port only, one alert per source per
# 60 seconds.
# url rule: GET whose URI starts with the listed path and whose Host equals the
# listed name; http.host is matched without nocase because that buffer is
# already lowercased by Suricata.
alert tcp $HOME_NET any -> [94.228.166.40] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295423; rev:1;)
alert tcp $HOME_NET any -> [38.22.104.179] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295422; rev:1;)
alert tcp $HOME_NET any -> [105.155.167.249] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaf2541f.php"; depth:13; nocase; http.host; content:"a1002185.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295419; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.78] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295418; rev:1;)
# One url indicator whose Host is an IP literal, then ip:port indicators
# labelled FAKEUPDATES, NetSupportManager RAT and AsyncRAT (confidence 50).
# In the url rule the http.host pattern is the address as text, matched
# exactly, so it applies to requests that put that address in the Host header.
# NOTE(review): whether a Host value carrying an explicit port still matches
# depends on how the engine fills http.host - confirm on the deployed version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9b53fb902ecbf12d.php"; depth:21; nocase; http.host; content:"139.99.67.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_07; classtype:trojan-activity; sid:91295417; rev:1;)
alert tcp $HOME_NET any -> [193.107.109.59] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295407; rev:1;)
alert tcp $HOME_NET any -> [140.82.12.6] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295406; rev:1;)
alert tcp $HOME_NET any -> [23.24.178.33] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295405; rev:1;)
alert tcp $HOME_NET any -> [23.26.108.141] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1295404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295404; rev:1;)
# ip:port indicators at confidence_level 50 across several labels (AsyncRAT,
# "Unknown malware", Meduza Stealer, DCRat, Havoc, BianLian).
# The label is the only thing that differs between these rules besides address
# and port; detection logic is identical, so a hit cannot by itself confirm
# which family, if any, is involved.
# NOTE(review): two entries are on 80/tcp, where a reassigned address hosting
# an ordinary website would produce the same alert.
alert tcp $HOME_NET any -> [46.246.80.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295403; rev:1;)
alert tcp $HOME_NET any -> [194.55.186.200] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295402; rev:1;)
alert tcp $HOME_NET any -> [79.137.207.237] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295401; rev:1;)
alert tcp $HOME_NET any -> [172.111.151.128] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295400; rev:1;)
alert tcp $HOME_NET any -> [94.102.49.161] 55001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295399; rev:1;)
alert tcp $HOME_NET any -> [96.9.225.128] 57870 (msg:"ThreatFox BianLian botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295391; rev:1;)
# ip:port indicators labelled BianLian and Deimos (confidence 50) and Cobalt
# Strike (confidence 100), followed by a Cobalt Strike-era url indicator.
# first_seen changes from 2024_07_07 to 2024_07_06 within this run; the field
# is the only age signal in the rule and is useful for expiring old entries.
# The url rule at the end uses an IP literal as the http.host pattern and a
# URI prefix match on a .js path.
alert tcp $HOME_NET any -> [67.217.60.68] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295390; rev:1;)
alert tcp $HOME_NET any -> [120.201.229.105] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295389; rev:1;)
alert tcp $HOME_NET any -> [163.181.90.73] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_07; classtype:trojan-activity; sid:91295388; rev:1;)
alert tcp $HOME_NET any -> [77.105.133.39] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antdesign3.js"; depth:14; nocase; http.host; content:"111.230.5.199"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1295379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295379; rev:1;)
# Mixed ip:port and URL entries first seen 2024_07_06.
# ip:port rules have no flow keyword: they alert on any TCP packet toward the
# listed address and port, limited to one alert per source per 60 seconds.
# URL rules match a cleartext GET whose URI starts with the given path and
# whose host value equals the given string exactly; they have no threshold.
alert tcp $HOME_NET any -> [111.230.5.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295380; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.66] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295358/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91295358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloaddle.php"; depth:15; nocase; http.host; content:"737397cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295338; rev:1;)
alert tcp $HOME_NET any -> [124.70.196.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295337; rev:1;)
# NOTE(review): sid:91295157 further down this file has the same match
# conditions as this rule (GET /api/getit on host 51ape.cc). Neither carries a
# threshold, so one request raises two alerts; count by host and URI, not by
# alert, when sizing an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"51ape.cc"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295336; rev:1;)
alert tcp $HOME_NET any -> [72.200.237.73] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295335; rev:1;)
alert tcp $HOME_NET any -> [194.213.18.182] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295334; rev:1;)
alert tcp $HOME_NET any -> [46.8.237.108] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295333; rev:1;)
alert tcp $HOME_NET any -> [147.45.41.14] 12428 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295282; rev:1;)
# msg labels this entry "payload delivery" rather than "botnet C2", but the
# classtype is still trojan-activity, so the msg text is the only field that
# separates the two kinds of hit in alert output.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.hastingsarchitecture.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295148/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_06; classtype:trojan-activity; sid:91295148; rev:1;)
# Domain rule. dns_query content with depth equal to its length plus
# isdataat:!1,relative matches the queried name exactly (case-insensitive via
# nocase); a query for a subdomain of this name does not match. There is no
# threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"civilizzzationo.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295149; rev:1;)
# "payload delivery" URL rules: a cleartext GET whose URI starts with a short
# generic path on a named web host. The host must match exactly; the path is a
# prefix match, so query strings and longer paths under it also alert.
# NOTE(review): nothing in these entries says whether the named hosts are
# attacker-owned or compromised sites; check the ThreatFox reference before
# blocking a whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/archive.php"; depth:12; nocase; http.host; content:"www.toscalindeboom.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.malfant-masson-genealogie.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.johann-wittmann.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295152; rev:1;)
# ip:port rules: no flow keyword, so they alert on any TCP packet toward the
# listed address and port, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [173.195.100.68] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295173; rev:1;)
# 94.232.249.204 appears on several ports below (8808, 7707, 6660, 6606) under
# separate sids and at confidence 75 and 100. Alerts from one internal host
# across these sids point at the same remote address.
alert tcp $HOME_NET any -> [94.232.249.204] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91295172; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.204] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91295171; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.204] 6660 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295170/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91295170; rev:1;)
alert tcp $HOME_NET any -> [162.252.175.117] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295169; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.204] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295168; rev:1;)
alert tcp $HOME_NET any -> 
[94.232.249.204] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295167; rev:1;)
# ip:port rules: no flow keyword, so they alert on any TCP packet toward the
# listed address and port, limited to one alert per source per 60 seconds.
# Entries at confidence 50 on port 443 are leads to corroborate.
alert tcp $HOME_NET any -> [86.126.208.107] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295166; rev:1;)
alert tcp $HOME_NET any -> [146.71.81.126] 3291 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295165; rev:1;)
alert tcp $HOME_NET any -> [172.232.250.47] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295164; rev:1;)
# URL rules keyed on a bare IPv4 address as the host value. The URI paths are
# short (/ptj, /j.ad, /match, /push) and matched as prefixes; the exact host
# match is what keeps them specific. Cleartext HTTP only, no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295163; rev:1;)
# NOTE(review): the query string in this domain rule is an IPv4 literal. A
# client that is handed an address normally connects without a DNS lookup, so
# this rule is unlikely to fire as written. Coverage for the address itself
# would need an address-based rule; this entry does not give a port.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"113.125.179.13"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.60.135.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.59.214.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.132.182.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; 
sid:91295158; rev:1;)
# NOTE(review): this rule has the same match conditions as sid:91295336
# earlier in this file (GET /api/getit on host 51ape.cc). Neither carries a
# threshold, so one request raises two alerts; count by host and URI, not by
# alert, when sizing an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"51ape.cc"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295157; rev:1;)
# URL rules: a cleartext GET whose URI starts with the given path (prefix,
# case-insensitive) and whose host value equals the given string exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevideopipehttplowgamebigloadmultidlelocal.php"; depth:50; nocase; http.host; content:"911628cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295156; rev:1;)
alert tcp $HOME_NET any -> [206.206.123.202] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295155; rev:1;)
# itechnetworkbd.com is covered by two rules: the dns rule fires on an exact
# lookup of the name, the http rule on a cleartext GET for /subscriptionid.css
# on that host. A single infected host can therefore raise both sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itechnetworkbd.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/subscriptionid.css"; depth:19; nocase; http.host; content:"itechnetworkbd.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26b1ea9d.php"; depth:13; nocase; http.host; content:"a1002962.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295147; rev:1;)
# ip:port rules at confidence 50: no flow keyword, so they alert on any TCP
# packet toward the listed address and port, limited to one alert per source
# per 60 seconds. Treat a hit as a connection attempt to be corroborated.
alert tcp $HOME_NET any -> [185.104.195.215] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295146; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.88] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295145; rev:1;)
alert tcp $HOME_NET any -> [34.92.138.93] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295144; rev:1;)
alert tcp $HOME_NET any -> [139.59.215.185] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295143/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_07_06; classtype:trojan-activity; sid:91295143; rev:1;)
# ip:port entries, all at confidence 50 and first seen 2024_07_06. Several are
# labelled "Unknown malware", so the msg gives no family to pivot on; use the
# ThreatFox reference for context.
# These rules have no flow keyword: they alert on any TCP packet toward the
# listed address and port, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [47.121.134.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295142; rev:1;)
alert tcp $HOME_NET any -> [40.124.112.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295141; rev:1;)
alert tcp $HOME_NET any -> [149.88.92.117] 20001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295140; rev:1;)
alert tcp $HOME_NET any -> [175.10.46.1] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295139; rev:1;)
alert tcp $HOME_NET any -> [62.234.162.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295138; rev:1;)
alert tcp $HOME_NET any -> [98.66.155.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295137; rev:1;)
alert tcp $HOME_NET any -> [103.57.249.42] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295136; rev:1;)
alert tcp $HOME_NET any -> [77.68.26.59] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295135; rev:1;)
alert tcp $HOME_NET any -> [154.92.10.73] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295134; rev:1;)
alert tcp $HOME_NET any -> [119.188.218.158] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295133; rev:1;)
alert tcp $HOME_NET any -> [163.181.160.83] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295132; rev:1;)
alert tcp $HOME_NET any -> [47.109.51.223] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295131; rev:1;)
# Domain rule: exact, case-insensitive match on the queried name; subdomains
# of rejgroups.com do not match. No threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rejgroups.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1295128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91295128; rev:1;)
# 94.237.55.62 is listed on two ports (30570 and 31337) under separate sids.
alert tcp $HOME_NET any -> [94.237.55.62] 30570 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295130; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295129; rev:1;)
alert tcp $HOME_NET any -> [101.43.245.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295125; rev:1;)
alert tcp $HOME_NET any -> [144.91.86.139] 2155 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295126/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295126; rev:1;)
# Run of Sliver ip:port entries on port 31337, all at confidence 50 and first
# seen 2024_07_06. Many addresses share the prefixes 209.94. and 209.151.
# Each address keeps its own sid and ThreatFox reference, and the threshold is
# tracked per sid, so one internal host touching several of these addresses
# raises one alert per address; group by msg and source when triaging.
# No flow keyword: a bare SYN toward the address and port is enough to alert.
alert tcp $HOME_NET any -> [209.94.63.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295115; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295116; rev:1;)
alert tcp $HOME_NET any -> [209.94.57.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295117; rev:1;)
alert tcp $HOME_NET any -> [209.94.56.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295118; rev:1;)
alert tcp $HOME_NET any -> [209.94.59.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295119; rev:1;)
alert tcp $HOME_NET any -> [209.94.58.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295120; rev:1;)
alert tcp $HOME_NET any -> [209.94.58.221] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295121; rev:1;)
alert tcp $HOME_NET any -> [209.151.151.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295122; rev:1;)
alert tcp $HOME_NET any -> [209.151.154.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295123; rev:1;)
alert tcp $HOME_NET any -> [209.94.56.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295124; rev:1;)
# The one confidence 100 entry in this run, and a different family and port.
alert tcp $HOME_NET any -> [77.105.160.76] 18731 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295114; rev:1;)
alert tcp $HOME_NET any -> [95.111.213.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295090; rev:1;)
alert tcp $HOME_NET any -> [209.151.150.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295091; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.88] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295092; rev:1;)
alert tcp $HOME_NET any -> [209.94.60.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295093; rev:1;)
alert tcp $HOME_NET any -> [209.151.148.187] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295094; rev:1;)
alert tcp $HOME_NET any -> [209.94.58.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295095/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295095; rev:1;)
# Continuation of the Sliver ip:port run: every rule below targets port 31337
# at confidence 50, first seen 2024_07_06, one sid per address.
# The rules differ only in address, reference and sid. None has a flow
# keyword, so any TCP packet from $HOME_NET toward the address and port
# alerts, capped at one alert per source per 60 seconds for each sid.
# At this confidence level a hit is a lead: check whether the connection was
# established and which process opened it before treating the host as infected.
alert tcp $HOME_NET any -> [209.94.58.235] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295096; rev:1;)
alert tcp $HOME_NET any -> [209.94.58.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295097; rev:1;)
alert tcp $HOME_NET any -> [209.94.57.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295098; rev:1;)
alert tcp $HOME_NET any -> [209.94.56.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295099; rev:1;)
alert tcp $HOME_NET any -> [209.94.63.170] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295100; rev:1;)
alert tcp $HOME_NET any -> [209.94.56.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295101; rev:1;)
alert tcp $HOME_NET any -> [209.94.63.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295102; rev:1;)
alert tcp $HOME_NET any -> [209.151.149.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295103; rev:1;)
alert tcp $HOME_NET any -> [209.151.154.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295104; rev:1;)
alert tcp $HOME_NET any -> [209.151.148.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295105; rev:1;)
alert tcp $HOME_NET any -> [209.151.150.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295106; rev:1;)
alert tcp $HOME_NET any -> [209.151.154.57] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295107; rev:1;)
alert tcp $HOME_NET any -> [209.94.58.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295108; rev:1;)
alert tcp $HOME_NET any -> [209.151.150.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295109; rev:1;)
alert tcp $HOME_NET any -> [209.151.153.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295110; rev:1;)
alert tcp $HOME_NET any -> [209.94.63.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295111; rev:1;)
alert tcp $HOME_NET any -> [209.94.62.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295112; rev:1;)
alert tcp $HOME_NET any -> [209.151.149.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295088; rev:1;)
alert tcp $HOME_NET any -> [209.94.57.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295113; rev:1;)
alert tcp $HOME_NET any -> [95.111.212.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295089; rev:1;)
alert tcp $HOME_NET any -> [209.94.58.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295086; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295087; rev:1;)
alert tcp $HOME_NET any -> [209.94.60.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1295084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295084; rev:1;) alert tcp $HOME_NET any -> [194.113.72.22] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295085; rev:1;) alert tcp $HOME_NET any -> [209.151.148.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295080; rev:1;) alert tcp $HOME_NET any -> [209.151.150.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295077; rev:1;) alert tcp $HOME_NET any -> [209.151.153.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295078; rev:1;) alert tcp $HOME_NET any -> [209.151.153.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295079; rev:1;) alert tcp $HOME_NET any -> [194.113.75.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295075; rev:1;) alert tcp $HOME_NET any -> [209.151.150.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295076; rev:1;) alert tcp $HOME_NET any -> [209.151.155.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295072; rev:1;) alert tcp $HOME_NET any -> [194.113.73.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295073; rev:1;) alert tcp $HOME_NET any -> [209.94.58.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295074; rev:1;) alert tcp $HOME_NET any -> [209.151.155.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; 
sid:91295068; rev:1;) alert tcp $HOME_NET any -> [209.151.154.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295070; rev:1;) alert tcp $HOME_NET any -> [209.151.154.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295071; rev:1;) alert tcp $HOME_NET any -> [209.151.155.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295069; rev:1;) alert tcp $HOME_NET any -> [77.105.164.59] 20204 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295066; rev:1;) alert tcp $HOME_NET any -> [209.151.148.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295067; rev:1;) alert tcp $HOME_NET any -> [209.151.154.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1295081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295081; rev:1;) alert tcp $HOME_NET any -> [209.151.149.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295082; rev:1;) alert tcp $HOME_NET any -> [209.151.155.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295083; rev:1;) alert tcp $HOME_NET any -> [34.126.174.34] 2001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295057; rev:1;) alert tcp $HOME_NET any -> [209.94.58.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295058; rev:1;) alert tcp $HOME_NET any -> [209.151.152.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295062; rev:1;) alert tcp $HOME_NET any -> [111.230.72.242] 56789 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295059; rev:1;) alert tcp $HOME_NET any -> [94.237.99.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295060; rev:1;) alert tcp $HOME_NET any -> [213.219.199.48] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295061; rev:1;) alert tcp $HOME_NET any -> [94.237.26.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295063; rev:1;) alert tcp $HOME_NET any -> [209.151.155.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; classtype:trojan-activity; sid:91295064; rev:1;) alert tcp $HOME_NET any -> [209.151.155.187] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_06; 
classtype:trojan-activity; sid:91295065; rev:1;)
# URL indicators (alert http).
# Each rule requires an established client-to-server flow, "GET" in http.method,
# the listed path at the start of http.uri (depth equals the pattern length,
# nocase) and the listed name as the whole of http.host (depth plus
# isdataat:!1,relative leaves no bytes after the match).
# Nothing anchors the end of the http.uri pattern, so a longer URI that begins
# with the same path also matches.
# alert http inspects parsed HTTP only; requests to the same host carried inside
# TLS are not visible to these rules unless the traffic is decrypted upstream.
# For tempesolarcompany.com and osgnhr9zv.top, dns rules further down in this
# span also alert on the name lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"tempesolarcompany.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"tempesolarcompany.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"tempesolarcompany.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"osgnhr9zv.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294783; rev:1;)
# The URL rules rated 49% are the lowest-confidence entries in this span. Most
# use the generic path /index.php, so the exact Host match carries the detection;
# corroborate a hit before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kinsa.php"; depth:10; nocase; http.host; content:"app.seoul.minia.ml"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294982/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"go.ktspace.p-e.kr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294984/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"users.nya.pub"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294983/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"on.ktspace.p-e.kr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294985/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"aa.olixa.p-e.kr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294986/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"jp.hyyeo.p-e.kr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294988/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294988; rev:1;)
# ip:port indicators (alert tcp ... -> [IP] PORT): the match rests on destination
# address and port alone, and "threshold: type limit, track by_src, seconds 60,
# count 1" caps each rule at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [15.229.32.8] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91294753; rev:1;)
# Domain indicators (alert dns). dns_query with depth equal to the name length
# plus isdataat:!1,relative matches the queried name exactly, case-insensitively
# (nocase); a query for a subdomain of the listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"br.suicide2024.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91294754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assignmentygassdyw.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294773; rev:1;)
# Port 80 is matched at the TCP level here; this rule does not inspect HTTP.
alert tcp $HOME_NET any -> [20.244.3.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294774; rev:1;)
# Domain counterparts of the payload-delivery URL rules above; the feed rates the
# domains 75% and the full URLs 100%.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"osgnhr9zv.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91294778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"tempesolarcompany.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294779/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91294779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"uo.zosua.o-r.kr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294987/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"ai.hyyeo.p-e.kr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294989/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_06; classtype:trojan-activity; sid:91294989; rev:1;)
# Port 443 is matched at the TCP level; no TLS keyword is involved.
alert tcp $HOME_NET any -> [91.92.242.245] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.hatsandbootslinedanceherning.dk"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"traveling.winklen.ch"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1mpl3.simple-url.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294993; rev:1;)
# 163.5.112.100 appears in three AsyncRAT rules in this span (ports 6606, 7707
# and 8808), one rule per ip:port pair, each with its own sid and threshold state.
alert tcp $HOME_NET any -> [163.5.112.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294994; rev:1;)
alert tcp $HOME_NET any -> [163.5.112.100] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; nocase; http.host; content:"www.ototo.com.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.php"; depth:8; nocase; http.host; content:"www.gaep.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295014; rev:1;)
alert tcp $HOME_NET any -> [163.5.112.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91294996; rev:1;)
alert tcp $HOME_NET any -> [95.169.205.186] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295056/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_06; classtype:trojan-activity; sid:91295056; rev:1;)
alert tcp $HOME_NET any -> [194.36.188.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1295055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295055; rev:1;) alert tcp $HOME_NET any -> [114.55.224.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295053; rev:1;) alert tcp $HOME_NET any -> [104.168.164.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295054; rev:1;) alert tcp $HOME_NET any -> [123.60.135.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295052; rev:1;) alert tcp $HOME_NET any -> [123.57.39.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295051; rev:1;) alert tcp $HOME_NET any -> [47.97.110.38] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295049; rev:1;) alert tcp $HOME_NET any -> [118.178.136.105] 801 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295050; rev:1;) alert tcp $HOME_NET any -> [51.195.143.128] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295047; rev:1;) alert tcp $HOME_NET any -> [123.57.86.232] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295048; rev:1;) alert tcp $HOME_NET any -> [39.107.137.106] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295045; rev:1;) alert tcp $HOME_NET any -> [123.57.223.188] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295046; rev:1;) alert tcp $HOME_NET any -> [43.140.200.250] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295044/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295044; rev:1;) alert tcp $HOME_NET any -> [36.133.13.63] 8003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295043; rev:1;) alert tcp $HOME_NET any -> [23.94.49.188] 555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295042; rev:1;) alert tcp $HOME_NET any -> [156.238.234.187] 6379 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295041; rev:1;) alert tcp $HOME_NET any -> [139.9.190.31] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295040; rev:1;) alert tcp $HOME_NET any -> [106.53.48.69] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295039; rev:1;) alert tcp $HOME_NET any -> [121.41.56.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295037; rev:1;) alert tcp $HOME_NET any -> [123.57.223.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295038; rev:1;) alert tcp $HOME_NET any -> [103.44.238.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295035; rev:1;) alert tcp $HOME_NET any -> [118.178.136.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295036; rev:1;) alert tcp $HOME_NET any -> [123.57.88.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295034; rev:1;) alert tcp $HOME_NET any -> [39.105.197.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; 
classtype:trojan-activity; sid:91295031; rev:1;) alert tcp $HOME_NET any -> [123.57.66.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295032; rev:1;) alert tcp $HOME_NET any -> [47.97.28.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295033; rev:1;) alert tcp $HOME_NET any -> [123.56.100.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295030; rev:1;) alert tcp $HOME_NET any -> [43.131.247.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295029; rev:1;) alert tcp $HOME_NET any -> [118.31.44.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295028; rev:1;) alert tcp $HOME_NET any -> [39.105.197.210] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295027; rev:1;)
# threshold: type limit, track by_src, seconds 60, count 1 caps every rule at one
# alert per source host per 60 seconds. Alert counts therefore say nothing about
# how often a host contacted the address; use flow records for beacon frequency.
alert tcp $HOME_NET any -> [107.174.63.246] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295026; rev:1;)
alert tcp $HOME_NET any -> [47.92.4.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295025; rev:1;)
alert tcp $HOME_NET any -> [38.54.30.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295024; rev:1;)
alert tcp $HOME_NET any -> [134.175.98.115] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295022; rev:1;)
alert tcp $HOME_NET any -> [121.5.3.212] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295023; rev:1;)
alert tcp $HOME_NET any ->
[43.159.48.160] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295020; rev:1;)
# ip:port rules (header-only match, one alert per source per 60 s).
alert tcp $HOME_NET any -> [51.195.144.89] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295021; rev:1;)
alert tcp $HOME_NET any -> [40.124.112.232] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295019; rev:1;)
alert tcp $HOME_NET any -> [101.133.229.117] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295018; rev:1;)
# URL rule: http.host is an exact match (depth equals the content length and
# isdataat:!1,relative forbids trailing bytes). http.uri carries depth only, so
# the path is matched as a prefix and longer URIs with the same start also hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lineserver.php"; depth:15; nocase; http.host; content:"868920cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.169.205.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295016; rev:1;)
# sid:91295016 (completed on the line above) has http.uri content "/" with
# depth:1, which every request path satisfies: in practice it is a host-only
# rule for GET requests to 95.169.205.186.
alert tcp $HOME_NET any -> [94.156.67.140] 31957 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_06; classtype:trojan-activity; sid:91295015; rev:1;)
# 43.247.135.44 is covered twice: by address on tcp/443 (sid:91295012) and by
# HTTP host plus the /j.ad path prefix (sid:91295011). Correlate the two by
# destination address rather than treating them as separate findings.
alert tcp $HOME_NET any -> [43.247.135.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91295012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.247.135.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1295011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91295011; rev:1;)
alert tcp $HOME_NET any -> [50.3.132.237] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91295009; rev:1;)
alert tcp $HOME_NET any -> [104.129.20.123] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port -
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91295010; rev:1;)
# confidence_level 50 ip:port rules. The destination address and port are the
# whole signature, and several of these use common service ports (443, 995).
# NOTE(review): treat a hit as a lead to corroborate with host or DNS evidence;
# the metadata confidence_level value can be used to route these to a lower
# priority than the 100% entries - confirm against local triage policy.
alert tcp $HOME_NET any -> [45.66.231.254] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295008; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.9] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295007; rev:1;)
alert tcp $HOME_NET any -> [70.27.138.15] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295006; rev:1;)
alert tcp $HOME_NET any -> [62.1.63.185] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295005; rev:1;)
alert tcp $HOME_NET any -> [189.140.13.109] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295004; rev:1;)
alert tcp
$HOME_NET any -> [139.84.132.161] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295003; rev:1;)
# target:src_ip declares the source of the matched packet (the $HOME_NET host)
# as the affected side, so alert output points responders at the internal
# machine rather than at the remote address.
# All rules below are confidence_level 50 address-and-port matches.
alert tcp $HOME_NET any -> [98.66.155.188] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295002; rev:1;)
alert tcp $HOME_NET any -> [101.206.204.92] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295001; rev:1;)
alert tcp $HOME_NET any -> [119.188.218.158] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1295000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91295000; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294999; rev:1;)
alert tcp $HOME_NET any -> [185.237.165.247] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294998/; target:src_ip;
metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294998; rev:1;)
alert tcp $HOME_NET any -> [5.230.253.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294997; rev:1;)
# URL rules: only requests whose method buffer contains GET are inspected, so
# the same host and path requested with POST would not alert. Paths such as
# /jquery-3.3.1.min.js and /j.ad are not distinctive on their own; the exact
# http.host match is what ties the alert to the reported IOC.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1002079.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"106.53.213.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.77.150.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294775; rev:1;)
# The http rules match on parsed HTTP request buffers, so they only fire where
# the sensor sees the request in clear text; the same host reached over TLS
# would not match them unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26beb9ab.php"; depth:13; nocase; http.host; content:"a1001668.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294772; rev:1;)
alert tcp $HOME_NET any -> [161.129.65.145] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294771; rev:1;)
alert tcp $HOME_NET any -> [81.19.137.226] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/920475a59bac849d.php"; depth:21; nocase; http.host; content:"85.28.47.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294769; rev:1;)
alert tcp $HOME_NET any -> [160.177.68.83] 10000
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294768; rev:1;)
# Every rule here records first_seen 2024_07_05 in its metadata.
# NOTE(review): address-based indicators lose value as hosts are reassigned;
# confirm how long entries stay in the feed before keeping old ones enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cz61492.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294767; rev:1;)
alert tcp $HOME_NET any -> [95.217.245.123] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294766; rev:1;)
alert tcp $HOME_NET any -> [147.45.44.83] 6483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294765; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.171] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/26universal/defaultexternal0/0protonbasetraffic/trafficpublicprotect/authauthprovider_/temp8/uploadssql34/dbvm/cpuupdate/wordpress8/79api/traffic/4httplinuxvideo/9/updatesecureserverpublic/uploads/pollserver.php"; depth:212; nocase; http.host; content:"94.156.67.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294763; rev:1;)
# sid:91294763 (completed on the line above) pins a very long path with
# depth:212, presumably the content length, so it is anchored at the start of
# the URI; any change to that path would leave only address-based coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8ab73f07.php"; depth:13; nocase; http.host; content:"cz36357.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294762; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.124] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294761; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 26916 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hqk341/index.php"; depth:17; nocase; http.host; content:"hqt3.shop"; depth:9; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1294759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294759; rev:1;)
# URL rules. nocase is applied to the http.uri content only; the http.host
# content is written in lower case and has no nocase modifier.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cj1/five/fre.php"; depth:17; nocase; http.host; content:"ransomproducts.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40db11be.php"; depth:13; nocase; http.host; content:"a0999723.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294757; rev:1;)
# The http.uri content "/" with depth:1 is satisfied by every request path, so
# the next rule is effectively a host-only match for GET requests to
# 5.181.159.42.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.181.159.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5bbe4ad.php"; depth:13; nocase; http.host; content:"cg69956.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294755; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"58.222.130.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294752; rev:1;)
# "payload delivery" and "botnet C2 traffic" rules share classtype
# trojan-activity; only the msg text separates a download attempt (the rule
# completed on the line above) from C2 contact, so triage filters need to key
# on msg or on the sid.
# 23.95.65.198 appears in two of the URL rules below (/ca and /updates.rss).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"42.193.17.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel";
depth:8; nocase; http.host; content:"39.101.77.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294748; rev:1;)
# Short path prefixes such as /ca (depth:3) also match longer paths that begin
# with the same bytes; the exact http.host match is the selective part.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"152.136.128.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294746; rev:1;)
# ip:port rules on tcp/443: the address and port are the only condition, and no
# payload keyword is involved.
alert tcp $HOME_NET any -> [51.195.144.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294738; rev:1;)
alert tcp $HOME_NET any -> [51.195.143.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"51.195.143.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294736; rev:1;)
# Mirai and Bashlite ip:port rules; the Bashlite entries are confidence_level 75.
alert tcp $HOME_NET any -> [5.59.248.195] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294735; rev:1;)
alert tcp $HOME_NET any -> [164.90.201.215] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91294733; rev:1;)
# Payload-delivery URL rule. The host match is exact, so a request to the same
# path on the bare domain (without the www. label) would not trigger it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.equip.com.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294734; rev:1;)
alert tcp $HOME_NET any -> [31.172.87.138] 333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91294732; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.246] 6963 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294707; rev:1;)
# Domain rule: depth equals the content length and isdataat:!1,relative forbids
# trailing bytes, so only a query for exactly this name matches (case-insensitive
# via nocase); lookups of subdomains are not covered. There is no threshold
# keyword, so each matching query can alert. dns_query is the older spelling of
# the dns.query buffer, while the http rules in this file use the dotted form.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"extorteauhhwigw.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294708; rev:1;)
# confidence_level 50 ip:port rules follow.
alert tcp $HOME_NET any -> [109.195.102.70] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294731; rev:1;)
alert tcp $HOME_NET any -> [172.111.150.131] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294730; rev:1;)
alert tcp $HOME_NET any -> [147.189.170.37] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294729; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.125] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294728/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294728;
rev:1;)
# confidence_level 50 ip:port rules, including destinations on tcp/22 and
# tcp/443. With no payload condition, any TCP packet from a $HOME_NET host to
# the listed address and port alerts (once per source per 60 s).
# NOTE(review): corroborate with endpoint or DNS evidence before escalating.
alert tcp $HOME_NET any -> [123.14.99.44] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294727/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294727; rev:1;)
alert tcp $HOME_NET any -> [199.204.96.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294726; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.21] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294725; rev:1;)
alert tcp $HOME_NET any -> [217.165.74.94] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294724; rev:1;)
alert tcp $HOME_NET any -> [187.224.14.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294723; rev:1;)
alert tcp $HOME_NET any -> [70.27.138.96] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294722/;
target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294722; rev:1;)
# Havoc ip:port rules, confidence_level 50. 63.250.56.42 is listed on two ports
# (88 and 81) under separate sids, and the threshold is tracked per rule, so one
# host can raise both; group by destination address when counting incidents.
alert tcp $HOME_NET any -> [63.250.56.42] 88 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294721; rev:1;)
alert tcp $HOME_NET any -> [63.250.56.42] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294720; rev:1;)
alert tcp $HOME_NET any -> [172.232.44.70] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294719; rev:1;)
alert tcp $HOME_NET any -> [141.98.233.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294718; rev:1;)
alert tcp $HOME_NET any -> [66.70.202.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294717; rev:1;)
alert tcp $HOME_NET any -> [81.19.141.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294716; rev:1;)
# The family name in msg is the label carried by the feed. "Unknown malware"
# entries have no family attribution, and at confidence_level 50 the address
# and port are the only evidence the alert provides.
alert tcp $HOME_NET any -> [220.133.126.65] 9200 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294715; rev:1;)
alert tcp $HOME_NET any -> [43.224.239.81] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294714; rev:1;)
alert tcp $HOME_NET any -> [163.181.130.79] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294713; rev:1;)
alert tcp $HOME_NET any -> [165.232.177.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294712; rev:1;)
alert tcp $HOME_NET any -> [86.38.247.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294711; rev:1;)
alert tcp $HOME_NET any ->
[43.143.216.228] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294710; rev:1;) alert tcp $HOME_NET any -> [104.129.181.195] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bitchsafettyudjwu.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91294706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stema-it.cfd"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294704/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91294704; rev:1;) alert tcp $HOME_NET any -> [154.3.1.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294705; rev:1;) alert tcp $HOME_NET any -> [101.133.229.117] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294702; rev:1;) alert tcp $HOME_NET any -> [182.92.152.55] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294701; rev:1;) alert tcp $HOME_NET any -> [150.158.20.197] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294700; rev:1;) alert tcp $HOME_NET any -> [114.55.119.40] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294699; rev:1;) alert tcp $HOME_NET any -> [182.92.152.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294698; rev:1;) alert tcp $HOME_NET any -> [143.198.83.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; 
sid:91294696; rev:1;) alert tcp $HOME_NET any -> [38.60.253.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294697; rev:1;) alert tcp $HOME_NET any -> [150.109.21.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294695; rev:1;) alert tcp $HOME_NET any -> [8.137.93.215] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294693; rev:1;) alert tcp $HOME_NET any -> [152.136.128.162] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294694; rev:1;) alert tcp $HOME_NET any -> [106.53.97.219] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294692; rev:1;) alert tcp $HOME_NET any -> [91.238.181.230] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1294691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294691; rev:1;) alert tcp $HOME_NET any -> [121.43.230.160] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294690; rev:1;) alert tcp $HOME_NET any -> [101.126.16.222] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294689; rev:1;) alert tcp $HOME_NET any -> [47.94.171.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294688; rev:1;) alert tcp $HOME_NET any -> [106.54.201.63] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294686; rev:1;) alert tcp $HOME_NET any -> [120.26.116.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294687; rev:1;) alert tcp $HOME_NET any -> 
[139.9.196.215] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294685; rev:1;) alert tcp $HOME_NET any -> [103.124.104.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294684; rev:1;) alert tcp $HOME_NET any -> [159.203.56.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294683; rev:1;) alert tcp $HOME_NET any -> [204.13.153.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"answerrsdo.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bargainnykwo.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"affecthorsedpo.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"radiationnopp.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lyingchemicow.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bouncedgowp.shop"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1294643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bannngwko.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294644; rev:1;) alert tcp $HOME_NET any -> [8.137.104.53] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"charmingtranskw.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294640; rev:1;) alert tcp $HOME_NET any -> [62.234.36.48] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; 
http.host; content:"www.d-garage.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"publicitttyps.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"benchillppwo.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyingchemicow.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bouncedgowp.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"bannngwko.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bargainnykwo.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"affecthorsedpo.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"radiationnopp.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"answerrsdo.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"publicitttyps.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1294658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benchillppwo.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-the-different-types-of-states-in-international-law/"; depth:66; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.divorcedwomensclub.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294664; rev:1;) alert tcp $HOME_NET any -> [185.216.70.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-the-different-types-of-states-in-international-law"; depth:65; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294665; rev:1;) alert tcp $HOME_NET any -> [123.60.168.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.dobrykrawiec.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294668; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 47561 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91294671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"five-sequences.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_05; classtype:trojan-activity; sid:91294672; rev:1;) alert tcp $HOME_NET any -> 
[3.95.80.218] 443 (msg:"ThreatFox Cobalt Strike payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294673; rev:1;) alert tcp $HOME_NET any -> [39.104.18.200] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294677; rev:1;) alert tcp $HOME_NET any -> [103.207.68.65] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294676; rev:1;) alert tcp $HOME_NET any -> [119.28.159.21] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294675; rev:1;) alert tcp $HOME_NET any -> [39.99.234.112] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_05; classtype:trojan-activity; sid:91294674; rev:1;) alert tcp $HOME_NET any -> [77.105.132.27] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294670/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294670; rev:1;) alert tcp $HOME_NET any -> [147.45.47.155] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_05; classtype:trojan-activity; sid:91294669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"205.198.64.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294661; rev:1;) alert tcp $HOME_NET any -> [45.129.0.115] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_04; classtype:trojan-activity; sid:91294660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"civilizzzationo.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unwielldyzpwo.shop"; 
depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294638; rev:1;) alert tcp $HOME_NET any -> [34.126.174.34] 3002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294630; rev:1;) alert tcp $HOME_NET any -> [45.66.231.254] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294629; rev:1;) alert tcp $HOME_NET any -> [45.66.231.254] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294628; rev:1;) alert tcp $HOME_NET any -> [45.66.231.254] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294627; rev:1;) alert tcp $HOME_NET any -> [34.122.213.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294626; rev:1;) alert tcp $HOME_NET any -> 
[49.113.77.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294625; rev:1;) alert tcp $HOME_NET any -> [158.58.172.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294624; rev:1;) alert tcp $HOME_NET any -> [38.12.36.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294623; rev:1;) alert tcp $HOME_NET any -> [45.241.39.172] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294622; rev:1;) alert tcp $HOME_NET any -> [118.161.12.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294621; rev:1;) alert tcp $HOME_NET any -> [150.158.53.58] 9200 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294620/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294620; rev:1;) alert tcp $HOME_NET any -> [94.156.8.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294619; rev:1;) alert tcp $HOME_NET any -> [81.43.24.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294618; rev:1;) alert tcp $HOME_NET any -> [63.250.56.42] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294617; rev:1;) alert tcp $HOME_NET any -> [172.104.157.219] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294616; rev:1;) alert tcp $HOME_NET any -> [116.62.142.170] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294615; rev:1;) alert tcp $HOME_NET any -> [164.90.194.34] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294614; rev:1;) alert tcp $HOME_NET any -> [154.12.56.138] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294613; rev:1;) alert tcp $HOME_NET any -> [178.209.99.214] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294612; rev:1;) alert tcp $HOME_NET any -> [124.163.194.70] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294611; rev:1;) alert tcp $HOME_NET any -> [13.201.63.1] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294610; rev:1;) alert tcp $HOME_NET any -> [188.166.252.88] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"cdn.wnza.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294607; rev:1;)
# url and domain indicators (confidence_level 100, first_seen 2024_07_04).
# http rules: match GET requests from the client side of an established flow. The http.uri pattern is
# anchored at the start of the buffer by depth (case-insensitive) with no end anchor, so longer URIs that
# begin with it also match. The http.host pattern is exact: depth equals its length and
# isdataat:!1,relative rejects any trailing byte.
# dns rules: the dns_query pattern is anchored the same way, so only that exact name matches (nocase);
# a subdomain or the parent domain does not.
# NOTE(review): http rules need cleartext (or decrypted) HTTP; they will not fire on TLS-wrapped sessions.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.wnza.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294608; rev:1;)
# NOTE(review): where http.host is an IP literal, the indicator can go stale if the address is reassigned;
# check first_seen and the ThreatFox reference before acting on old hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.93.53.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294605; rev:1;)
# NOTE(review): the next two rules name a host under a cloud provider's shared domain. They match the
# full tenant hostname only; keep any derived blocklist entry equally specific. The URI looks like a
# software-update download path, presumably chosen to blend in - do not allow-list on URI shape alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trusted-updates.germanywestcentral.cloudapp.azure.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/06/29136400_"; depth:45; nocase; http.host; content:"trusted-updates.germanywestcentral.cloudapp.azure.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.36.255.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antdesign3.js"; depth:14; nocase; http.host; content:"temp.sftech.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"temp.sftech.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home_active.css"; depth:20; nocase; http.host; content:"185.196.8.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dpm-sael.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juderule.africa"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294349; rev:1;)
# ip:port indicators: no flow or content keyword, so any TCP packet from $HOME_NET to the address and
# port matches; threshold limits output to one alert per source per 60 seconds. msg distinguishes
# "payload delivery" (FAKEUPDATES) from "botnet C2 traffic" (NjRAT, RedLine Stealer).
alert tcp $HOME_NET any -> [5.101.50.209] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294346; rev:1;)
alert tcp $HOME_NET any -> [185.251.91.91] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294347; rev:1;)
alert tcp $HOME_NET any -> [43.255.241.232] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcapi-server.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solutionhub.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294345; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.215] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294338; rev:1;)
alert tcp $HOME_NET any -> [189.18.237.15] 8081 (msg:"ThreatFox Cobalt Strike payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294300/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294300; rev:1;)
# Mixed ip:port, url and domain indicators (confidence_level 100, first_seen 2024_07_04).
# ip:port rules: no flow or content keyword, so any TCP packet from $HOME_NET to the address and port
# matches; threshold limits output to one alert per source per 60 seconds.
# http rules: GET requests on an established client flow; http.uri is a case-insensitive prefix match
# (depth anchors the start, nothing anchors the end), http.host is an exact match (depth equals the
# pattern length and isdataat:!1,relative rejects trailing bytes).
# dns rules: exact, case-insensitive match of the whole query name; subdomains do not match.
# NOTE(review): 54.249.35.233 appears both as an ip:port rule (msg: Cobalt Strike) and as http.host in
# url rules whose msg names no family; correlate the two alerts when triaging.
alert tcp $HOME_NET any -> [54.249.35.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.249.35.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294342; rev:1;)
# The URIs below are short, generic paths; specificity comes from the exact http.host match.
# NOTE(review): hosts given as IP literals can be reassigned - weigh first_seen when acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.238.234.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"110.40.138.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.108.106.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"1.12.181.224"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"106.53.48.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294336; rev:1;)
# c1/c2/c3.redteam.club: each hostname has a dns rule (exact name) and a url rule (exact host plus URI prefix).
# NOTE(review): the domain name suggests security-testing infrastructure; check the ThreatFox reference
# and any authorised engagements before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c3.redteam.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294334; rev:1;)
alert tcp $HOME_NET any -> [1.117.64.149] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"c3.redteam.club"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"c2.redteam.club"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.redteam.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"c1.redteam.club"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c1.redteam.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.223.101.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arbiankroos.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arbiankroos.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294327; rev:1;)
alert tcp $HOME_NET any -> [34.206.138.66] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294325; rev:1;)
# NOTE(review): the next name is a single distribution under a CDN's shared domain; the rule matches
# that full hostname only, and any derived block should stay equally specific.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2kw3fh12wz47k.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294324/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294324; rev:1;)
# Mixed url, domain and ip:port indicators (confidence_level 100, first_seen 2024_07_04).
# http rules: GET requests on an established client flow; http.uri is a case-insensitive prefix match
# (depth anchors the start only), http.host is an exact match (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes).
# dns rules: exact, case-insensitive match of the whole query name.
# ip:port rules: no flow or content keyword - any TCP packet to the address and port matches, limited
# to one alert per source per 60 seconds by threshold.
# NOTE(review): the URI below looks like a retail-site search URL and later ones like a common
# JavaScript library file name; the URI alone is not distinctive, the exact host match is what
# makes these rules specific. The cloudfront.net host is one distribution under a shared CDN domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2kw3fh12wz47k.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"36.133.13.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.94.49.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294321; rev:1;)
# 74.211.106.191 is covered twice: by URI + host (next rule) and by ip:port 80 (the rule after it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"74.211.106.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294319; rev:1;)
alert tcp $HOME_NET any -> [74.211.106.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.120.60.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.14.69.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.198.87.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294316; rev:1;)
# NOTE(review): the next two rules name one bucket-style hostname under a cloud storage provider's
# shared domain; only the full name is matched, so unrelated tenants of that provider are not affected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiki/doc"; depth:9; nocase; http.host; content:"testgk.oss-cn-beijing.aliyuncs.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testgk.oss-cn-beijing.aliyuncs.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294315; rev:1;)
alert tcp $HOME_NET any -> [114.55.119.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.55.119.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.59.214.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294311; rev:1;)
# NOTE(review): for addresses listed on port 443 (39.101.77.24, 54.249.35.233) the paired http rule
# can only fire when the HTTP layer is visible to the sensor; without TLS decryption expect the
# ip:port alert alone.
alert tcp $HOME_NET any -> [39.101.77.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.101.77.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294309; rev:1;)
alert tcp $HOME_NET any -> [54.249.35.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"54.249.35.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"35.225.182.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294306; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.43.174.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294305; rev:1;)
# url indicators (confidence_level 100, first_seen 2024_07_04), mostly with an IP literal as host.
# Each http rule matches GET requests on an established client flow; http.uri is a case-insensitive
# prefix match (depth anchors the start, nothing anchors the end) and http.host is an exact match
# (depth equals the pattern length and isdataat:!1,relative rejects trailing bytes).
# The URIs are short and generic, so the exact host match carries the specificity.
# NOTE(review): IP-literal hosts can be reassigned; weigh first_seen and the ThreatFox reference
# before acting on a hit. These rules also need the HTTP layer to be visible (no TLS, or decrypted).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.143.111.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"95.214.234.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.143.111.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"192.210.194.42"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv.css"; depth:7; nocase; http.host; content:"185.196.8.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294297; rev:1;)
# NOTE(review): host "wnaz.shop" differs by letter order from "cdn.wnza.shop" used by sid:91294607 and
# sid:91294608 in this file; confirm against the ThreatFox entry that both spellings are intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"wnaz.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"192.144.219.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"106.53.213.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.207.213.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294291; rev:1;)
# ip:port rule: no flow or content keyword - any TCP packet to the address and port matches;
# threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [188.208.141.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294290; rev:1;)
# yukklzwo.vip: each listed subdomain gets a dns rule (exact name, nocase) and a url rule with the same
# 35-byte URI prefix. Only the listed subdomains match; other names under the domain are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aa.yukklzwo.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5en1bjq8aauym2zgoy3k/ll_9354efa.js"; depth:35; nocase; http.host; content:"aa.yukklzwo.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.yukklzwo.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5en1bjq8aauym2zgoy3k/ll_9354efa.js"; depth:35; nocase; http.host; content:"qq.yukklzwo.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294286; rev:1;)
# Mixed url, domain and ip:port indicators (first_seen 2024_07_04; confidence_level 100 unless msg says 75).
# http rules: GET requests on an established client flow; http.uri is a case-insensitive prefix match
# (depth anchors the start only), http.host is an exact match (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes).
# dns rules: exact, case-insensitive match of the whole query name; other subdomains are not covered.
# ip:port rules: no flow or content keyword - any TCP packet to the address and port matches, limited
# to one alert per source per 60 seconds by threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5en1bjq8aauym2zgoy3k/ll_9354efa.js"; depth:35; nocase; http.host; content:"api.yukklzwo.vip"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.yukklzwo.vip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294285; rev:1;)
alert tcp $HOME_NET any -> [5.59.248.211] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_04; classtype:trojan-activity; sid:91294281; rev:1;)
# "payload delivery" rules: same http matching as above, but msg classes the URL as a download
# location rather than C2.
# NOTE(review): both hostnames look like ordinary business websites, possibly compromised rather than
# attacker-owned - confirm via the ThreatFox reference before blocking the whole host, and expect the
# indicator to lapse once the site is cleaned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bemiva.it"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.belindadavisbranchlaw.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294275; rev:1;)
# NOTE(review): the hosts below are IP literals with short, generic URIs; the exact host match carries
# the specificity, and a reassigned address would turn a hit into a false positive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.130.114.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"14.103.51.225"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"39.100.182.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.109.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.92.75.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294276; rev:1;)
# ip:port indicators for RedLine Stealer, DarkGate and NjRAT; the NjRAT entry is confidence_level 75.
alert tcp $HOME_NET any -> [79.110.62.16] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91293161; rev:1;)
alert tcp $HOME_NET any -> [91.222.173.204] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294175; rev:1;)
alert tcp $HOME_NET any -> [178.78.19.238] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_04; classtype:trojan-activity; sid:91294163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/website.php"; depth:12; nocase; http.host; content:"starjod.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294191; rev:1;)
# Payload-delivery URL rules pinned to host 144.22.38.242. The same address is
# the destination of the Meterpreter ip:port rules further down (ports 6666,
# 4444, 5555), so a download alert and a C2 alert from one source are worth
# correlating.
# Matching shape: http.host is matched exactly (depth plus isdataat:!1,relative),
# while the http.uri content is anchored at the start only (depth, no end
# anchor), so a longer path or a query string after the same prefix also matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4444.elf"; depth:9; nocase; http.host; content:"144.22.38.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5555.exe"; depth:9; nocase; http.host; content:"144.22.38.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294205; rev:1;)
# Generic path ("/article.php"); the exact host match is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.antonina.campi.spotkaniakultur.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4444.apk"; depth:9; nocase; http.host; content:"144.22.38.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4444.exe"; depth:9; nocase; http.host; content:"144.22.38.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294204; rev:1;)
# ip:port rules: no flow or payload keywords, so any TCP packet from $HOME_NET
# to this address and port matches, a lone SYN included. threshold caps output
# at one alert per source per 60 s. Read a hit as a connection attempt until
# flow or endpoint data confirms a session.
alert tcp $HOME_NET any -> [144.22.38.242] 6666 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6666.apk"; depth:9; nocase; http.host; content:"144.22.38.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294206; rev:1;)
alert tcp $HOME_NET any -> [144.22.38.242] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294207; rev:1;)
alert tcp $HOME_NET any -> [144.22.38.242] 5555 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1294208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294208; rev:1;)
# Payload-delivery and C2 URL rules. Each one requires an established
# client-to-server flow, a GET method, a URI that starts with the listed string
# (depth only, no end anchor) and an exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.arkadiuszkedziora.pl"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktcweovz.exe"; depth:13; nocase; http.host; content:"92.204.170.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obdaiofi.exe"; depth:13; nocase; http.host; content:"92.204.170.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294269; rev:1;)
# NOTE(review): the URI content below is the percent-encoded form of the path
# (depth:41 counts the encoded length). http.uri is Suricata's normalised
# request-URI buffer; if the sensor's libhtp settings decode %XX in the path
# (believed to be the default, confirm on your build), the buffer holds the
# decoded bytes, this literal never appears and the rule stays silent.
# Check by replaying a test request against the sensor. If it does not fire,
# carry the IOC in a local rule that matches http.uri.raw or the decoded bytes
# rather than editing this generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e5%a4%8d%e5%8f%a4%e6%94%bb%e7%95%a5.exe"; depth:41; nocase; http.host; content:"122.51.183.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h.exe"; depth:6; nocase; http.host; content:"194.156.98.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svohost.exe"; depth:12; nocase; http.host; content:"122.51.183.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpd.exe"; depth:10; nocase; http.host; content:"194.156.98.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294273; rev:1;)
# Same host (194.156.98.18) as the /h.exe and /httpd.exe payload rules above.
# The C2 URI is shaped like an ordinary static-asset path, so the exact
# http.host match is what keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/tailwindcss/version_1.1.0/min/tailwind.min.css"; depth:58; nocase; http.host; content:"194.156.98.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294274; rev:1;)
alert tcp $HOME_NET any -> [88.17.27.121] 443 (msg:"ThreatFox NetSupportManager RAT
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294267; rev:1;)
# confidence_level 50 ip:port rules. They carry no flow or payload keywords:
# any TCP packet from $HOME_NET to the listed address and port matches (a lone
# SYN included) and nothing in the payload is inspected. threshold caps output
# at one alert per source per 60 s.
# Triage: the address is the only evidence, and an address can change hands
# after first_seen. Corroborate a hit with flow, DNS or endpoint data before
# escalating, and let these rules expire with the feed rather than pinning them.
alert tcp $HOME_NET any -> [178.124.152.84] 8443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294266; rev:1;)
# Three ports on one address (34.126.174.34): alerts from the same source on
# more than one of them are stronger evidence than a single hit.
alert tcp $HOME_NET any -> [34.126.174.34] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294265; rev:1;)
alert tcp $HOME_NET any -> [34.126.174.34] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294264; rev:1;)
alert tcp $HOME_NET any -> [34.126.174.34] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294263; rev:1;)
alert tcp $HOME_NET any -> [45.66.231.254] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04;
classtype:trojan-activity; sid:91294262; rev:1;) alert tcp $HOME_NET any -> [178.73.218.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294261; rev:1;) alert tcp $HOME_NET any -> [77.105.147.118] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294260; rev:1;) alert tcp $HOME_NET any -> [47.108.136.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294259; rev:1;) alert tcp $HOME_NET any -> [1.94.105.216] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294258; rev:1;) alert tcp $HOME_NET any -> [46.246.6.14] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294257; rev:1;) alert tcp $HOME_NET any -> [103.147.185.18] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1294256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294256; rev:1;) alert tcp $HOME_NET any -> [46.246.6.18] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294255; rev:1;) alert tcp $HOME_NET any -> [78.183.223.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294254; rev:1;) alert tcp $HOME_NET any -> [54.254.249.67] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294253; rev:1;) alert tcp $HOME_NET any -> [144.24.16.54] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294252; rev:1;) alert tcp $HOME_NET any -> [51.158.70.117] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294251; rev:1;) alert tcp $HOME_NET any -> [104.238.57.234] 443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294250/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294250; rev:1;) alert tcp $HOME_NET any -> [206.188.196.135] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294249/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294249; rev:1;) alert tcp $HOME_NET any -> [5.252.176.136] 9090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294248/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294248; rev:1;) alert tcp $HOME_NET any -> [45.200.8.110] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294247/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294247; rev:1;) alert tcp $HOME_NET any -> [162.251.95.44] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294246; rev:1;) alert tcp $HOME_NET any -> [13.40.7.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; 
sid:91294245; rev:1;) alert tcp $HOME_NET any -> [45.77.172.240] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_04; classtype:trojan-activity; sid:91294244; rev:1;) alert tcp $HOME_NET any -> [172.93.218.178] 44555 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294243/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_04; classtype:trojan-activity; sid:91294243; rev:1;) alert tcp $HOME_NET any -> [103.108.41.147] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294241; rev:1;) alert tcp $HOME_NET any -> [39.101.71.208] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294240; rev:1;) alert tcp $HOME_NET any -> [139.159.163.30] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294238; rev:1;) alert tcp $HOME_NET any -> [31.192.108.40] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1294239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294239; rev:1;) alert tcp $HOME_NET any -> [54.174.120.223] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294237; rev:1;) alert tcp $HOME_NET any -> [47.94.133.210] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294236; rev:1;) alert tcp $HOME_NET any -> [1.12.181.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294234; rev:1;) alert tcp $HOME_NET any -> [54.174.120.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294235; rev:1;) alert tcp $HOME_NET any -> [172.86.124.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294232; rev:1;) alert tcp $HOME_NET any -> [142.171.177.156] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294233; rev:1;) alert tcp $HOME_NET any -> [103.108.41.146] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294231; rev:1;) alert tcp $HOME_NET any -> [124.221.66.51] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294230; rev:1;) alert tcp $HOME_NET any -> [159.75.164.94] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294229; rev:1;) alert tcp $HOME_NET any -> [107.172.46.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294228; rev:1;) alert tcp $HOME_NET any -> [154.201.78.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294227/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294227; rev:1;) alert tcp $HOME_NET any -> [205.198.64.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294225; rev:1;) alert tcp $HOME_NET any -> [47.99.78.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294226; rev:1;) alert tcp $HOME_NET any -> [1.92.89.193] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294224; rev:1;) alert tcp $HOME_NET any -> [8.130.33.181] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294223; rev:1;) alert tcp $HOME_NET any -> [47.103.36.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294222; rev:1;) alert tcp $HOME_NET any -> [35.225.182.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294221; rev:1;) alert tcp $HOME_NET any -> [8.130.114.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294220; rev:1;) alert tcp $HOME_NET any -> [154.201.87.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294219; rev:1;) alert tcp $HOME_NET any -> [35.225.182.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294218; rev:1;) alert tcp $HOME_NET any -> [59.110.28.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294217; rev:1;) alert tcp $HOME_NET any -> [103.108.41.148] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; 
classtype:trojan-activity; sid:91294216; rev:1;) alert tcp $HOME_NET any -> [49.232.56.252] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294215; rev:1;) alert tcp $HOME_NET any -> [117.72.47.134] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294214; rev:1;) alert tcp $HOME_NET any -> [47.101.136.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294213; rev:1;) alert tcp $HOME_NET any -> [8.130.102.101] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294212; rev:1;) alert tcp $HOME_NET any -> [124.222.81.106] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294211; rev:1;) alert tcp $HOME_NET any -> [39.96.33.40] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294210; rev:1;)
# C2 URL rule whose path has the shape of an ordinary browser/OS update
# request; only the exact http.host match on the IP literal makes it specific.
# It fires when the Host header is that literal address, so a request reaching
# the same server under a domain name would not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.236.69.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294200; rev:1;)
# 47.237.84.207 is covered twice: ip:port rules (8002, 8001) that match any TCP
# packet to those ports, and the /ptj URL rule, which sets no destination port
# and so applies wherever Suricata identifies HTTP to that Host value.
alert tcp $HOME_NET any -> [47.237.84.207] 8002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294201; rev:1;)
alert tcp $HOME_NET any -> [47.237.84.207] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.237.84.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0996099.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294195; rev:1;)
# ip:port rules: no flow or payload keywords; one alert per source per 60 s.
# A hit shows a packet was sent to the address and port, not that a session
# was established.
alert tcp $HOME_NET any -> [77.91.77.180] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294194; rev:1;)
alert tcp $HOME_NET any -> [105.154.107.145] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294193; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.43] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_04; classtype:trojan-activity; sid:91294192; rev:1;)
alert tcp $HOME_NET any -> [213.109.147.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294190; rev:1;)
# The path below resembles a Windows Update download URL; the rule's http.host
# content (the same address as the ip:port rule above) is what separates it
# from benign update traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/msdownload/update/2021/11/33002773_x86_b78cd82ceba723.cab"; depth:60; nocase; http.host;
content:"213.109.147.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294189; rev:1;) alert tcp $HOME_NET any -> [124.70.196.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"51ape.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1294187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"51ape.cc"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294186; rev:1;) alert tcp $HOME_NET any -> [47.237.84.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wnaz.shop"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1294184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"wnaz.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000454.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294182; rev:1;) alert tcp $HOME_NET any -> [45.140.146.14] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294180/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294180; rev:1;) alert tcp $HOME_NET any -> [91.242.163.140] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294181/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294181; rev:1;) alert tcp $HOME_NET any -> [92.249.48.35] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1294177/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294177; rev:1;) alert tcp $HOME_NET any -> [184.174.96.119] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294178/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294178; rev:1;) alert tcp $HOME_NET any -> [103.144.139.163] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294179/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294179; rev:1;) alert tcp $HOME_NET any -> [46.246.96.48] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294176/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294176; rev:1;) alert tcp $HOME_NET any -> [172.111.150.139] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294174; rev:1;) alert tcp $HOME_NET any -> [191.93.113.10] 9003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294173; 
rev:1;) alert tcp $HOME_NET any -> [172.111.150.142] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294172; rev:1;) alert tcp $HOME_NET any -> [41.62.90.108] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294171; rev:1;) alert tcp $HOME_NET any -> [185.121.169.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294170; rev:1;) alert tcp $HOME_NET any -> [81.177.140.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294169; rev:1;) alert tcp $HOME_NET any -> [119.29.209.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294168; rev:1;) alert tcp $HOME_NET any -> [125.40.75.92] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1294167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294167; rev:1;) alert tcp $HOME_NET any -> [5.188.50.123] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294166; rev:1;) alert tcp $HOME_NET any -> [146.70.113.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294165; rev:1;) alert tcp $HOME_NET any -> [51.158.70.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91294164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.207.68.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1294162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91294162; rev:1;) alert tcp $HOME_NET any -> [94.237.109.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294158; rev:1;) 
# ThreatFox ip:port indicators labelled Sliver: TCP/31337, confidence 75%, first_seen 2024_07_03.
# Restored to one rule per line. Every rule in this run has the same shape:
#   - it matches on destination address and port alone; there is no flow or payload keyword, so a
#     hit means "an internal host contacted this endpoint", not "Sliver traffic was identified";
#   - "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per
#     source address per minute for that rule;
#   - target:src_ip marks the $HOME_NET source as the affected side of the alert;
#   - sid is the ThreatFox IOC id from the reference URL with a leading 9
#     (ioc/1294159 -> sid:91294159).
# NOTE(review): all destinations here fall in 94.237.98.x through 94.237.109.x and carry IOC ids
# in one contiguous range, which looks like a single bulk submission. Corroborate a hit with flow
# or host evidence before treating the source as compromised, and age these rules out on a
# schedule, since address-based indicators go stale when the hosting is reassigned.
alert tcp $HOME_NET any -> [94.237.109.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294159; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294160; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294161; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294147/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294147; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294148/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294148; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.4] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294149/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294149; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.7] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294150/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294150; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294151; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294152; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294153/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294153; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294154; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.76] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294155/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294155; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294156; rev:1;)
alert tcp $HOME_NET any -> [94.237.109.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294157; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294138; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294139; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294140/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294140; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294141/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294141; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294142; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294143/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294143; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.187] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294144; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294145; rev:1;)
alert tcp $HOME_NET any -> [94.237.108.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294146; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294130/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294130; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294131/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294131; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294132/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294132; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294133/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294133; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.132] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294134/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294134; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294135/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294135; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294136/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294136; rev:1;)
alert tcp $HOME_NET any -> [94.237.103.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294137; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294120/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294120; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294121/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294121; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.235] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294122; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.5] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294123; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294124; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294125; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294126; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294127/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294127; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294128; rev:1;)
alert tcp $HOME_NET any -> [94.237.102.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294129/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294129; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294111/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294111; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294112/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294112; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294113; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294114/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294114; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294115/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294115; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294116/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294116; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294117/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294117; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294118/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294118; rev:1;)
alert tcp $HOME_NET any -> [94.237.101.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294119/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294119; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294100; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294101/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294101; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294102/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294102; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294103; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.250] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294104/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294104; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294105; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294106/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294106; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294107/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294107; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294108; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294109/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294109; rev:1;)
alert tcp $HOME_NET any -> [94.237.100.134] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294110/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294110; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.242] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294087; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294088; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294089; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294090; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294091; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294092; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294093; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294094/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294094; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294095; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294096; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.132] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294097; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294098/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294098; rev:1;)
alert tcp $HOME_NET any -> [94.237.99.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294099; rev:1;)
# ThreatFox ip:port indicators labelled "Sliver" (IOC ids between 1294025 and
# 1294086, kept in the feed's original order). All 57 rules share one shape:
#   - any TCP packet from $HOME_NET to the listed address on port 31337
#   - no flow or content keyword, so a bare connection attempt is enough to alert
#   - threshold: at most one alert per source host per 60 seconds, per rule
#   - target:src_ip marks the internal source host as the one to investigate
#   - confidence_level 75, first_seen 2024_07_03
# One rule per physical line: Suricata reads a rule from a single line unless a
# trailing backslash continues it.
# Triage: a hit carries no payload evidence. Correlate it with flow/TLS records
# for the same source and with the referenced ThreatFox entry before treating
# the source host as compromised.
# NOTE(review): the addresses are densely clustered (94.237.92.x - 94.237.98.x)
# with a single port and first_seen date, which looks like a bulk, scan-derived
# import - confirm the indicators are still current before using these rules
# for blocking rather than alerting.
# NOTE(review): 31337 appears to be Sliver's default multiplayer (operator)
# listener port rather than a default implant transport port - confirm; a hit
# may therefore not be implant beaconing.

# IOC ids 1294074-1294086
alert tcp $HOME_NET any -> [94.237.97.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294074/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294074; rev:1;)
alert tcp $HOME_NET any -> [94.237.97.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294075/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294075; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294076/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294076; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294077/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294077; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294078; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.54] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294079; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294080; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294081; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.95] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294082; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294083/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294083; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294084/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294084; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.203] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294085; rev:1;)
alert tcp $HOME_NET any -> [94.237.98.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294086/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294086; rev:1;)

# IOC ids 1294062-1294073
alert tcp $HOME_NET any -> [94.237.96.61] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294062; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294063; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294064/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294064; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294065/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294065; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294066; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294067; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294068/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294068; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294069/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294069; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294070; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294071/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294071; rev:1;)
alert tcp $HOME_NET any -> [94.237.97.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294072/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294072; rev:1;)
alert tcp $HOME_NET any -> [94.237.97.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294073/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294073; rev:1;)

# IOC ids 1294049-1294061
alert tcp $HOME_NET any -> [94.237.94.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294049; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.57] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294050/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294050; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294051; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294052; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294053; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294054; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.144] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294055; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294056/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294056; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.175] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294057; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294058/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294058; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294059/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294059; rev:1;)
alert tcp $HOME_NET any -> [94.237.95.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294060; rev:1;)
alert tcp $HOME_NET any -> [94.237.96.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294061/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294061; rev:1;)

# IOC ids 1294037-1294048
alert tcp $HOME_NET any -> [94.237.93.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294037; rev:1;)
alert tcp $HOME_NET any -> [94.237.93.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294038; rev:1;)
alert tcp $HOME_NET any -> [94.237.93.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294039; rev:1;)
alert tcp $HOME_NET any -> [94.237.93.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294040; rev:1;)
alert tcp $HOME_NET any -> [94.237.93.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294041; rev:1;)
alert tcp $HOME_NET any -> [94.237.93.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294042; rev:1;)
alert tcp $HOME_NET any -> [94.237.94.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294043; rev:1;)
alert tcp $HOME_NET any -> [94.237.94.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294044; rev:1;)
alert tcp $HOME_NET any -> [94.237.94.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294045; rev:1;)
alert tcp $HOME_NET any -> [94.237.94.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294046; rev:1;)
alert tcp $HOME_NET any -> [94.237.94.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294047/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294047; rev:1;)
alert tcp $HOME_NET any -> [94.237.94.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294048/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294048; rev:1;)

# IOC ids 1294025-1294031
alert tcp $HOME_NET any -> [94.237.92.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294025/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294025; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.42] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294026; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.57] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294027; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294028/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294028; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294029/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294029; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294030/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294030; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294031; rev:1;)
alert tcp $HOME_NET any -> [94.237.92.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294032; rev:1;) alert tcp $HOME_NET any -> [94.237.92.242] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294033; rev:1;) alert tcp $HOME_NET any -> [94.237.93.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294034; rev:1;) alert tcp $HOME_NET any -> [94.237.93.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294035; rev:1;) alert tcp $HOME_NET any -> [94.237.93.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294036; rev:1;) alert tcp $HOME_NET any -> [94.237.91.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294014/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294014; rev:1;) alert tcp $HOME_NET any -> [94.237.91.115] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294015; rev:1;) alert tcp $HOME_NET any -> [94.237.91.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294016; rev:1;) alert tcp $HOME_NET any -> [94.237.91.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294017; rev:1;) alert tcp $HOME_NET any -> [94.237.91.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294018; rev:1;) alert tcp $HOME_NET any -> [94.237.91.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294019/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294019; rev:1;) alert tcp $HOME_NET any -> [94.237.91.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294020/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294020; rev:1;) alert tcp $HOME_NET any -> [94.237.91.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294021/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294021; rev:1;) alert tcp $HOME_NET any -> [94.237.91.222] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294022; rev:1;) alert tcp $HOME_NET any -> [94.237.91.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294023; rev:1;) alert tcp $HOME_NET any -> [94.237.91.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294024; rev:1;) alert tcp $HOME_NET any -> [94.237.90.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294004; rev:1;) alert tcp $HOME_NET any -> [94.237.90.112] 
31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294005; rev:1;)
# The line above completes a rule whose header begins before this section.
# ThreatFox ip:port indicators labelled Sliver C2, one rule per destination address.
# Each rule matches on header fields only: TCP from $HOME_NET to the listed
# address on port 31337. No flow, flags or content option is present, so an
# alert shows that a host sent traffic to that address and port; it does not
# show that a session was established or that the payload was Sliver.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds for each sid.
# target:src_ip marks the source address (the $HOME_NET host) as the target in
# event output.
# In the rules shown, sid is the IOC id from the reference URL with a leading 9.
# NOTE(review): every rule here carries confidence_level 75 and first_seen
# 2024_07_03; address-based indicators age as hosting addresses are reassigned,
# so check the referenced IOC entry before acting on a hit.
alert tcp $HOME_NET any -> [94.237.90.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294006; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.160] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294007; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294008; rev:1;)
alert tcp $HOME_NET any -> [94.237.91.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294009; rev:1;)
alert tcp $HOME_NET any -> [94.237.91.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294010; rev:1;)
alert tcp $HOME_NET any -> [94.237.91.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294011; rev:1;)
alert tcp $HOME_NET any -> [94.237.91.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294012; rev:1;)
alert tcp $HOME_NET any -> [94.237.91.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294013; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293991; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293992; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293993; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293994; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293995; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293996/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293996; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.22] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293997; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293998/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293998; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293999; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294000/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294000; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294001; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294002; rev:1;)
alert tcp $HOME_NET any -> [94.237.90.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1294003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91294003; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.26] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293979; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293980/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293980; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293981; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.42] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293982; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293983; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.84] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293984/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293984; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293985; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293986; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293987; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293988; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293989; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293990; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293967/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293967; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293968/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293968; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293969/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293969; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293970/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293970; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293971/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293971; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293972/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293972; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293973/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293973; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293974/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293974; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293975/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293975; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293976; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293977; rev:1;)
alert tcp $HOME_NET any -> [94.237.89.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293978; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293955; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293956/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293956; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293957; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.64] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293958/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293958; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293959/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293959; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293960/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293960; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.172] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293961/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293961; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293962; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293963; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293964; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293965/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293965; rev:1;)
alert tcp $HOME_NET any -> [94.237.88.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293966/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293966; rev:1;)
alert tcp $HOME_NET any -> [94.237.85.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293944; rev:1;)
alert tcp $HOME_NET any -> [94.237.85.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293945; rev:1;)
alert tcp $HOME_NET any -> [94.237.85.172] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293946/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293946; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293947; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.95] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293948; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293949; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293950/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293950; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293951; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293952; rev:1;)
alert tcp $HOME_NET any -> [94.237.86.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293953; rev:1;)
alert tcp $HOME_NET any -> [94.237.87.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293954; rev:1;)
alert tcp $HOME_NET any -> [94.237.83.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293932; rev:1;)
alert tcp $HOME_NET any -> [94.237.83.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293933; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293934; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.54] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293935; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293936; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293937; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.176] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293938; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293939; rev:1;)
alert tcp $HOME_NET any -> [94.237.84.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293940; rev:1;)
alert tcp $HOME_NET any -> [94.237.85.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293941; rev:1;)
alert tcp $HOME_NET any -> [94.237.85.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293942; rev:1;)
# ThreatFox ip:port indicators labelled Sliver C2: each rule alerts on TCP from
# $HOME_NET to one listed address on port 31337.
# The rules carry no flow, flags or content option, so they fire on traffic to
# the address and port alone; corroborate a hit with flow or endpoint data
# before treating the source host as compromised.
# threshold (type limit, track by_src, seconds 60, count 1) limits each sid to
# one alert per source address per 60 seconds, so alert counts do not reflect
# connection volume.
# NOTE(review): confidence_level 75 and first_seen 2024_07_03 come from the
# feed metadata; confirm the indicator is still listed at the reference URL.
alert tcp $HOME_NET any -> [94.237.85.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293943/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293943; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.161] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293920; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293921; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293922; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293923; rev:1;)
alert tcp $HOME_NET any -> [94.237.82.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293924; rev:1;)
alert tcp $HOME_NET any -> [94.237.82.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293925; rev:1;)
alert tcp $HOME_NET any -> [94.237.82.187] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293926; rev:1;)
alert tcp $HOME_NET any -> [94.237.82.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293927; rev:1;)
alert tcp $HOME_NET any -> [94.237.82.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293928; rev:1;)
alert tcp $HOME_NET any -> [94.237.83.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293929; rev:1;)
alert tcp $HOME_NET any -> [94.237.83.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293930; rev:1;)
alert tcp $HOME_NET any -> [94.237.83.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293931; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293910; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293911; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293912; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293913; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293914; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293915; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293916; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293917; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293918; rev:1;)
alert tcp $HOME_NET any -> [94.237.81.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293919; rev:1;)
alert tcp $HOME_NET any -> [94.237.63.250] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293898/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293898; rev:1;)
alert tcp $HOME_NET any -> [94.237.63.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293899/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293899; rev:1;)
alert tcp $HOME_NET any -> [94.237.63.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293900/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293900; rev:1;)
alert tcp $HOME_NET any -> [94.237.67.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293901; rev:1;)
alert tcp $HOME_NET any -> [94.237.72.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293902/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293902; rev:1;)
alert tcp $HOME_NET any -> [94.237.77.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293903/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293903; rev:1;)
alert tcp $HOME_NET any -> [94.237.79.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293904/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293904; rev:1;)
alert tcp $HOME_NET any -> [94.237.79.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293905; rev:1;)
alert tcp $HOME_NET any -> [94.237.79.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293906/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293906; rev:1;)
alert tcp $HOME_NET any -> [94.237.79.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293907; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293908; rev:1;)
alert tcp $HOME_NET any -> [94.237.80.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293909; rev:1;) alert tcp $HOME_NET any -> [94.237.63.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293887; rev:1;) alert tcp $HOME_NET any -> [94.237.63.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293888/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293888; rev:1;) alert tcp $HOME_NET any -> [94.237.63.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293889; rev:1;) alert tcp $HOME_NET any -> [94.237.63.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293890; rev:1;) alert tcp $HOME_NET any -> [94.237.63.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293891; rev:1;) 
# Triage notes for the "Sliver ... (ip:port ...)" rules in this part of the feed:
# - Each rule matches on destination address and TCP port 31337 only; there is no
#   flow or content keyword, so it fires on traffic toward the address and does
#   not by itself show that a session was established or that the peer spoke Sliver.
# - threshold "type limit, track by_src, seconds 60, count 1" caps output at one
#   alert per source host per rule per minute; use flow records for connection volume.
# - target:src_ip records the $HOME_NET host as the attack target, i.e. the host to
#   investigate.
# - metadata carries confidence_level 75 and first_seen 2024_07_03. Single-address
#   indicators age quickly; check the referenced ThreatFox entry before escalating.
# - NOTE(review): many neighbouring 94.237.61-63.x addresses share the same port and
#   first_seen date, which presumably reflects one bulk observation - confirm upstream.
alert tcp $HOME_NET any -> [94.237.63.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293892; rev:1;) alert tcp $HOME_NET any -> [94.237.63.234] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293893; rev:1;) alert tcp $HOME_NET any -> [94.237.63.235] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293894; rev:1;) alert tcp $HOME_NET any -> [94.237.63.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293895/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293895; rev:1;) alert tcp $HOME_NET any -> [94.237.63.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293896/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293896; rev:1;) alert tcp $HOME_NET any -> [94.237.63.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293897/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293897; rev:1;) alert tcp $HOME_NET any -> [94.237.63.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293876; rev:1;) alert tcp $HOME_NET any -> [94.237.63.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293877; rev:1;) alert tcp $HOME_NET any -> [94.237.63.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293878/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293878; rev:1;) alert tcp $HOME_NET any -> [94.237.63.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293879/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293879; rev:1;) alert tcp $HOME_NET any -> [94.237.63.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293880/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293880; rev:1;) alert tcp $HOME_NET any -> [94.237.63.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293881; rev:1;) alert tcp $HOME_NET any -> [94.237.63.183] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293882/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293882; rev:1;) alert tcp $HOME_NET any -> [94.237.63.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293883; rev:1;) alert tcp $HOME_NET any -> [94.237.63.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293884/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293884; rev:1;) alert tcp $HOME_NET any -> [94.237.63.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293885; rev:1;) alert tcp $HOME_NET any -> [94.237.63.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293886/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293886; rev:1;) alert tcp $HOME_NET any -> [94.237.63.89] 
31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293867/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293867; rev:1;) alert tcp $HOME_NET any -> [94.237.63.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293868; rev:1;) alert tcp $HOME_NET any -> [94.237.63.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293869; rev:1;) alert tcp $HOME_NET any -> [94.237.63.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293870/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293870; rev:1;) alert tcp $HOME_NET any -> [94.237.63.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293871/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293871; rev:1;) alert tcp $HOME_NET any -> [94.237.63.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293872/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_07_03; classtype:trojan-activity; sid:91293872; rev:1;) alert tcp $HOME_NET any -> [94.237.63.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293873/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293873; rev:1;) alert tcp $HOME_NET any -> [94.237.63.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293874/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293874; rev:1;) alert tcp $HOME_NET any -> [94.237.63.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293875; rev:1;) alert tcp $HOME_NET any -> [94.237.63.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293854/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293854; rev:1;) alert tcp $HOME_NET any -> [94.237.63.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293855/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293855; rev:1;) alert tcp $HOME_NET any -> [94.237.63.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1293856/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293856; rev:1;) alert tcp $HOME_NET any -> [94.237.63.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293857/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293857; rev:1;) alert tcp $HOME_NET any -> [94.237.63.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293858; rev:1;) alert tcp $HOME_NET any -> [94.237.63.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293859/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293859; rev:1;) alert tcp $HOME_NET any -> [94.237.63.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293860/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293860; rev:1;) alert tcp $HOME_NET any -> [94.237.63.64] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293861; rev:1;) alert tcp $HOME_NET any -> [94.237.63.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293862; rev:1;) alert tcp $HOME_NET any -> [94.237.63.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293863/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293863; rev:1;) alert tcp $HOME_NET any -> [94.237.63.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293864/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293864; rev:1;) alert tcp $HOME_NET any -> [94.237.63.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293865/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293865; rev:1;) alert tcp $HOME_NET any -> [94.237.63.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293866; rev:1;) alert tcp $HOME_NET any -> [94.237.62.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293841; 
rev:1;) alert tcp $HOME_NET any -> [94.237.62.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293842/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293842; rev:1;) alert tcp $HOME_NET any -> [94.237.63.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293843; rev:1;) alert tcp $HOME_NET any -> [94.237.63.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293844; rev:1;) alert tcp $HOME_NET any -> [94.237.63.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293845/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293845; rev:1;) alert tcp $HOME_NET any -> [94.237.63.6] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293846; rev:1;) alert tcp $HOME_NET any -> [94.237.63.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293847/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293847; rev:1;) alert tcp $HOME_NET any -> [94.237.63.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293848/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293848; rev:1;) alert tcp $HOME_NET any -> [94.237.63.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293849/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293849; rev:1;) alert tcp $HOME_NET any -> [94.237.63.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293850/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293850; rev:1;) alert tcp $HOME_NET any -> [94.237.63.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293851/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293851; rev:1;) alert tcp $HOME_NET any -> [94.237.63.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293852/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293852; rev:1;) alert tcp $HOME_NET any -> [94.237.63.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293853/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293853; rev:1;) alert tcp $HOME_NET any -> [94.237.62.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293832; rev:1;) alert tcp $HOME_NET any -> [94.237.62.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293833; rev:1;) alert tcp $HOME_NET any -> [94.237.62.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293834; rev:1;) alert tcp $HOME_NET any -> [94.237.62.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293835; rev:1;) alert tcp $HOME_NET any -> [94.237.62.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293836; rev:1;) alert tcp $HOME_NET any -> [94.237.62.207] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293837; rev:1;) alert tcp $HOME_NET any -> [94.237.62.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293838; rev:1;) alert tcp $HOME_NET any -> [94.237.62.221] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293839; rev:1;) alert tcp $HOME_NET any -> [94.237.62.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293840; rev:1;) alert tcp $HOME_NET any -> [94.237.62.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293823; rev:1;) alert tcp $HOME_NET any -> [94.237.62.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293824/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_07_03; classtype:trojan-activity; sid:91293824; rev:1;) alert tcp $HOME_NET any -> [94.237.62.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293825/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293825; rev:1;) alert tcp $HOME_NET any -> [94.237.62.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293826; rev:1;) alert tcp $HOME_NET any -> [94.237.62.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293827/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293827; rev:1;) alert tcp $HOME_NET any -> [94.237.62.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293828/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293828; rev:1;) alert tcp $HOME_NET any -> [94.237.62.172] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293829; rev:1;) alert tcp $HOME_NET any -> [94.237.62.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1293830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293830; rev:1;) alert tcp $HOME_NET any -> [94.237.62.182] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293831; rev:1;) alert tcp $HOME_NET any -> [94.237.62.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293811/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293811; rev:1;) alert tcp $HOME_NET any -> [94.237.62.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293812/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293812; rev:1;) alert tcp $HOME_NET any -> [94.237.62.79] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293813/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293813; rev:1;) alert tcp $HOME_NET any -> [94.237.62.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293814/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293814; rev:1;) alert tcp $HOME_NET any -> [94.237.62.97] 31337 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293815/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293815; rev:1;) alert tcp $HOME_NET any -> [94.237.62.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293816; rev:1;) alert tcp $HOME_NET any -> [94.237.62.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293817; rev:1;) alert tcp $HOME_NET any -> [94.237.62.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293818; rev:1;) alert tcp $HOME_NET any -> [94.237.62.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293819; rev:1;) alert tcp $HOME_NET any -> [94.237.62.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293820/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; 
sid:91293820; rev:1;) alert tcp $HOME_NET any -> [94.237.62.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293821; rev:1;) alert tcp $HOME_NET any -> [94.237.62.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293822/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293822; rev:1;) alert tcp $HOME_NET any -> [94.237.61.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293798/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293798; rev:1;) alert tcp $HOME_NET any -> [94.237.62.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293799/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293799; rev:1;) alert tcp $HOME_NET any -> [94.237.62.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293800; rev:1;) alert tcp $HOME_NET any -> [94.237.62.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293801/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293801; rev:1;) alert tcp $HOME_NET any -> [94.237.62.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293802; rev:1;) alert tcp $HOME_NET any -> [94.237.62.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293803/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293803; rev:1;) alert tcp $HOME_NET any -> [94.237.62.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293804/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293804; rev:1;) alert tcp $HOME_NET any -> [94.237.62.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293805/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293805; rev:1;) alert tcp $HOME_NET any -> [94.237.62.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293806; rev:1;) alert tcp $HOME_NET any -> [94.237.62.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293807/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293807; rev:1;) alert tcp $HOME_NET any -> [94.237.62.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293808/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293808; rev:1;) alert tcp $HOME_NET any -> [94.237.62.54] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293809/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293809; rev:1;) alert tcp $HOME_NET any -> [94.237.62.57] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293810/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293810; rev:1;) alert tcp $HOME_NET any -> [94.237.61.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293790; rev:1;) alert tcp $HOME_NET any -> [94.237.61.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293791; rev:1;) alert tcp $HOME_NET any -> 
[94.237.61.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293792; rev:1;) alert tcp $HOME_NET any -> [94.237.61.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293793; rev:1;) alert tcp $HOME_NET any -> [94.237.61.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293794/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293794; rev:1;) alert tcp $HOME_NET any -> [94.237.61.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293795; rev:1;) alert tcp $HOME_NET any -> [94.237.61.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293796; rev:1;) alert tcp $HOME_NET any -> [94.237.61.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293797/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293797; rev:1;) alert tcp $HOME_NET any -> [94.237.61.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293779/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293779; rev:1;) alert tcp $HOME_NET any -> [94.237.61.57] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293780/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293780; rev:1;) alert tcp $HOME_NET any -> [94.237.61.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293781/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293781; rev:1;) alert tcp $HOME_NET any -> [94.237.61.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293782; rev:1;) alert tcp $HOME_NET any -> [94.237.61.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293783; rev:1;) alert tcp $HOME_NET any -> [94.237.61.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1293784/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293784; rev:1;) alert tcp $HOME_NET any -> [94.237.61.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293785/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293785; rev:1;) alert tcp $HOME_NET any -> [94.237.61.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293786/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293786; rev:1;) alert tcp $HOME_NET any -> [94.237.61.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293787/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293787; rev:1;) alert tcp $HOME_NET any -> [94.237.61.170] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293788/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293788; rev:1;) alert tcp $HOME_NET any -> [94.237.61.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293789/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293789; rev:1;) alert tcp $HOME_NET any -> [94.237.60.202] 31337 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293768/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293768; rev:1;) alert tcp $HOME_NET any -> [94.237.60.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293769; rev:1;) alert tcp $HOME_NET any -> [94.237.60.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293770; rev:1;) alert tcp $HOME_NET any -> [94.237.60.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293771/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293771; rev:1;) alert tcp $HOME_NET any -> [94.237.60.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293772/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293772; rev:1;) alert tcp $HOME_NET any -> [94.237.60.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293773/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; 
classtype:trojan-activity; sid:91293773; rev:1;) alert tcp $HOME_NET any -> [94.237.60.255] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293774; rev:1;) alert tcp $HOME_NET any -> [94.237.61.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293775/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293775; rev:1;) alert tcp $HOME_NET any -> [94.237.61.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293776/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293776; rev:1;) alert tcp $HOME_NET any -> [94.237.61.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293777/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293777; rev:1;) alert tcp $HOME_NET any -> [94.237.61.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293778; rev:1;) alert tcp $HOME_NET any -> [94.237.60.118] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1293758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293758; rev:1;) alert tcp $HOME_NET any -> [94.237.60.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293759; rev:1;) alert tcp $HOME_NET any -> [94.237.60.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293760; rev:1;) alert tcp $HOME_NET any -> [94.237.60.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293761/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293761; rev:1;) alert tcp $HOME_NET any -> [94.237.60.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293762/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293762; rev:1;) alert tcp $HOME_NET any -> [94.237.60.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293763/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293763; rev:1;) alert tcp $HOME_NET any -> [94.237.60.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293764/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293764; rev:1;) alert tcp $HOME_NET any -> [94.237.60.169] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293765/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293765; rev:1;) alert tcp $HOME_NET any -> [94.237.60.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293766/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293766; rev:1;) alert tcp $HOME_NET any -> [94.237.60.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293767/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293767; rev:1;) alert tcp $HOME_NET any -> [94.237.60.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293745; rev:1;) alert tcp $HOME_NET any -> [94.237.60.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293746; rev:1;) 
# NOTE(review): the Sliver rules in this run match on destination IP and port 31337 only.
# They carry no content or flow keyword, so any TCP traffic from $HOME_NET to the listed
# address and port raises the alert. "threshold: type limit, track by_src, seconds 60,
# count 1" caps that at one alert per source host per 60 seconds for each sid.
# "target:src_ip" records the internal (source) host as the alert target, i.e. the host to triage.
# confidence_level is 75 and first_seen is 2024_07_03: ip:port indicators age, and hosting
# addresses get reassigned, so check the referenced ThreatFox IOC page and corroborate with
# host or proxy telemetry before blocking or escalating on a hit.
# Port 31337 is presumably Sliver's default multiplayer (operator) listener rather than an
# implant callback port - TODO confirm; a match is a lead for investigation, not proof of a beacon.
# The neighbouring addresses and consecutive IOC ids look like a bulk submission
# (presumably from internet-wide scanning) - TODO confirm against the feed.
alert tcp $HOME_NET any -> [94.237.60.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293747; rev:1;) alert tcp $HOME_NET any -> [94.237.60.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293748; rev:1;) alert tcp $HOME_NET any -> [94.237.60.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293749/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293749; rev:1;) alert tcp $HOME_NET any -> [94.237.60.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293750/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293750; rev:1;) alert tcp $HOME_NET any -> [94.237.60.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293751/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293751; rev:1;) alert tcp $HOME_NET any -> [94.237.60.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293752/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293752; rev:1;) alert tcp $HOME_NET any -> [94.237.60.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293753; rev:1;) alert tcp $HOME_NET any -> [94.237.60.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293754; rev:1;) alert tcp $HOME_NET any -> [94.237.60.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293755; rev:1;) alert tcp $HOME_NET any -> [94.237.60.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293756/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293756; rev:1;) alert tcp $HOME_NET any -> [94.237.60.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293757; rev:1;) alert tcp $HOME_NET any -> [94.237.59.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293734/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293734; rev:1;) alert tcp $HOME_NET any -> [94.237.59.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293735; rev:1;) alert tcp $HOME_NET any -> [94.237.59.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293736/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293736; rev:1;) alert tcp $HOME_NET any -> [94.237.59.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293737/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293737; rev:1;) alert tcp $HOME_NET any -> [94.237.59.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293738/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293738; rev:1;) alert tcp $HOME_NET any -> [94.237.59.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293739/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293739; rev:1;) alert tcp $HOME_NET any -> [94.237.59.237] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293740/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293740; rev:1;) alert tcp $HOME_NET any -> [94.237.59.243] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293741; rev:1;) alert tcp $HOME_NET any -> [94.237.59.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293742; rev:1;) alert tcp $HOME_NET any -> [94.237.59.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293743/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293743; rev:1;) alert tcp $HOME_NET any -> [94.237.60.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293744/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293744; rev:1;) alert tcp $HOME_NET any -> [94.237.59.118] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293724/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_07_03; classtype:trojan-activity; sid:91293724; rev:1;) alert tcp $HOME_NET any -> [94.237.59.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293725; rev:1;) alert tcp $HOME_NET any -> [94.237.59.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293726; rev:1;) alert tcp $HOME_NET any -> [94.237.59.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293727; rev:1;) alert tcp $HOME_NET any -> [94.237.59.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293728/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293728; rev:1;) alert tcp $HOME_NET any -> [94.237.59.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293729/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293729; rev:1;) alert tcp $HOME_NET any -> [94.237.59.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1293730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293730; rev:1;) alert tcp $HOME_NET any -> [94.237.59.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293731; rev:1;) alert tcp $HOME_NET any -> [94.237.59.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293732; rev:1;) alert tcp $HOME_NET any -> [94.237.59.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293733; rev:1;) alert tcp $HOME_NET any -> [94.237.59.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293713; rev:1;) alert tcp $HOME_NET any -> [94.237.59.42] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293714; rev:1;) alert tcp $HOME_NET any -> [94.237.59.55] 31337 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293715; rev:1;) alert tcp $HOME_NET any -> [94.237.59.56] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293716; rev:1;) alert tcp $HOME_NET any -> [94.237.59.76] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293717; rev:1;) alert tcp $HOME_NET any -> [94.237.59.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293718; rev:1;) alert tcp $HOME_NET any -> [94.237.59.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293719; rev:1;) alert tcp $HOME_NET any -> [94.237.59.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; 
sid:91293720; rev:1;)
# Review notes for the ip:port rules below (destinations all within 94.237.54.x-94.237.59.x, port 31337):
# - Each rule matches TCP from $HOME_NET to one listed address and port. There is no flow or payload
#   condition, so a hit records a packet sent toward that address (an unanswered connection attempt
#   included), not a confirmed C2 session.
# - threshold type limit / track by_src / seconds 60 / count 1: at most one alert per source address
#   per 60 seconds for each rule.
# - target:src_ip marks the internal source host as the affected side in the event record.
# - sid is the digit 9 followed by the ThreatFox IOC id given in the reference URL.
# - confidence_level and first_seen are the feed's own values. Address indicators age as hosts are
#   reassigned: check first_seen and the referenced entry, and corroborate with host telemetry
#   before treating a hit as a compromise.
alert tcp $HOME_NET any -> [94.237.59.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293721; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293722; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293723/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293723; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293701; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293702/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293702; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293703/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293703; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293704/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293704; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293705; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293706; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293707; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.4] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293708; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.6] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293709; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.7] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293710/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293710; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293711/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293711; rev:1;)
alert tcp $HOME_NET any -> [94.237.59.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293712; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293691/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293691; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293692; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293693; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293694; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293695/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293695; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293696/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293696; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293697; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293698; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293699; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293700/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293700; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293679; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293680/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293680; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293681/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293681; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293682/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293682; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293683; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293684/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293684; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293685; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293686; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293687/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293687; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293688/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293688; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293689; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293690; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.182] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293667/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293667; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293668; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293669/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293669; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293670/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293670; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293671; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293672; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293673/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293673; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293674; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293675; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293676; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293677; rev:1;)
alert tcp $HOME_NET any -> [94.237.58.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293678; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293656; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293657/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293657; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.111] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293658; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293659/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293659; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293660; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293661; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293662; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293663; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293664; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.170] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293665/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293665; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293666; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293642; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.226] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293643; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293644; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.255] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293645; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293646/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293646; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.22] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293647/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293647; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293648; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293649/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293649; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293650/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293650; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293651; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293652; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293653; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.56] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293654/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293654; rev:1;)
alert tcp $HOME_NET any -> [94.237.57.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293655/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293655; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293632; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293633; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293634; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293635; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293636; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.175] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293637; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293638; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293639; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293640; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293641; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293619; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293620; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293621; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293622; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293623; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293624; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293625; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293626; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293627; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293628; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.85] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293629; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293630; rev:1;)
alert tcp $HOME_NET any -> [94.237.56.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293631; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293610/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293610; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.160] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293611/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293611; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293612/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293612; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293613/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293613; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293614; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293615; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293616; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293617; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293618; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293599/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293599; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293600; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293601; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293602/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293602; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.88] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293603/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293603; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293604/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293604; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293605/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293605; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293606/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293606; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293607/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293607; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293608/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293608; rev:1;)
alert tcp $HOME_NET any -> [94.237.55.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293609/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293609; rev:1;)
alert tcp $HOME_NET any -> [94.237.54.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293586; rev:1;)
alert tcp $HOME_NET any -> [94.237.54.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293587; rev:1;)
alert tcp $HOME_NET any -> [94.237.54.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1293588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293588; rev:1;) alert tcp $HOME_NET any -> [94.237.54.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293589; rev:1;) alert tcp $HOME_NET any -> [94.237.54.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293590; rev:1;) alert tcp $HOME_NET any -> [94.237.55.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293591/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293591; rev:1;) alert tcp $HOME_NET any -> [94.237.55.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293592; rev:1;) alert tcp $HOME_NET any -> [94.237.55.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293593/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293593; rev:1;) alert tcp $HOME_NET any -> [94.237.55.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293594/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293594; rev:1;) alert tcp $HOME_NET any -> [94.237.55.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293595; rev:1;) alert tcp $HOME_NET any -> [94.237.55.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293596/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293596; rev:1;) alert tcp $HOME_NET any -> [94.237.55.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293597/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293597; rev:1;) alert tcp $HOME_NET any -> [94.237.55.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293598; rev:1;) alert tcp $HOME_NET any -> [94.237.54.104] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293575; rev:1;) 
# --- Reviewer notes for the ip:port rules that follow (ThreatFox "Sliver", port 31337) ---
# What each rule matches: any TCP traffic from $HOME_NET (any source port) to one listed IPv4
# address on destination port 31337. There is no flow, content or application-layer keyword, so
# the match is on address and port only; a connection attempt by itself can raise the alert, and
# an alert does not show that a session was established or what was exchanged.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per source address
# per 60 seconds for each rule, so alert counts do not reflect connection volume.
# target:src_ip -> the internal (source) host is recorded as the target side of the event.
# metadata: confidence_level 75 and first_seen 2024_07_03 are the feed's own values; in the rules
# shown here the sid is the ThreatFox IOC id from the reference URL prefixed with "9".
# NOTE(review): address-based indicators age, and an address can later serve unrelated hosts.
# Treat a hit as a lead to corroborate with host and flow telemetry, and check the first_seen
# date against your retention policy before keeping these rules active long term.
alert tcp $HOME_NET any -> [94.237.54.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293576; rev:1;) alert tcp $HOME_NET any -> [94.237.54.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293577; rev:1;) alert tcp $HOME_NET any -> [94.237.54.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293578/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293578; rev:1;) alert tcp $HOME_NET any -> [94.237.54.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293579/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293579; rev:1;) alert tcp $HOME_NET any -> [94.237.54.134] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293580; rev:1;) alert tcp $HOME_NET any -> [94.237.54.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293581/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293581; rev:1;) alert tcp $HOME_NET any -> [94.237.54.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293582; rev:1;) alert tcp $HOME_NET any -> [94.237.54.172] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293583; rev:1;) alert tcp $HOME_NET any -> [94.237.54.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293584/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293584; rev:1;) alert tcp $HOME_NET any -> [94.237.54.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293585; rev:1;) alert tcp $HOME_NET any -> [94.237.54.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293562; rev:1;) alert tcp $HOME_NET any -> [94.237.54.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293563; rev:1;) alert tcp $HOME_NET any -> [94.237.54.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293564; rev:1;) alert tcp $HOME_NET any -> [94.237.54.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293565; rev:1;) alert tcp $HOME_NET any -> [94.237.54.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293566; rev:1;) alert tcp $HOME_NET any -> [94.237.54.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293567; rev:1;) alert tcp $HOME_NET any -> [94.237.54.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293568; rev:1;) alert tcp $HOME_NET any -> [94.237.54.69] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293569; rev:1;) alert tcp $HOME_NET any -> [94.237.54.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293570; rev:1;) alert tcp $HOME_NET any -> [94.237.54.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293571; rev:1;) alert tcp $HOME_NET any -> [94.237.54.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293572; rev:1;) alert tcp $HOME_NET any -> [94.237.54.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293573; rev:1;) alert tcp $HOME_NET any -> [94.237.54.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; 
classtype:trojan-activity; sid:91293574; rev:1;) alert tcp $HOME_NET any -> [94.237.53.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293551; rev:1;) alert tcp $HOME_NET any -> [94.237.53.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293552/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293552; rev:1;) alert tcp $HOME_NET any -> [94.237.53.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293553; rev:1;) alert tcp $HOME_NET any -> [94.237.53.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293554/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293554; rev:1;) alert tcp $HOME_NET any -> [94.237.53.170] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293555/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293555; rev:1;) alert tcp $HOME_NET any -> [94.237.53.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1293556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293556; rev:1;) alert tcp $HOME_NET any -> [94.237.53.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293557; rev:1;) alert tcp $HOME_NET any -> [94.237.53.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293558; rev:1;) alert tcp $HOME_NET any -> [94.237.53.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293559; rev:1;) alert tcp $HOME_NET any -> [94.237.53.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293560; rev:1;) alert tcp $HOME_NET any -> [94.237.54.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293561; rev:1;) alert tcp $HOME_NET any -> [94.237.52.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293538/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293538; rev:1;) alert tcp $HOME_NET any -> [94.237.52.242] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293539; rev:1;) alert tcp $HOME_NET any -> [94.237.52.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293540; rev:1;) alert tcp $HOME_NET any -> [94.237.53.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293541; rev:1;) alert tcp $HOME_NET any -> [94.237.53.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293542/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293542; rev:1;) alert tcp $HOME_NET any -> [94.237.53.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293543; rev:1;) 
alert tcp $HOME_NET any -> [94.237.53.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293544; rev:1;) alert tcp $HOME_NET any -> [94.237.53.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293545/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293545; rev:1;) alert tcp $HOME_NET any -> [94.237.53.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293546; rev:1;) alert tcp $HOME_NET any -> [94.237.53.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293547; rev:1;) alert tcp $HOME_NET any -> [94.237.53.56] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293548; rev:1;) alert tcp $HOME_NET any -> [94.237.53.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293549/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293549; rev:1;) alert tcp $HOME_NET any -> [94.237.53.87] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293550/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293550; rev:1;) alert tcp $HOME_NET any -> [94.237.51.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293527/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293527; rev:1;) alert tcp $HOME_NET any -> [94.237.51.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293528/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293528; rev:1;) alert tcp $HOME_NET any -> [94.237.51.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293529/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293529; rev:1;) alert tcp $HOME_NET any -> [94.237.51.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293530/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293530; rev:1;) alert tcp $HOME_NET any -> [94.237.51.243] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293531; rev:1;) alert tcp $HOME_NET any -> [94.237.52.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293532/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293532; rev:1;) alert tcp $HOME_NET any -> [94.237.52.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293533/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293533; rev:1;) alert tcp $HOME_NET any -> [94.237.52.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293534/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293534; rev:1;) alert tcp $HOME_NET any -> [94.237.52.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293535; rev:1;) alert tcp $HOME_NET any -> [94.237.52.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293536/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293536; rev:1;) alert tcp $HOME_NET any -> [94.237.52.151] 
31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293537/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293537; rev:1;) alert tcp $HOME_NET any -> [94.237.51.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293517/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293517; rev:1;) alert tcp $HOME_NET any -> [94.237.51.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293518; rev:1;) alert tcp $HOME_NET any -> [94.237.51.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293519/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293519; rev:1;) alert tcp $HOME_NET any -> [94.237.51.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293520; rev:1;) alert tcp $HOME_NET any -> [94.237.51.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293521/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_07_03; classtype:trojan-activity; sid:91293521; rev:1;) alert tcp $HOME_NET any -> [94.237.51.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293522/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293522; rev:1;) alert tcp $HOME_NET any -> [94.237.51.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293523/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293523; rev:1;) alert tcp $HOME_NET any -> [94.237.51.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293524/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293524; rev:1;) alert tcp $HOME_NET any -> [94.237.51.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293525; rev:1;) alert tcp $HOME_NET any -> [94.237.51.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293526/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293526; rev:1;) alert tcp $HOME_NET any -> [94.237.51.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1293513/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293513; rev:1;) alert tcp $HOME_NET any -> [94.237.51.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293514; rev:1;) alert tcp $HOME_NET any -> [94.237.51.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293515; rev:1;) alert tcp $HOME_NET any -> [94.237.51.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293516; rev:1;) alert tcp $HOME_NET any -> [94.237.50.239] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293499/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293499; rev:1;) alert tcp $HOME_NET any -> [94.237.50.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293500; rev:1;) alert tcp $HOME_NET any -> [94.237.51.1] 31337 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293501/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293501; rev:1;) alert tcp $HOME_NET any -> [94.237.51.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293502; rev:1;) alert tcp $HOME_NET any -> [94.237.51.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293503/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293503; rev:1;) alert tcp $HOME_NET any -> [94.237.51.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293504/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293504; rev:1;) alert tcp $HOME_NET any -> [94.237.51.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293505; rev:1;) alert tcp $HOME_NET any -> [94.237.51.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; 
sid:91293506; rev:1;) alert tcp $HOME_NET any -> [94.237.51.26] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293507; rev:1;) alert tcp $HOME_NET any -> [94.237.51.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293508/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293508; rev:1;) alert tcp $HOME_NET any -> [94.237.51.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293509/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293509; rev:1;) alert tcp $HOME_NET any -> [94.237.51.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293510; rev:1;) alert tcp $HOME_NET any -> [94.237.51.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293511/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293511; rev:1;) alert tcp $HOME_NET any -> [94.237.51.79] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293512/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293512; rev:1;) alert tcp $HOME_NET any -> [94.237.50.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293488/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293488; rev:1;) alert tcp $HOME_NET any -> [94.237.50.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293489/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293489; rev:1;) alert tcp $HOME_NET any -> [94.237.50.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293490/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293490; rev:1;) alert tcp $HOME_NET any -> [94.237.50.183] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293491/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293491; rev:1;) alert tcp $HOME_NET any -> [94.237.50.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293492; rev:1;) alert tcp $HOME_NET any -> [94.237.50.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293493; rev:1;) alert tcp $HOME_NET any -> [94.237.50.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293494/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293494; rev:1;) alert tcp $HOME_NET any -> [94.237.50.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293495; rev:1;) alert tcp $HOME_NET any -> [94.237.50.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293496; rev:1;) alert tcp $HOME_NET any -> [94.237.50.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293497/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293497; rev:1;) alert tcp $HOME_NET any -> [94.237.50.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293498/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293498; rev:1;) alert tcp $HOME_NET any 
-> [94.237.50.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293477/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293477; rev:1;) alert tcp $HOME_NET any -> [94.237.50.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293478/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293478; rev:1;) alert tcp $HOME_NET any -> [94.237.50.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293479; rev:1;) alert tcp $HOME_NET any -> [94.237.50.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293480; rev:1;) alert tcp $HOME_NET any -> [94.237.50.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293481; rev:1;) alert tcp $HOME_NET any -> [94.237.50.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293482/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_07_03; classtype:trojan-activity; sid:91293482; rev:1;) alert tcp $HOME_NET any -> [94.237.50.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293483/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293483; rev:1;) alert tcp $HOME_NET any -> [94.237.50.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293484; rev:1;) alert tcp $HOME_NET any -> [94.237.50.144] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293485; rev:1;) alert tcp $HOME_NET any -> [94.237.50.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293486; rev:1;) alert tcp $HOME_NET any -> [94.237.50.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293487/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293487; rev:1;) alert tcp $HOME_NET any -> [94.237.49.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1293464/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293464; rev:1;) alert tcp $HOME_NET any -> [94.237.49.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293465; rev:1;) alert tcp $HOME_NET any -> [94.237.50.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293466; rev:1;) alert tcp $HOME_NET any -> [94.237.50.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293467; rev:1;) alert tcp $HOME_NET any -> [94.237.50.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293468; rev:1;) alert tcp $HOME_NET any -> [94.237.50.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293469; rev:1;) alert tcp $HOME_NET any -> [94.237.50.48] 31337 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293470; rev:1;) alert tcp $HOME_NET any -> [94.237.50.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293471; rev:1;) alert tcp $HOME_NET any -> [94.237.50.64] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293472; rev:1;) alert tcp $HOME_NET any -> [94.237.50.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293473; rev:1;) alert tcp $HOME_NET any -> [94.237.50.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293474/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293474; rev:1;) alert tcp $HOME_NET any -> [94.237.50.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293475/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; 
sid:91293475; rev:1;) alert tcp $HOME_NET any -> [94.237.50.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293476/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293476; rev:1;) alert tcp $HOME_NET any -> [94.237.49.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293454; rev:1;) alert tcp $HOME_NET any -> [94.237.49.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293455; rev:1;) alert tcp $HOME_NET any -> [94.237.49.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293456; rev:1;) alert tcp $HOME_NET any -> [94.237.49.144] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293457; rev:1;) alert tcp $HOME_NET any -> [94.237.49.176] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1293458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293458; rev:1;) alert tcp $HOME_NET any -> [94.237.49.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293459; rev:1;) alert tcp $HOME_NET any -> [94.237.49.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293460; rev:1;) alert tcp $HOME_NET any -> [94.237.49.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293461; rev:1;) alert tcp $HOME_NET any -> [94.237.49.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293462; rev:1;) alert tcp $HOME_NET any -> [94.237.49.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293463; rev:1;) alert tcp $HOME_NET any -> [94.237.48.235] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293440; rev:1;) alert tcp $HOME_NET any -> [94.237.48.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293441; rev:1;) alert tcp $HOME_NET any -> [94.237.49.6] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293442/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293442; rev:1;) alert tcp $HOME_NET any -> [94.237.49.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293443; rev:1;) alert tcp $HOME_NET any -> [94.237.49.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293444; rev:1;) alert tcp $HOME_NET any -> [94.237.49.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293445/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293445; rev:1;) 
# Review notes for the 40 ThreatFox "Sliver" ip:port rules below.
# - Each rule matches only on a destination address and TCP port 31337. There are
#   no flow or payload keywords, so an alert shows that a $HOME_NET host sent
#   traffic toward the address, not that a C2 session was established.
# - "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
#   alert per source address per 60 seconds for each sid.
# - "target:src_ip" records the internal (source) host as the target of the event.
# - Each sid is the ThreatFox IOC id prefixed with 9; the reference URL carries the
#   same id, so either value can be used to pivot back to the IOC entry.
# - All entries carry confidence_level 75 and first_seen 2024_07_03.
#   NOTE(review): ip:port indicators go stale as addresses are reassigned; confirm
#   the IOC is still listed before acting on a hit, and prefer alerting to blocking.
# - NOTE(review): every destination falls in 94.237.46.0-94.237.49.255 on a single
#   port. Such dense clustering may point to shared hosting; confirm before
#   widening any of these entries into a range-based block.
# - NOTE(review): 31337 appears to be Sliver's default operator (multiplayer)
#   listener port rather than an implant callback port; verify what kind of
#   internal client would be expected to connect to it when triaging.
alert tcp $HOME_NET any -> [94.237.49.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293446; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293447; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293448; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293449; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.70] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293450; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293451; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.87] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293452; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293453/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293453; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.64] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293430; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293431; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293432; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293433; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293434/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293434; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293435/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293435; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293436/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293436; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293437; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293438; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293439; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293418/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293418; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293419/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293419; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293420/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293420; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.172] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293421/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293421; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.186] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293422/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293422; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293423/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293423; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293424; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293425/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293425; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293426/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293426; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.56] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293427/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293427; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293428/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293428; rev:1;)
alert tcp $HOME_NET any -> [94.237.48.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293429/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293429; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293407; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293408; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.76] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293409; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293410; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.142] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293411/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293411; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293412/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293412; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293413; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293414; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293415; rev:1;)
alert tcp $HOME_NET any -> [94.237.47.6] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293416; rev:1;)
# ThreatFox ip:port indicators labelled "Sliver" (first_seen 2024_07_03, confidence 75%).
# Each rule matches TCP traffic from $HOME_NET to one listed address on port 31337.
# The rules carry no flow, flags or content options, so they match on address and port
# alone: any packet to that endpoint qualifies, including a connection attempt that is
# never answered, and the payload is not inspected. Treat a hit as a lead to corroborate
# with flow records, proxy/DNS logs and endpoint telemetry, not as proof of a session.
# threshold "type limit, track by_src, seconds 60, count 1" caps each rule at one alert
# per source address per 60 seconds. The cap is per rule, so one host contacting several
# listed addresses still raises one alert per sid.
# target:src_ip records the source ($HOME_NET) side as the target in the alert event.
# Each sid is the ThreatFox IOC id from the rule's reference URL, prefixed with 9.
# Address-only indicators can go stale when hosting is reassigned; check the referenced
# IOC entry before acting on a match that is much newer than first_seen.
alert tcp $HOME_NET any -> [94.237.47.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293417/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293417; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293395/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293395; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293396/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293396; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293397/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293397; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293398/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293398; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293399; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293400; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293401; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293402/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293402; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293403; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293404; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293405; rev:1;)
alert tcp $HOME_NET any -> [94.237.46.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293406; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293383/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293383; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293384; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293385; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.6] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293386; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293387; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293388/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293388; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293389/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293389; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.79] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293390; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293391; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293392; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293393; rev:1;)
alert tcp $HOME_NET any -> [94.237.45.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293394/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293394; rev:1;)
alert tcp $HOME_NET any -> [94.237.43.61] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293372; rev:1;)
alert tcp $HOME_NET any -> [94.237.43.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293373; rev:1;)
alert tcp $HOME_NET any -> [94.237.43.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293374; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293375; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293376/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293376; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293377; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293378; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293379; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293380; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293381; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293382; rev:1;)
alert tcp $HOME_NET any -> [94.237.42.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293361; rev:1;)
alert tcp $HOME_NET any -> [94.237.42.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293362; rev:1;)
alert tcp $HOME_NET any -> [94.237.42.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293363; rev:1;)
alert tcp $HOME_NET any -> [94.237.42.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293364/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293364; rev:1;)
alert tcp $HOME_NET any -> [94.237.42.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293365; rev:1;) alert tcp $HOME_NET any -> [94.237.42.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293366/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293366; rev:1;) alert tcp $HOME_NET any -> [94.237.42.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293367/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293367; rev:1;) alert tcp $HOME_NET any -> [94.237.43.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293368; rev:1;) alert tcp $HOME_NET any -> [94.237.43.5] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293369; rev:1;) alert tcp $HOME_NET any -> [94.237.43.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293370/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293370; rev:1;) alert tcp $HOME_NET any -> [94.237.43.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293371; rev:1;) alert tcp $HOME_NET any -> [94.237.40.132] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293350; rev:1;) alert tcp $HOME_NET any -> [94.237.40.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293351; rev:1;) alert tcp $HOME_NET any -> [94.237.40.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293352; rev:1;) alert tcp $HOME_NET any -> [94.237.40.176] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293353; rev:1;) alert tcp $HOME_NET any -> [94.237.40.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293354; rev:1;) alert tcp $HOME_NET any -> [94.237.40.203] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293355; rev:1;) alert tcp $HOME_NET any -> [94.237.40.255] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293356; rev:1;) alert tcp $HOME_NET any -> [94.237.41.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293357; rev:1;) alert tcp $HOME_NET any -> [94.237.41.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293358/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293358; rev:1;) alert tcp $HOME_NET any -> [94.237.41.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293359; rev:1;) alert tcp $HOME_NET any -> [94.237.42.29] 
31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293360; rev:1;) alert tcp $HOME_NET any -> [94.237.31.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293339/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293339; rev:1;) alert tcp $HOME_NET any -> [94.237.31.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293340; rev:1;) alert tcp $HOME_NET any -> [94.237.31.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293341; rev:1;) alert tcp $HOME_NET any -> [94.237.31.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293342; rev:1;) alert tcp $HOME_NET any -> [94.237.40.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293343/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_07_03; classtype:trojan-activity; sid:91293343; rev:1;) alert tcp $HOME_NET any -> [94.237.40.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293344; rev:1;) alert tcp $HOME_NET any -> [94.237.40.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293345; rev:1;) alert tcp $HOME_NET any -> [94.237.40.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293346; rev:1;) alert tcp $HOME_NET any -> [94.237.40.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293347; rev:1;) alert tcp $HOME_NET any -> [94.237.40.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293348; rev:1;) alert tcp $HOME_NET any -> [94.237.40.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1293349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293349; rev:1;) alert tcp $HOME_NET any -> [94.237.31.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293331; rev:1;) alert tcp $HOME_NET any -> [94.237.31.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293332; rev:1;) alert tcp $HOME_NET any -> [94.237.31.177] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293333; rev:1;) alert tcp $HOME_NET any -> [94.237.31.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293334; rev:1;) alert tcp $HOME_NET any -> [94.237.31.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293335/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293335; rev:1;) alert tcp $HOME_NET any -> [94.237.31.202] 31337 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293336/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293336; rev:1;) alert tcp $HOME_NET any -> [94.237.31.203] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293337/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293337; rev:1;) alert tcp $HOME_NET any -> [94.237.31.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293338/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293338; rev:1;) alert tcp $HOME_NET any -> [94.237.31.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293320/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293320; rev:1;) alert tcp $HOME_NET any -> [94.237.31.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293321; rev:1;) alert tcp $HOME_NET any -> [94.237.31.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; 
sid:91293322; rev:1;) alert tcp $HOME_NET any -> [94.237.31.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293323/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293323; rev:1;) alert tcp $HOME_NET any -> [94.237.31.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293324/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293324; rev:1;) alert tcp $HOME_NET any -> [94.237.31.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293325/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293325; rev:1;) alert tcp $HOME_NET any -> [94.237.31.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293326/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293326; rev:1;) alert tcp $HOME_NET any -> [94.237.31.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293327/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293327; rev:1;) alert tcp $HOME_NET any -> [94.237.31.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1293328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293328; rev:1;) alert tcp $HOME_NET any -> [94.237.31.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293329/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293329; rev:1;) alert tcp $HOME_NET any -> [94.237.31.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293330/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293330; rev:1;) alert tcp $HOME_NET any -> [94.237.30.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293310/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293310; rev:1;) alert tcp $HOME_NET any -> [94.237.30.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293311; rev:1;) alert tcp $HOME_NET any -> [94.237.30.154] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293312; rev:1;) alert tcp $HOME_NET any -> [94.237.30.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293313; rev:1;) alert tcp $HOME_NET any -> [94.237.30.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293314; rev:1;) alert tcp $HOME_NET any -> [94.237.30.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293315; rev:1;) alert tcp $HOME_NET any -> [94.237.30.201] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293316; rev:1;) alert tcp $HOME_NET any -> [94.237.30.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293317/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293317; rev:1;) alert tcp $HOME_NET any -> [94.237.30.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293318/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293318; 
rev:1;) alert tcp $HOME_NET any -> [94.237.30.242] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293319/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293319; rev:1;) alert tcp $HOME_NET any -> [94.237.29.176] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293298/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293298; rev:1;) alert tcp $HOME_NET any -> [94.237.29.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293299/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293299; rev:1;) alert tcp $HOME_NET any -> [94.237.29.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293300; rev:1;) alert tcp $HOME_NET any -> [94.237.29.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293301/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293301; rev:1;) alert tcp $HOME_NET any -> [94.237.29.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293302/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293302; rev:1;) alert tcp $HOME_NET any -> [94.237.29.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293303; rev:1;) alert tcp $HOME_NET any -> [94.237.29.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293304/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293304; rev:1;) alert tcp $HOME_NET any -> [94.237.30.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293305/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293305; rev:1;) alert tcp $HOME_NET any -> [94.237.30.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293306/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293306; rev:1;) alert tcp $HOME_NET any -> [94.237.30.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293307; rev:1;) alert tcp $HOME_NET any -> [94.237.30.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293308; rev:1;) alert tcp $HOME_NET any -> [94.237.30.88] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293309/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293309; rev:1;) alert tcp $HOME_NET any -> [94.237.29.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293289/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293289; rev:1;) alert tcp $HOME_NET any -> [94.237.29.115] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293290/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293290; rev:1;) alert tcp $HOME_NET any -> [94.237.29.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293291/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293291; rev:1;) alert tcp $HOME_NET any -> [94.237.29.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293292; rev:1;) alert tcp $HOME_NET any -> 
[94.237.29.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293293; rev:1;) alert tcp $HOME_NET any -> [94.237.29.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293294; rev:1;) alert tcp $HOME_NET any -> [94.237.29.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293295/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293295; rev:1;) alert tcp $HOME_NET any -> [94.237.29.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293296/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293296; rev:1;) alert tcp $HOME_NET any -> [94.237.29.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293297/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293297; rev:1;) alert tcp $HOME_NET any -> [94.237.28.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293275/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293275; rev:1;) alert tcp $HOME_NET any -> [94.237.28.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293276; rev:1;) alert tcp $HOME_NET any -> [94.237.29.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293277/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293277; rev:1;) alert tcp $HOME_NET any -> [94.237.29.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293278; rev:1;) alert tcp $HOME_NET any -> [94.237.29.42] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293279; rev:1;) alert tcp $HOME_NET any -> [94.237.29.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293280; rev:1;) alert tcp $HOME_NET any -> [94.237.29.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1293281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293281; rev:1;) alert tcp $HOME_NET any -> [94.237.29.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293282; rev:1;) alert tcp $HOME_NET any -> [94.237.29.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293283; rev:1;) alert tcp $HOME_NET any -> [94.237.29.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293284; rev:1;) alert tcp $HOME_NET any -> [94.237.29.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293285; rev:1;) alert tcp $HOME_NET any -> [94.237.29.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293286; rev:1;) alert tcp $HOME_NET any -> [94.237.29.89] 31337 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293287; rev:1;) alert tcp $HOME_NET any -> [94.237.29.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293288; rev:1;) alert tcp $HOME_NET any -> [94.237.28.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293265; rev:1;) alert tcp $HOME_NET any -> [94.237.28.108] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293266; rev:1;) alert tcp $HOME_NET any -> [94.237.28.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293267/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293267; rev:1;) alert tcp $HOME_NET any -> [94.237.28.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; 
sid:91293268; rev:1;) alert tcp $HOME_NET any -> [94.237.28.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293269; rev:1;) alert tcp $HOME_NET any -> [94.237.28.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293270; rev:1;) alert tcp $HOME_NET any -> [94.237.28.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293271; rev:1;) alert tcp $HOME_NET any -> [94.237.28.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293272; rev:1;) alert tcp $HOME_NET any -> [94.237.28.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293273; rev:1;) alert tcp $HOME_NET any -> [94.237.28.222] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1293274/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293274; rev:1;) alert tcp $HOME_NET any -> [94.237.26.221] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293253; rev:1;) alert tcp $HOME_NET any -> [94.237.27.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293254/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293254; rev:1;) alert tcp $HOME_NET any -> [94.237.27.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293255/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293255; rev:1;) alert tcp $HOME_NET any -> [94.237.27.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293256; rev:1;) alert tcp $HOME_NET any -> [94.237.27.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293257; rev:1;) alert tcp $HOME_NET any -> [94.237.27.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293258; rev:1;) alert tcp $HOME_NET any -> [94.237.27.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293259/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293259; rev:1;) alert tcp $HOME_NET any -> [94.237.27.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293260/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293260; rev:1;) alert tcp $HOME_NET any -> [94.237.27.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293261; rev:1;) alert tcp $HOME_NET any -> [94.237.27.182] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293262; rev:1;) alert tcp $HOME_NET any -> [94.237.28.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293263/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293263; rev:1;) 
# --- Reviewer notes on the ip:port rules that follow ---------------------------
# Each rule alerts on TCP traffic from $HOME_NET to one listed address on
# destination port 31337. No content, flow or TLS keyword is present, so the
# match rests on address and port alone; treat a hit as a lead and correlate it
# with flow/TLS logs and endpoint telemetry for the source host before acting.
# threshold (type limit, track by_src, seconds 60, count 1): at most one alert
#   per source address per 60 seconds for each rule, so repeated connections
#   inside that window do not produce further alerts.
# target:src_ip: records the internal source host as the target (victim) side
#   in the alert event.
# sid: the ThreatFox IOC id prefixed with 9 (sid 91293264 <-> ioc/1293264); the
#   reference URL points at the matching IOC entry.
# metadata: confidence_level 75, first_seen 2024_07_03. IP indicators age, so
#   compare first_seen with the feed's "Last updated" header when triaging.
# NOTE(review): many of the nearby destinations are close-together addresses in
#   94.237.24.x-94.237.31.x with the same first_seen date, which may point to a
#   bulk submission; confirm on the ThreatFox entry before using for blocking.
# -----------------------------------------------------------------------------
alert tcp $HOME_NET any -> [94.237.28.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293264; rev:1;) alert tcp $HOME_NET any -> [94.237.25.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293241; rev:1;) alert tcp $HOME_NET any -> [94.237.25.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293242/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293242; rev:1;) alert tcp $HOME_NET any -> [94.237.25.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293243/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293243; rev:1;) alert tcp $HOME_NET any -> [94.237.25.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293244; rev:1;) alert tcp $HOME_NET any -> [94.237.26.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293245/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293245; rev:1;) alert tcp $HOME_NET any -> [94.237.26.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293246; rev:1;) alert tcp $HOME_NET any -> [94.237.26.87] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293247; rev:1;) alert tcp $HOME_NET any -> [94.237.26.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293248/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293248; rev:1;) alert tcp $HOME_NET any -> [94.237.26.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293249; rev:1;) alert tcp $HOME_NET any -> [94.237.26.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293250; rev:1;) alert tcp $HOME_NET any -> [94.237.26.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293251; rev:1;) alert tcp $HOME_NET any -> [94.237.26.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293252; rev:1;) alert tcp $HOME_NET any -> [94.237.24.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293229; rev:1;) alert tcp $HOME_NET any -> [94.237.24.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293230/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293230; rev:1;) alert tcp $HOME_NET any -> [94.237.25.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293231; rev:1;) alert tcp $HOME_NET any -> [94.237.25.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293232; rev:1;) alert tcp $HOME_NET any -> [94.237.25.60] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293233/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293233; rev:1;) alert tcp $HOME_NET any -> [94.237.25.63] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293234; rev:1;) alert tcp $HOME_NET any -> [94.237.25.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293235/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293235; rev:1;) alert tcp $HOME_NET any -> [94.237.25.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293236/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293236; rev:1;) alert tcp $HOME_NET any -> [94.237.25.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293237; rev:1;) alert tcp $HOME_NET any -> [94.237.25.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293238/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_07_03; classtype:trojan-activity; sid:91293238; rev:1;)
# Sliver ip:port indicators (confidence_level 75, first_seen 2024_07_03).
# Each rule alerts on TCP traffic from $HOME_NET to one listed address on port 31337. It has no
# flow or content keyword, so it matches on destination address and port alone: it also fires on
# an unanswered connection attempt and says nothing about the protocol spoken.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per source
# address per 60 seconds per rule; target:src_ip marks the $HOME_NET host as the alert's target.
# The sid is the ThreatFox IOC id with a leading 9 (sid:91293239 <-> ioc/1293239), which gives the
# lookup key for triage.
# NOTE(review): address-only indicators go stale when an address is reassigned; consider expiring
# these on first_seen age and confirming a hit with host or flow evidence before acting on it.
alert tcp $HOME_NET any -> [94.237.25.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293239; rev:1;)
alert tcp $HOME_NET any -> [94.237.25.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293240/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293240; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293220/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293220; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293221/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293221; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293222; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293223/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293223; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.170] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293224; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293225; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293226; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293227; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293228; rev:1;)
alert tcp $HOME_NET any -> [83.136.253.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293210; rev:1;)
alert tcp $HOME_NET any -> [83.136.253.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293211; rev:1;)
alert tcp $HOME_NET any -> [83.136.253.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293212; rev:1;)
alert tcp $HOME_NET any -> [83.136.253.134] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293213; rev:1;)
alert tcp $HOME_NET any -> [83.136.253.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293214/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293214; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293215/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293215; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293216; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293217/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293217; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293218; rev:1;)
alert tcp $HOME_NET any -> [94.237.24.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293219; rev:1;)
alert tcp $HOME_NET any -> [5.22.210.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293198/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293198; rev:1;)
alert tcp $HOME_NET any -> [5.22.210.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293199/;
target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293199; rev:1;)
# Sliver ip:port indicators, continued: single addresses in 5.22.209.x, 5.22.210.x and 5.22.211.x,
# all on port 31337, all confidence_level 75 with first_seen 2024_07_03.
# The rules differ only in address, IOC id and sid. Because each address has its own sid, one
# internal host contacting several of them raises one alert per rule; the 60-second limit applies
# per rule, not across the batch.
# NOTE(review): the dense run of neighbouring addresses with near-consecutive IOC ids looks like a
# bulk submission (presumably from scanning) - confirm on the referenced ThreatFox entries.
# NOTE(review): 31337 is, as far as I know, the default port of Sliver's multiplayer (operator)
# listener rather than of an implant listener - confirm before reading a hit as implant check-in.
# NOTE(review): a batch this uniform could be carried as one rule over an address list or an IP
# reputation list to reduce rule count; verify against the deployed Suricata version.
alert tcp $HOME_NET any -> [5.22.211.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293200/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293200; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293201; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293202/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293202; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293203; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.132] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293204/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293204; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293205/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293205; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293206/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293206; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293207; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293208/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293208; rev:1;)
alert tcp $HOME_NET any -> [5.22.211.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293209/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293209; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293190/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293190; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293191/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293191; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.224] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293192/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293192; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293193/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293193; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.234] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293194/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293194; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293195/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293195; rev:1;)
alert tcp $HOME_NET any -> [5.22.210.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293196/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293196; rev:1;)
alert tcp $HOME_NET any -> [5.22.210.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293197/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293197; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293184; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293185/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293185; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293186; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293187; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1293188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293188; rev:1;)
# Last part of the Sliver ip:port run: single addresses in 5.22.208.x and 5.22.209.x on port 31337,
# confidence_level 75, first_seen 2024_07_03, followed by the start of a RisePro rule on port 8081.
# These are address-and-port matches with no flow or payload condition. An alert shows that an
# internal host sent TCP traffic to the listed endpoint, not that a session was established or
# that Sliver traffic was observed.
# The confidence figure appears both in msg and in metadata (confidence_level); the metadata field
# is the one to filter on. The RisePro rule at the end carries confidence_level 50, lower than the
# Sliver rules above it.
# NOTE(review): decide a minimum confidence_level and a maximum first_seen age before loading
# address-only rules in blocking (IPS) mode; at 50-75 they are better suited to alert-only use.
alert tcp $HOME_NET any -> [5.22.209.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293189; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293176/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293176; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293177/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293177; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293178/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293178; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293179/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293179; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293180/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293180; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293181/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293181; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293182/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293182; rev:1;)
alert tcp $HOME_NET any -> [5.22.209.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293183/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293183; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293169; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293170/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293170; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293171; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293172; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293173; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293174; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293175; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293163; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293164; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.56] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293165; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293166; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.87] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293167; rev:1;)
alert tcp $HOME_NET any -> [5.22.208.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293168; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.180] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91293162; rev:1;)
# Mixed indicators, first_seen 2024_07_03: ip:port rules (RedLine Stealer, Remcos, Quasar RAT,
# "Unknown malware"), URL rules labelled "payload delivery" or "botnet C2 traffic", and one DNS rule.
#
# Shape of the URL rules: flow:established,from_client; method must contain "GET"; http.uri must
# begin with the listed path (depth equals the path length, nocase); http.host must equal the
# listed name (depth equals its length, and isdataat:!1,relative rejects any trailing bytes).
# What follows from that shape:
#   - The URI is anchored at its start only, so a longer path or a query string after the listed
#     prefix still matches.
#   - Requests with other methods to the same URL do not alert.
#   - http.* buffers see cleartext HTTP only; the same URL fetched over TLS is not inspected unless
#     traffic is decrypted upstream. The DNS rule for adobefallshomes.com covers the lookup.
#
# Overlap to expect in alert volume:
#   - sids 91292927/91292934, 91292929/91292935 and 91292930/91292936 are pairwise identical in
#     their match conditions (same host, same path); only the IOC id and sid differ.
#   - sids 91292937 and 91292938 match the path "/" with depth:1, which every request URI begins
#     with, so they are effectively host-only rules. One GET for /cdn-vs/original.js on
#     adobefallshomes.com therefore raises 91292927, 91292934 and 91292938 together.
# NOTE(review): de-duplicate on host plus path when counting incidents, or suppress the duplicate
# sids locally; confirm against the referenced ThreatFox entries whether the duplicates are intended.
alert tcp $HOME_NET any -> [185.222.58.91] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91293160; rev:1;)
alert tcp $HOME_NET any -> [192.3.64.149] 2888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1293159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91293159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/26/pls-00208-identifier-is-not-a-legal-cursor-attribute"; depth:64; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1293157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91293157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.future-plast.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1293158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91293158; rev:1;)
alert tcp $HOME_NET any -> [191.101.130.177] 6903 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292964; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.13] 1256 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adobefallshomes.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292930; rev:1;)
alert tcp $HOME_NET any -> [23.237.71.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"helpcenter.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"adobefallshomes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292938; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.215] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linetopythonjslowupdatelongpollwindowsflower.php"; depth:49; nocase; http.host; content:"podval.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.109.186.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292962; rev:1;)
# "botnet C2 traffic" URL indicators (confidence_level 100, first_seen 2024_07_03), one DNS rule
# and one Cobalt Strike ip:port rule, followed by the start of a Remcos ip:port rule.
#
# Most of the URL rules pin http.host to an IP-address literal; two use a domain name. The host is
# matched exactly (depth plus isdataat:!1,relative), while the URI is matched as a prefix only
# (depth equals the path length, with no end anchor), and only for requests whose method contains
# "GET". Short prefixes such as "/cm", "/cx", "/load" and "/push" therefore also match longer
# paths on the same host; the exact host match is what keeps that narrow.
# The msg field of the URL and DNS rules names no malware family.
# NOTE(review): several of these paths (/dpixel, /__utm.gif, /ga.js, /g.pixel, /pixel, /cm, /cx,
# /push, /load, /fwlink, /ie9compatviewlist.xml, /visit.js) look like stock Cobalt Strike HTTP
# beacon URIs - confirm the family on the referenced ThreatFox entry before labelling an incident.
# 1307777787-7caouzfrdq-bj.scf.tencentcs.com is one label under a shared parent domain; both the
# HTTP rule and the DNS rule match the full name exactly, so other names under that parent do not
# alert.
# 49.235.118.195 appears in two rules (/dpixel and /visit.js); expect two sids for one endpoint.
# NOTE(review): these rules inspect cleartext HTTP only; the same endpoints reached over TLS need
# an address or TLS-based rule, such as the ip:port rule for 103.40.161.76:443 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.109.51.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"106.53.213.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"156.238.235.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"1307777787-7caouzfrdq-bj.scf.tencentcs.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1307777787-7caouzfrdq-bj.scf.tencentcs.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.117.0.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.223.166.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.92.89.193"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.126.16.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"121.43.230.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/themes/index.php"; depth:17; nocase; http.host; content:"116.196.82.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.134.139.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292944; rev:1;)
alert tcp $HOME_NET any -> [103.40.161.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/protecttrackdatalifeprivatecentral.php"; depth:39; nocase; http.host; content:"118621cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292940; rev:1;)
alert tcp $HOME_NET any -> [103.212.81.159] 5207 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292939; rev:1;) alert tcp $HOME_NET any -> [172.232.164.13] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292933; rev:1;) alert tcp $HOME_NET any -> [18.171.15.157] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292918/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292918; rev:1;) alert tcp $HOME_NET any -> [45.132.96.113] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292919/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292919; rev:1;) alert tcp $HOME_NET any -> [5.181.12.94] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292920/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292920; rev:1;) alert tcp $HOME_NET any -> [216.250.190.139] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292921/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292921; rev:1;) 
# ip:port indicator rules: there is no flow or content keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches (a lone SYN is
# enough). The threshold limits output to one alert per source address per
# 60 seconds. An alert therefore shows a connection attempt, not a completed
# session or a protocol match.
# The WhiteSnake Stealer entries below carry confidence_level 49 and all point
# at port 80.
# NOTE(review): with confidence this low on a common web port, presumably these
# belong in a lower-priority queue and need corroboration (flow records, host
# telemetry) before being treated as a compromise - confirm against local policy.
alert tcp $HOME_NET any -> [66.42.56.128] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292922/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292922; rev:1;)
alert tcp $HOME_NET any -> [154.31.165.232] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292923/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292923; rev:1;)
alert tcp $HOME_NET any -> [85.8.181.218] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292924/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292924; rev:1;)
alert tcp $HOME_NET any -> [8.130.31.155] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292925/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292925; rev:1;)
alert tcp $HOME_NET any -> [106.3.136.82] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292926/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_03; classtype:trojan-activity; sid:91292926; rev:1;)
# Payload delivery rules: GET requests whose Host is exactly 194.233.78.47 and
# whose URI starts with "/hidakibest." followed by one of arm4, arm5, mips,
# mpsl, ppc, sh, sparc, x86. Each file name has its own sid.
# The same address is also listed below as Mirai C2 on port 4258
# (sid 91292916), so a download alert followed by that C2 alert from the same
# internal source is a stronger signal than either alert alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; depth:16; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"194.233.78.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292915; rev:1;)
alert tcp $HOME_NET any -> [194.233.78.47] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292916; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.81] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292917; rev:1;)
# Domain indicator rule: the DNS query name must equal "downloaddining.com"
# exactly (depth 18 plus isdataat:!1,relative), case-insensitively; a query for
# a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"downloaddining.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292906; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the address and port matches
# (no flow or content keyword); one alert per source per 60 seconds.
# NOTE(review): 172.67.130.113 and 104.21.76.60 appear to sit in address space
# operated by a large CDN / reverse-proxy provider - verify. If so, many
# unrelated sites answer on these addresses at port 80, and these two rules
# will flag ordinary browsing; corroborate with a host- or URL-based indicator
# before acting on them.
alert tcp $HOME_NET any -> [172.67.130.113] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292893; rev:1;)
alert tcp $HOME_NET any -> [104.21.76.60] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292896/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292896; rev:1;)
# Payload delivery rules for "/article.php" on two hosts. In the first, the
# label "facebook" is only a subdomain; the registered domain is ygdiw.com.
# The Host match is exact, so other hosts under the same domains are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.facebook.ygdiw.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.fantasticomundodesunca.org"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qianxinnbplus.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292905; rev:1;)
alert tcp $HOME_NET any -> [124.222.91.4] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292899; rev:1;)
# abc.nbch1na.com is covered twice: as a DNS query and as the Host of a GET for
# "/jquery-3.3.1.min.js". The path looks like a common library file name, but
# the rule is pinned to this Host, so the path alone never triggers it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.nbch1na.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"abc.nbch1na.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292897; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.31] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292895/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292895; rev:1;)
alert tcp $HOME_NET any -> [194.55.186.180] 55123 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292894; rev:1;)
alert tcp $HOME_NET any -> [178.23.190.118] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292882; rev:1;)
# sid 91292881 and sid 91292880 have identical match conditions (GET,
# "/index.php/modify.php", Host 104.248.205.66); they differ only in the
# ThreatFox reference and the confidence level (75 vs 100). One request raises
# both alerts, so deduplicate on URL and Host when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/modify.php"; depth:21; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/modify.php"; depth:21; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292880; rev:1;)
# The remaining ip:port rules here carry confidence_level 50; two of them use
# ports 443 and 80, where an address match alone says nothing about the
# protocol spoken on the connection.
alert tcp $HOME_NET any -> [179.49.112.238] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292879; rev:1;)
alert tcp $HOME_NET any -> [186.0.139.220] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292878; rev:1;)
alert tcp $HOME_NET any -> [210.249.114.154] 80 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292877; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.30] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292876; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.10] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292875/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292875; rev:1;) alert tcp $HOME_NET any -> [90.112.70.19] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292874; rev:1;) alert tcp $HOME_NET any -> [94.156.79.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292873; rev:1;) alert tcp $HOME_NET any -> [65.38.121.194] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292872; rev:1;) alert tcp $HOME_NET any -> [195.200.14.160] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292871; rev:1;) alert tcp $HOME_NET any -> [109.120.176.15] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292870; rev:1;) alert tcp $HOME_NET any -> [5.42.99.0] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292869; rev:1;) alert tcp $HOME_NET any -> [154.88.6.224] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292868; rev:1;) alert tcp $HOME_NET any -> [47.98.125.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292867; rev:1;) alert tcp $HOME_NET any -> [45.144.136.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292866; rev:1;) alert tcp $HOME_NET any -> [91.238.203.71] 8762 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292865; rev:1;) alert tcp $HOME_NET any -> [46.246.80.11] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292864; 
rev:1;) alert tcp $HOME_NET any -> [70.27.138.222] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292863; rev:1;) alert tcp $HOME_NET any -> [64.176.180.215] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292862; rev:1;) alert tcp $HOME_NET any -> [144.24.16.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292861; rev:1;) alert tcp $HOME_NET any -> [59.103.81.85] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292860; rev:1;) alert tcp $HOME_NET any -> [45.154.3.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292859; rev:1;) alert tcp $HOME_NET any -> [64.227.142.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292858/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_07_03; classtype:trojan-activity; sid:91292858; rev:1;)
# Remcos ip:port rules on ports 7888, 7118 and 2404: address and port only, no
# payload inspection; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [66.85.26.234] 7888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292857/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292857; rev:1;)
alert tcp $HOME_NET any -> [212.162.149.42] 7118 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292856/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292856; rev:1;)
alert tcp $HOME_NET any -> [157.254.236.96] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292855/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292855; rev:1;)
# URL rule for "/pws2/fre.php" on altaskifer.sbs. It requires the method to
# contain "GET", so a request to the same URL with another method (POST, for
# instance) raises no alert from this rule.
# NOTE(review): if the ThreatFox entry describes a check-in that submits data,
# presumably a method-agnostic local rule is needed alongside this one - verify
# against the referenced IOC page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws2/fre.php"; depth:13; nocase; http.host; content:"altaskifer.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292854; rev:1;)
# First of a long run of Cobalt Strike ip:port rules that all use port 808 and
# the same first_seen date; the run continues on the following lines. Alerts
# from one internal source against several of these addresses are best grouped
# into a single incident.
alert tcp $HOME_NET any -> [23.95.190.180] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292853; rev:1;)
alert tcp 
$HOME_NET any -> [192.227.245.187] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292851; rev:1;) alert tcp $HOME_NET any -> [23.94.245.123] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292852; rev:1;) alert tcp $HOME_NET any -> [23.95.248.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292849; rev:1;) alert tcp $HOME_NET any -> [107.173.9.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292850; rev:1;) alert tcp $HOME_NET any -> [198.46.145.139] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292848; rev:1;) alert tcp $HOME_NET any -> [198.46.182.57] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1292846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292846; rev:1;)
# --- ThreatFox ip:port indicators: Cobalt Strike, first_seen 2024_07_03 ---
# Every rule in this run has the same shape: TCP from $HOME_NET (any source
# port) to one listed destination IP and port. There are no flow, content or
# application-layer keywords, so the match rests on the address/port tuple
# alone.
# NOTE(review): with no flow:established, a hit presumably includes
# unanswered connection attempts; confirm in your deployment before reading
# an alert as proof of a live C2 session.
# threshold "type limit, track by_src, seconds 60, count 1" caps each rule
# at one alert per source host per 60 seconds, so alert counts do not
# reflect connection volume; use flow or NetFlow records for that.
# target:src_ip marks the $HOME_NET side as the target in alert output,
# i.e. the internal host is the one to triage.
# sid is the ThreatFox IOC id from the reference URL with a leading 9
# (ioc/1292847 -> sid:91292847), which gives a direct pivot from an alert
# to the feed entry.
# confidence_level and first_seen are feed metadata and take no part in
# matching. NOTE(review): IP:port indicators can be reassigned after
# first_seen; check the reference entry and corroborate with host or proxy
# telemetry before isolating a machine on one of these alerts alone.
#
# Destination port 808: the rules below differ only in IP, IOC id and sid.
alert tcp $HOME_NET any -> [23.94.245.118] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292847; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.189] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292845; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.61] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292843; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.190] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292844; rev:1;)
alert tcp $HOME_NET any -> [23.94.230.184] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292841; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.22] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292842; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292840; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.125] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292838; rev:1;)
alert tcp $HOME_NET any -> [23.95.248.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292839; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.181] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292836; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292837; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.62] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292834; rev:1;)
alert tcp $HOME_NET any -> [23.94.230.181] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292835; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.188] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292833; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292831; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.133] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292832; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292829; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292830; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.27] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292828; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292826; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.18] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292827; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292824; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.141] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292825; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292823; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.126] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292821; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.26] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292822; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292819; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.184] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292820; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.150] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292817; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.19] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292818; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292815; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.121] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292816; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.55] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292813; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.119] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292814; rev:1;)
alert tcp $HOME_NET any -> [23.94.230.178] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292812; rev:1;)
# Mixed destination ports (3000, 9999, 2083, 8888, 443, 80).
# NOTE(review): the 443 and 80 entries match any TCP traffic to that IP on a
# common web port; if the address also serves unrelated sites, benign
# traffic would presumably match too. Verify against the reference entry.
alert tcp $HOME_NET any -> [118.89.119.86] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292811; rev:1;)
alert tcp $HOME_NET any -> [47.116.213.137] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292810; rev:1;)
alert tcp $HOME_NET any -> [107.175.115.91] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292808; rev:1;)
alert tcp $HOME_NET any -> [89.213.239.112] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292809; rev:1;)
alert tcp $HOME_NET any -> [39.100.101.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292807; rev:1;)
alert tcp $HOME_NET any -> [154.9.230.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292806; rev:1;)
alert tcp $HOME_NET any -> [172.86.124.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292805; rev:1;)
alert tcp $HOME_NET any -> [204.13.153.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292804; rev:1;)
# Destination port 808 again: same template, only IP, IOC id and sid vary.
alert tcp $HOME_NET any -> [23.95.243.28] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292803; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292801; rev:1;)
alert tcp $HOME_NET any -> [192.210.194.46] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292802; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.123] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292799; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.27] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292800; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.152] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292796; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292797; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.21] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292798; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292794; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.117] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292795; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292792; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.122] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292793; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.178] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292790; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.56] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292791; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292788; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292789; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.59] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292786; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.181] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292787; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.114] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292784; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.116] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292785; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.135] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292781; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292782; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.136] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292783; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292779; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.189] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292780; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.54] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292777; rev:1;)
alert tcp $HOME_NET any -> [192.210.194.44] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292778; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292775; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.117] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292776; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.28] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292772; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.58] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292773; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.115] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292774; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292770; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.119] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292771; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.187] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292769; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292767; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.178] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292768; rev:1;)
# Mixed destination ports (8888, 9999, 443, 80, 9876).
# NOTE(review): as with the earlier 443/80 entries, a match on a common web
# port says only that the host reached this IP; confirm the indicator is
# still current before escalating.
alert tcp $HOME_NET any -> [121.41.130.38] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292765; rev:1;)
alert tcp $HOME_NET any -> [8.130.16.92] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292766; rev:1;)
alert tcp $HOME_NET any -> [101.43.109.204] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292764; rev:1;)
alert tcp $HOME_NET any -> [1.12.181.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292763; rev:1;)
alert tcp $HOME_NET any -> [121.43.174.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292762; rev:1;)
alert tcp $HOME_NET any -> [139.159.191.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292761; rev:1;)
alert tcp $HOME_NET any -> [47.106.93.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292760; rev:1;)
alert tcp $HOME_NET any -> [62.234.38.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292758; rev:1;)
alert tcp $HOME_NET any -> [111.229.75.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292759; rev:1;)
alert tcp $HOME_NET any -> [185.22.152.167] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292757; rev:1;)
# Destination port 808 again; the final entry of this run continues past
# the end of this excerpt.
alert tcp $HOME_NET any -> [192.227.238.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292755; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292756; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292752; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.179] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292753; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292754; rev:1;)
alert tcp $HOME_NET any -> [23.94.230.182] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292750; rev:1;)
alert tcp $HOME_NET any -> [192.210.194.42] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292751; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292748; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.155] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292749; rev:1;)
alert tcp $HOME_NET any -> [23.94.230.190] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292746; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.148] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292747; rev:1;)
alert tcp $HOME_NET any -> [23.95.248.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292744; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.185] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292745; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.183] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292741; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.60] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292742; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.22] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292743; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.188] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292739; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292740; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292737; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.25] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292738; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292735; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.118] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292736; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.18] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292733; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.121] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292734; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292731; rev:1;)
alert tcp $HOME_NET any -> [23.95.248.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292732; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.51] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1292729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292729; rev:1;) alert tcp $HOME_NET any -> [23.94.234.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292730; rev:1;) alert tcp $HOME_NET any -> [23.94.234.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292727; rev:1;) alert tcp $HOME_NET any -> [192.227.244.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292728; rev:1;) alert tcp $HOME_NET any -> [23.95.248.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292724; rev:1;) alert tcp $HOME_NET any -> [107.173.11.25] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292725; rev:1;) alert tcp $HOME_NET any -> [192.210.216.215] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292726; rev:1;) alert tcp $HOME_NET any -> [23.95.248.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292722; rev:1;) alert tcp $HOME_NET any -> [23.95.248.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292723; rev:1;) alert tcp $HOME_NET any -> [23.95.190.186] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292720; rev:1;) alert tcp $HOME_NET any -> [23.94.234.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292721; rev:1;) alert tcp $HOME_NET any -> [23.95.248.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292717/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292717; rev:1;) alert tcp $HOME_NET any -> [23.95.248.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292718; rev:1;) alert tcp $HOME_NET any -> [198.46.145.138] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292719; rev:1;) alert tcp $HOME_NET any -> [107.173.9.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292716; rev:1;) alert tcp $HOME_NET any -> [23.94.230.183] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292714; rev:1;) alert tcp $HOME_NET any -> [107.173.11.26] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292715; rev:1;) alert tcp $HOME_NET any -> [192.227.238.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292712; rev:1;) alert tcp $HOME_NET any -> [107.173.11.30] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292713; rev:1;) alert tcp $HOME_NET any -> [120.78.74.63] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292711; rev:1;) alert tcp $HOME_NET any -> [123.57.186.159] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292710; rev:1;) alert tcp $HOME_NET any -> [64.69.36.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292709; rev:1;) alert tcp $HOME_NET any -> [192.227.245.180] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; 
classtype:trojan-activity; sid:91292708; rev:1;) alert tcp $HOME_NET any -> [192.227.245.184] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292706; rev:1;) alert tcp $HOME_NET any -> [23.94.234.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292707; rev:1;) alert tcp $HOME_NET any -> [107.173.11.19] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292704; rev:1;) alert tcp $HOME_NET any -> [23.94.245.115] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292705; rev:1;) alert tcp $HOME_NET any -> [198.46.145.137] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292702; rev:1;) alert tcp $HOME_NET any -> [23.94.230.187] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292703; rev:1;) alert tcp $HOME_NET any -> [192.210.194.43] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292699; rev:1;) alert tcp $HOME_NET any -> [192.210.216.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292700; rev:1;) alert tcp $HOME_NET any -> [107.173.9.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292701; rev:1;) alert tcp $HOME_NET any -> [192.227.244.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292697; rev:1;) alert tcp $HOME_NET any -> [107.173.9.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292698; rev:1;) alert tcp 
$HOME_NET any -> [23.94.230.185] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292695; rev:1;) alert tcp $HOME_NET any -> [198.46.145.140] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292696; rev:1;) alert tcp $HOME_NET any -> [192.227.238.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292693; rev:1;) alert tcp $HOME_NET any -> [107.173.9.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292694; rev:1;) alert tcp $HOME_NET any -> [23.94.245.122] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292691; rev:1;) alert tcp $HOME_NET any -> [23.95.248.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1292692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292692; rev:1;) alert tcp $HOME_NET any -> [23.95.248.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292689; rev:1;) alert tcp $HOME_NET any -> [23.95.243.24] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292690; rev:1;) alert tcp $HOME_NET any -> [23.95.248.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292686; rev:1;) alert tcp $HOME_NET any -> [23.94.230.186] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292687; rev:1;) alert tcp $HOME_NET any -> [192.227.238.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292688; rev:1;) alert tcp $HOME_NET any -> [23.95.243.29] 808 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292684; rev:1;) alert tcp $HOME_NET any -> [23.94.230.180] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292685; rev:1;) alert tcp $HOME_NET any -> [23.95.181.146] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292682; rev:1;) alert tcp $HOME_NET any -> [23.95.243.20] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292683; rev:1;) alert tcp $HOME_NET any -> [198.46.182.53] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292680; rev:1;) alert tcp $HOME_NET any -> [23.95.248.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292681/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292681; rev:1;) alert tcp $HOME_NET any -> [192.210.149.125] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292678; rev:1;) alert tcp $HOME_NET any -> [192.210.216.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292679; rev:1;) alert tcp $HOME_NET any -> [23.94.234.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292676; rev:1;) alert tcp $HOME_NET any -> [192.227.245.182] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292677; rev:1;) alert tcp $HOME_NET any -> [192.210.149.124] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292674; rev:1;) alert tcp $HOME_NET any -> [107.173.9.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292675; rev:1;) alert tcp $HOME_NET any -> [23.94.234.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292672; rev:1;) alert tcp $HOME_NET any -> [192.227.238.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292673; rev:1;) alert tcp $HOME_NET any -> [107.173.11.23] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292670; rev:1;) alert tcp $HOME_NET any -> [23.95.181.147] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292671; rev:1;) alert tcp $HOME_NET any -> [23.94.234.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; 
classtype:trojan-activity; sid:91292668; rev:1;) alert tcp $HOME_NET any -> [192.227.245.185] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292669; rev:1;) alert tcp $HOME_NET any -> [23.94.230.188] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292666; rev:1;) alert tcp $HOME_NET any -> [23.95.181.157] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292667; rev:1;) alert tcp $HOME_NET any -> [107.173.11.21] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292663; rev:1;) alert tcp $HOME_NET any -> [23.94.230.179] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292664; rev:1;) alert tcp $HOME_NET any -> [23.95.243.23] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292665; rev:1;) alert tcp $HOME_NET any -> [23.95.181.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292661; rev:1;) alert tcp $HOME_NET any -> [23.95.181.149] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292662; rev:1;) alert tcp $HOME_NET any -> [101.43.53.103] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292660; rev:1;) alert tcp $HOME_NET any -> [124.223.166.66] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292659; rev:1;) alert tcp $HOME_NET any -> [149.104.19.81] 85 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292658; rev:1;) alert tcp 
$HOME_NET any -> [101.35.44.164] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292657; rev:1;)
# ip:port indicators. Each "alert tcp" rule in this section matches on the
# destination address and port alone (no flow or content keyword), so it
# identifies the endpoint, not the protocol spoken. The threshold keeps output
# to one alert per source address per 60 seconds.
# NOTE(review): presumably fires on any packet sent to the endpoint, including
# unanswered connection attempts - confirm before reading a hit as an
# established C2 session. Check first_seen before acting on a hit, since the
# address is the only match.
alert tcp $HOME_NET any -> [119.28.159.21] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292656; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.183] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292654; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.120] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292655; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.24] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292651; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.29] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292652; rev:1;)
alert tcp $HOME_NET any -> [192.210.194.45] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292653; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292649; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292650; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292647; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.134] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292648; rev:1;)
alert tcp $HOME_NET any -> [23.95.243.30] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292645; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.158] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292646; rev:1;)
alert tcp $HOME_NET any -> [192.210.216.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292643; rev:1;)
alert tcp $HOME_NET any -> [23.94.230.189] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292644; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.179] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292640; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292641; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.190] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292642; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.52] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292638; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.124] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292639; rev:1;)
alert tcp $HOME_NET any -> [23.95.190.182] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292636; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292637; rev:1;)
alert tcp $HOME_NET any -> [192.227.245.186] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292634; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292635; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292631; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.154] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292632; rev:1;)
alert tcp $HOME_NET any -> [192.227.238.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292633; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292629; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.151] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292630; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.132] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292627; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.114] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292628; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.126] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292624; rev:1;)
alert tcp $HOME_NET any -> [23.94.245.116] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292625; rev:1;)
alert tcp $HOME_NET any -> [107.173.9.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292626; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.131] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292622; rev:1;)
alert tcp $HOME_NET any -> [198.46.182.50] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292623; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292620; rev:1;)
alert tcp $HOME_NET any -> [23.95.181.153] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292621; rev:1;)
alert tcp $HOME_NET any -> [107.173.11.20] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292617; rev:1;)
alert tcp $HOME_NET any -> [192.227.244.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292618; rev:1;)
alert tcp $HOME_NET any -> [192.210.149.120] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292619; rev:1;)
alert tcp $HOME_NET any -> [23.94.234.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292615; rev:1;)
alert tcp $HOME_NET any -> [198.46.145.142] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292616; rev:1;)
alert tcp $HOME_NET any -> [47.100.16.83] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292614; rev:1;)
alert tcp $HOME_NET any -> [35.198.215.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292613; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292612; rev:1;)
alert tcp $HOME_NET any -> [121.43.174.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292611; rev:1;)
alert tcp $HOME_NET any -> [111.230.72.242] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292610; rev:1;)
alert tcp $HOME_NET any -> [113.45.224.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292609; rev:1;)
# url indicators. In each "alert http" rule the http.host match is anchored at
# both ends (depth equals the content length and isdataat:!1,relative rejects
# trailing bytes), while http.uri has depth only, so the path is a prefix match.
# The rules with content:"/"; depth:1 therefore match every GET request to the
# named host, whatever the path. These rules have no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adcount.js"; depth:11; nocase; http.host; content:"edveha.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"edveha.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stat.php"; depth:9; nocase; http.host; content:"edveha.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/update.php"; depth:28; nocase; http.host; content:"comingoutcovenant.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_static.js"; depth:13; nocase; http.host; content:"jswebcloud.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"premium.davidabostic.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fans.smalladventureguide.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"point.readytocheckline.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"start.readytocheckline.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"partners.gloriadeicr.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292564; rev:1;)
# Ten rules for one host (89.117.146.230), one per file name. Because the
# http.uri match is a prefix match, sid:91292599 ("/arm") also matches the
# "/arm5" and "/arm6" requests covered by sid:91292600 and sid:91292601, so a
# single request can raise two alerts; de-duplicate on host when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/watchdog"; depth:13; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skra.sparc"; depth:11; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; nocase; http.host; content:"89.117.146.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292599; rev:1;)
# Mixed entries, first_seen 2024_07_03. confidence_level varies per rule
# (75 for the Loki entry); filter on the metadata field rather than the msg text.
alert tcp $HOME_NET any -> [91.92.240.69] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_03; classtype:trojan-activity; sid:91292598; rev:1;)
alert tcp $HOME_NET any -> [198.244.238.111] 44670 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292590; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.229] 43674 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agreement-to-terms-and-conditions-wording/"; depth:43; nocase; http.host; content:"udfa.techeva.co.in"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.dariosc.pro-linuxpl.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292580; rev:1;)
alert tcp $HOME_NET any -> [121.40.117.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cs.love520.us.kg"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292596; rev:1;)
alert tcp $HOME_NET any -> [154.83.13.161] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292595; rev:1;)
# domain indicators use dns_query with depth equal to the name length plus
# isdataat:!1,relative, so only a query for exactly that name matches; a
# subdomain or sibling label of the same zone is not covered by the rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.unionpaying.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getiting"; depth:16; nocase; http.host; content:"www.unionpaying.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292593; rev:1;)
alert tcp $HOME_NET any -> [154.83.13.161] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getiting"; depth:16; nocase; http.host; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_03; classtype:trojan-activity; sid:91292591; rev:1;)
# Entries from here on carry first_seen 2024_07_02. The two addresses in the
# next two url rules (95.217.240.75, 116.202.180.70) also appear in the Vidar
# ip:port rules further down (sid:91292584, sid:91292583).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.180.70"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292587; rev:1;)
# sid:91292586 and sid:91292585 name a single path on steamcommunity.com and
# t.me; the indicator is the path, not the host, so triage hits on the full URL.
# NOTE(review): "alert http" inspects parsed HTTP; these hosts are presumably
# reached over TLS in practice, in which case the rules only fire where the
# sensor sees decrypted traffic - confirm for the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199730044335"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bu77un"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292585; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.75] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292584; rev:1;)
alert tcp $HOME_NET any -> [116.202.180.70] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292583; rev:1;)
alert tcp $HOME_NET any -> [105.157.150.238] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secureuniversal.php"; depth:20; nocase; http.host; content:"coolray.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292581; rev:1;)
alert tcp $HOME_NET any -> [185.117.0.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gokoo.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faq"; depth:4; nocase; http.host; content:"gokoo.live"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292576; rev:1;)
# confidence_level 50 entries. The feed's own score is lower here and the match
# is still destination address and port only (ports 22, 80 and 443 among them),
# so treat a hit as a lead to correlate with host telemetry, not as confirmed
# C2 traffic.
alert tcp $HOME_NET any -> [128.90.128.115] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292575; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.188] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292574; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.133] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292573; rev:1;)
alert tcp $HOME_NET any -> [5.42.107.78] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292572; rev:1;)
alert tcp $HOME_NET any -> [13.68.199.77] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292571; rev:1;)
alert tcp $HOME_NET any -> [49.113.73.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292570; rev:1;)
alert tcp $HOME_NET any -> [154.88.30.3] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292569; rev:1;)
alert tcp $HOME_NET any -> [2.50.32.14] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292568; rev:1;)
alert tcp $HOME_NET any -> [94.198.50.195] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292567; rev:1;)
alert tcp $HOME_NET any -> [107.172.87.135] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292566; rev:1;)
alert tcp $HOME_NET any -> [180.130.102.89] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"filesoftdownload.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"o7labs.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"downloadfilesoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292552; rev:1;)
alert tcp $HOME_NET any -> [95.142.39.217] 4522 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292551; rev:1;)
alert tcp $HOME_NET any -> [46.30.45.192] 4522 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292550; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.63] 4522 (msg:"ThreatFox DanaBot botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292549; rev:1;) alert tcp $HOME_NET any -> [185.196.9.11] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.botnet123.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/online/support/index.php"; depth:25; nocase; http.host; content:"o7labs.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"filesoftdownload.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"downloadfilesoft.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292543; rev:1;) alert tcp $HOME_NET any -> [173.249.34.252] 1357 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anything.line.pm"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292548; rev:1;) alert tcp $HOME_NET any -> [77.105.135.11] 48396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292546; rev:1;) alert tcp $HOME_NET any -> [23.88.39.249] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292544; rev:1;) alert tcp $HOME_NET any -> [91.242.163.64] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292545/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.billbelsey.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.betonades.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.billbelsey.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hun4ko/index.php"; depth:17; nocase; http.host; content:"77.91.77.82"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292535/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arritswpoewroso.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"arritswpoewroso.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"byorn.us"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292530/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292530; rev:1;) alert tcp $HOME_NET any -> [103.224.212.214] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292529/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"5.42.99.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292474/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"5.42.99.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.benspencermusic.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/twofish.php"; depth:16; nocase; http.host; content:"5.42.99.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"5.42.99.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292472; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"61.52.158.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dashboardproducts.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.126.91.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2ihtjoradhy1i.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292477; rev:1;) alert tcp $HOME_NET any -> [18.211.244.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; 
sid:91292478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html.css"; depth:9; nocase; http.host; content:"d2ihtjoradhy1i.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/gyr.php"; depth:18; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/gyr.php"; depth:18; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blacktds.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-9cjgv9d1-1327547884.bj.tencentapigw.com.cn"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-9cjgv9d1-1327547884.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"103.225.196.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292467; rev:1;) alert tcp $HOME_NET any -> [60.204.134.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"60.204.134.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.15.184.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.3.1.min.js"; depth:23; nocase; http.host; content:"45.148.120.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.147.171.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.52.45.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292461; rev:1;) alert tcp $HOME_NET any -> [68.110.122.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1292460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"68.110.122.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292459; rev:1;) alert tcp $HOME_NET any -> [101.126.91.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.126.91.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"121.37.0.167"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"155.94.204.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.love520.us.kg"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cs.love520.us.kg"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bellapizzact.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notion.ilusofficial.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; 
sid:91292448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brow-ser-update.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"photoshop-adobe.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app.getmess.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amydlesk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notilon.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"notliion.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notlon.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notlilon.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notion.findreaders.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"findreaders.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utr-jopass.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1292435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292435; rev:1;)
# --- DNS domain indicators -------------------------------------------------
# Each rule inspects the dns_query buffer. depth equals the length of the
# content string and isdataat:!1,relative requires that nothing follows the
# match, so a rule fires only when the queried name is exactly the listed
# domain (case-insensitive via nocase). A query for a subdomain of a listed
# domain does not match; search DNS or proxy logs if subdomains matter.
# target:src_ip records the $HOME_NET client that issued the query as the
# affected side of the alert.
# A hit shows that a lookup happened, not that a connection followed.
# NOTE(review): dns_query is the legacy spelling of dns.query - confirm the
# deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utr-krubz.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utr-provit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-work.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-work.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-work.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udr-offdips.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"urd-apdaps.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usm-pontic.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-corts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-forts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-gochisu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-horipsy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adrooz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adschuk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adsgoogle.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-advrez.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-drmka.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-fukap.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-msh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utr-gavlup.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-eagle.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-eagle.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-forget.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-hoop.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-hoop.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-moon.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-moon.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-pill.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-pill.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-star.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-star.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-star.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-star.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-strong.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-strong.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-strong.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-strong.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-tooth.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-analyze.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-analyze.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-analyze.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-analyze.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-change.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-change.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-change.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-change.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-creep.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads-creep.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292398; rev:1;)
# --- 193.36.119.207 (labelled Cobalt Strike by the feed) ---------------------
# The tcp rule has no flow or content options: any TCP packet from $HOME_NET
# to this address and port matches, and the threshold caps it at one alert
# per source per 60 seconds.
# sid 91292387 and sid 91292386 carry identical match options (GET, URI
# starting with /jquery-3.3.1.min.js, Host exactly 193.36.119.207) and differ
# only in reference and sid, so one matching request raises both alerts.
# The http rules only see HTTP the sensor can parse; if the traffic to port
# 443 is TLS-wrapped, only the tcp rule fires unless it is decrypted upstream.
alert tcp $HOME_NET any -> [193.36.119.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"193.36.119.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"193.36.119.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292386; rev:1;)
# Two more exact-name DNS rules; the first is labelled payload delivery
# rather than botnet C2 by the feed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jswebcloud.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcvvf.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292384; rev:1;)
# --- Payload-delivery URLs on 109.173.236.128 --------------------------------
# http.host is matched exactly (depth + isdataat:!1,relative), but http.uri is
# anchored only at the start (depth equals the content length, no end check),
# so each rule matches any URI that begins with the listed path, in any case.
# Overlap to expect during triage: "/h" (sid 91292357) also matches
# /hjgs.apk, and "/zdalne" (sid 91292360) also matches /zdalne.exe, so a
# single download can raise two alerts.
# NOTE(review): confirm whether a Host header carrying an explicit port still
# satisfies the exact http.host match on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hjgs.apk"; depth:9; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/google.apk"; depth:11; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h"; depth:2; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s.exe"; depth:6; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssdfsa"; depth:7; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdalne"; depth:7; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdalne.exe"; depth:11; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdalnne.exe"; depth:12; nocase; http.host; content:"109.173.236.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292362; rev:1;)
# --- IP:port indicators ------------------------------------------------------
# These rules match on destination address and port alone (no flow state, no
# payload content), so they alert on any TCP packet toward the endpoint,
# including a connection attempt that is never answered. The threshold keeps
# this to one alert per source host per 60 seconds.
# Most entries below carry confidence_level 50 and several use common service
# ports (80, 443, 995).
# NOTE(review): addresses can be shared or reassigned - corroborate a
# low-confidence hit with host or proxy telemetry, and age these entries out
# (first_seen 2024_07_02).
alert tcp $HOME_NET any -> [181.116.72.52] 5609 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292383; rev:1;)
alert tcp $HOME_NET any -> [82.71.120.166] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292382; rev:1;)
alert tcp $HOME_NET any -> [189.203.156.164] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292381; rev:1;)
alert tcp $HOME_NET any -> [200.116.185.173] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292380; rev:1;)
alert tcp $HOME_NET any -> [186.0.139.220] 444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292379; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.112] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292378; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.148] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292377; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292376; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.169] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292375; rev:1;)
alert tcp $HOME_NET any -> [176.111.174.221] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292374; rev:1;)
alert tcp $HOME_NET any -> [159.65.232.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292373; rev:1;)
alert tcp $HOME_NET any -> [77.221.157.163] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292372; rev:1;)
alert tcp $HOME_NET any -> [77.105.146.8] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292371; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.14] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292370; rev:1;)
alert tcp $HOME_NET any -> [201.124.100.22] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292369; rev:1;)
alert tcp $HOME_NET any -> [185.208.158.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292368; rev:1;)
alert tcp $HOME_NET any -> [77.105.142.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292367; rev:1;)
alert tcp $HOME_NET any -> [94.154.34.100] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292366; rev:1;)
alert tcp $HOME_NET any -> [185.181.219.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91292365; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 18409 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292364; rev:1;)
alert tcp $HOME_NET any -> [85.117.242.77] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292363; rev:1;)
alert tcp $HOME_NET any -> [49.13.159.121] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292352; rev:1;)
alert tcp $HOME_NET any -> [37.27.31.150] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292353; rev:1;)
alert tcp $HOME_NET any -> [37.27.31.150] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292354; rev:1;)
# --- HTTP rules for 37.27.31.150 and 49.13.159.121 ---------------------------
# Same addresses as the Vidar ip:port rules around them. content:"/"; depth:1
# on http.uri matches any URI that starts with "/", so these rules effectively
# key on the Host value alone.
# sid 91292350 and sid 91292349 have identical match options, as do
# sid 91292348 and sid 91292347; each matching request raises both of a pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.31.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292350; rev:1;)
alert tcp $HOME_NET any -> [49.13.159.121] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.31.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.159.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.159.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292347; rev:1;)
# Payload-delivery URL on a named host: Host must equal the listed name
# exactly and the URI must begin with /article.php; other paths on the same
# host are not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.audrey-drenthen-art.nl"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292345; rev:1;)
# IP:port indicators again (address and port only, one alert per source per
# 60 seconds). 62.72.191.203 and 195.85.205.47 also appear as http.host values
# in the payload-delivery rules further down.
alert tcp $HOME_NET any -> [62.72.191.203] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292344; rev:1;)
alert tcp $HOME_NET any -> [195.85.205.47] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292343; rev:1;)
alert tcp $HOME_NET any -> [103.237.87.32] 1999 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292342; rev:1;)
alert tcp $HOME_NET any -> [103.237.87.161] 1993 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292341; rev:1;)
alert tcp $HOME_NET any -> [103.237.87.156] 1993 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292340; rev:1;)
# --- Payload-delivery URLs /qkdjdjj22.<suffix> -------------------------------
# One rule per file suffix, with Host exactly 195.85.205.47 or 62.72.191.203
# (the two addresses of the Mirai ip:port rules on port 777 above).
# The URI is a prefix match, so "/qkdjdjj22.sh" (sid 91292336) also matches a
# request for /qkdjdjj22.sh4 (sid 91292337) and both alerts fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.i586"; depth:15; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.m68k"; depth:15; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.arm6"; depth:15; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.arm4"; depth:15; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.x86"; depth:14; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.x32"; depth:14; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.mips"; depth:15; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.mpsl"; depth:15; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.sh"; depth:13; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.ppc"; depth:14; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.sh4"; depth:14; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.x32"; depth:14; nocase; http.host; 
content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.x86"; depth:14; nocase; http.host; content:"195.85.205.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.sh4"; depth:14; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.sh"; depth:13; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.ppc"; depth:14; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292324/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_02; classtype:trojan-activity; sid:91292324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.mpsl"; depth:15; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.mips"; depth:15; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.m68k"; depth:15; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.arm6"; depth:15; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.i586"; depth:15; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkdjdjj22.arm4"; depth:15; nocase; http.host; content:"62.72.191.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/servermanager.exe"; depth:18; nocase; http.host; content:"89.213.177.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftservice.exe"; depth:21; nocase; http.host; content:"89.213.177.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292315; rev:1;) alert tcp $HOME_NET any -> [89.213.177.81] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292317/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/108e010e8f91c38c.php"; depth:21; nocase; http.host; content:"40.86.87.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm5n"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.m68k"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mpsl"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.ppc"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.sh4"; depth:10; nocase; http.host; 
content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.spc"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x86"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.arm"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.arm5n"; depth:14; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292279/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_02; classtype:trojan-activity; sid:91292279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.arm7"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.m68k"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.mips"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.mpsl"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.ppc"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.sh4"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.spc"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.x86"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; nocase; http.host; content:"93.123.85.239"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm6"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; 
classtype:trojan-activity; sid:91292292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292297; rev:1;) alert tcp $HOME_NET any -> [45.93.200.174] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.anordestdiche.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fortnite.cryptoinvest.black"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292018; rev:1;) alert tcp $HOME_NET any -> [91.92.255.163] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 80%)"; dns_query; content:"mistasktrin.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292016/; target:src_ip; metadata: confidence_level 80, first_seen 2024_07_02; classtype:trojan-activity; sid:91292016; rev:1;) alert tcp $HOME_NET any -> [38.6.221.41] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292313; rev:1;) alert tcp $HOME_NET any -> [8.130.119.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292312; rev:1;) alert tcp $HOME_NET any -> [152.136.109.213] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292311; rev:1;) alert tcp $HOME_NET any -> [43.248.188.77] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292310; rev:1;) alert tcp $HOME_NET any -> [43.198.87.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292309/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_02; classtype:trojan-activity; sid:91292309; rev:1;) alert tcp $HOME_NET any -> [159.75.164.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292308; rev:1;) alert tcp $HOME_NET any -> [39.100.132.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292307; rev:1;) alert tcp $HOME_NET any -> [8.220.192.59] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292306; rev:1;) alert tcp $HOME_NET any -> [112.74.95.85] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292305; rev:1;) alert tcp $HOME_NET any -> [47.109.149.105] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292304; rev:1;) alert tcp $HOME_NET any -> [101.43.68.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292303; rev:1;) alert tcp $HOME_NET any -> [121.37.0.167] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292302; rev:1;) alert tcp $HOME_NET any -> [60.205.144.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292301; rev:1;) alert tcp $HOME_NET any -> [39.101.77.9] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292300; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4a2f3b5b.php"; depth:13; nocase; http.host; content:"a0995213.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292078/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292078; rev:1;) alert tcp $HOME_NET any -> [101.33.225.206] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ci-wiki.cn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"ci-wiki.cn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292073; rev:1;) alert tcp $HOME_NET any -> [181.116.72.52] 5802 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292072; rev:1;) alert tcp $HOME_NET any -> [195.174.240.3] 25 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91292071; rev:1;) alert tcp $HOME_NET any -> [137.184.90.144] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292070; rev:1;) alert tcp $HOME_NET any -> [5.163.244.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292069; rev:1;) alert tcp $HOME_NET any -> [185.236.78.56] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292068; rev:1;) alert tcp $HOME_NET any -> [57.128.166.214] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292067; rev:1;) alert tcp $HOME_NET any -> [57.128.166.214] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292066; rev:1;) alert tcp $HOME_NET any -> [65.108.49.36] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1292065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292065; rev:1;) alert tcp $HOME_NET any -> [65.108.49.36] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292064; rev:1;) alert tcp $HOME_NET any -> [37.59.205.5] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292063; rev:1;) alert tcp $HOME_NET any -> [37.59.205.5] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292062; rev:1;) alert tcp $HOME_NET any -> [78.47.60.67] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292061; rev:1;) alert tcp $HOME_NET any -> [78.47.60.67] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292060; rev:1;) alert tcp $HOME_NET any -> [5.161.252.127] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292059; rev:1;) alert tcp $HOME_NET any -> [5.161.252.127] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292058; rev:1;) alert tcp $HOME_NET any -> [216.74.123.41] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292057; rev:1;) alert tcp $HOME_NET any -> [216.74.123.41] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292056; rev:1;) alert tcp $HOME_NET any -> [185.216.144.51] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292054; rev:1;) alert tcp $HOME_NET any -> [185.216.144.51] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292055; rev:1;) alert tcp 
$HOME_NET any -> [159.100.6.103] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292053; rev:1;) alert tcp $HOME_NET any -> [159.100.6.103] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292052; rev:1;) alert tcp $HOME_NET any -> [85.239.53.94] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292050; rev:1;) alert tcp $HOME_NET any -> [85.239.53.94] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292051; rev:1;) alert tcp $HOME_NET any -> [51.89.137.8] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292049; rev:1;) alert tcp $HOME_NET any -> [51.89.137.8] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292048/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292048; rev:1;) alert tcp $HOME_NET any -> [51.68.216.13] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292047; rev:1;) alert tcp $HOME_NET any -> [51.68.216.13] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292046; rev:1;) alert tcp $HOME_NET any -> [139.64.133.194] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292044; rev:1;) alert tcp $HOME_NET any -> [139.64.133.194] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292045; rev:1;) alert tcp $HOME_NET any -> [173.46.80.206] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292043; rev:1;) alert tcp $HOME_NET any -> [173.46.80.206] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1292042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292042; rev:1;) alert tcp $HOME_NET any -> [109.176.207.22] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292040; rev:1;) alert tcp $HOME_NET any -> [109.176.207.22] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292041; rev:1;) alert tcp $HOME_NET any -> [139.59.86.97] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292039; rev:1;) alert tcp $HOME_NET any -> [13.112.130.229] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292038; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 54251 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292037; rev:1;) alert tcp $HOME_NET any -> [193.187.173.74] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"heart-direct.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heart-direct.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bally/fre.php"; depth:14; nocase; http.host; content:"dashboardproducts.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292032/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_07_01; classtype:trojan-activity; sid:91292032; rev:1;) alert tcp $HOME_NET any -> [62.119.81.101] 58573 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292031; rev:1;) alert tcp $HOME_NET any -> [94.156.64.188] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292030; rev:1;) alert tcp $HOME_NET any -> [51.81.24.83] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292029; rev:1;) alert tcp $HOME_NET any -> [54.255.147.4] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepython_processgamemultiwindowsgeneratordatalifedle.php"; depth:59; nocase; http.host; content:"offsetupdater.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292027; rev:1;) 
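# ThreatFox IOC rules, entries with first_seen 2024_07_01, restored to one rule
# per line. Three rule shapes appear below; each has a different match scope.
#
# ip:port rules (alert tcp ... -> [addr] port): no flow or payload keywords, so
# they match on destination address and port alone, whether or not a session
# is established. The threshold limits output to one alert per source host per
# 60 seconds per rule. Entries at confidence_level 50 on ports 80/443 are
# triage leads rather than verdicts: check the referenced ThreatFox entry and
# host telemetry before acting, and age entries out by first_seen.
alert tcp $HOME_NET any -> [147.124.209.128] 7847 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292026; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.81] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292025; rev:1;)
alert tcp $HOME_NET any -> [78.166.52.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292024; rev:1;)
alert tcp $HOME_NET any -> [74.214.59.50] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292023; rev:1;)
alert tcp $HOME_NET any -> [189.140.37.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292022; rev:1;)
alert tcp $HOME_NET any -> [18.163.129.171] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292021; rev:1;)
alert tcp $HOME_NET any -> [185.236.78.56] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292020; rev:1;)
alert tcp $HOME_NET any -> [128.14.237.188] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292019; rev:1;)
# url rules (alert http): http.host is pinned to the exact name (depth equals
# the content length, isdataat:!1,relative closes the end). http.uri is only a
# case-insensitive prefix match, so a longer path or a query string after the
# listed path still matches. These rules carry no threshold keyword, so every
# matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/asyncrequestprotect/apiuniversal/http1/datalife/linuxuploads/protect/datalifeupdatephplocal/base0/linuxbigload/python/basesqlline/update8/protectasyncprivatetemptemporary.php"; depth:183; nocase; http.host; content:"185.177.59.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292015; rev:1;)
alert tcp $HOME_NET any -> [103.144.139.160] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292014/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292014; rev:1;)
# domain rules (alert dns): the dns_query content is anchored at both ends, so
# only a query for exactly the listed name alerts; a query for a subdomain of
# that name does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"brithcaymo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292006/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"ernofilosta.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292007/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"lofirenqveg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292008/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"manclinoste.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292009/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"prodetanoes.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292010/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"prufkespotr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292011/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"shopboksret.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292012/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"trymeakafr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292013/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292013; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.13] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91292005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmfaololxdlmfaolmfao.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"joeyrichl.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291992; rev:1;)
# "payload delivery" url rules fire on the outbound GET alone
# (flow:established,from_client; no response keywords), so a hit shows that a
# client requested the resource, not that anything was returned or executed.
# NOTE(review): presumably some of these hosts are otherwise legitimate sites;
# confirm with endpoint telemetry before treating the whole domain as hostile.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"beetrootculture.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291997; rev:1;)
alert tcp $HOME_NET any -> [80.85.154.121] 1980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"propertyclosings.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"propertyclosings.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vegetachcnc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291769; rev:1;)
alert tcp $HOME_NET any -> [107.173.4.18] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291770; rev:1;)
# NOTE(review): as shipped in the feed, this url rule put the host name in the
# URI buffer (http.uri; content:"webman.w3school.cloudns.nz"; depth:26; nocase;)
# and had no http.host match, unlike the other url rules in this block. A
# request URI normally begins with "/", so that form is unlikely ever to match.
# The name is matched in http.host below, anchored like its siblings. This is
# a local correction that a feed refresh will overwrite: report it upstream
# and re-check after updating. The result is a host-only match at
# confidence_level 49, so treat hits as leads.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"webman.w3school.cloudns.nz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291751/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_01; classtype:trojan-activity; sid:91291751; rev:1;)
alert tcp $HOME_NET any -> [173.255.204.62] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"propertyclosings.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"propertyclosings.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291791; rev:1;)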
# ThreatFox IOC signatures (first_seen 2024_07_01), one rule per IOC; the sid is "9"
# followed by the IOC id in the reference URL. Three rule shapes appear below:
#   url     - GET only; http.uri content with depth equal to its length is a
#             case-insensitive prefix match on the URI, and http.host with depth plus
#             isdataat:!1,relative is an exact Host match. Applies only to HTTP the
#             sensor can parse (cleartext or decrypted).
#   domain  - exact, case-insensitive match on the whole DNS query name; a query for a
#             sub-domain of the IOC does not match.
#   ip:port - any TCP packet from $HOME_NET to the address and port, with no payload or
#             flow condition; the threshold limits output to one alert per source per
#             60 seconds.
# Where a host has both a url and a domain rule, the domain rule still fires on
# resolution when the HTTP request itself is not visible to the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vldqvwysjm0bkvt1dmtty9ne54urfdvg3s-h6mqd4xox"; depth:45; nocase; http.host; content:"speedchaoptimise.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"speedchaoptimise.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frontendcodingtips.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291795; rev:1;)
# Confidence 50 and 75 entries follow: the feed itself rates these lower, so corroborate
# a hit with other telemetry before treating the host as infected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tppen-op.one"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291991; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 39182 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gard-ner-toyota.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291993; rev:1;)
# NOTE(review): ip:port rule on 443 - a single address on that port may serve unrelated
# sites as well; check DNS or TLS SNI logs for the same source before acting on a hit.
alert tcp $HOME_NET any -> [185.68.93.221] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daslkjfhi2.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291996; rev:1;)
# beetrootculture.com: one domain rule plus two url rules for different paths on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beetrootculture.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"beetrootculture.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"beetrootculture.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292000; rev:1;)
# ip:port rules for malware families named in msg (RedLine Stealer, NjRAT), confidence 100.
alert tcp $HOME_NET any -> [185.29.9.108] 15135 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292003; rev:1;)
alert tcp $HOME_NET any -> [196.65.173.92] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292002; rev:1;)
alert tcp $HOME_NET any -> [172.232.164.13] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tojavascriptpollcpupublicprivate.php"; depth:37; nocase; http.host; content:"054717cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291792; rev:1;)
alert tcp $HOME_NET any -> [77.221.153.197] 80
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291787; rev:1;)
# Domain IOCs tagged "payload delivery", confidence 100, first_seen 2024_07_01.
# Each rule matches one DNS query name exactly and case-insensitively: depth equals the
# name length and isdataat:!1,relative forbids trailing bytes, so a query for a
# sub-domain of the listed name does not match. The sid is "9" followed by the IOC id in
# the reference URL.
# NOTE(review): several names read like login or portal look-alikes, but the rules carry
# only the generic "payload delivery" tag - take the threat context from the referenced
# IOC page rather than from the name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zug-login.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agovaccess-ch.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2cidp-mobilier.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eportal-be.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eportal-bs.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finanzportal-vermogenzsentrum.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finanzportal-vermogenzsentrum.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"getgrammerly.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loginzug.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"portals-swisslife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sso-geneveid.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291784; rev:1;)
# ip:port rule, confidence 75: any TCP packet from $HOME_NET to this address on 443, at
# most one alert per source per 60 seconds. NOTE(review): an address on port 443 may
# serve unrelated sites too; corroborate with DNS or TLS SNI logs before acting on a hit.
alert tcp $HOME_NET any -> [186.2.171.54] 443 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291774; rev:1;)
# url rule: GET only, URI must start with /d4065b26.php (case-insensitive prefix), Host
# must equal the listed name exactly. Covers only HTTP the sensor can parse.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4065b26.php"; depth:13; nocase; http.host; content:"a1000048.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291773; rev:1;)
# ip:port rules with no payload or flow condition; the family is named in msg.
alert tcp $HOME_NET any -> [57.129.38.73] 41038 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291772; rev:1;)
alert tcp $HOME_NET any -> [206.238.43.211] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291768;
rev:1;)
# url rules for a single URI prefix, "/agov/", on many hosts (ThreatFox "payload
# delivery", confidence 100, first_seen 2024_07_01). The rules differ only in the
# http.host value, its depth, the reference and the sid ("9" + IOC id).
# Each fires on a GET whose URI starts with /agov/ (case-insensitive) and whose Host
# equals the listed name exactly (depth = name length, isdataat:!1,relative); the parent
# domain without the "pipp." or "panda." label is not matched.
# NOTE(review): these rules see only HTTP the sensor can parse, and no companion domain
# rules for these hosts are visible in this part of the file - presumably requests over
# TLS go unmatched; confirm and add local DNS/SNI coverage if that matters.
# NOTE(review): the registered domains look like unrelated ordinary sites sharing one
# sub-domain label and path; take the actual context from the referenced IOC pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.seo7sry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.showroomilgiornodopo.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.retromad1.ro"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.laofix.com.tr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.nsaservices.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.eshaqlaw.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.japanbangladeshhospital.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.dipankardey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.diasecampos.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.dilagosburguer.com.br"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.agauto.co.ke"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.debellis.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291757; rev:1;)
# Same /agov/ prefix under the "panda." label; some registered domains repeat from the
# "pipp." group above (laofix.com.tr).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.superdreadi.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.tafca.cl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.lojaniq.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.sixfibras.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.laofix.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/agov/"; depth:6; nocase; http.host; content:"panda.dilagosburguer.com.br"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291748; rev:1;)
# url rules, all ThreatFox "payload delivery" at confidence 100: GET, URI beginning with
# /agov/ (depth:6, nocase), and an exact http.host match (depth = name length plus
# isdataat:!1,relative). Only the host, its depth, the reference and the sid vary; the
# sid is "9" followed by the IOC id in the reference URL.
# The host match is exact, so the same site without the "panda." or "newscp." label, or
# under any other label, is not covered by these rules.
# NOTE(review): coverage is limited to HTTP the sensor can parse (cleartext or
# decrypted); whether these hosts are also reached over TLS cannot be told from here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.japanbangladeshhospital.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.xpresscard.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.creativeeventsbd.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.top2stay.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.tracymasonmedia.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.thirtyline.com.my"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.srprof.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.superanimalpet.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291742; rev:1;)
# Three hosts under universe.wf appear in this group (sc3bhgr7781, sc1dsnb7288,
# sc1tmtd4794); each is still matched by its own exact-host rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sc3bhgr7781.universe.wf"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.slagveld.co.za"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sc1dsnb7288.universe.wf"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sc1tmtd4794.universe.wf"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.savannah.sd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sacs.ec"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sagarsprings.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.roborave.mx"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.romalogistics.com.pe"; depth:27; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1291733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291733; rev:1;)
# "newscp." hosts serving the /agov/ path (ThreatFox "payload delivery", confidence 100).
# Match conditions, identical in every rule below: established client-to-server flow,
# method GET, URI starting with /agov/ (case-insensitive), Host equal to the listed name
# with nothing before or after it. target:src_ip marks the $HOME_NET client as the
# affected side.
# These are HTTP-layer rules; a hit means the request was visible to the sensor. Use the
# reference URL (IOC id = sid without the leading 9) for context when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.posdata-si.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.ranasariagroup.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.officialrtv.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.myindiamall.in"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.nextsol.com.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.laboratoriomacruzfarma.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.machaquila.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.junoindia.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.kashier365.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.inncomex.com.mx"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.janeladedramaturgia.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.hotelultimafrontiera.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.hchemical.sd"; depth:19; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1291718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291718; rev:1;)
# Further url rules for the "/agov/" path on "newscp." hosts (ThreatFox "payload
# delivery", confidence 100, first_seen 2024_07_01). Every rule requires method GET, a
# URI beginning with /agov/ (depth:6, nocase) and an exact http.host match (depth = name
# length, isdataat:!1,relative); nothing else in the request is inspected.
# NOTE(review): there is no threshold on these url rules, so each matching request
# produces an alert. They also see only HTTP the sensor can parse; consider local
# DNS/SNI coverage for the same names if TLS traffic is not decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.hospitaldesanluis.com.co"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.geliankft.hu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.grupomv.com.py"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.entreprisesdavenir.fr"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.geber.com.mx"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.dolphinmanagement.ro"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.ebitan.com.bd"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.debambu.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.colbiomor.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.contechprojects.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.bariel.co.id"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.cgsbim.cl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.area14st.com"; depth:19; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1291705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.atiliomarola.com.ar"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.arabic.du.ac.bd"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.academicindia.in"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.allkemie.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291703; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.urunstand.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.aaptiroots.in"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.termomecconsultoria.com.br"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.thebestbodrumtemizlik.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.sosgestion.com.co"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.techcube.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.smartlabor.it"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.recubplast.com.co"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.seo7sry.com"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.wychelmconnect.com.ng"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.qadricaterers.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.wecarefamilydentistry.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.wpsuperlink.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291690; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.vanguardaamazonense.com.br"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.uns-kikaku.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.upvs.com.ng"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.themavvel.co.ke"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.tracymasonmedia.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.techtrust.pt"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.tecsoluciones.com.pe"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.tabledemassagepliante.fr"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.stayeasyplus.com"; depth:23; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.streakk.com.ng"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.smartzone.sa"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.spiegelenergy.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.scotiaperu.pe"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.seguroautoagora.com.br"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.saamtrek.co.za"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.sbtabriz.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.recettecuisinegastronomie.fr"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.quantum-ev.co"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.quasar.sa"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.princekushwaha.com.np"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.payall.com.ng"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.powerunits.ng"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ontrace.id"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.park-systems.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.nonisec.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.nonisec.com.ar"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.pnmls.cd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.natroglobal.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.news.co.tz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.musamwaky.co.tz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.nationaltemps.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.moralesalducin.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.movie.co.tz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.moimoveis.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.meadvilleorthodontics.com"; depth:32; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1291653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.medicalmedia.com.mx"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.mahtokitchencare.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.levinesolutions.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ludotenis.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.lacitavilla.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.kgcdiary.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ktktech.my.id"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.inversionesllort.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.isabelaayrosa.adv.br"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.imcbgten4.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.hotel.co.tz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ilutex.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.gridedgenews.com"; depth:23; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.harmonyvillage.gr"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.fridaybd.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.gridedge.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faybd.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291637; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faforon.com.ng"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.fatp.co.tz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faforlife.com.ng"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faforon.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dungnguyenarchi.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.embassydevelopments.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dktravel.com.ec"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dsts-immigration.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dilagosburguer.com.br"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.damaskin.ro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.danmartin.ro"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.confidable.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.credencewatches.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291625; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.casamagdalenapublicidad.com.co"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.cncmorelos.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.billionairesestate.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.bocadosdeamor.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.banjarkode.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.aurespa.ca"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.balebuku.my.id"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.altaymediaalbania.org"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.apa.ba"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.almoajel.sa"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.afrokulchagroup.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.afrokulchatravel.co.za"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.activelifemd.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291610; rev:1;) 
# ThreatFox "payload delivery" URL indicators (confidence 100, first_seen 2024_07_01).
# Each rule below alerts on an established, client-to-server HTTP GET from
# $HOME_NET when both conditions hold:
#   - http.uri starts with "/agov/": depth:6 pins the 6-byte pattern to the
#     start of the buffer, and nocase makes that match case-insensitive.
#   - http.host is exactly the listed name: depth:<len> pins the pattern to the
#     start of the buffer and isdataat:!1,relative requires that no byte follows.
#     The host pattern carries no nocase because Suricata normalizes http.host
#     to lowercase, so the pattern must stay lowercase.
# target:src_ip records the internal client as the affected side of the alert.
# NOTE(review): these rules read only the http.* buffers, so the same URL
# fetched over TLS will not match unless traffic is decrypted before the sensor.
# Presumably matching dns.query / tls.sni rules are needed for coverage - confirm.
# NOTE(review): the hosts are subdomains under many unrelated registered domains
# and the parent sites may be legitimate (an assumption, the feed does not say).
# Verify before blocking anything broader than the exact host listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.afrokulcha.co.za"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.3dsurf.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.abrakadabra.com.pe"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.olivrodapatria.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.1ihost.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.oiltanker.com.ng"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.liderford.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.lourencoviajante.pt"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.japeto.ro"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.jcgama.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.icredes.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.iluminate.com.mx"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.hypercctv.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291598; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.grid-edge.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.gridedgenews.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.gaziemircicekciler.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.ghdemo.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/agov/"; depth:6; nocase; http.host; content:"newcp.frederic-monereau.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.dominantlegaltrans.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.essentemizlik.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.coliturcusco.com.pe"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.departamentosenpueblolibre.com"; depth:36; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.bitezeventwedding.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.atlasfizyoterapi.com.tr"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.aurejewelry.ca"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.ankarasevkattesisat.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291585; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.americansports.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.ankaracilingirci.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.sulmov.com.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.trujilloserrano.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.sscmcc.cl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.promoveazaonline.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.smartfuture.co.za"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.proexcon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.nextsol.com.br"; depth:22; isdataat:!1,relative; 
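reference:url, threatfox.abuse.ch/ioc/1291575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291575; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL rules, first_seen 2024_07_01.
#
# Layout: one rule per physical line. Suricata reads a rule from a single line
# (or from backslash-continued lines), so a rule wrapped in the middle of its
# options is not parsed as written. The line directly above this comment and
# the last line of this run are the tail and head of rules that continue
# outside this section; they are left untouched and still need rejoining.
#
# What each rule matches: an established client-to-server HTTP request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose URI
# starts with "/agov/" (depth:6, nocase), and whose http.host buffer equals the
# listed name exactly (depth = length of the name, then isdataat:!1,relative).
# The parent domain and any other subdomain are not covered.
#
# Operational notes:
# - "alert http" only fires on traffic Suricata parses as HTTP. Requests to
#   the same hosts over TLS are not inspected unless decrypted upstream; add
#   tls.sni / dns.query coverage if that gap matters.
# - None of these rules carries a threshold keyword, so every matching request
#   raises an alert; rate-limit in threshold.config if one client gets noisy.
# - sid = 9 followed by the ThreatFox IOC id from the reference URL, which
#   gives a direct pivot from an alert to the IOC record.
# - NOTE(review): the names look like added subdomains (dibbadu., bp., bitp.)
#   on otherwise unrelated sites, which suggests compromised or shadowed
#   domains -- confirm against the IOC records. Indicators of this kind age
#   quickly; re-pull the feed instead of keeping this snapshot long-term.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.planamoveis.com.br"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.myportfolio.com.co"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.institutointei.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.millennialstourandtravel.co.ke"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.geofieldp.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.dolphinmanagement.ro"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.evergraphics.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.ciptransfer.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.caelectrons.com.br"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.carboneralabanda.com.co"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.arkaconstructores.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.worldcup.co.tz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.absoluteitbd.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wocrimestoppers.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wheelsofwilliamsport.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wheelsofwilliamsport.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wegolions.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.watertownctlions.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.trueearthchanges.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.video.co.tz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.sygenpharma.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.tdsorsta.ro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.stasy-union.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.seo7sry.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.shivaagorealty.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.segurobligatorio.pro"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.saleseconomic.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.sc1jtfu9765.universe.wf"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.riscasvicosas.pt"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.rafikidodomahotel.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.richardobenton.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.petersparre.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.niceguyrebrands.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.paltouchsystems.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.news.co.tz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.natenrjs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.nationalbeatpoetryfoundation.org"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.myindiamall.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.moimoveis.com.br"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.movie.co.tz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.mibenditoadolescente.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.marthareingold.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.mgcsw.gov.ss"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.littleleafstudio.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.lyctechnologies.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.linenessentials.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.kidsightusa.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.killerworkdev.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.kgcdiary.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.isap-union.gr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.jpxhelmet.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.innovatalks.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.fursforus.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.hotelultimafrontiera.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.fortclean.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.fatp.co.tz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.flyingdonvstg.franciaim.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.emporioecuador.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.easthartfordinterfaith.org"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.edgenetworks.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.dumbeg.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.davidliving.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.dieterforjudge.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.ctvidamelhor.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.celebratebloomfield.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.celloxwatches.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.car.co.tz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.brankenattorneys.co.tz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.cairnhillwatches.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.blogcanadiense.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.appoemn.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.bernard-bourcy.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.aminadabelago.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.afrokulchagroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.americansports.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.absolutairarcondicionado.com.br"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.weltpropiedades.cl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.4dpayme.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.tilakhighfiji.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.tami8849.odns.fr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.tiedyeromania.ro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.sviat21.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.siupk.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.smslogin.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.raagifts.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.quasar.sa"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.quick-eg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.pouradhwani.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.phrapitta.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.pisuka.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.ontech.co.zm"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 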
sid:91291485; rev:1;)
# ThreatFox "payload delivery" URL rules, all of one shape: an established, client-to-server
# HTTP GET from $HOME_NET whose URI begins with "/agov/" (depth:6, nocase) and whose http.host
# buffer is exactly the listed name (depth = name length; isdataat:!1,relative rejects any
# trailing bytes), so the parent domain and longer names do not match.
# Only parsed cleartext HTTP is inspected; the same host fetched over TLS is not covered here.
# There is no threshold keyword, so every matching request can alert. target:src_ip records the
# $HOME_NET client as the affected host. sid = 9 followed by the IOC id in the reference URL.
# NOTE(review): the names are bitp./bitpa. labels under otherwise unrelated domains; the rules
# do not say whether the parent sites are compromised -- check the ThreatFox entry before acting
# on the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.nwg.com.pk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.olivrodapatria.online"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.navihost.in"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.idealindustryltd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.kkenterprises.pk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.htechs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.heavenconstruction.pk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.heavenmarketing.pk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.hapa5387.odns.fr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.fromagetambourin.fr"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.grantindonesia.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.ebibote.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.clementinasketchbook.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.dicoar.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.blueroselb.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.vendotuttonline.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.vissnatech.ir"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.toel4298.odns.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291466; rev:1;)
# ThreatFox "payload delivery" URL rules, all of one shape: an established, client-to-server
# HTTP GET from $HOME_NET whose URI begins with "/agov/" (depth:6, nocase) and whose http.host
# buffer is exactly the listed name (depth = name length; isdataat:!1,relative rejects any
# trailing bytes), so the parent domain and longer names do not match.
# Only parsed cleartext HTTP is inspected; the same host fetched over TLS is not covered here.
# There is no threshold keyword, so every matching request can alert. target:src_ip records the
# $HOME_NET client as the affected host. sid = 9 followed by the IOC id in the reference URL.
# NOTE(review): the names are bitp./bitpa. labels under otherwise unrelated domains; the rules
# do not say whether the parent sites are compromised -- check the ThreatFox entry before acting
# on the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.avansisgroup.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.tigercampcorbett.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.soltita.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.tatlibuketi.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.socialobserver.in"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.sarshipping.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.smsfi.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.remoteprints.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.professoranagida.online"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.pta-greece.gr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.planethair.gr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.owanbefood.com.ng"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.palms77hotel.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.newestrealty.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.nationaltemps.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.neebs.edu.np"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.mydreamsltd.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291450/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291450; rev:1;)
# ThreatFox "payload delivery" URL rules, all of one shape: an established, client-to-server
# HTTP GET from $HOME_NET whose URI begins with "/agov/" (depth:6, nocase) and whose http.host
# buffer is exactly the listed name (depth = name length; isdataat:!1,relative rejects any
# trailing bytes), so the parent domain and longer names do not match.
# Only parsed cleartext HTTP is inspected; the same host fetched over TLS is not covered here.
# There is no threshold keyword, so every matching request can alert. target:src_ip records the
# $HOME_NET client as the affected host. sid = 9 followed by the IOC id in the reference URL.
# NOTE(review): the names are bitp./bitpa. labels under otherwise unrelated domains; the rules
# do not say whether the parent sites are compromised -- check the ThreatFox entry before acting
# on the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.miogatto.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.moralesalducin.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.mejoresconsejosvida.online"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.alkareemimport.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.mathinmaps.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.alan.my"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.alamri-ip.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.innovatalks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.jcaisse-dev.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.hostpinas.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.elshamel.online"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.guptavedika.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.eamarseba.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.dogfestival.gr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.drcaraccessories.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.dctcbd.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.desipolska.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.combienemetmonargent.info"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291432; rev:1;)
# ThreatFox "payload delivery" URL rules, all of one shape: an established, client-to-server
# HTTP GET from $HOME_NET whose URI begins with "/agov/" (depth:6, nocase) and whose http.host
# buffer is exactly the listed name (depth = name length; isdataat:!1,relative rejects any
# trailing bytes), so the parent domain and longer names do not match.
# Only parsed cleartext HTTP is inspected; the same host fetched over TLS is not covered here.
# There is no threshold keyword, so every matching request can alert. target:src_ip records the
# $HOME_NET client as the affected host. sid = 9 followed by the IOC id in the reference URL.
# NOTE(review): the names are bitpa. labels under otherwise unrelated domains; the rules do not
# say whether the parent sites are compromised -- check the ThreatFox entry before acting on the
# parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.bicoman.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.casamagdalenapublicidad.com.co"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.bghbd.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.beautifulbooze.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.bariel.co.id"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.athleticshub.co.uk"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.babajani.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.artemilenario.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291424/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_07_01; classtype:trojan-activity; sid:91291424; rev:1;)
# "Payload delivery" URL rule: established client-to-server HTTP GET from $HOME_NET, URI beginning
# with "/agov/" (depth:6, nocase), http.host exactly the listed name (depth = name length plus
# isdataat:!1,relative). Cleartext HTTP only; no threshold keyword, so each matching request can
# alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.ananyajain.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291423; rev:1;)
# ip:port rules. They carry no flow or payload condition: the destination address and port are
# the whole match, so a single TCP packet from $HOME_NET to that endpoint is enough to fire.
# threshold type limit, track by_src, seconds 60, count 1 caps each rule at one alert per source
# address per 60 seconds, so the alert count says nothing about connection volume.
# confidence_level is the feed's score and differs per rule (49 and 100 in the next two); the
# address is the only indicator and the rule has no expiry, so corroborate a hit with host or
# flow data and use first_seen when retiring old entries.
alert tcp $HOME_NET any -> [195.50.242.110] 8080 (msg:"ThreatFox HOTCROISSANT botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291420/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_01; classtype:trojan-activity; sid:91291420; rev:1;)
alert tcp $HOME_NET any -> [147.45.44.12] 13830 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291421; rev:1;)
# "Botnet C2" URL rule: established client-to-server HTTP GET whose URI begins with
# "/a17861b9cb6f1a53.php" (depth:21, nocase) and whose http.host buffer is exactly the IP literal
# 147.45.78.162. Cleartext HTTP only; no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a17861b9cb6f1a53.php"; depth:21; nocase; http.host; content:"147.45.78.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291422; rev:1;)
# ip:port rules labelled NetSupportManager RAT, all at confidence_level 50. Same shape as the
# ip:port rules above: address and port only, one alert per source per 60 seconds. At this score
# a hit is a lead to verify on the endpoint, not proof of infection.
alert tcp $HOME_NET any -> [93.188.122.139] 4433 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291419; rev:1;)
alert tcp $HOME_NET any -> [83.48.66.207] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291418; rev:1;)
alert tcp $HOME_NET any -> [198.244.197.118] 9443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291417; rev:1;)
alert tcp $HOME_NET any -> [2.139.253.110] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291416; rev:1;)
alert tcp $HOME_NET any -> [186.225.10.251] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291415; rev:1;)
alert tcp $HOME_NET any -> [206.210.123.104] 8888 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291414; rev:1;)
alert tcp $HOME_NET any -> [95.189.100.119] 443 (msg:"ThreatFox NetSupportManager 
RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291413; rev:1;) alert tcp $HOME_NET any -> [179.159.167.251] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291412; rev:1;) alert tcp $HOME_NET any -> [61.96.204.117] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291411; rev:1;) alert tcp $HOME_NET any -> [185.23.192.33] 444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291410; rev:1;) alert tcp $HOME_NET any -> [2.136.235.200] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291409; rev:1;) alert tcp $HOME_NET any -> [103.237.87.159] 9462 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291408/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291408; rev:1;) alert tcp $HOME_NET any -> [200.152.101.176] 9090 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291407; rev:1;) alert tcp $HOME_NET any -> [186.236.112.114] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291406; rev:1;) alert tcp $HOME_NET any -> [93.232.107.227] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291405; rev:1;) alert tcp $HOME_NET any -> [93.232.107.227] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291404; rev:1;) alert tcp $HOME_NET any -> [200.243.0.50] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291403; rev:1;) alert tcp $HOME_NET any -> [62.156.170.137] 1111 (msg:"ThreatFox NetSupportManager RAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291402; rev:1;) alert tcp $HOME_NET any -> [212.170.14.98] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291401; rev:1;) alert tcp $HOME_NET any -> [189.115.194.186] 9990 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291400; rev:1;) alert tcp $HOME_NET any -> [101.108.13.204] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291399; rev:1;) alert tcp $HOME_NET any -> [200.180.67.154] 9444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291398; rev:1;) alert tcp $HOME_NET any -> [210.249.114.153] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291397/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291397; rev:1;) alert tcp $HOME_NET any -> [178.188.188.212] 5500 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291396; rev:1;) alert tcp $HOME_NET any -> [39.40.167.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291395; rev:1;) alert tcp $HOME_NET any -> [85.215.215.94] 41057 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291394; rev:1;) alert tcp $HOME_NET any -> [75.2.71.143] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291393; rev:1;) alert tcp $HOME_NET any -> [35.220.201.119] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291392; rev:1;) alert tcp $HOME_NET any -> [82.153.138.128] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291391; rev:1;) alert tcp $HOME_NET any -> [94.237.59.129] 30570 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291390; rev:1;) alert tcp $HOME_NET any -> [94.237.59.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"cx5519.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"office-techs.biz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"gebeus.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"evilos.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cx5519.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evilos.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gebeus.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"office-techs.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.clinicachirurgie3.ro"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asdaryder.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.colourful-decor.be"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mch.html"; depth:9; nocase; http.host; content:"anmon.name"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291356; rev:1;)

# Reading the generated rules below. Three shapes repeat:
#   dns  - `dns_query` (legacy name of the dns.query buffer) with a content whose
#          depth equals the name length plus `isdataat:!1,relative`: the query
#          name must equal the listed domain exactly, case-insensitively
#          (nocase). Queries for subdomains of a listed name are not matched.
#   http - client request on an established flow, method containing "GET", a URI
#          that starts with the listed path (depth anchors the match at the
#          start of the buffer and there is no end-of-buffer check, so longer
#          URIs sharing the prefix also match), and a Host value equal to the
#          listed name or IP literal. No nocase on the host: Suricata's
#          http.host buffer is lowercase-normalised. These rules only see HTTP
#          the sensor can parse; the same host reached over TLS is not covered.
#   tcp  - no flow or payload keywords, so the match is on $HOME_NET source,
#          destination address and destination port alone.
#          `threshold: type limit, track by_src, seconds 60, count 1` caps the
#          alerts at one per source host per 60 seconds.
# `target:src_ip` marks the $HOME_NET side as the alert target, i.e. the
# internal host to triage. confidence_level and first_seen in `metadata` are
# feed values; corroborate 50% ip:port hits with other telemetry and review
# how long indicators are kept, since addresses get reassigned.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anmon.name"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"indepahote.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"movegomove.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291377; rev:1;)

# Destination ports 139 and 445 are the NetBIOS session / SMB ports. Where
# outbound SMB is already denied at the perimeter, firewall deny logs for this
# address are a second place to look besides the IDS alert.
alert tcp $HOME_NET any -> [62.173.141.99] 139 (msg:"ThreatFox QakBot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291378; rev:1;)
alert tcp $HOME_NET any -> [62.173.141.99] 445 (msg:"ThreatFox QakBot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291379; rev:1;)
alert tcp $HOME_NET any -> [103.237.87.40] 1993 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291380; rev:1;)

# URL rules whose Host value is an IP literal: they match only when the client
# sends that literal in the Host header, not when the same server is reached
# under a hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291374; rev:1;)
alert tcp $HOME_NET any -> [116.205.233.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291373; rev:1;)
alert tcp $HOME_NET any -> [159.75.110.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291372; rev:1;)
# NOTE(review): the Host below looks like a per-service name under a cloud
# API-gateway parent domain - confirm. The exact match on the full name keeps
# the rule from covering other names under the same parent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-d27o3nmv-1324720265.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.22.152.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"64.7.198.173"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"192.252.182.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.140.200.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.91.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"54.237.218.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"112.126.85.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291361; rev:1;)
# Short path prefixes such as "/cx" are only meaningful together with the exact
# Host match; the URI part alone would match any path beginning with it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.198.247.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcvcf.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"padrf.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291352; rev:1;)

# The next four payload-delivery rules share one Host value and differ only in
# the URI path. They inspect the request side only (from_client): an alert
# shows that the file was requested, not that it was delivered, so pair it with
# HTTP response / file logging for the same flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kdmapper.exe"; depth:13; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log1.exe"; depth:9; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log2.exe"; depth:9; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spoofer.sys"; depth:12; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291349; rev:1;)

# ip:port indicators. Each rule is keyed on one address AND one port; traffic
# to the same address on any other port raises no alert from this file.
alert tcp $HOME_NET any -> [136.243.111.71] 20001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291345; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.5] 9898 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291344; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.188] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291342; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.188] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291343; rev:1;)
# "Unknown malware" at 50% on a common service port (80 here) is the weakest
# signal in this section: the rule cannot tell C2 from any other connection to
# that address and port.
alert tcp $HOME_NET any -> [185.223.77.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291341; rev:1;)
alert tcp $HOME_NET any -> [47.98.177.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291340; rev:1;)
alert tcp $HOME_NET any -> [196.77.36.25] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291339; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.103] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291338; rev:1;)
alert tcp $HOME_NET any -> [83.220.172.119] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291337; rev:1;)
alert tcp $HOME_NET any -> [159.223.0.196] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291336; rev:1;)
alert tcp $HOME_NET any -> [107.172.78.188] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291335; rev:1;)
alert tcp $HOME_NET any -> [18.210.161.224] 3436 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291281; rev:1;)
alert tcp $HOME_NET any -> [104.243.242.166] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291282; rev:1;)

# Hostnames under shared parents (duckdns.org is a dynamic-DNS service; the
# gl.at.ply.gg names below presumably belong to a shared tunnelling service -
# TODO confirm). Only the full listed hostname is matched, so unrelated names
# under the same parent do not alert.
# NOTE(review): 147.185.221.20 is listed on three ports next to those names;
# if it is a shared endpoint, treat each ip:port pair as its own indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"googledocs.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291283; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 22517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"provided-existence.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291285; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 37993 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"them-recommended.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291287; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 50199 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291288; rev:1;)
alert tcp $HOME_NET any -> [4.185.56.82] 42687 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291290; rev:1;)
alert tcp $HOME_NET any -> [144.172.122.232] 20131 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291291; rev:1;)
alert tcp $HOME_NET any -> [195.189.227.105] 48367 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291301; rev:1;)
# Destination port 23 is the telnet port.
alert tcp $HOME_NET any -> [15.204.88.244] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291305/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291305; rev:1;)
# Two payload URLs on one host whose paths differ only in the .arm4 / .arm5
# suffix. With $HOME_NET as source, the requesting device is the one to triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291311; rev:1;)
alert tcp 
$HOME_NET any -> [3.125.102.39] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291299/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291299; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291300; rev:1;) alert tcp $HOME_NET any -> [103.162.20.166] 3007 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291298/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291298; rev:1;) alert tcp $HOME_NET any -> [39.99.34.125] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm6"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1291317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291318; rev:1;) alert tcp $HOME_NET any -> [37.156.29.141] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291319; rev:1;) alert tcp $HOME_NET any -> [77.105.135.107] 3445 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7095863454:aafghbqqjxy7rfzi0ct99qzpvrwqpki6r1a/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291324; rev:1;) alert tcp $HOME_NET any -> [5.161.190.139] 8732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291333; rev:1;) alert tcp $HOME_NET any -> [154.211.98.3] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291332; rev:1;) alert tcp $HOME_NET any -> [58.87.103.109] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291331; rev:1;) alert tcp $HOME_NET any -> [141.98.10.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291330; rev:1;) alert tcp $HOME_NET any -> [121.40.117.196] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291329; rev:1;) alert tcp $HOME_NET any -> [159.75.169.189] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291328; rev:1;) 
# Generated ThreatFox indicator rules, one indicator per rule.
# ip:port rules ("alert tcp") match on destination address and port alone and are limited to one
# alert per source host per 60 seconds; they carry no payload condition, so on common ports
# (80, 443, 8080) any connection to the listed address alerts.
alert tcp $HOME_NET any -> [123.207.5.253] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291327; rev:1;)
alert tcp $HOME_NET any -> [45.148.120.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291326; rev:1;)
alert tcp $HOME_NET any -> [123.56.153.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291325; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.93] 2973 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291323; rev:1;)
# url rules ("alert http"): a GET whose URI starts with the pattern (depth equals the pattern
# length and nothing anchors the end, so longer paths and query strings also match) and whose Host
# value equals the pattern exactly (depth plus isdataat:!1,relative). These rules carry no
# threshold, so every matching request alerts. They only see requests the HTTP parser can read,
# i.e. cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cd40479.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux03/8/externaleternaltophpjsrequestservertrafficuniversaldatalife.php"; depth:74; nocase; http.host; content:"62.109.22.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpflowergenerator.php"; depth:23; nocase; http.host; content:"000366cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291309; rev:1;)
# 110.41.14.58 appears twice: as the Host of a 75% url rule and as a 100% Cobalt Strike ip:port
# rule on 7931. The two rules are independent; a hit on both from the same source host is a
# stronger signal than either alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cskaocncansodf44s65d4f.jpg"; depth:27; nocase; http.host; content:"110.41.14.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291308; rev:1;)
alert tcp $HOME_NET any -> [110.41.14.58] 7931 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verchk/verchk_"; depth:15; nocase; http.host; content:"43.143.58.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291306; rev:1;)
alert tcp $HOME_NET any -> [79.110.62.113] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291304; rev:1;)
alert tcp $HOME_NET any -> [196.65.155.135] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291303; rev:1;)
# Entries from here on carry first_seen 2024_06_30.
alert tcp $HOME_NET any -> [147.45.47.35] 5607 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291302; rev:1;)
# domain rules ("alert dns"): depth equals the pattern length and isdataat:!1,relative requires
# nothing after it, so only a query for exactly this name matches; a lookup of a subdomain does
# not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"londopas.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291297/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berjimek.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291296/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291296; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291295; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291294; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291293; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tydyjtdfjhtf.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaylen.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1291277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuren.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corysy.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soterios.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291280; rev:1;) alert tcp $HOME_NET any -> [128.140.53.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291270; rev:1;) alert tcp $HOME_NET any -> [128.140.53.5] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291271; rev:1;) alert tcp $HOME_NET any -> 
[168.119.118.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291272; rev:1;) alert tcp $HOME_NET any -> [168.119.118.92] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291273; rev:1;) alert tcp $HOME_NET any -> [77.221.158.54] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kotawa.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliszon.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"soterios.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291266; rev:1;) alert tcp $HOME_NET any -> [195.201.251.214] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291267; rev:1;) alert tcp $HOME_NET any -> [195.201.251.214] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291268; rev:1;) alert tcp $HOME_NET any -> [65.109.243.105] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"corysy.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ymuren.top"; depth:10; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1291264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kaylen.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.221.158.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aliszon.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kotawa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.118.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.118.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.53.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.53.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.105"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291255; rev:1;)
# In every rule shown here the sid is 90000000 + the ThreatFox IOC id from the reference URL
# (ioc/1291254 -> sid:91291254), so an alert can be traced back to its IOC entry from the sid alone.
# target:src_ip marks the $HOME_NET client as the affected side of the event.
#
# URL rule: http.uri only has to start with "/" (depth:1, no end-of-buffer check), so the URI
# condition is met by any path beginning with "/"; the exact http.host match (depth:15 plus
# isdataat:!1,relative) is the selective condition. Only requests whose method contains GET match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.251.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291254; rev:1;)
# Domain rule: depth equals the length of the name and isdataat:!1,relative requires that nothing
# follows it, so only a query for exactly this name matches (case-insensitive); subdomains do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.chinacec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291253; rev:1;)
# Same host as the domain rule above, seen over HTTP: URI matched as a case-insensitive prefix
# at offset 0, host matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-apis/"; depth:12; nocase; http.host; content:"api.chinacec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291252; rev:1;)
# ip:port rules: no flow or payload keywords, so any TCP packet from $HOME_NET to the listed
# address and port matches; threshold limits output to one alert per source IP per 60 seconds.
# NOTE(review): most of these are confidence_level 50 on a bare address, several on port 80/443.
# Treat a hit as a lead to corroborate with host or proxy telemetry; first_seen is 2024_06_30, and
# an address may have been reassigned since - check the referenced ThreatFox entry before acting.
alert tcp $HOME_NET any -> [94.156.69.27] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291250/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291250; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.27] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291251; rev:1;)
alert tcp $HOME_NET any -> [136.243.111.71] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291249/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291249; rev:1;)
alert tcp $HOME_NET any -> [197.0.49.10] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291248/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291248; rev:1;)
alert tcp $HOME_NET any -> [91.151.89.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291247/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291247; rev:1;)
alert tcp $HOME_NET any -> [152.32.172.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291246; rev:1;)
alert tcp $HOME_NET any -> [124.220.222.35] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291245; rev:1;)
alert tcp $HOME_NET any -> [65.109.183.189] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291244; rev:1;)
alert tcp $HOME_NET any -> [36.131.128.111] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291243; rev:1;)
# URL rule on a bare-IP host: the 51-byte URI is matched as a prefix, the host exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspollcpuupdategamelongpollsqltestdletemporary.php"; depth:51; nocase; http.host; content:"89.23.97.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291242; rev:1;)
alert tcp $HOME_NET any -> [51.195.206.227] 38719 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poliyhedira.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"nightciows.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291056; rev:1;)
# Domain rules (dns_query): each matches one exact query name - depth equals the name length and
# isdataat:!1,relative rejects anything longer; nocase makes the match case-insensitive. A parent
# domain and its subdomains therefore appear as separate rules (nightciows.com, kr.nightciows.com,
# co.kr.nightciows.com), and a name that is not listed is not covered.
# NOTE(review): many of these names differ from one another by a single character, and some carry
# what looks like another domain as leading labels (dedust.io.dedusit.io,
# aerodrome.finance.aerodirome.com) - presumably lookalike registrations; the msg text itself only
# says "botnet C2". When reviewing DNS logs after a hit, searching on the registered domain rather
# than the exact listed name would also surface hostnames this feed does not enumerate.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nightcirows.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modoe.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"network.polyhedrao.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modeu.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modew.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modne.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.chainlirst.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitou.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitoz.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kr.nightciows.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitco.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitot.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance.aerodirome.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"io.dedusit.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chainlirst.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaimlstr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chainlirstr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chainlistr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chairnlirst.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chairnlist.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"co.kr.nightciows.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dediust.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedlust.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedrust.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedusit.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedusit.io"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedust.io.dedusit.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ere.yesis-store.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodrome.finance.aerodirome.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodromr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaimlistr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"aerodomc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291024; rev:1;)
# Domain rules (dns_query): exact-name, case-insensitive matches - depth equals the length of the
# name and isdataat:!1,relative requires the query to end there, so a subdomain of a listed name
# only alerts if it has its own rule (e.g. sitemaps.chainlistr.com, stream.pascalsoftware.com).
# Every complete rule in this run carries first_seen 2024_06_30; all are confidence_level 100
# except nsafabole.store (75).
# NOTE(review): most names fall into families that vary by one or two characters (seeditfy?.com,
# raydiu?.com, aerod*.com, synf*.com) - presumably bulk lookalike registrations; the msg text only
# says "botnet C2". Further variants outside this list would not alert, so a hit on one name is a
# reason to review the client's other DNS queries for near-identical names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodomr.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodirome.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodiromr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodiomc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyu.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyi.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfym.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiuv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiux.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiuz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiur.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiuu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiue.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiui.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiul.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydima.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhedra.network.polyhedrao.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhedrao.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhedrao.network"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhiadira.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stream.pascalsoftware.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sitemaps.chainlistr.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"specialdrilling38.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synflntues.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synfntueis.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nsafabole.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synfntuies.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"sanchezandmore.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291086/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291086; rev:1;)
# ip:port rules: no flow or payload keywords, so any TCP packet from $HOME_NET to the listed
# address and port matches; threshold emits at most one alert per source IP per 60 seconds.
# NOTE(review): several targets are port 80 on a bare address labelled "Unknown malware" -
# corroborate a hit with host or proxy telemetry and the referenced ThreatFox entry
# (first_seen 2024_06_30) before treating the client as compromised.
alert tcp $HOME_NET any -> [94.103.83.129] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291087; rev:1;)
alert tcp $HOME_NET any -> [77.238.242.152] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291088; rev:1;)
alert tcp $HOME_NET any -> [78.153.139.18] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291089; rev:1;)
# Domain rule: exact-name, case-insensitive match on the DNS query. The name embeds what looks
# like an IPv4 address (77-220-212-71) - presumably a provider-assigned host name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77-220-212-71.netherlands-2.vps.ac"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291095; rev:1;)
alert tcp $HOME_NET any -> [176.57.212.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291096; rev:1;)
alert tcp $HOME_NET any -> [89.116.110.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291097; rev:1;)
alert tcp $HOME_NET any -> [94.158.244.72] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291138; rev:1;)
alert tcp $HOME_NET any -> [108.170.52.131] 13587 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291240; rev:1;)
# URL rule tagged "payload delivery" rather than C2: URI matched as a case-insensitive prefix at
# offset 0, host matched exactly; only requests whose method contains GET are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-wave-contracts-legal-considerations-implications"; depth:63; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-159.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291020; rev:1;)
alert tcp $HOME_NET any -> [198.7.114.191] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boats.cloudboats.vip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291016; rev:1;)
alert tcp $HOME_NET any -> [84.32.41.112] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291101/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_30; classtype:trojan-activity; sid:91291101; rev:1;)
# URL rules: http.uri is matched as a case-insensitive prefix (content anchored by depth, no
# end-of-buffer check), http.host exactly (depth plus isdataat:!1,relative). /match, /ga.js,
# /bootstrap-5.3.1.min.js and /jquery-3.3.1.min.js are short or common asset-style paths, so in
# those rules the host condition carries the specificity.
# NOTE(review): these rules inspect parsed HTTP; presumably the same URL requested over TLS is
# not visible to them unless traffic is decrypted upstream of the sensor. Methods other than GET
# are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000383.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalimagevmrequestlongpollsqldblocal.php"; depth:45; nocase; http.host; content:"228282cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternallinephprequestsecurepacketprocessauthwordpress.php"; depth:66; nocase; http.host; content:"445798cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.149.236.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.109.186.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"47.94.42.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291092; rev:1;)
alert tcp $HOME_NET any -> [124.222.91.4] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.nbch1na.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/74e37122.php"; depth:13; nocase; http.host; content:"a0999045.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291019; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.82] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"mortilove9.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291017; rev:1;)
# The fragment above is the tail of a rule whose head lies on the preceding line.
# Rules below are laid out one per line.
#
# Reading these rules:
#   ip:port rules have no flow or content option, so any TCP packet from
#   $HOME_NET to the listed address and port matches; the threshold option
#   limits output to one alert per source host per 60 seconds.
#   domain rules match only when the whole DNS query name equals the content
#   (depth = content length, isdataat:!1,relative), case-insensitively.
#   url rules need a GET whose URI starts with the path and whose http.host
#   equals the host exactly.
# target:src_ip marks the $HOME_NET side as the target in the alert record.

alert tcp $HOME_NET any -> [107.148.146.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291014; rev:1;)
# c2.yuyake.top is covered twice: the DNS lookup (sid 91291013) and the HTTP
# request (sid 91291012). A lookup without a following request still alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.yuyake.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"c2.yuyake.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291012; rev:1;)
alert tcp $HOME_NET any -> [162.251.94.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291011; rev:1;)
# www.qianxinnbplus.xyz is likewise covered by a DNS rule and a URL rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qianxinnbplus.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_cart.html"; depth:14; nocase; http.host; content:"www.qianxinnbplus.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0988906.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291008; rev:1;)
# Short paths with an IP literal as host: the 4- to 8-byte URI prefix is weak
# on its own, so these rules depend entirely on the exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.92.91.192"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"yuanruicn.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291005; rev:1;)
# NOTE(review): confidence 50 and no payload condition; corroborate before
# escalating a single hit.
alert tcp $HOME_NET any -> [47.109.51.223] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290998; rev:1;)
# Three port-443 indicators at confidence 75; without a content option they
# cannot tell C2 traffic from any other TLS session to the same address.
alert tcp $HOME_NET any -> [95.214.27.187] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291001; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.160] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291002; rev:1;)
alert tcp $HOME_NET any -> [37.44.238.67] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conn.masjesu.zip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000492.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290999; rev:1;)
# NOTE(review): confidence 50; corroborate before escalating.
alert tcp $HOME_NET any -> [194.113.74.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290996; rev:1;)
alert tcp $HOME_NET any -> [4.213.168.254] 35456 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290995; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.163] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290994; rev:1;)
# The rule started below continues on the following line.
alert tcp $HOME_NET any -> [103.234.72.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; 
classtype:trojan-activity; sid:91290993; rev:1;)
# The fragment above is the tail of a rule whose head lies on the preceding line.
# Rules below are laid out one per line.
#
# Apart from one DNS rule, this section is ip:port indicators at confidence 100.
# Each is "alert tcp $HOME_NET any -> [IP] PORT" with no flow or content option:
# any TCP packet from $HOME_NET to that address and port matches, whether or not
# a session was established. "threshold: type limit, track by_src, seconds 60,
# count 1" yields at most one alert per source host per 60 seconds, so alert
# volume does not reflect connection volume. target:src_ip marks the $HOME_NET
# side as the target in the alert record.
# NOTE(review): every entry carries first_seen 2024_06_30; address-only
# indicators lose value as addresses are reassigned, so weigh the date on triage.

alert tcp $HOME_NET any -> [101.42.247.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290992; rev:1;)
alert tcp $HOME_NET any -> [23.95.65.198] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290991; rev:1;)
alert tcp $HOME_NET any -> [159.75.169.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290990; rev:1;)
# This address also appears as the http.host of a URL rule (sid 91291093)
# earlier in the file; both can fire for one request.
alert tcp $HOME_NET any -> [47.109.186.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290989; rev:1;)
# DNS rule: the whole query name must equal the content (depth 23 = content
# length, isdataat:!1,relative), case-insensitively; subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connect.bolo-botnet.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290988; rev:1;)
alert tcp $HOME_NET any -> [47.95.31.143] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290987; rev:1;)
alert tcp $HOME_NET any -> [47.238.48.116] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290986; rev:1;)
alert tcp $HOME_NET any -> [172.245.110.33] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290985; rev:1;)
alert tcp $HOME_NET any -> [45.61.138.167] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290984; rev:1;)
alert tcp $HOME_NET any -> [39.106.83.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290983; rev:1;)
# 46.183.27.41 is listed on ports 443 and 8443 (sids 91290982, 91290980);
# correlate hits by destination address rather than by sid.
alert tcp $HOME_NET any -> [46.183.27.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290982; rev:1;)
alert tcp $HOME_NET any -> [43.207.204.175] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290981; rev:1;)
alert tcp $HOME_NET any -> [46.183.27.41] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290980; rev:1;)
# 134.122.75.115 is listed on ports 87 and 86 (sids 91290979, 91290976).
alert tcp $HOME_NET any -> [134.122.75.115] 87 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290979; rev:1;)
alert tcp $HOME_NET any -> [106.14.69.133] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290978; rev:1;)
alert tcp $HOME_NET any -> [176.109.109.84] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290977; rev:1;)
alert tcp $HOME_NET any -> [134.122.75.115] 86 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290976; rev:1;)
alert tcp $HOME_NET any -> [18.183.19.253] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290975; rev:1;)
alert tcp $HOME_NET any -> [114.55.250.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290972; rev:1;)
alert tcp $HOME_NET any -> [34.132.104.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290973; rev:1;)
alert tcp $HOME_NET any -> [39.100.182.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290974; rev:1;)
alert tcp $HOME_NET any -> [112.126.85.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290970; rev:1;)
# The rule started below continues on the following line.
alert tcp $HOME_NET any -> [49.232.199.246] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290971; rev:1;)
# The fragment above is the tail of a rule whose head lies on the preceding line.
# Rules below are laid out one per line.
#
# All rules in this section are ip:port indicators at confidence 100. The
# header "alert tcp $HOME_NET any -> [IP] PORT" is the entire match condition:
# there is no flow or content option, so any TCP packet from $HOME_NET to that
# address and port raises the alert. The threshold option (type limit, track
# by_src, 60 s, count 1) caps output at one alert per source host per minute.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
# NOTE(review): several destinations are on ports 80/443/8080, where an address
# match alone cannot separate C2 from other traffic to the same host; pair a hit
# with flow or endpoint data before concluding.

alert tcp $HOME_NET any -> [110.40.138.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290968; rev:1;)
alert tcp $HOME_NET any -> [114.55.57.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290969; rev:1;)
alert tcp $HOME_NET any -> [49.232.227.129] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290965; rev:1;)
alert tcp $HOME_NET any -> [150.158.113.86] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290966; rev:1;)
alert tcp $HOME_NET any -> [199.195.252.200] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290967; rev:1;)
alert tcp $HOME_NET any -> [43.136.218.157] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290963; rev:1;)
alert tcp $HOME_NET any -> [47.76.67.52] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290964; rev:1;)
alert tcp $HOME_NET any -> [43.139.107.157] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290961; rev:1;)
alert tcp $HOME_NET any -> [117.50.196.200] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290962; rev:1;)
# 64.7.198.173 is listed on ports 81 and 80 (sids 91290959, 91290951);
# correlate hits by destination address rather than by sid.
alert tcp $HOME_NET any -> [64.7.198.173] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290959; rev:1;)
alert tcp $HOME_NET any -> [123.58.220.97] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290960; rev:1;)
alert tcp $HOME_NET any -> [47.121.123.96] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290958; rev:1;)
alert tcp $HOME_NET any -> [139.9.205.12] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290956; rev:1;)
alert tcp $HOME_NET any -> [43.153.222.28] 433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290957; rev:1;)
alert tcp $HOME_NET any -> [97.64.18.185] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290955; rev:1;)
alert tcp $HOME_NET any -> [121.43.124.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290953; rev:1;)
alert tcp $HOME_NET any -> [120.53.236.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290954; rev:1;)
alert tcp $HOME_NET any -> [111.231.20.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290952; rev:1;)
alert tcp $HOME_NET any -> [64.7.198.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290951; rev:1;)
alert tcp $HOME_NET any -> [119.91.144.105] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290950; rev:1;)
alert tcp $HOME_NET any -> [134.175.229.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290949; rev:1;)
# The rule started below continues on the following line.
alert tcp $HOME_NET any -> [47.108.106.118] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290948; rev:1;)
# The fragment above is the tail of a rule whose head lies on the preceding line.
# Rules below are laid out one per line.
#
# All rules in this section are ip:port indicators at confidence 100. With no
# flow or content option, the header "alert tcp $HOME_NET any -> [IP] PORT" is
# the whole condition, so unanswered connection attempts alert the same way as
# established sessions. The threshold option (type limit, track by_src, 60 s,
# count 1) caps output at one alert per source host per minute. target:src_ip
# marks the $HOME_NET side as the target in the alert record.
# NOTE(review): all entries carry first_seen 2024_06_30; check the reference
# URL for current status before acting on an address-only match.

# 8.219.146.174 is listed on ports 8080 and 1337 (sids 91290947, 91290942).
alert tcp $HOME_NET any -> [8.219.146.174] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290947; rev:1;)
alert tcp $HOME_NET any -> [206.237.24.135] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290945; rev:1;)
alert tcp $HOME_NET any -> [43.139.107.157] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290946; rev:1;)
# 154.221.24.44 is listed on ports 8098 and 8099 (sids 91290944, 91290933).
alert tcp $HOME_NET any -> [154.221.24.44] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290944; rev:1;)
alert tcp $HOME_NET any -> [8.217.137.245] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290943; rev:1;)
alert tcp $HOME_NET any -> [8.219.146.174] 1337 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290942; rev:1;)
alert tcp $HOME_NET any -> [8.141.13.130] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290941; rev:1;)
alert tcp $HOME_NET any -> [47.121.112.235] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290940; rev:1;)
alert tcp $HOME_NET any -> [47.236.74.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290939; rev:1;)
alert tcp $HOME_NET any -> [47.113.107.52] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290938; rev:1;)
alert tcp $HOME_NET any -> [43.138.132.137] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290937; rev:1;)
alert tcp $HOME_NET any -> [39.108.220.93] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290936; rev:1;)
alert tcp $HOME_NET any -> [185.117.0.43] 8887 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290935; rev:1;)
alert tcp $HOME_NET any -> [185.201.226.192] 4001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290934; rev:1;)
alert tcp $HOME_NET any -> [154.221.24.44] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290933; rev:1;)
alert tcp $HOME_NET any -> [123.58.220.97] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290932; rev:1;)
alert tcp $HOME_NET any -> [119.45.21.247] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290931; rev:1;)
alert tcp $HOME_NET any -> [115.159.50.50] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290930; rev:1;)
alert tcp $HOME_NET any -> [112.124.6.100] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290929; rev:1;)
alert tcp $HOME_NET any -> [106.54.236.42] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290928; rev:1;)
alert tcp $HOME_NET any -> [106.75.249.81] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290927; rev:1;)
alert tcp $HOME_NET any -> [101.200.120.13] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290926; rev:1;)
alert tcp $HOME_NET any -> [124.222.37.211] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290925; rev:1;)
alert tcp $HOME_NET any -> [211.149.252.96] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290924; rev:1;)
alert tcp $HOME_NET any -> [124.222.72.51] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290923; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.235] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290922; rev:1;)
alert tcp $HOME_NET any -> [120.26.139.208] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290920; rev:1;)
# The rule started below continues on the following line.
alert tcp $HOME_NET any -> [103.146.159.3] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290921; rev:1;)
# ip:port indicators on TCP/80 (one rule per line).
# Each rule matches on destination address and port only. There is no flow or
# content condition, so any TCP packet from $HOME_NET to that endpoint qualifies,
# including a SYN that is never answered.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source host per 60 seconds. target:src_ip records the $HOME_NET side
# as the target of the event.
# NOTE(review): port 80 carries ordinary web traffic, and an address may serve
# other content or be reassigned after first_seen. Corroborate a hit with HTTP or
# endpoint telemetry before treating the host as compromised, and expire entries
# once the referenced ThreatFox IOC is no longer current.
alert tcp $HOME_NET any -> [54.237.218.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290918; rev:1;)
alert tcp $HOME_NET any -> [120.79.8.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290919; rev:1;)
alert tcp $HOME_NET any -> [18.138.122.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290917; rev:1;)
alert tcp $HOME_NET any -> [185.77.226.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290916; rev:1;)
alert tcp $HOME_NET any -> [47.109.77.9] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; 
classtype:trojan-activity; sid:91290915; rev:1;) alert tcp $HOME_NET any -> [103.225.9.174] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290913; rev:1;) alert tcp $HOME_NET any -> [39.100.91.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290914; rev:1;) alert tcp $HOME_NET any -> [106.53.22.217] 1080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290912; rev:1;) alert tcp $HOME_NET any -> [220.249.191.101] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290911; rev:1;) alert tcp $HOME_NET any -> [116.204.75.247] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290910; rev:1;) alert tcp $HOME_NET any -> [43.138.150.207] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290909; rev:1;) alert tcp $HOME_NET any -> [154.44.10.182] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290908; rev:1;) alert tcp $HOME_NET any -> [47.97.100.26] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290907; rev:1;) alert tcp $HOME_NET any -> [121.37.226.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290906; rev:1;) alert tcp $HOME_NET any -> [35.238.182.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290905; rev:1;) alert tcp $HOME_NET any -> [124.223.101.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290903; rev:1;) alert tcp 
$HOME_NET any -> [95.214.234.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290904; rev:1;) alert tcp $HOME_NET any -> [111.231.74.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290901; rev:1;) alert tcp $HOME_NET any -> [43.138.0.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290902; rev:1;) alert tcp $HOME_NET any -> [124.221.22.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290900; rev:1;) alert tcp $HOME_NET any -> [62.234.34.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290899; rev:1;) alert tcp $HOME_NET any -> [43.138.0.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1290897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290897; rev:1;) alert tcp $HOME_NET any -> [129.211.214.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290898; rev:1;) alert tcp $HOME_NET any -> [103.225.196.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290895; rev:1;) alert tcp $HOME_NET any -> [47.92.70.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290896; rev:1;) alert tcp $HOME_NET any -> [85.209.153.114] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290894; rev:1;) alert tcp $HOME_NET any -> [106.54.197.233] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290892; rev:1;) alert tcp $HOME_NET any -> [8.134.163.72] 801 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290893; rev:1;) alert tcp $HOME_NET any -> [107.172.34.126] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290890; rev:1;) alert tcp $HOME_NET any -> [47.97.96.79] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290891; rev:1;) alert tcp $HOME_NET any -> [8.137.87.159] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290888; rev:1;) alert tcp $HOME_NET any -> [47.108.164.45] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290889; rev:1;) alert tcp $HOME_NET any -> [47.97.22.116] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290887/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290887; rev:1;) alert tcp $HOME_NET any -> [8.134.139.130] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290886; rev:1;) alert tcp $HOME_NET any -> [47.92.30.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290885; rev:1;) alert tcp $HOME_NET any -> [120.26.139.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290884; rev:1;) alert tcp $HOME_NET any -> [155.94.204.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290883; rev:1;) alert tcp $HOME_NET any -> [155.94.204.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290881; rev:1;) alert tcp $HOME_NET any -> [106.75.15.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290882; rev:1;) alert tcp $HOME_NET any -> [91.149.236.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290880; rev:1;) alert tcp $HOME_NET any -> [107.189.13.28] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290878; rev:1;) alert tcp $HOME_NET any -> [154.9.253.110] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290879; rev:1;) alert tcp $HOME_NET any -> [112.124.33.134] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290877; rev:1;) alert tcp $HOME_NET any -> [8.134.137.100] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; 
classtype:trojan-activity; sid:91290876; rev:1;)
# Domain indicator. dns_query (legacy spelling of the dns.query buffer) is
# compared case-insensitively; depth equal to the content length plus
# isdataat:!1,relative makes this an exact match on the whole query name, so
# subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ellaboratepwsz.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290809; rev:1;)
# URL indicators. Each rule needs an established client-to-server flow, method
# GET, a URI that begins with the listed path (prefix match, case-insensitive)
# and a Host value exactly equal to the listed name.
# NOTE(review): only cleartext HTTP with method GET is covered. Requests over TLS
# or with another method to the same host will not raise these alerts; the dns
# rules for the same names (e.g. sid:91290811, sid:91290812) are the fallback.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"penetratedpoopp.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290805; rev:1;)
# NOTE(review): the Host here is a widely used legitimate service; the indicator
# is the specific profile path, not the domain. Do not derive a domain-level
# block from this entry. The site is normally reached over HTTPS, so without TLS
# inspection this cleartext-HTTP rule will likely see little of that traffic -
# confirm coverage before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199724331900"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"swellfrrgwwos.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"towerxxuytwi.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ellaboratepwsz.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contintnetksows.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reinforcedirectorywd.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"potterryisiw.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"foodypannyjsud.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"contintnetksows.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reinforcedirectorywd.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piedsiggnycliquieaw.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"piedsiggnycliquieaw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; 
sid:91290792; rev:1;)
# URL indicators: established client-to-server flow, method GET, URI beginning
# with "/api" (prefix match, so "/api/..." and "/apixyz" also qualify) and a
# Host value exactly equal to the listed name (depth = content length, then
# isdataat:!1,relative).
# NOTE(review): the same names are also covered by dns rules in this ruleset
# (sid:91290798, sid:91290799). Expect a DNS alert followed by an HTTP alert from
# one host, and correlate on the source address instead of counting them as
# separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"potterryisiw.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"foodypannyjsud.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290794; rev:1;)
# ip:port indicator: address and port only, no flow or payload condition;
# limited to one alert per source host per 60 seconds.
# NOTE(review): ERMAC is reported as Android malware, so this rule is only useful
# if $HOME_NET includes the networks mobile devices use - confirm sensor
# placement.
alert tcp $HOME_NET any -> [103.139.1.202] 3434 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290541; rev:1;)
# Domain indicator at confidence 75: exact, case-insensitive match on the full
# query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.4gnekoland.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290511/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290511; rev:1;)
alert tcp $HOME_NET any -> [15.235.209.194] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; 
sid:91290510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pedestriankodwu.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290804; rev:1;) alert tcp $HOME_NET any -> [5.59.248.220] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pedestriankodwu.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penetratedpoopp.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swellfrrgwwos.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"towerxxuytwi.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290813; rev:1;)
# Payload-delivery URL, not a C2 check-in: a hit means an internal host
# requested the listed path from the listed Host over cleartext HTTP.
# NOTE(review): the rule does not inspect the response, so it cannot tell
# whether a payload was actually served or stored; pair the alert with file or
# endpoint telemetry. "/article.php" is matched as a URI prefix and the Host as
# an exact value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bunkomania.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290828; rev:1;)
# C2 URL: GET, URI prefix and exact Host. The Host match is tied to one
# subdomain; other subdomains of the same parent each need their own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternalgamewindowstest.php"; depth:35; nocase; http.host; content:"640740cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290875; rev:1;)
# ip:port indicators at confidence 50: address and port only, one alert per
# source host per 60 seconds.
# NOTE(review): at this confidence level treat a hit as a lead to investigate,
# not as a verdict. Keep these rules in alert mode and look for repeated,
# periodic connections from the same host before escalating.
alert tcp $HOME_NET any -> [213.195.117.131] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290874; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.181] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290873; rev:1;)
alert tcp 
$HOME_NET any -> [46.246.6.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290872; rev:1;)
# ip:port indicators, all at confidence 50. Each rule fires on any TCP packet
# from $HOME_NET to the listed address and port (no flow or content condition)
# and is limited to one alert per source host per 60 seconds.
# NOTE(review): the msg family label ("Unknown malware", "DCRat", "QakBot") comes
# from the feed entry; nothing in the rule verifies the protocol spoken on the
# connection. Use the label as triage context only.
alert tcp $HOME_NET any -> [91.92.240.70] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290871; rev:1;)
alert tcp $HOME_NET any -> [176.32.38.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290870; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.17] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290869; rev:1;)
# NOTE(review): port 995 is the registered POP3S port, so a mail client talking
# to a mail service on this address would raise the same alert. Check the
# originating process or the TLS metadata before acting on it.
alert tcp $HOME_NET any -> [79.107.142.212] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290868; rev:1;)
alert tcp $HOME_NET any -> [37.111.183.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290867/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290867; rev:1;) alert tcp $HOME_NET any -> [52.183.57.173] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290866; rev:1;) alert tcp $HOME_NET any -> [178.18.254.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290865; rev:1;) alert tcp $HOME_NET any -> [52.196.181.68] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000330.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7cfea12.php"; depth:13; nocase; http.host; content:"cr94982.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290862/; target:src_ip; metadata: 
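confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290862; rev:1;)
# ip:port rules: no flow or payload keywords, so any TCP packet from $HOME_NET to the
# listed address and port matches. The threshold limits output to one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [4.185.58.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290861; rev:1;)
alert tcp $HOME_NET any -> [101.36.111.47] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290860; rev:1;)
# NOTE(review): as published, this rule matched the bare address 188.130.207.35 in
# http.uri and had no http.host match. A normalized request URI begins with "/", so
# that anchored content would not be expected to match ordinary requests.
# Presumably the IOC is a URL with no path; confirm against the ThreatFox entry.
# The match below uses the same form as sid:91290488 in this feed (http.uri "/" plus
# an exact http.host). This is a local correction to a vendor rule and will be
# overwritten by the next feed update unless it is carried in a local rule file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.130.207.35"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290835; rev:1;)
# The http.uri match is anchored at the start only (depth:4, no end check), so any
# GET whose URI begins with "/api" on exactly this host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"citizencenturygoodwk.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290834; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 14348 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; 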
sid:91290832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ghostghostcom.000webhostapp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hzol"; depth:5; nocase; http.host; content:"117.50.177.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290830; rev:1;) alert tcp $HOME_NET any -> [117.50.177.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290829; rev:1;) alert tcp $HOME_NET any -> [120.78.7.92] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290826; rev:1;) alert tcp $HOME_NET any -> [91.92.240.220] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290825; rev:1;) alert tcp $HOME_NET any -> [20.199.8.16] 1726 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_29; classtype:trojan-activity; sid:91290824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999840.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b92e7ab19e861f9.php"; depth:21; nocase; http.host; content:"188.130.207.35"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290822; rev:1;) alert tcp $HOME_NET any -> [47.108.142.95] 64535 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290821; rev:1;) alert tcp $HOME_NET any -> [202.95.15.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"202.95.15.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290819; rev:1;) alert tcp $HOME_NET any -> [185.196.8.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk"; depth:3; nocase; http.host; content:"185.196.8.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290817; rev:1;) alert tcp $HOME_NET any -> [116.198.247.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"116.198.247.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290815; rev:1;) alert tcp 
$HOME_NET any -> [18.136.148.247] 16674 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290814; rev:1;) alert tcp $HOME_NET any -> [185.91.69.98] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_29; classtype:trojan-activity; sid:91290791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"baidenyes.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baidenyes.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290540; rev:1;) alert tcp $HOME_NET any -> [94.156.69.27] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290538; rev:1;) alert tcp $HOME_NET any -> [154.12.229.73] 1994 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290537; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290536; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290535/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290535; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290534; rev:1;) alert tcp $HOME_NET any -> [91.92.254.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290533; rev:1;) alert tcp $HOME_NET any -> [195.133.201.106] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; 
classtype:trojan-activity; sid:91290532; rev:1;) alert tcp $HOME_NET any -> [82.97.249.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290531; rev:1;) alert tcp $HOME_NET any -> [154.12.60.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290530; rev:1;) alert tcp $HOME_NET any -> [219.157.177.120] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290529; rev:1;) alert tcp $HOME_NET any -> [43.129.83.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290528; rev:1;) alert tcp $HOME_NET any -> [111.229.193.40] 38888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290527; rev:1;) alert tcp $HOME_NET any -> [46.246.84.25] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290526; rev:1;) alert tcp $HOME_NET any -> [23.93.90.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290525; rev:1;) alert tcp $HOME_NET any -> [64.229.116.44] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290524; rev:1;) alert tcp $HOME_NET any -> [78.166.52.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290523; rev:1;) alert tcp $HOME_NET any -> [1.161.66.179] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290522; rev:1;) alert tcp $HOME_NET any -> [43.198.114.188] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290521; rev:1;) alert tcp $HOME_NET any -> [40.69.149.188] 445 (msg:"ThreatFox Responder 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290520; rev:1;) alert tcp $HOME_NET any -> [174.138.125.95] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290519; rev:1;) alert tcp $HOME_NET any -> [103.252.116.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290518; rev:1;) alert tcp $HOME_NET any -> [38.147.162.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290517; rev:1;) alert tcp $HOME_NET any -> [88.2.202.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290516; rev:1;) alert tcp $HOME_NET any -> [92.38.160.73] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; 
classtype:trojan-activity; sid:91290515; rev:1;) alert tcp $HOME_NET any -> [164.90.241.207] 2053 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290514; rev:1;) alert tcp $HOME_NET any -> [66.78.40.31] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290513; rev:1;) alert tcp $HOME_NET any -> [66.78.40.31] 31785 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290512; rev:1;) alert tcp $HOME_NET any -> [172.232.164.13] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290509; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 1316 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xgfx"; 
depth:5; nocase; http.host; content:"8.130.111.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_29; classtype:trojan-activity; sid:91290507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"114.132.87.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"funny-sam.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funny-sam.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290503; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bot6110313252:aae6ffozbefhnbent-1dwxi9ebezqtxbygk/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290498; rev:1;)
# NOTE(review) on sid:91290498 above: this is an application-layer http rule, so it
# inspects cleartext HTTP only. api.telegram.org is normally reached over TLS; without
# TLS decryption in front of the sensor this rule is not expected to see the request.
# The host is a shared legitimate service, so the specificity is entirely in the
# bot-specific URI path. The rule also requires GET; confirm the method against the
# ThreatFox entry.
# ip:port rule: no flow or payload keywords, so any TCP packet from $HOME_NET to this
# address and port matches; the threshold limits output to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [185.243.181.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290493; rev:1;)
# Payload-delivery URL rules: GET, URI anchored at its start (depth equals the
# content length, no end check), Host matched exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/26/pls-00208-identifier-is-not-a-legal-cursor-attribute"; depth:64; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bultecappelle.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login-auth-office.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290489/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_29; classtype:trojan-activity; sid:91290489; rev:1;)
# ip:port rule: no flow or payload keywords, so any TCP packet from $HOME_NET to this
# address and port matches; the threshold limits output to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [217.195.197.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290492; rev:1;)
# GET whose URI begins with "/p2p" (start-anchored, no end check) on exactly this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"login-auth-office.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290487; rev:1;)
# http.uri "/" with depth:1 only requires the URI to start with "/", so this rule
# alerts on any GET whose Host is exactly login-auth-office.com. It therefore also
# fires on every request that sid:91290487 matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"login-auth-office.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290488; rev:1;)
# NOTE(review): application-layer http rule, so it inspects cleartext HTTP only.
# discord.com is normally reached over TLS; without TLS decryption in front of the
# sensor this rule is not expected to see the request. The host is a shared
# legitimate service, so the specificity is entirely in the webhook path. The rule
# requires GET, while webhook deliveries are typically POST; confirm the method
# against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/1253689379948593173/lzph5ddd7etwylrpmt2m_ml82ys42yxolytwbwldi4nxulovpmphz7alftfln1rxcqac"; depth:102; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"football-emily.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290496; rev:1;) alert tcp $HOME_NET any -> [47.121.123.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.121.123.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290490; rev:1;) alert tcp $HOME_NET any -> [119.8.162.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.windowsuserapi.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/z"; depth:25; nocase; http.host; content:"www.windowsuserapi.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290484; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this section (one rule per line).
#
# URL indicators (alert http): fire on an established client-to-server request
# whose method buffer contains "GET", whose URI begins with the listed path
# (depth equals the path length, so this is a case-insensitive prefix match)
# and whose Host value equals the listed name or address exactly (depth pins
# the start, isdataat:!1,relative pins the end). Requests using another method
# are not matched, and the rule needs cleartext or already-decrypted HTTP.
#
# IP:port indicators (alert tcp): carry no payload or flow-state keyword, so
# any TCP packet from $HOME_NET to the listed address and port matches,
# including an unanswered SYN. The threshold limits each sid to one alert per
# source address per 60 seconds.
#
# target:src_ip records the $HOME_NET host as the alert's target. The
# confidence level is repeated in msg and in metadata, and first_seen gives the
# date the indicator was first reported; both are useful for triage.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jqueryuiv12.js"; depth:15; nocase; http.host; content:"47.121.141.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290482; rev:1;)
# The next rules pair an ip:port indicator (family named in msg) with a URL
# indicator on the same address: 54.165.22.205, 47.121.123.96, 47.109.51.223
# and 47.236.96.238. The URL rules place no constraint on the destination port.
# NOTE(review): for the two pairs on port 443, the http rule can only fire if
# the request is visible in cleartext; if that traffic is TLS, the ip:port rule
# is the one that alerts - confirm against the ThreatFox entries.
alert tcp $HOME_NET any -> [54.165.22.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.165.22.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.121.123.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290478; rev:1;)
alert tcp $HOME_NET any -> [47.121.123.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290479; rev:1;)
alert tcp $HOME_NET any -> [47.109.51.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.109.51.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290476; rev:1;)
alert tcp $HOME_NET any -> [47.236.96.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.236.96.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999337.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290473; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.3] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290472; rev:1;)
alert tcp $HOME_NET any -> [209.90.234.57] 1913 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290471; rev:1;)
# The three ip:port rules below are published at confidence level 50. They
# match on address and port alone, so an alert shows that a packet was sent
# there, not that the listed family's protocol was observed.
alert tcp $HOME_NET any -> [148.135.115.35] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290468; rev:1;)
alert tcp $HOME_NET any -> [211.95.133.87] 49084 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290467; rev:1;)
alert tcp $HOME_NET any -> [143.92.42.200] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290466; rev:1;)
# Payload-delivery URL indicators: same matching logic as the C2 URL rules; the
# msg marks them as download locations rather than C2 endpoints.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/lounge"; depth:12; nocase; http.host; content:"newcp.thebestbodrumtemizlik.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/apostolic"; depth:15; nocase; http.host; content:"newcpp.constructoraharr.cl"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290464; rev:1;)
# Domain indicator (alert dns): dns_query (older spelling of the dns.query
# buffer) must equal the listed name exactly, ignoring case; a lookup for a
# subdomain of the name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robsheraldry.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290452/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290452; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this section (one rule per line).
#
# URL indicators (alert http): established client-to-server request, method
# buffer contains "GET", URI begins with the listed path (depth equals the path
# length: a case-insensitive prefix match), Host value equals the listed name
# exactly (depth plus isdataat:!1,relative). Other methods are not matched and
# the request must be visible as cleartext or decrypted HTTP.
#
# Domain indicators (alert dns): dns_query (older spelling of the dns.query
# buffer) must equal the listed name exactly, ignoring case. A lookup for a
# subdomain of the listed name does not match.
#
# IP:port indicators (alert tcp): address and port only, no payload or
# flow-state keyword; one alert per source address per 60 seconds per sid.
#
# Four domains in this section (osheafarm.com, lascolinasresortdalas.com,
# robsheraldry.com, poseidon.cool) each have a "/p2p" URL rule and a "/" URL
# rule, next to their DNS rules. The "/" rules use depth:1 and so match any
# URI that starts with "/": they are in effect host-only matches, and a GET for
# /p2p on one of these hosts raises both URL alerts.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"osheafarm.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"lascolinasresortdalas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"robsheraldry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lascolinasresortdalas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poseidon.cool"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoprojectnew.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"robsheraldry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"osheafarm.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"poseidon.cool"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290450; rev:1;)
# DNS rules for three of the domains above. These alert on the lookup itself,
# so they can fire even when the later HTTP request is never seen by the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poseidon.cool"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osheafarm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lascolinasresortdalas.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290454; rev:1;)
# IP:port indicators; the first two are published at confidence level 50.
alert tcp $HOME_NET any -> [91.206.178.85] 9000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290459; rev:1;)
alert tcp $HOME_NET any -> [160.19.78.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290460; rev:1;)
alert tcp $HOME_NET any -> [92.246.138.36] 41426 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290463; rev:1;)
# URL indicators on hosts under xsph.ru: the Host match is on the full listed
# hostname, so sibling hostnames under the same parent domain do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/44e38142.php"; depth:13; nocase; http.host; content:"a0996046.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999792.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290461; rev:1;)
# Payload-delivery URL on a bare IP address, published at confidence level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.208.220.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"8.134.130.147"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1290457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290457; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this section (one rule per line).
#
# URL indicators (alert http): established client-to-server request, method
# buffer contains "GET", URI begins with the listed path (depth equals the path
# length: a case-insensitive prefix match, so "/cm" also matches longer URIs
# that start with those bytes), Host value equals the listed name or address
# exactly. Other methods are not matched and the request must be visible as
# cleartext or decrypted HTTP.
#
# Domain indicators (alert dns): dns_query (older spelling of the dns.query
# buffer) must equal the listed name exactly, ignoring case.
#
# IP:port indicators (alert tcp): address and port only, no payload or
# flow-state keyword; the threshold gives one alert per source address per
# 60 seconds for each sid separately.
# ---------------------------------------------------------------------------
# The same hostname is covered by a URL rule and a DNS rule. Both anchor on the
# full name, so other hostnames under the same parent domain do not alert.
# NOTE(review): the parent looks like a shared cloud gateway domain - confirm
# before using the name for anything broader than this exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-iktxibt6-1305682303.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-iktxibt6-1305682303.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290456; rev:1;)
# URL indicators with short, generic paths. The exact Host match is what makes
# these rules specific; the path alone would not be a usable indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"blacksys.deltadefenses.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290441; rev:1;)
# 43.138.30.109 has two URL rules (different paths, separate sids).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.113.107.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users.jsp"; depth:10; nocase; http.host; content:"121.37.206.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290435; rev:1;)
# IP:port indicators at confidence level 75.
alert tcp $HOME_NET any -> [84.44.148.177] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290433; rev:1;)
alert tcp $HOME_NET any -> [176.174.54.18] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290432; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 36797 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290431; rev:1;)
alert tcp $HOME_NET any -> [5.59.248.206] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.icdns.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290429; rev:1;)
# AsyncRAT indicators at confidence level 50. 193.26.115.132 and 45.88.186.43
# are each listed on ports 6606, 7707 and 8808 under separate sids; because the
# threshold is per sid, one host reaching all ports of an address can raise one
# alert per port within the same minute.
alert tcp $HOME_NET any -> [193.26.115.132] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290427; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.132] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290428; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.132] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290426; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.43] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290425; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.43] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290424; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this section (one rule per line).
#
# IP:port indicators (alert tcp): no payload or flow-state keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches, including an
# unanswered SYN. The threshold gives one alert per source address per
# 60 seconds for each sid. Most entries here are published at confidence
# level 50 and several msg strings read "Unknown malware": the alert shows
# contact with a reported address, not an identified protocol.
#
# URL indicators (alert http): established client-to-server request, method
# buffer contains "GET", URI begins with the listed path (case-insensitive
# prefix match), Host value equals the listed name or address exactly.
#
# Domain indicators (alert dns): dns_query (older spelling of the dns.query
# buffer) must equal the listed name exactly, ignoring case.
#
# target:src_ip records the $HOME_NET host as the alert's target.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [45.88.186.43] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290423; rev:1;)
alert tcp $HOME_NET any -> [77.105.161.171] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290422; rev:1;)
# "Unknown malware" indicators on port 8888, confidence level 50.
alert tcp $HOME_NET any -> [8.220.204.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290421; rev:1;)
alert tcp $HOME_NET any -> [164.92.158.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290420; rev:1;)
alert tcp $HOME_NET any -> [118.89.66.70] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290419; rev:1;)
alert tcp $HOME_NET any -> [175.24.198.41] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290418; rev:1;)
# Confidence-50 indicators, three of them on port 443. An address-and-port
# match cannot tell the reported C2 from any other service reachable at the
# same endpoint, so corroborate before acting on these alone.
alert tcp $HOME_NET any -> [89.148.151.98] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290417; rev:1;)
alert tcp $HOME_NET any -> [85.107.13.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290416; rev:1;)
alert tcp $HOME_NET any -> [71.255.230.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290415; rev:1;)
alert tcp $HOME_NET any -> [52.88.83.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290414; rev:1;)
alert tcp $HOME_NET any -> [111.13.104.234] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290413; rev:1;)
alert tcp $HOME_NET any -> [183.220.149.148] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290412; rev:1;)
# "Unknown malware" indicators on port 7443, confidence level 50.
alert tcp $HOME_NET any -> [16.170.163.148] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290411; rev:1;)
alert tcp $HOME_NET any -> [82.153.138.168] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290410; rev:1;)
alert tcp $HOME_NET any -> [135.148.132.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290409; rev:1;)
# Payload-delivery URL on a bare IP address, published at confidence level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"112.239.97.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290408; rev:1;)
alert tcp $HOME_NET any -> [176.97.114.45] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290402/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290402; rev:1;)
# Exact-name DNS match: only a lookup for this full hostname alerts, not other
# names under the same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnetddos.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290404; rev:1;)
alert tcp $HOME_NET any -> [160.177.56.173] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290407; rev:1;)
# The same path, "/l1nc0in.php", is listed on several different hosts; each
# rule is tied to its own Host value and fires independently.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0997235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"an.cloudto.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91290405; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this section (one rule per line).
#
# URL indicators (alert http): established client-to-server request, method
# buffer contains "GET", URI begins with the listed path (depth equals the path
# length: a case-insensitive prefix match), Host value equals the listed name
# or address exactly (depth plus isdataat:!1,relative). Other methods are not
# matched and the request must be visible as cleartext or decrypted HTTP.
#
# IP:port indicators (alert tcp): address and port only, no payload or
# flow-state keyword; one alert per source address per 60 seconds per sid.
#
# Domain indicators (alert dns): dns_query (older spelling of the dns.query
# buffer) must equal the listed name exactly, ignoring case. The parent domain
# and other hostnames under it do not match.
#
# target:src_ip records the $HOME_NET host as the alert's target.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000056.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290403; rev:1;)
alert tcp $HOME_NET any -> [107.173.62.181] 17120 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290401; rev:1;)
alert tcp $HOME_NET any -> [114.116.244.244] 4495 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.95.31.143"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290399; rev:1;)
# 43.163.235.40 is listed by address and port 80 and by URL. A cleartext GET
# for the listed path sent to that address on port 80 with a matching Host
# value satisfies both rules, so expect two alerts for one request.
alert tcp $HOME_NET any -> [43.163.235.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes"; depth:14; nocase; http.host; content:"43.163.235.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.76.67.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290396; rev:1;)
# 186.2.171.60 is listed as a payload-delivery URL and as an ip:port indicator
# on 443 whose msg names Poseidon.
# NOTE(review): if the download is served over TLS on 443, the http rule will
# not see the URI without decryption and only the ip:port rule alerts - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"186.2.171.60"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290123; rev:1;)
alert tcp $HOME_NET any -> [186.2.171.60] 443 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290124; rev:1;)
# Payload-delivery domains. Each rule matches one full hostname; the left-most
# labels (panda., pipp., newscp.) repeat across different parent domains, and
# the parent domains themselves are not matched. These rules alert on the DNS
# lookup only: an alert shows that a host resolved the name, not that a
# download took place, so follow up with proxy or endpoint evidence.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.superdreadi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.vifurni.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.viralhab.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.vuacanvas.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.dilagosburguer.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.japanbangladeshhospital.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.laofix.com.tr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.pantallita.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.sixfibras.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.sagarsprings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.sc3bhgr7781.universe.wf"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.seotoronto.company"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.siarabd.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.soltani-shopping.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.superanimalpet.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.swammovers.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"newscp.tora-ks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.tracymasonmedia.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.trimitrateknikmandiri.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.universalauto2000.it"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.usgonline.mx"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.valledelinka.com.pe"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.webhostingneo.co.id"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.xmartechpro.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.xpresscard.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.youthtuko.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.arcaem.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290380/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.ckinam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.ffde.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.fxtransportation.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.grupoqueiroz.pt"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.levinesolutions.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290385; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.lojaniq.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.exideinverterbattery.in"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.fatp.co.tz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.gclenterprises.in"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.geber.com.mx"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"newscp.grupoempresarialvasram.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.heefhotel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.hydrosolutions.pe"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ibis-inspection.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.internetareal.net.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.janeladedramaturgia.com"; depth:30; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.junoindia.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.khulumameals.co.za"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.lf21.my.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.mappingcanvasser.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.maridadymotors.co.ke"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290349/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.mexicodemaria.mx"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.mgglobalinvest.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.myportodigital.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ndwc.com.py"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.nppp.pk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91290354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.nsaservices.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.oanachivu.ro"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.oiltanker.com.ng"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ontrace.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.posdata-si.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"newscp.psiqo.com.pe"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.rafaelhsouza.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.sacs.ec"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.akia.com.mx"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.alauddinsweetmeat.com.bd"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.almastudio.pe"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.antaema.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.arabic.du.ac.bd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.aromatherapyacademy.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.atiliomarola.com.ar"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.aunurrafiqofficial.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.bangfirmanofficial.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.blueheadfilms.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.botchats.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.carboneralabanda.com.co"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.carvalhocruz.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290323/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91290323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.chaucatotoursperu.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.clay.net.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.cncmorelos.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.colbachabierto.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.computertechsperts.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290328; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.danmartin.ro"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.darfurfm.sd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.debellis.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.digitalmaster.ro"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.dominioarquitectura.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"newscp.ebitan.com.bd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.pkmkaranganyar.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.pmkt.ao"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.polomilano.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.polyvin.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.powerunits.com.ng"; depth:24; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1290287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290287; rev:1;)
# --- ThreatFox "payload delivery" domain IOCs, first_seen 2024_06_28 (one rule per line) ---
# Match logic: in each rule, depth equals the length of the content string and
# isdataat:!1,relative requires that no byte follows the match, so the rule fires
# only when the DNS query name is exactly the listed host (nocase = case-insensitive).
# The parent domain and any other host name under it are not covered by these rules.
# dns_query is the legacy spelling of the dns.query sticky buffer.
# Triage: these rules carry no threshold keyword, so every matching query raises an
# alert. target:src_ip marks the querying $HOME_NET address as the affected side.
# NOTE(review): if clients resolve through an internal resolver, that address may be
# the resolver rather than the workstation - correlate with resolver logs to confirm.
#
# sid 91290288-91290310: newcpp.* and newscp.* hosts
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.protrans.com.ph"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.quasarful.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.revenueacademy.it"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sagarsprings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sandrasperling.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sc1jtfu9765.universe.wf"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.seguroautoagora.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.seis.co.ke"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sketchersdesign.co.ke"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sscmcc.cl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.stratwood-gs.ro"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.streakk.com.ng"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.tdsorsta.ro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.techtrust.pt"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.tecsoluciones.com.pe"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.testabeko.mamaquette.fr"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.thehumanitarianfund.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.uptourismguide.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.urushomestay.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.xyfinity.co.za"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.aeni-script.my.id"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.agenciazurc.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ainirentcar.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290310; rev:1;)
# sid 91290261-91290282: newcpp.* hosts
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.fundacionequiterra.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.gemsinnovation.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.h-bsofwares.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.huncanlit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.husamekhrawesh.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ibis-inspection.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.institutoiba.org.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.johnballis.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.khabarworld.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.killerworkdev.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.kotok.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ktktech.my.id"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.kystibbi.com.tr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lacitavilla.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lakcards.lk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lenterdit.com.ar"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lindaballis.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.logdist.ma"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.luicreativestudio.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.magyarkoltok.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.meiya.co.ke"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ontrace.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290282; rev:1;)
# sid 91290234-91290260: newcpp.* hosts
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.aceleraventas.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.addisbasketball.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.adrenalinanet.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.afrokulchatravel.co.za"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.aminadabelago.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.aurejewelry.ca"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.averynigeria.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.balebuku.my.id"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.bandamuveegroov.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.better-gpt.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.build-2-suit.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.casadefriossaobenedito.com.br"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.confidable.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.conquermark.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.damaskin.ro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ditsaambiental.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.doncellafem.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.dungnguyenarchi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.durumdelight.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.easthartfordinterfaith.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.education21kulimpku.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.espace-food.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.espinhoserosas.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.exactcolor.co.ke"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.falahatishop.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.fitnessupbeat.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.fridaybd.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290260; rev:1;)
# sid 91290202-91290233: newcp.* hosts (the last two entries are newcpp.*)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.recubplast.com.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.royalcontingencia.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.rsquad.co.ke"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.safipompe.ma"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sagarsprings.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sbaqala.pk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sc3bhgr7781.universe.wf"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.seo7sry.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.skinorra.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.smartlabor.it"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.solarib.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sosgestion.com.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.spiegelenergy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.spiegelenergy.com.au"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.stargazemining.co.za"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.superanimalpet.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tamilankadai.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tamminguyen.co.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tammisnaps.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.thebestbodrumtemizlik.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.thisisafricas.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tuintiadmin.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ultisol.co.za"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.universal-kikaku.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.uns-kikaku.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.urunstand.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.visualmakers.com.pk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.vozminera.mx"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.wine-ar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.youknowpeople.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.4182-0006ac95072f.wptiger.fr"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.abarclinic.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290233; rev:1;)
alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.induslab.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.inkopau-rentcar.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ithalatcimiz.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.japeto.ro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.johnballis.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"newcp.karyacorp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.libuinsi.my.id"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.liderford.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.lindaballis.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.lojaflordocerrado.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.lourencoviajante.pt"; depth:25; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1290182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.maeslanden.nl"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.maskinsoftware.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.maxxcontrol.com.tr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.medyapm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.meiya.co.ke"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290187/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.metse.co.bw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.mexicodemaria.mx"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.multipolarsolution.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.naseemtravels.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.neutown.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ngopicoding.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.niceguyrebrands.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.nirmalexpertsolutions.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.perapeyzaj.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.piolinspa.cl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"newcp.plastikiniai-langai.eu"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.pnmls.cd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.posdata-si.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ram-service.cl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.frederic-monereau.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.freud.radi0.im"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.fxtransportation.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.gaziemircicekciler.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.generation-green.ma"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.geofieldp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ghdemo.com.tr"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290165/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.gridedgenews.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.gssgroup.co.ke"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.h-bsofwares.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.harasselection.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.hiraotomatikkapi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290170; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.hypercctv.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.aurejewelry.ca"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.avalanche-store.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.balcovacicekciler.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bayraklicicekciler.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"newcp.bazis-t.uz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.beyondxgroup.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bitezeventwedding.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bizaccord.com.pk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bnkilaclama.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bonggayon.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1290146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bornovacicekciler.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.boscosoft.ae"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.botchats.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.brntemizlik.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.clay.net.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290151/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.colegioburiti.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.departamentosenpueblolibre.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.dihucar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.dominantlegaltrans.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.essasattire.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290156; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.fahadengineerings.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.franciaim.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.abagenciamarketingdigital.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.adrenalinanet.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.afrikwebacademy.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"newcp.americansports.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.amtech.sd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.andersonconstantino.com.br"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ankaradatemizliksirketi.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.arteimparables.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.aurcleaning.com"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290136; rev:1;)
# HTTP URL indicators (one rule per ThreatFox IOC; the sid is the IOC id prefixed with 9).
# Matching pattern shared by the http rules below:
#   - http.uri content with depth equal to the pattern length anchors the path at the start
#     of the URI but does not pin its end, so a longer URI with the same prefix also matches.
#   - http.host content with the same depth plus isdataat:!1,relative requires the Host value
#     to equal the pattern exactly. http.host is the normalized (lower-cased) Host buffer,
#     which is why the host patterns carry no nocase.
#   - target:src_ip marks the $HOME_NET client as the affected host in the alert record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/wittily"; depth:13; nocase; http.host; content:"newcpp.powerunits.com.ng"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/effectual"; depth:15; nocase; http.host; content:"bitpa.miogatto.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290127; rev:1;)
# The URI pattern here is just "/" (depth:1), so in practice any GET request whose Host is
# 79.137.192.4 matches. Treat a hit as "client spoke HTTP to this address", not as a match
# on a specific C2 path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"79.137.192.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290102; rev:1;)
# sid:91290104 and sid:91290105 have identical match conditions (same URI and Host) and
# differ only in the ThreatFox IOC reference, so a single request raises both alerts.
# De-duplicate on flow or URL when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"zestyahhdog.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"zestyahhdog.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290105; rev:1;)
# Same situation for sid:91290106 and sid:91290107: identical conditions, Host given as an
# IP literal, two alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"37.27.82.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"37.27.82.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290107; rev:1;)
# ip:port indicators (Poseidon, 37.27.82.196 on ports 80 and 443). These rules carry no flow
# or payload keywords, so any TCP packet from $HOME_NET to the listed address and port
# matches; the threshold limits output to one alert per source address per 60 seconds.
# A plain-HTTP download from this address is likely to raise the port-80 alert alongside the
# http rules for Host 37.27.82.196 above.
alert tcp $HOME_NET any -> [37.27.82.196] 80 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290109; rev:1;)
alert tcp $HOME_NET any -> [37.27.82.196] 443 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1290110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zestyahhdog.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"jaipurstylo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jaipurstylo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jaipurstylo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"jaipurstylo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290115; rev:1;)
# Payload-delivery indicators, http and dns variants.
# http rules: the URI pattern is a start-anchored prefix (depth only), the Host pattern is an
# exact match (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"helpcenter.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290116; rev:1;)
# dns rules: dns_query with depth equal to the name length plus isdataat:!1,relative matches
# that exact query name only (case-insensitively); other labels under the same domain are
# not covered by this rule. The alert fires on the lookup itself, before any connection.
# NOTE(review): where clients resolve through an internal recursive resolver, the alert
# source is likely to be the resolver rather than the originating host - correlate with
# resolver query logs to find the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.zestyahhdog.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290119; rev:1;)
# sid:91290118 and sid:91290117 have identical match conditions and differ only in the
# ThreatFox IOC reference, so one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"www.zestyahhdog.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"www.zestyahhdog.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290117; rev:1;)
# sid:91290120 and sid:91290121 are likewise identical apart from the IOC reference.
# NOTE(review): the host name embeds 196.82.27.37, which reads as 37.27.82.196 reversed -
# presumably a provider-assigned name for that address; confirm before pivoting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"static.196.82.27.37.clients.your-server.de"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"static.196.82.27.37.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"static.196.82.27.37.clients.your-server.de"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"ip.tvguzel.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"ip.tvguzel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-access.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-ch.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-ch.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91290070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"extraiptv.giize.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"hd.hdweb2.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"register-agov.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"tv.surebettr.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"tv.yayins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-access.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-access.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-ch.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; 
http.host; content:"www.extraiptv.giize.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-ch.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hd.hdweb2.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.register-agov.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-ch.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"extraiptv.giize.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"register-agov.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tv.surebettr.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tv.yayins.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-access.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-ch.com"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1290090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-access.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-ch.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.extraiptv.giize.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.register-agov.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290094/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290094; rev:1;)
# http rule: URI is a start-anchored prefix match (depth only); Host must equal the pattern
# exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-access.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290095; rev:1;)
# ip:port indicator: no flow or payload keywords, so any TCP packet from $HOME_NET to
# 5.188.88.218:443 matches, limited to one alert per source address per 60 seconds.
# The alert establishes contact with the address only; it says nothing about what was
# requested, so confirm with TLS/proxy or endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [5.188.88.218] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290096; rev:1;)
# Lower-confidence indicator (confidence_level 50, against 100 for the neighbouring rules);
# weigh it accordingly in triage. Host is matched as an IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"175.107.3.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290097; rev:1;)
# n9shteam2.top C2 domains. Every dns rule here is an exact-name match: depth equals the
# name length and isdataat:!1,relative rejects anything longer. That is why each
# <digits>cm.n9shteam2.top label has its own rule, and why sid:91290068 (the bare domain)
# does not cover any subdomain. A label that is not yet in the feed will not alert; sites
# that want suffix coverage need a locally maintained rule for it (for example a dns query
# match on ".n9shteam2.top" anchored with endswith) under a local sid.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"288583cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"392065cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"466037cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"918938cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290067; rev:1;)
# Bare parent domain: matches a query for exactly "n9shteam2.top" and nothing beneath it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n9shteam2.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"415566cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"297037cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290051; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"113304cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"421820cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"356137cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"445443cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"791660cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"474452cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"115583cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"042506cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"234540cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"815156cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"272450cm.n9shteam2.top"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"810755cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"502647cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"560216cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"784334cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"800453cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290039/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"351866cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"545735cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"024460cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"256435cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"113313cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91290044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"476258cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"452132cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"112880cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"478925cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"739668cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"318907cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"218629cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"378418cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"796367cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"373430cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"055442cm.n9shteam2.top"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"901329cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"550515cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"044913cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"994609cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"677846cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"842614cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"130727cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"741211cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"505732cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"462708cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290008/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"797441cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"080864cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"865461cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"751120cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"463281cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290013; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"596048cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"466329cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"041018cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"956330cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"034928cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"913987cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"587986cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"946663cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"040943cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"931740cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"656709cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1289994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"096241cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"851594cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"314172cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"118621cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"338453cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289999/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"621287cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"826969cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"226037cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"382119cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"173920cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290004; rev:1;) 
# NOTE(review): each dns rule on this line matches one exact query name:
# depth equals the length of the content string and isdataat:!1,relative
# rejects any byte after it, so another label under the same parent domain
# does not match. All names here have the form <six digits>cm.n9shteam2.top.
# If the parent domain as a whole is treated as hostile, a single local rule
# on the suffix (dns.query; content:".n9shteam2.top"; endswith; nocase;) would
# also cover labels the feed has not listed yet. Give it a sid outside the
# feed's range and check it against resolver logs before enabling it.
# An alert means a $HOME_NET source sent the query, not that a C2 session
# followed. Where clients use an internal recursive resolver, src_ip may be
# the resolver rather than the infected host (depends on sensor placement;
# confirm against DNS server logs).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"625492cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"367191cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"047138cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"473366cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"235566cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"206481cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"424673cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"306003cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.46.204.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289984; rev:1;) alert tcp $HOME_NET any -> [120.46.204.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289985; rev:1;) alert tcp $HOME_NET any -> [45.40.96.164] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289983; rev:1;) alert tcp $HOME_NET any -> [147.45.47.83] 7622 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmrequestupdateapibigloaddblinuxtest.php"; depth:41; nocase; http.host; content:"040943cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999929.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289979; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289977; rev:1;) alert tcp $HOME_NET any -> [107.173.140.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/develop/messaging/w5jk7inlq"; depth:28; nocase; http.host; content:"cscs.beauty"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"104.243.27.95"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289974; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.40.63.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289972; rev:1;) alert tcp $HOME_NET any -> [39.99.34.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"122.51.216.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"184.73.109.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289968; rev:1;) alert tcp $HOME_NET any -> [184.73.109.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.micorosoft-ai.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micorosoft-ai.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.99.34.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91289965; rev:1;) alert tcp $HOME_NET any -> [101.201.178.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.178.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289963; rev:1;) alert tcp $HOME_NET any -> [39.103.236.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.103.236.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.13.86"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1289960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289960; rev:1;) alert tcp $HOME_NET any -> [5.59.248.211] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-ch.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-ch.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289957; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"register-agov.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289958; rev:1;)

# ---------------------------------------------------------------------------
# ThreatFox-generated signatures, all with first_seen 2024_06_28, restored to
# one rule per line. Three rule shapes occur below:
#
#   dns      dns_query content with depth equal to the domain length plus
#            isdataat:!1,relative, i.e. an exact match on the queried name
#            (case-insensitive via nocase). A query for a subdomain of a
#            listed domain does not match.
#   http     client-side GET requests on established flows only. http.uri is
#            anchored at offset 0 by depth but has no end anchor, so it is a
#            prefix match; http.host is matched exactly (depth plus
#            isdataat:!1,relative). Destination port is "any".
#   ip:port  no flow, flags or payload keywords, so any TCP packet from
#            $HOME_NET to the listed address and port matches (presumably
#            including the initial SYN). threshold limits output to one alert
#            per source per 60 seconds. An alert shows a connection attempt,
#            not a confirmed C2 session.
#
# target:src_ip marks the $HOME_NET host as the target in alert output.
# metadata confidence_level takes the values 50, 75 and 100 here.
# NOTE(review): the rules carry first_seen but no expiry, and an address can
# be reassigned; a 50% ip:port hit on ports 80/443 is best treated as a lead
# to corroborate with DNS/TLS/endpoint telemetry - assumption, confirm
# against local triage policy.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"register-agov.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"79.137.192.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a066a53ea1064ac7.php"; depth:21; nocase; http.host; content:"94.156.68.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289951; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.111] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289947; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.111] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289946/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289946; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.111] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289945; rev:1;)
alert tcp $HOME_NET any -> [185.104.195.215] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289936; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.226] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289935; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.226] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289934; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.226] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289933; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.252] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289932; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.125] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289931; rev:1;)
alert tcp $HOME_NET any -> [128.90.128.201] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289930; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289929; rev:1;)
alert tcp $HOME_NET any -> [18.166.31.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289928; rev:1;)
alert tcp $HOME_NET any -> [150.129.82.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.3.195.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289767; rev:1;)
# NOTE(review): sid 91289768 and sid 91289769 have identical match conditions
# (GET, URI prefix /tftp, host 122.52.177.244), so one request raises both.
# The ip:port rules sid 91289800 and sid 91289801 list this address on ports
# 19001 and 19002; the two URL IOCs presumably differ only by port, which
# these rules do not test - confirm against the ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.52.177.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.52.177.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.52.233.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"124.105.81.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"14.142.209.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"170.210.81.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"170.210.81.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"182.72.167.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"185.224.107.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"190.108.63.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"200.123.251.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.39.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.44.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.39.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289780; rev:1;)
# NOTE(review): sid 91289782 and sid 91289783 have identical match conditions
# (host 202.57.50.194), so one request raises both. The ip:port rules
# sid 91289814 and sid 91289815 list this address on ports 19001 and 19002;
# presumably the URL IOCs differ by port - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.50.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.50.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.51.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.55.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.93.228.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"211.192.113.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"211.192.113.232"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"211.40.16.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289789; rev:1;)
# NOTE(review): sid 91289790 and sid 91289791 have identical match conditions
# (host 223.25.14.122), so one request raises both. The ip:port rules
# sid 91289822 and sid 91289823 list this address on ports 19001 and 19002;
# presumably the URL IOCs differ by port - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"223.25.14.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"223.25.14.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"223.25.21.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"45.118.79.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"103.134.214.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"12.196.184.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289766; rev:1;)
alert tcp $HOME_NET any -> [79.107.150.48] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiolok.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289763; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.221] 2424 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"82.77.65.195"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"89.184.185.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289795; rev:1;)
# The 100%-confidence "Unknown malware" ip:port rules sid 91289797 through
# sid 91289826 (interleaved with two QakBot rules below) use addresses that
# also appear as http.host in the /tftp payload-delivery rules above. A single
# HTTP fetch from one of these hosts can therefore raise both a url alert and
# an ip:port alert; correlate on src_ip and destination before counting hosts.
alert tcp $HOME_NET any -> [202.57.55.10] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289817; rev:1;)
alert tcp $HOME_NET any -> [202.57.50.194] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289814; rev:1;)
alert tcp $HOME_NET any -> [202.57.50.194] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289815; rev:1;)
alert tcp $HOME_NET any -> [202.57.51.34] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289816; rev:1;)
alert tcp $HOME_NET any -> [202.57.39.2] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289812; rev:1;)
alert tcp $HOME_NET any -> [202.57.44.122] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289813; rev:1;)
alert tcp $HOME_NET any -> [70.27.138.141] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289925; rev:1;)
alert tcp $HOME_NET any -> [190.108.63.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289809; rev:1;)
alert tcp $HOME_NET any -> [200.123.251.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289810; rev:1;)
alert tcp $HOME_NET any -> [202.57.39.194] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289811; rev:1;)
alert tcp $HOME_NET any -> [185.224.107.4] 8580 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289808; rev:1;)
alert tcp $HOME_NET any -> [170.210.81.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289806; rev:1;)
alert tcp $HOME_NET any -> [182.72.167.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289807; rev:1;)
alert tcp $HOME_NET any -> [187.170.246.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289924; rev:1;)
alert tcp $HOME_NET any -> [170.210.81.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289805; rev:1;)
alert tcp $HOME_NET any -> [14.142.209.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289804; rev:1;)
alert tcp $HOME_NET any -> [124.105.81.130] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289803; rev:1;)
alert tcp $HOME_NET any -> [122.52.177.244] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289801; rev:1;)
alert tcp $HOME_NET any -> [122.52.233.104] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289802; rev:1;)
alert tcp $HOME_NET any -> [122.3.195.178] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289799; rev:1;)
alert tcp $HOME_NET any -> [122.52.177.244] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289800; rev:1;)
alert tcp $HOME_NET any -> [12.196.184.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289798; rev:1;)
alert tcp $HOME_NET any -> [103.134.214.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289797; rev:1;)
alert tcp $HOME_NET any -> [202.93.228.170] 8877 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289818; rev:1;)
alert tcp $HOME_NET any -> [211.192.113.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289819; rev:1;)
alert tcp $HOME_NET any -> [211.192.113.232] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289820; rev:1;)
alert tcp $HOME_NET any -> [211.40.16.243] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289821; rev:1;)
alert tcp $HOME_NET any -> [223.25.14.122] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289822; rev:1;)
alert tcp $HOME_NET any -> [223.25.14.122] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289823; rev:1;)
alert tcp $HOME_NET any -> [223.25.21.62] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289824; rev:1;)
alert tcp $HOME_NET any -> [45.118.79.103] 8892 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289825; rev:1;)
alert tcp $HOME_NET any -> [82.77.65.195] 830 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289826; rev:1;)
# NOTE(review): the next rule's destination port is 445 (SMB). Outbound SMB to
# Internet addresses is normally blocked at the perimeter, so a hit here is
# also a prompt to check egress filtering - assumption about the deployment,
# confirm locally.
alert tcp $HOME_NET any -> [77.221.154.30] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289923; rev:1;)
alert tcp $HOME_NET any -> [5.42.221.151] 60606 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289922; rev:1;)
alert tcp $HOME_NET any -> [204.13.232.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289921; rev:1;)
alert tcp $HOME_NET any -> [81.169.158.60] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289920; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.13] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289919; rev:1;)
alert tcp $HOME_NET any -> [92.118.112.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289918; rev:1;)
alert tcp $HOME_NET any -> [92.118.112.10] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289917; rev:1;)
alert tcp $HOME_NET any -> [163.172.136.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289916; rev:1;)
alert tcp $HOME_NET any -> [185.229.9.27] 21 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289915; rev:1;)
alert tcp $HOME_NET any -> [120.26.192.87] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289914; rev:1;)
alert tcp $HOME_NET any -> [121.91.37.98] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289913; rev:1;)
alert tcp $HOME_NET any -> [182.91.252.41] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289912; rev:1;)
alert tcp $HOME_NET any -> [119.96.62.178] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289911; rev:1;)
alert tcp $HOME_NET any -> [144.86.159.57] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289910; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.102] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dfddc22e.php"; depth:13; nocase; http.host; content:"a0998701.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ci15096.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289907; rev:1;)
alert tcp $HOME_NET any -> [51.15.254.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289906; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.92] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289828/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289828; rev:1;)
alert tcp $HOME_NET any -> [45.74.8.236] 5355 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"harmfullyelobardek.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoproject1.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289831; rev:1;) alert tcp $HOME_NET any -> [45.90.13.207] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289761/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clients.kaitenc2.de"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289762/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289762; rev:1;) alert tcp $HOME_NET any -> [185.200.221.15] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289902/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91289902; rev:1;)
# Sliver ip:port indicators (confidence_level 100).
# No flow or payload keyword is present, so the match is on destination address and port
# alone; the threshold option limits output to one alert per source address per 60 seconds.
# Most entries are on 443; the rest use 2000, 8080, 8443, 8888, 9443, 33337 and 60000.
# NOTE(review): several of these addresses look like public-cloud address space, where an
# address can later pass to an unrelated tenant - check first_seen (2024_06_28) and the linked
# ThreatFox entry before acting on a late hit.
alert tcp $HOME_NET any -> [47.76.140.7] 33337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289903; rev:1;)
alert tcp $HOME_NET any -> [200.58.103.229] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289904; rev:1;)
alert tcp $HOME_NET any -> [180.184.69.31] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289905; rev:1;)
alert tcp $HOME_NET any -> [18.191.57.224] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289900; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.224] 9443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289901; rev:1;)
alert tcp $HOME_NET any -> [134.209.191.240] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289898; rev:1;)
alert tcp $HOME_NET any -> [213.183.73.220] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289899; rev:1;)
alert tcp $HOME_NET any -> [13.112.55.132] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289896; rev:1;)
alert tcp $HOME_NET any -> [157.230.15.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289897; rev:1;)
alert tcp $HOME_NET any -> [38.150.34.181] 2000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289893; rev:1;)
alert tcp $HOME_NET any -> [45.63.26.220] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289894; rev:1;)
alert tcp $HOME_NET any -> [202.182.106.2] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289895; rev:1;)
alert tcp $HOME_NET any -> [148.113.5.49] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289892; rev:1;)
alert tcp $HOME_NET any -> [3.235.7.20] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289889; rev:1;)
alert tcp $HOME_NET any -> [20.212.244.216] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289890; rev:1;)
alert tcp $HOME_NET any -> [23.22.218.218] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289891; rev:1;)
alert tcp $HOME_NET any -> [140.99.164.226] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289888; rev:1;)
alert tcp $HOME_NET any -> [151.236.216.235] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289885; rev:1;)
alert tcp $HOME_NET any -> [4.185.109.49] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289886; rev:1;)
alert tcp $HOME_NET any -> [118.25.103.251] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289887; rev:1;)
alert tcp $HOME_NET any -> [147.45.251.185] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289884; rev:1;)
alert tcp $HOME_NET any -> [35.188.65.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289882; rev:1;)
alert tcp $HOME_NET any -> [94.198.54.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289883; rev:1;)
# Sliver ip:port indicators on port 31337 (confidence_level 100): one rule, sid and ThreatFox
# reference per address. Every destination in this run lies inside 194.113.74.0/23.
# The rules have no flow or payload keyword, so any TCP packet from $HOME_NET to the listed
# address and port matches; the threshold option limits output to one alert per source
# address per 60 seconds.
# NOTE(review): 31337 is, as far as I know, the default port of Sliver's multiplayer (operator)
# listener rather than an implant callback port - confirm, since that changes how a hit from
# $HOME_NET should be triaged.
alert tcp $HOME_NET any -> [194.113.75.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289880; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.242] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289881; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289875; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289876; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289877; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289878; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289879; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289870; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289871; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289872; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289873; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.250] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289874; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289865; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289866; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289867; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289868; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289869; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289858; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289859; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289860; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289861; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289862; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.55] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289863; rev:1;)
# Sliver ip:port indicators on port 31337 (confidence_level 100), one rule per address.
# The 194.113.72.x, 194.113.73.x and 194.113.74.x destinations all fall inside
# 194.113.72.0/22; the entries after them are single addresses in other ranges.
# No flow or payload keyword is present, so the match is on destination address and port
# alone, limited to one alert per source address per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [194.113.74.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289864; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289854; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.226] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289855; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289856; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289857; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289849; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289850; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289851; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289852; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289853; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289845; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289846; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289847; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289848; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289844; rev:1;)
alert tcp $HOME_NET any -> [104.248.176.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289843; rev:1;)
alert tcp $HOME_NET any -> [45.156.26.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289839; rev:1;)
alert tcp $HOME_NET any -> [50.116.32.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289840; rev:1;)
# 51.15.254.78 also has a separate rule for port 8888 at confidence 50 (sid:91289906).
alert tcp $HOME_NET any -> [51.15.254.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289841; rev:1;)
alert tcp $HOME_NET any -> [52.196.181.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289842; rev:1;)
alert tcp $HOME_NET any -> [43.154.18.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289836; rev:1;)
alert tcp $HOME_NET any -> [45.154.14.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289837/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91289837; rev:1;)
# ip:port rules: the rule header (destination address and port) is the whole match. There are
# no flow or content keywords, so any TCP packet from $HOME_NET to that endpoint qualifies.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per
# source host per 60 seconds. target:src_ip tags the $HOME_NET side as the target in the
# alert event, i.e. the internal host is the one to investigate.
# Each sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [45.154.14.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289838; rev:1;)
alert tcp $HOME_NET any -> [23.95.48.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289835; rev:1;)
# url rules: a GET request whose URI starts with the listed path (depth equals the pattern
# length, and nothing pins the end of the URI, so longer URIs with this prefix also match)
# and whose Host is exactly the listed value (depth plus isdataat:!1,relative).
# nocase applies to the http.uri content only. With a 3-byte path such as "/cx" the exact
# Host match carries most of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"162.244.82.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289834; rev:1;)
# Address-only match on port 80: any other web traffic from $HOME_NET to this address alerts
# as well, so pair a hit with HTTP logs for the same flow before triage.
alert tcp $HOME_NET any -> [202.95.13.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289833; rev:1;)
# Tagged "payload delivery" rather than C2, and only confidence_level 50: treat a hit as a
# lead to corroborate (what was fetched, what the host did next), not as a verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.97.114.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289832; rev:1;)
alert tcp $HOME_NET any -> [87.121.61.91] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289796; rev:1;)
# The Host here is one specific subdomain of xsph.ru; because the host match is exact,
# other subdomains of the same parent are not covered by (or caught by) these two rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee2a3208.php"; depth:13; nocase; http.host; content:"a0998932.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cfc1dec.php"; depth:13; nocase; http.host; content:"a0998535.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289759; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.183] 15096 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289643; rev:1;)
# domain rules: dns_query must equal the name exactly (depth equals the pattern length,
# isdataat:!1,relative forbids trailing bytes, nocase ignores case). Queries for subdomains
# of the listed name do not match. These rules carry no threshold, so every matching query
# produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"andrebadi.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289712; rev:1;)
alert tcp $HOME_NET any -> [172.93.111.165] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backwork07.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289714; rev:1;)
# NOTE(review): 13.60.33.38 is listed again in sid:91289718 on another port under a
# different family name. If these addresses are shared cloud or tunnelling endpoints (the
# rules do not say), the address can be reassigned; weigh first_seen before trusting a hit.
alert tcp $HOME_NET any -> [13.60.33.38] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289716; rev:1;)
alert tcp $HOME_NET any -> [3.68.171.119] 11492 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289717; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 11619 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"monimaturast.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289739; rev:1;)
# Every rule in this stretch is confidence_level 50. The domain rule matches the queried name
# exactly (depth equals the pattern length plus isdataat:!1,relative), case-insensitively.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"operaconuka.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289740; rev:1;)
# The ip:port rules below fire on destination address and port alone (no flow or content
# keywords), limited to one alert per source host per 60 seconds. At confidence 50 a hit
# means "this host contacted an address ThreatFox listed on first_seen" and nothing about
# the payload; corroborate with flow, TLS or endpoint data before acting on it.
alert tcp $HOME_NET any -> [185.104.195.215] 7070 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289758; rev:1;)
alert tcp $HOME_NET any -> [128.90.129.74] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289757; rev:1;)
alert tcp $HOME_NET any -> [35.194.215.14] 111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289756; rev:1;)
# Ports 80 and 443 on a single address: ordinary web traffic to the same address matches
# too, which makes these the likeliest false-positive sources in this group.
alert tcp $HOME_NET any -> [94.156.68.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289755; rev:1;)
alert tcp $HOME_NET any -> [212.113.100.91] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289754; rev:1;)
alert tcp $HOME_NET any -> [40.76.5.235] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289753; rev:1;)
alert tcp $HOME_NET any -> [222.112.248.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289752; rev:1;)
alert tcp $HOME_NET any -> [89.148.149.203] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289751; rev:1;)
alert tcp $HOME_NET any -> [217.165.15.9] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289750; rev:1;)
# Destination port 445 is SMB: a hit here is outbound SMB from $HOME_NET to an Internet
# address. Independent of the IOC, perimeter policy normally denies that, so an alert is
# also evidence of an egress-filtering gap.
alert tcp $HOME_NET any -> [5.181.47.175] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289749; rev:1;)
alert tcp $HOME_NET any -> [91.245.253.10] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289747; rev:1;)
alert tcp $HOME_NET any -> [185.238.250.143] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289746; rev:1;)
# "Unknown malware" entries name no family; the msg gives the analyst nothing beyond the
# address, so the reference URL is the only context available at triage time.
alert tcp $HOME_NET any -> [109.123.231.134] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289745; rev:1;)
alert tcp $HOME_NET any -> [194.163.168.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289744; rev:1;)
alert tcp $HOME_NET any -> [84.21.171.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289743; rev:1;)
alert tcp $HOME_NET any -> [52.87.231.174] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289742; rev:1;)
alert tcp $HOME_NET any -> [163.69.88.244] 10002 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289741; rev:1;)
# url rules (all confidence_level 100): client-to-server GET on an established flow, URI
# beginning with the listed path, Host exactly equal to the listed value.
#  - The URI test is a prefix match: depth equals the pattern length and nothing pins the
#    end, so "/pixel" also matches "/pixel.gif" and "/cm" matches any URI starting "/cm".
#    nocase applies to the URI pattern only.
#  - The Host test is exact (depth plus isdataat:!1,relative). Where the Host is an IP
#    literal, the rule only sees requests that put that literal in the Host header; a
#    request to the same server under a domain name is not matched.
#  - These are `alert http` rules with no threshold: every matching request alerts, and
#    nothing here inspects TLS.
# NOTE(review): several paths (/fwlink, /g.pixel, /match, /updates.rss, /__utm.gif, /pixel,
# /visit.js, /activity, /cm, /cx, /j.ad) look like the stock Cobalt Strike beacon URI set.
# The msg names no family, so confirm against the ThreatFox entry before labelling a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"74.91.27.202"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/woodpecker.js"; depth:21; nocase; http.host; content:"8.134.249.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"150.158.41.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"139.198.187.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"180.76.99.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289723; rev:1;)
# about.swemei.com is covered twice: the domain rule fires on the exact DNS query, the url
# rule after it on the HTTP request. One beacon can raise both, so correlate on source host
# rather than counting them as separate events.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"about.swemei.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"about.swemei.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289720; rev:1;)
# Same path on two different xsph.ru subdomains (this rule and the one after the AsyncRAT
# entry). Each rule pins its own full host name; neither covers the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0999352.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289719; rev:1;)
# ip:port rule: address and port only, one alert per source host per 60 seconds. The same
# address is also listed in sid:91289716 on port 4449 under a different family name.
alert tcp $HOME_NET any -> [13.60.33.38] 60120 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0990027.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289715/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_27; classtype:trojan-activity; sid:91289715; rev:1;)
alert tcp $HOME_NET any -> [160.177.73.220] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289710; rev:1;)
# url rule: GET, URI starting with the listed path (prefix match, case-insensitive), Host
# exactly andrebadi.top. The same domain has a DNS rule in this file (sid:91289712) at
# confidence_level 75 while this rule is 100, so a filter on confidence_level keeps one and
# drops the other; decide deliberately which of the two you want.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/fre.php"; depth:23; nocase; http.host; content:"andrebadi.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289709; rev:1;)
# Remcos run: one rule per address, identical apart from the address, IOC id and sid. All
# are confidence_level 100 with first_seen 2024_06_27, port 2404 except the first (2405).
# The match is destination address and port only (no flow or content keywords), limited to
# one alert per source host per 60 seconds; target:src_ip marks the $HOME_NET host as the
# one to investigate. first_seen is the only age signal a rule carries, and the feed header
# gives 2024-07-26 as its last update, so these entries were about a month old at that
# point; addresses can change hands in that time.
alert tcp $HOME_NET any -> [5.78.82.186] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289708; rev:1;)
alert tcp $HOME_NET any -> [193.111.249.133] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289699; rev:1;)
alert tcp $HOME_NET any -> [193.142.146.101] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289700; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.46] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289701; rev:1;)
alert tcp $HOME_NET any -> [195.201.87.182] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289702; rev:1;)
alert tcp $HOME_NET any -> [198.23.227.212] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289703; rev:1;)
alert tcp $HOME_NET any -> [204.9.187.48] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289704; rev:1;)
alert tcp $HOME_NET any -> [213.238.177.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289705; rev:1;)
alert tcp $HOME_NET any -> [213.252.247.119] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289706; rev:1;)
alert tcp $HOME_NET any -> [217.76.56.205] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289707; rev:1;)
alert tcp $HOME_NET any -> [185.174.101.15] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289692; rev:1;)
alert tcp $HOME_NET any -> [185.214.10.55] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289693; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289694; rev:1;)
alert tcp $HOME_NET any -> [185.255.114.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289695; rev:1;)
alert tcp $HOME_NET any -> [191.252.153.239] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289696; rev:1;)
alert tcp $HOME_NET any -> [192.3.101.18] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289697; rev:1;)
alert tcp $HOME_NET any -> [192.210.214.9] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289698; rev:1;)
alert tcp $HOME_NET any -> [172.111.139.125] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289685; rev:1;)
alert tcp $HOME_NET any -> [172.111.186.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289686; rev:1;)
alert tcp $HOME_NET any -> [177.255.84.124] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289687; rev:1;)
alert tcp $HOME_NET any -> [181.41.200.209] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289688; rev:1;)
alert tcp $HOME_NET any -> [181.141.41.63] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289689; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.103] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289690; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.126] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289691; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.216] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289675; rev:1;)
alert tcp $HOME_NET any -> [103.77.243.159] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289676; rev:1;)
# Remcos ip:port rules, continued: every rule here is TCP to port 2404 at a single address,
# confidence_level 100, first_seen 2024_06_27. Only the address, the ThreatFox IOC id in the
# reference URL and the sid (that id with a leading 9) differ between rules.
# What a hit means: a $HOME_NET host sent at least one TCP packet to the listed endpoint.
# The rules carry no flow or content keywords, so they do not show that a session was
# established or that the traffic was Remcos; the threshold keeps it to one alert per source
# host per 60 seconds. Use the alert to pull flow records and endpoint telemetry for the
# source host named by target:src_ip.
alert tcp $HOME_NET any -> [104.243.32.42] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289677; rev:1;)
alert tcp $HOME_NET any -> [107.173.4.16] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289678; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289679; rev:1;)
alert tcp $HOME_NET any -> [118.31.63.89] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289680; rev:1;)
alert tcp $HOME_NET any -> [145.239.230.233] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289681; rev:1;)
alert tcp $HOME_NET any -> [147.124.210.13] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289682; rev:1;)
alert tcp $HOME_NET any -> [158.220.98.130] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289683; rev:1;)
alert tcp $HOME_NET any -> [167.88.166.237] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289684; rev:1;)
alert tcp $HOME_NET any -> [78.142.18.111] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289663; rev:1;)
alert tcp $HOME_NET any -> [78.142.18.221] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289664; rev:1;)
alert tcp $HOME_NET any -> [83.147.37.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289665; rev:1;)
alert tcp $HOME_NET any -> [86.104.73.215] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289666; rev:1;)
alert tcp $HOME_NET any -> [88.119.170.153] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289667; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289668; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.174] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289669; rev:1;)
alert tcp $HOME_NET any -> [92.53.65.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289670; rev:1;)
alert tcp $HOME_NET any -> [92.204.171.198] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289671; rev:1;)
alert tcp $HOME_NET any -> [94.130.249.123] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289672; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.171] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289673; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.174] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289674; rev:1;)
alert tcp $HOME_NET any -> [20.161.82.217] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289649; rev:1;)
alert tcp $HOME_NET any -> [23.227.183.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289650; rev:1;)
alert tcp $HOME_NET any -> [24.152.36.221] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289651; rev:1;)
alert tcp $HOME_NET any -> [45.40.96.164] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289652; rev:1;)
alert tcp $HOME_NET any -> [45.74.37.70] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289653; rev:1;)
alert tcp $HOME_NET any -> [45.74.37.97] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289654; rev:1;)
alert tcp $HOME_NET any -> [45.77.115.93] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289655; rev:1;)
alert tcp $HOME_NET any -> [45.133.174.54] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289656; rev:1;)
alert tcp $HOME_NET any -> [45.156.86.26] 2404 (msg:"ThreatFox Remcos botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289657; rev:1;) alert tcp $HOME_NET any -> [45.156.86.27] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289658; rev:1;) alert tcp $HOME_NET any -> [46.246.4.212] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289659; rev:1;) alert tcp $HOME_NET any -> [65.21.134.79] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289660; rev:1;) alert tcp $HOME_NET any -> [78.142.18.109] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289661; rev:1;) alert tcp $HOME_NET any -> [78.142.18.110] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; 
sid:91289662; rev:1;) alert tcp $HOME_NET any -> [5.34.182.173] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289645; rev:1;) alert tcp $HOME_NET any -> [5.206.224.223] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289646; rev:1;) alert tcp $HOME_NET any -> [5.230.75.50] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289647; rev:1;) alert tcp $HOME_NET any -> [8.213.216.15] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289648; rev:1;) alert tcp $HOME_NET any -> [94.156.68.105] 7256 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"interactiveuidevelopment.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1289640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289640; rev:1;)
# Domain and URL indicators for one host name. The dns rule requires the query name to
# equal the string exactly (depth = length, isdataat:!1,relative, nocase).
# NOTE(review): the name reads like a misspelling of a well-known vendor domain and the
# URI in the http rule resembles a software-update download path, presumably chosen to
# blend in with normal traffic; confirm against the referenced ThreatFox entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.nicrosoft.fr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289642; rev:1;)
# URL rules: client-to-server GET on an established flow. http.uri content with depth
# equal to its length pins the string to the start of the URI but leaves the end open,
# so longer URIs sharing the prefix also match; http.host adds isdataat:!1,relative, so
# the Host value must equal the string exactly.
# These keywords read parsed cleartext HTTP; the same request inside TLS is not seen
# unless traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"data.nicrosoft.fr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289641; rev:1;)
# Eight rules share the URI prefix /unionpay/index and differ only in the Host value,
# each a literal IPv4 address; all carry confidence_level 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"58.220.52.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"36.158.224.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"36.102.212.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"182.40.78.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"122.228.223.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"121.207.229.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"113.200.137.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"111.170.24.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289632; rev:1;)
# Destination-only rules: no flow or payload keyword, so any packet from $HOME_NET to
# the address and port matches; the threshold limits output to one alert per source
# address per 60 seconds. A hit on port 80 says nothing about the request that was sent.
alert tcp $HOME_NET any -> [91.222.173.170] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289631; rev:1;)
alert tcp $HOME_NET any -> [91.246.41.200] 5554 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/108e010e8f91c38c.php"; depth:21; nocase; http.host; content:"65.21.175.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289629; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 48615 (msg:"ThreatFox NjRAT botnet C2
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289627; rev:1;)
# Exact-name DNS match (depth = length, isdataat:!1,relative, nocase).
# NOTE(review): this is a deep subdomain under ply.gg; if that parent is a shared
# tunnelling or relay service, as the name suggests, block and hunt on this exact name
# only and never on the parent domain. Confirm before widening.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"photos-money.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289628; rev:1;)
# Several endpoints below appear twice: a destination-only tcp rule labelled
# Cobalt Strike (any packet to the address and port, one alert per source per 60 s) and
# an http rule whose Host is the same literal address.
# In the http rules the URI is a prefix match (depth = length, no end anchor) and the
# Host must match exactly. URI strings such as /__utm.gif, /load or /match are generic
# on their own; the exact Host is what makes each rule specific.
# The http rules see cleartext HTTP only. Where the tcp rule names port 443, expect the
# tcp rule alone to fire if that service speaks TLS.
alert tcp $HOME_NET any -> [184.73.109.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"184.73.109.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.101.147.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289623; rev:1;)
alert tcp $HOME_NET any -> [47.101.147.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.221.24.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"112.124.33.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"154.9.253.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"160.1.47.82"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289618; rev:1;)
alert tcp $HOME_NET any -> [3.31.238.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.103.236.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"81.70.93.58"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289615; rev:1;)
# Host-name indicators: where a domain is listed, an http rule (URI prefix + exact Host)
# is accompanied by a dns rule for the same name, so the lookup is flagged even when the
# later connection is encrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heatmaps/fleshlights/6407/2467/4437aa96434ade021bef08371cf2ea22"; depth:64; nocase; http.host; content:"lifebalancemissouri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lifebalancemissouri.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"91.92.245.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.134.137.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289611; rev:1;)
alert tcp $HOME_NET any -> [107.173.140.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/develop/messaging/w5jk7inlq"; depth:28; nocase; http.host; content:"cscs.beauty"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscs.beauty"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasprod.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289606; rev:1;)
alert tcp $HOME_NET any -> [162.33.178.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/communicate/v10.26/icmp6dyxap5"; depth:31; nocase; http.host; content:"rasprod.biz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27;
classtype:trojan-activity; sid:91289605; rev:1;)
# Rule shapes used below:
#   tcp  - destination address and port only; no flow or payload keyword, so any packet
#          from $HOME_NET matches, limited to one alert per source address per 60 s.
#   http - client-to-server GET; URI is a prefix match (depth = length, end not
#          anchored); Host must match exactly (depth = length plus isdataat:!1,relative).
#   dns  - query name must equal the string exactly, case-insensitive.
# Each sid is the ThreatFox IOC id from the reference URL with a leading 9.
# The http rules see cleartext HTTP only. Several tcp rules here name port 443 for an
# address that also has an http rule; if that service speaks TLS, only the tcp rule can
# fire and the URI indicator goes unchecked.
alert tcp $HOME_NET any -> [123.207.55.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"123.207.55.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289603; rev:1;)
alert tcp $HOME_NET any -> [43.163.235.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes"; depth:14; nocase; http.host; content:"api.frameeservicere.live"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.frameeservicere.live"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.95.31.143"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289599; rev:1;)
alert tcp $HOME_NET any -> [45.88.79.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forums"; depth:7; nocase; http.host; content:"45.88.79.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289597; rev:1;)
# msg reads "payload delivery" rather than "botnet C2": these two entries are download
# URLs. Only the listed URI prefix on the exact Host matches.
# NOTE(review): the host names look like ordinary websites, possibly compromised ones;
# a hit points at the specific path, not at the whole site. Verify the ThreatFox
# entries before blocking the domains outright.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-wave-contracts-legal-considerations-implications/"; depth:64; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.e-add.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289596; rev:1;)
alert tcp $HOME_NET any -> [194.55.186.155] 2424 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289592; rev:1;)
alert tcp $HOME_NET any -> [120.46.69.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.46.69.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289590; rev:1;)
alert tcp $HOME_NET any -> [162.244.82.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"162.244.82.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289588; rev:1;)
alert tcp $HOME_NET any -> [47.108.143.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.143.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6259fdc16222e061.php"; depth:21; nocase; http.host; content:"68.183.108.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289585; rev:1;)
# confidence_level drops to 50 from here; treat a hit as a lead that needs corroboration.
alert tcp $HOME_NET any -> [45.66.231.69] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289584; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.124] 8713 (msg:"ThreatFox AsyncRAT
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289583; rev:1;) alert tcp $HOME_NET any -> [139.196.199.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289582; rev:1;) alert tcp $HOME_NET any -> [39.98.201.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289581; rev:1;) alert tcp $HOME_NET any -> [36.212.144.244] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289580; rev:1;) alert tcp $HOME_NET any -> [39.97.52.57] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289579; rev:1;) alert tcp $HOME_NET any -> [154.247.152.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289578/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_27; classtype:trojan-activity; sid:91289578; rev:1;)
# ip:port rules at confidence_level 50 for the Responder and Havoc labels.
# Ports 443, 8443 and 80 are ordinary web ports and the payload is never inspected,
# so these fire on any TCP traffic to the listed address and port, whatever is
# served there.
# 164.90.128.199 is listed on both 443 and 80 under separate sids; a host that
# contacts both raises two alerts for what is one finding.
# target:src_ip marks the $HOME_NET endpoint as the affected side in alert output.
alert tcp $HOME_NET any -> [142.154.206.58] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289577; rev:1;)
alert tcp $HOME_NET any -> [38.180.7.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289576; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.252] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289575; rev:1;)
alert tcp $HOME_NET any -> [164.90.128.199] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289574; rev:1;)
alert tcp $HOME_NET any -> [164.90.128.199] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289573; rev:1;)
alert tcp $HOME_NET any -> [185.229.9.27] 8888 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289572; rev:1;)
# BianLian and Deimos ip:port entries, confidence_level 50. The tcp header match
# does not depend on the protocol spoken, so 1433 and 443 on 159.65.174.201 are
# simply two destination tuples with their own sids.
# Each sid is "9" followed by the ThreatFox IOC id in the reference URL, which
# gives a direct pivot from an alert to the IOC record.
alert tcp $HOME_NET any -> [216.238.73.7] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289571; rev:1;)
alert tcp $HOME_NET any -> [159.65.174.201] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289570; rev:1;)
alert tcp $HOME_NET any -> [159.65.174.201] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289569; rev:1;)
alert tcp $HOME_NET any -> [146.70.80.94] 20013 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289568; rev:1;)
alert tcp $HOME_NET any -> [78.111.2.53] 10022 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289567; rev:1;)
alert tcp $HOME_NET any -> [185.245.182.209] 443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289566; rev:1;)
# ip:port rules (confidence_level 50): destination tuple only, one alert per
# source address per 60 seconds per sid.
alert tcp $HOME_NET any -> [45.156.24.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289565; rev:1;)
alert tcp $HOME_NET any -> [52.3.251.97] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289564; rev:1;)
alert tcp $HOME_NET any -> [67.217.62.106] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289563; rev:1;)
# Domain rule: dns_query (legacy spelling of dns.query) selects the query name.
# depth equal to the pattern length plus isdataat:!1,relative makes this an
# exact, case-insensitive match on the full name; a lookup of a subdomain of it
# does not alert. There is no threshold keyword, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gloomopiniosnforuw.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"compilecoppydkewsw.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289513/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289513; rev:1;)
# Exact-name DNS rules, confidence_level 100 (depth = pattern length, then
# isdataat:!1,relative; nocase makes the comparison case-insensitive).
# The header is $HOME_NET -> $EXTERNAL_NET: where clients use a resolver inside
# $HOME_NET, the query that matches is the resolver's upstream one, so the alert
# source is presumably the resolver and the client has to be found in resolver logs.
# No threshold keyword here; limit noisy sids in threshold.config if needed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exertcreatedadnndjw.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"depositybounceddwk.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slammyslideplanntywks.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manufactiredowreachhd.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aplointexhausdh.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; 
sid:91289518; rev:1;)
# Mixed domain and url rules on .xyz names, confidence_level 100.
# url rules check three sticky buffers on client-to-server data of an established
# flow: http.method contains GET; http.uri begins with "/api" (depth:4 with no end
# check, so longer paths and query strings also match; nocase applies to this
# content); http.host equals the listed name (depth = length, isdataat:!1,relative).
# They need the HTTP parser to see the request, i.e. cleartext or decrypted HTTP;
# the dns rules alert on the lookup itself and do not depend on that visibility.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proffyrobharborye.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gloomopiniosnforuw.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panameradovkews.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"compilecoppydkewsw.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"depositybounceddwk.xyz"; depth:22; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1289524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289524; rev:1;)
# url rules, confidence_level 100. "/api" is a path many legitimate services use;
# the specificity comes from the exact http.host match that follows it, so keep
# both conditions together if these are ever adapted.
# flow:established,from_client restricts matching to requests on an established
# session. There is no threshold keyword, so each matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"exertcreatedadnndjw.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slammyslideplanntywks.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"manufactiredowreachhd.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"aplointexhausdh.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289527; 
rev:1;)
# url rules: GET, URI beginning with "/api" (prefix match), and an exact
# http.host match; visible only where the HTTP request itself can be parsed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"proffyrobharborye.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"panameradovkews.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289529; rev:1;)
# ip:port rules carrying a family name in msg (Remcos, NjRAT, RedLine Stealer) at
# confidence 75-100. metadata (confidence_level, first_seen) is informational and
# plays no part in matching; use it downstream to rank or age out alerts.
alert tcp $HOME_NET any -> [138.201.150.244] 3984 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289530; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289551; rev:1;)
alert tcp $HOME_NET any -> [45.154.99.245] 13799 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289553; rev:1;)
alert tcp 
$HOME_NET any -> [74.137.248.199] 4338 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289506; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name. The name is
# under ddns.net, a dynamic-DNS zone, so the address behind it can change while
# this rule stays valid.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"senaclient.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289507; rev:1;)
# msg reads "payload delivery" rather than "botnet C2": same classtype, but the
# IOC is labelled as a download source. The match is address and port 443 only;
# nothing inside the session is examined.
alert tcp $HOME_NET any -> [5.53.125.205] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289509; rev:1;)
# url rule: GET, URI beginning with the listed .php path, exact http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/65228853.php"; depth:13; nocase; http.host; content:"a0999396.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonlowupdatebigloadbasewppublic.php"; depth:39; nocase; http.host; content:"182785cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289561; rev:1;)
# url rule: GET, URI prefix, exact http.host (an xsph.ru subdomain).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0999297.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289560; rev:1;)
# ip:port rule, Cobalt Strike label, confidence_level 100: destination tuple only.
alert tcp $HOME_NET any -> [101.33.225.206] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289559; rev:1;)
# Domain + url pair on the same host. The dns rule matches "www.1234wu.com"
# exactly, so the bare registered domain and other subdomains are not covered.
# The URI is a stock-looking jQuery asset path; only the host match makes the
# url rule specific.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1234wu.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"www.1234wu.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"mnbgba.ac.ug"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1289556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289556; rev:1;)
# url rules whose hosts are single subdomains of xsph.ru and 000webhostapp.com.
# The exact http.host match scopes each rule to that one subdomain; the parent
# domains presumably serve many unrelated sites, so do not widen these to a
# suffix match or a parent-domain block without checking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8770cce4.php"; depth:13; nocase; http.host; content:"a0999252.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ed9df87b.php"; depth:13; nocase; http.host; content:"unsight-pistons.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0996805.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289552; rev:1;)
# NjRAT ip:port rule: destination tuple only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [3.125.209.94] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289550; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 16163 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289549; rev:1;)
# NjRAT ip:port rules, confidence_level 100. The addresses here all use port 16163;
# NOTE(review): that pattern suggests a shared relay or tunnelling front end
# rather than dedicated servers - confirm ownership before blocking by address.
alert tcp $HOME_NET any -> [18.192.31.165] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289548; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289547; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289546; rev:1;)
# url rule: GET, long .php URI prefix, exact http.host "yenot.top".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlowauthapibigloadprotectflower.php"; depth:43; nocase; http.host; content:"yenot.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/695c2999.php"; depth:13; nocase; http.host; content:"a0999075.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289544; rev:1;)
# Cobalt Strike ip:port rule on 443 followed by a url rule whose http.host is the
# same address as a literal. The url rule matches only when the Host value is that
# bare address and the request is visible to the HTTP parser; on an encrypted
# session only the ip:port rule can fire.
alert tcp $HOME_NET any -> [47.116.166.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.116.166.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289542; rev:1;)
# Domain rule (exact, case-insensitive name match) and another Cobalt Strike
# ip:port rule on 443.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s3dpsid.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289540; rev:1;)
alert tcp $HOME_NET any -> [23.95.216.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"s3dpsid.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289539; rev:1;)
# Cobalt Strike ip:port rules, each followed by a url rule with the same address
# as a literal http.host. For 8.138.8.240 the ip:port rule is on port 80, so a
# single cleartext request can raise both sids; correlate on destination address.
# The URIs (/dot.gif, /ie9compatviewlist.xml) are prefix matches on ordinary-looking
# paths; the exact host is what keeps the url rules specific.
alert tcp $HOME_NET any -> [58.87.78.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"58.87.78.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289537; rev:1;)
alert tcp $HOME_NET any -> [8.138.8.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.138.8.240"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289535; rev:1;)
alert tcp $HOME_NET any -> [101.33.225.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289534; rev:1;)
# Domain + url pair for google-logs.top: exact-name DNS match, then GET with a
# jQuery-style URI prefix and exact http.host. The pattern is compared against the
# full name, so it has no overlap with other names that contain "google".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-logs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"google-logs.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289532; rev:1;)
# url rule on an xsph.ru subdomain (exact http.host, URI prefix).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ab36374.php"; depth:13; nocase; http.host; content:"a0994587.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289531; rev:1;)
# NjRAT ip:port rule: destination tuple only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [41.249.242.121] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289511; rev:1;)
alert tcp $HOME_NET any -> [204.10.160.132] 2404 (msg:"ThreatFox 
Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289510; rev:1;)
# ip:port rules with mixed confidence (100 for RedLine Stealer, 50 for AsyncRAT
# and "Unknown malware"). The value appears in msg and in metadata; filter on the
# metadata field downstream rather than parsing msg.
# 141.8.198.131:80 is a plain web port with no payload check: expect that sid to
# need corroboration before escalation.
alert tcp $HOME_NET any -> [194.55.186.87] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289508; rev:1;)
alert tcp $HOME_NET any -> [216.225.202.59] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289505; rev:1;)
alert tcp $HOME_NET any -> [141.8.198.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289504; rev:1;)
alert tcp $HOME_NET any -> [152.32.213.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289503; rev:1;)
alert tcp $HOME_NET any -> [154.88.26.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289502/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_26; classtype:trojan-activity; sid:91289502; rev:1;)
# confidence_level 50 ip:port rules. Labels such as pupy, Responder and Havoc name
# tooling that is also used in authorised security testing; check hits against
# known engagements before treating them as intrusions.
# All match on the destination tuple only, one alert per source per 60 s per sid.
alert tcp $HOME_NET any -> [20.19.36.45] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289501; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.9] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289500; rev:1;)
alert tcp $HOME_NET any -> [70.27.138.141] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289499; rev:1;)
alert tcp $HOME_NET any -> [34.30.185.227] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289498; rev:1;)
alert tcp $HOME_NET any -> [194.87.79.109] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289497; rev:1;)
alert tcp $HOME_NET any -> [34.155.186.128] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289496; rev:1;)
# BianLian and Deimos ip:port rules, confidence_level 50. 5060 and 8080 are ports
# commonly used by legitimate services (SIP, HTTP proxies); the rule ignores the
# protocol, so confirm what the destination actually is before acting.
# 111.13.104.234 and 120.220.47.242 share port 4506 under the Deimos label.
alert tcp $HOME_NET any -> [91.236.230.33] 4511 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289495; rev:1;)
alert tcp $HOME_NET any -> [159.65.174.201] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289494; rev:1;)
alert tcp $HOME_NET any -> [111.13.104.234] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289493; rev:1;)
alert tcp $HOME_NET any -> [120.220.47.242] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289492; rev:1;)
alert tcp $HOME_NET any -> [99.112.198.250] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289491; rev:1;)
alert tcp $HOME_NET any -> [119.76.173.60] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289490; rev:1;)
# ip:port rules: there are no flow or content keywords, so a match needs only a
# TCP packet from $HOME_NET to the listed address and port. The threshold keeps
# output to one alert per source address per 60 seconds, and target:src_ip marks
# the internal host as the affected side in the alert record.
# NOTE(review): an address-only match cannot tell the reported service apart
# from anything else reachable at the same address and port; weigh the rule's
# confidence_level and the age of first_seen when triaging a hit.
alert tcp $HOME_NET any -> [195.154.43.21] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289489; rev:1;)
alert tcp $HOME_NET any -> [8.220.197.83] 60001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289488; rev:1;)
alert tcp $HOME_NET any -> [67.217.62.106] 41337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289487; rev:1;)
# Domain rule: exact-name match on the DNS query buffer. depth:12 equals the
# length of the name, so the content must start the buffer, and
# isdataat:!1,relative requires the buffer to end right after it; a subdomain
# of this name therefore does not match. nocase makes the comparison
# case-insensitive. There is no threshold, so every matching query alerts.
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer;
# confirm the deployed engine version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cejecuu4.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289484; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12493 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289485/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_26; classtype:trojan-activity; sid:91289485; rev:1;)
# ip:port rules: a match needs only a TCP packet from $HOME_NET to the listed
# address and port (no flow or content keywords); the threshold limits output
# to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [3.124.142.205] 12493 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289486; rev:1;)
# URL rule: client-side GET on an established flow. The URI must begin with
# /33963b08.php (depth:13 anchors the start; nothing anchors the end, so a
# query string after the path still matches). The http.host buffer must be
# exactly loxlas.000webhostapp.com (depth:24 is the length of the name and
# isdataat:!1,relative requires the buffer to end there), so other names under
# the same parent domain do not match.
# NOTE(review): this rule only sees HTTP the engine can parse in cleartext; the
# same request over TLS would need decryption or a separate TLS/DNS indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33963b08.php"; depth:13; nocase; http.host; content:"loxlas.000webhostapp.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289483; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 12493 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289482; rev:1;)
alert tcp $HOME_NET any -> [109.196.166.188] 4482 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289481; rev:1;)
alert tcp $HOME_NET any -> [115.77.241.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289480; rev:1;)
alert tcp $HOME_NET any -> [89.116.48.173] 9999 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289478; rev:1;) alert tcp $HOME_NET any -> [172.84.93.210] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289479; rev:1;) alert tcp $HOME_NET any -> [54.157.34.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289477; rev:1;) alert tcp $HOME_NET any -> [206.119.167.114] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289476; rev:1;) alert tcp $HOME_NET any -> [216.245.184.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289473; rev:1;) alert tcp $HOME_NET any -> [38.147.171.35] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289474/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289474; rev:1;) alert tcp $HOME_NET any -> [154.64.231.108] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289475; rev:1;) alert tcp $HOME_NET any -> [38.147.171.208] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289471; rev:1;) alert tcp $HOME_NET any -> [107.173.203.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289472; rev:1;) alert tcp $HOME_NET any -> [192.3.86.166] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289469; rev:1;) alert tcp $HOME_NET any -> [104.238.183.19] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289470; rev:1;) alert tcp $HOME_NET any -> [142.171.214.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289468; rev:1;) alert tcp $HOME_NET any -> [154.9.253.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289466; rev:1;) alert tcp $HOME_NET any -> [38.147.170.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289467; rev:1;) alert tcp $HOME_NET any -> [165.154.135.78] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289465; rev:1;) alert tcp $HOME_NET any -> [206.233.133.151] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289463; rev:1;) alert tcp $HOME_NET any -> [50.116.12.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289464; rev:1;) alert tcp $HOME_NET any -> [137.184.97.84] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289461; rev:1;) alert tcp $HOME_NET any -> [142.171.200.25] 25565 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289462; rev:1;) alert tcp $HOME_NET any -> [154.12.19.142] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289460; rev:1;) alert tcp $HOME_NET any -> [74.48.147.144] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289459; rev:1;) alert tcp $HOME_NET any -> [192.3.55.45] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289457; rev:1;) alert tcp $HOME_NET any -> [198.46.233.11] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289458; rev:1;) alert tcp $HOME_NET any -> [154.12.29.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289456; rev:1;) alert tcp $HOME_NET any -> [104.245.34.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289455; rev:1;) alert tcp $HOME_NET any -> [23.95.193.152] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289454; rev:1;) alert tcp $HOME_NET any -> [107.172.32.178] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289453; rev:1;) alert tcp $HOME_NET any -> [23.95.44.80] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289451; rev:1;) alert tcp 
$HOME_NET any -> [74.91.17.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289452; rev:1;) alert tcp $HOME_NET any -> [46.21.153.155] 5443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289450; rev:1;) alert tcp $HOME_NET any -> [18.219.156.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289449; rev:1;) alert tcp $HOME_NET any -> [176.58.127.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289448; rev:1;) alert tcp $HOME_NET any -> [45.152.64.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289446; rev:1;) alert tcp $HOME_NET any -> [45.152.64.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289447; rev:1;) alert tcp $HOME_NET any -> [77.238.227.125] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289444; rev:1;) alert tcp $HOME_NET any -> [91.92.243.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289445; rev:1;) alert tcp $HOME_NET any -> [185.196.8.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289443; rev:1;) alert tcp $HOME_NET any -> [185.196.9.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289442; rev:1;) alert tcp $HOME_NET any -> [51.12.249.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289441; rev:1;) alert tcp $HOME_NET any -> [144.24.89.162] 8081 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289439; rev:1;) alert tcp $HOME_NET any -> [152.67.221.25] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289440; rev:1;) alert tcp $HOME_NET any -> [104.194.153.54] 3555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289438; rev:1;) alert tcp $HOME_NET any -> [167.71.215.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289437; rev:1;) alert tcp $HOME_NET any -> [128.1.40.125] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289435; rev:1;) alert tcp $HOME_NET any -> [8.219.204.94] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289436/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289436; rev:1;) alert tcp $HOME_NET any -> [207.148.125.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289434; rev:1;) alert tcp $HOME_NET any -> [8.219.228.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289432; rev:1;) alert tcp $HOME_NET any -> [18.143.88.183] 86 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289433; rev:1;) alert tcp $HOME_NET any -> [206.238.115.243] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289431; rev:1;) alert tcp $HOME_NET any -> [80.85.155.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289430; rev:1;) alert tcp $HOME_NET any -> [185.241.194.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289428; rev:1;) alert tcp $HOME_NET any -> [185.22.152.167] 8868 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289429; rev:1;) alert tcp $HOME_NET any -> [64.7.199.88] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289427; rev:1;) alert tcp $HOME_NET any -> [109.107.140.195] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289426; rev:1;) alert tcp $HOME_NET any -> [34.146.210.28] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289425; rev:1;) alert tcp $HOME_NET any -> [152.32.202.240] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289423; rev:1;) alert tcp $HOME_NET any -> [202.144.194.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289424; rev:1;) alert tcp $HOME_NET any -> [36.89.252.50] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289421; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289422; rev:1;) alert tcp $HOME_NET any -> [154.86.116.17] 84 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289419; rev:1;) alert tcp $HOME_NET any -> [20.244.96.7] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289420; rev:1;) alert tcp $HOME_NET any -> [38.181.78.45] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289418; rev:1;) alert tcp $HOME_NET any -> [47.76.111.10] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289417; rev:1;) alert tcp $HOME_NET any -> [156.238.235.164] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289416; rev:1;) alert tcp $HOME_NET any -> [47.243.26.247] 5001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289415; rev:1;) alert tcp $HOME_NET any -> [34.92.139.96] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289413; rev:1;) alert tcp $HOME_NET any -> [156.224.20.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289414; rev:1;) alert tcp 
$HOME_NET any -> [103.146.140.99] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289412; rev:1;) alert tcp $HOME_NET any -> [34.92.25.154] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289411; rev:1;) alert tcp $HOME_NET any -> [154.12.88.29] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289410; rev:1;) alert tcp $HOME_NET any -> [202.95.19.243] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289409; rev:1;) alert tcp $HOME_NET any -> [47.242.22.64] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289407; rev:1;) alert tcp $HOME_NET any -> [123.58.220.97] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289408; rev:1;)
# ThreatFox ip:port indicators labelled "Cobalt Strike botnet C2" (confidence_level 100, first_seen 2024_06_26).
# Each complete rule below matches TCP traffic from $HOME_NET to the single listed address and port.
# No flow or payload keyword is present, so an alert shows that a host contacted the endpoint,
# not that the session carried C2 protocol content.
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at one alert per source
# address per 60 seconds.
# target:src_ip marks the $HOME_NET side of the connection as the target in the alert record.
# NOTE(review): address-only indicators age quickly and may sit on shared or reassigned hosting;
# check first_seen and the referenced ThreatFox entry, and corroborate with host or proxy logs,
# before treating a hit as a confirmed compromise.
alert tcp $HOME_NET any -> [193.134.210.189] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289406; rev:1;)
alert tcp $HOME_NET any -> [149.104.31.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289405; rev:1;)
alert tcp $HOME_NET any -> [34.92.137.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289404; rev:1;)
alert tcp $HOME_NET any -> [206.237.23.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289403; rev:1;)
alert tcp $HOME_NET any -> [154.201.83.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289402; rev:1;)
alert tcp $HOME_NET any -> [206.237.24.135] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289401; rev:1;)
alert tcp $HOME_NET any -> [134.122.75.115] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289400; rev:1;)
alert tcp $HOME_NET any -> [91.238.181.230] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289399; rev:1;)
alert tcp $HOME_NET any -> [124.223.9.21] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289397; rev:1;)
alert tcp $HOME_NET any -> [185.255.178.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289398; rev:1;)
alert tcp $HOME_NET any -> [62.234.171.193] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289395; rev:1;)
alert tcp $HOME_NET any -> [124.223.33.83] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289396; rev:1;)
alert tcp $HOME_NET any -> [81.70.93.58] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289393; rev:1;)
alert tcp $HOME_NET any -> [82.156.218.23] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289394; rev:1;)
alert tcp $HOME_NET any -> [62.234.18.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289392; rev:1;)
alert tcp $HOME_NET any -> [124.223.29.131] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289391; rev:1;)
alert tcp $HOME_NET any -> [43.138.246.207] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289389; rev:1;)
alert tcp $HOME_NET any -> [175.178.179.183] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289390; rev:1;)
alert tcp $HOME_NET any -> [47.120.31.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289388; rev:1;)
alert tcp $HOME_NET any -> [182.43.247.172] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289386; rev:1;)
alert tcp $HOME_NET any -> [116.62.17.187] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289387; rev:1;)
alert tcp $HOME_NET any -> [122.152.209.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289384; rev:1;)
alert tcp $HOME_NET any -> [8.130.170.47] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289385; rev:1;)
alert tcp $HOME_NET any -> [39.105.197.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289383; rev:1;)
alert tcp $HOME_NET any -> [47.94.224.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289381; rev:1;)
alert tcp $HOME_NET any -> [110.41.53.51] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289382; rev:1;)
alert tcp $HOME_NET any -> [146.56.228.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289379; rev:1;)
alert tcp $HOME_NET any -> [101.43.201.136] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289380; rev:1;)
alert tcp $HOME_NET any -> [118.178.92.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289378; rev:1;)
alert tcp $HOME_NET any -> [47.98.195.217] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289376; rev:1;)
alert tcp $HOME_NET any -> [140.246.254.45] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289377; rev:1;)
alert tcp $HOME_NET any -> [120.24.90.39] 7474 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289374; rev:1;)
alert tcp $HOME_NET any -> [8.138.150.209] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289375; rev:1;)
alert tcp $HOME_NET any -> [106.75.191.162] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289372; rev:1;)
alert tcp $HOME_NET any -> [47.92.98.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289373; rev:1;)
alert tcp $HOME_NET any -> [8.149.135.10] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289370; rev:1;)
alert tcp $HOME_NET any -> [47.121.133.136] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289371; rev:1;)
alert tcp $HOME_NET any -> [113.125.179.13] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289368; rev:1;)
alert tcp $HOME_NET any -> [114.115.130.34] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289369; rev:1;)
alert tcp $HOME_NET any -> [60.204.224.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289367; rev:1;)
alert tcp $HOME_NET any -> [47.120.73.216] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289365; rev:1;)
alert tcp $HOME_NET any -> [139.159.143.40] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289366; rev:1;)
alert tcp $HOME_NET any -> [47.92.194.21] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289363; rev:1;)
alert tcp $HOME_NET any -> [106.53.64.229] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289364; rev:1;)
alert tcp $HOME_NET any -> [62.234.27.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289362; rev:1;)
alert tcp $HOME_NET any -> [39.104.230.184] 6668 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289361; rev:1;)
alert tcp $HOME_NET any -> [43.140.214.44] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289359; rev:1;)
alert tcp $HOME_NET any -> [8.141.93.66] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289360; rev:1;)
alert tcp $HOME_NET any -> [62.234.36.48] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289357; rev:1;)
alert tcp $HOME_NET any -> [150.158.137.47] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289358; rev:1;)
alert tcp $HOME_NET any -> [112.124.5.135] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289356; rev:1;)
alert tcp $HOME_NET any -> [114.55.100.165] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289355; rev:1;)
alert tcp $HOME_NET any -> [47.120.18.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289353; rev:1;)
alert tcp $HOME_NET any -> [159.75.104.157] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289354; rev:1;)
alert tcp $HOME_NET any -> [112.126.73.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289352; rev:1;)
alert tcp $HOME_NET any -> [118.31.0.110] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289350; rev:1;)
alert tcp $HOME_NET any -> [47.94.157.42] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289351; rev:1;)
alert tcp $HOME_NET any -> [47.120.40.27] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289349; rev:1;)
alert tcp $HOME_NET any -> [47.102.106.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289348; rev:1;)
alert tcp $HOME_NET any -> [152.136.11.91] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289346; rev:1;)
alert tcp $HOME_NET any -> [110.41.1.216] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289347; rev:1;)
alert tcp $HOME_NET any -> [124.220.148.63] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289344; rev:1;)
alert tcp $HOME_NET any -> [1.116.78.105] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289345; rev:1;)
alert tcp $HOME_NET any -> [124.223.166.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289343; rev:1;)
alert tcp $HOME_NET any -> [43.139.120.180] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289341; rev:1;)
alert tcp $HOME_NET any -> [39.105.113.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289342; rev:1;)
alert tcp $HOME_NET any -> [43.140.37.228] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289339; rev:1;)
alert tcp $HOME_NET any -> [106.54.201.63] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289340; rev:1;)
alert tcp $HOME_NET any -> [121.43.113.38] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289337; rev:1;)
alert tcp $HOME_NET any -> [121.40.127.134] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289338; rev:1;)
alert tcp $HOME_NET any -> [103.97.58.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289336; rev:1;)
alert tcp $HOME_NET any -> [111.231.51.250] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289334; rev:1;)
alert tcp $HOME_NET any -> [134.175.107.219] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289335; rev:1;)
alert tcp $HOME_NET any -> [39.100.106.193] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289333; rev:1;)
alert tcp $HOME_NET any -> [43.138.101.9] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289332; rev:1;)
alert tcp $HOME_NET any -> [175.27.132.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289331; rev:1;)
alert tcp $HOME_NET any -> [49.232.129.71] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289330; rev:1;)
alert tcp $HOME_NET any -> [1.94.9.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289329; rev:1;)
alert tcp $HOME_NET any -> [106.55.181.108] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289328; rev:1;)
alert tcp $HOME_NET any -> [82.156.206.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289326; rev:1;)
alert tcp $HOME_NET any -> [120.48.124.220] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289327; rev:1;)
alert tcp $HOME_NET any -> [123.57.85.206] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289325; rev:1;)
alert tcp $HOME_NET any -> [139.155.134.117] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289324; rev:1;)
alert tcp $HOME_NET any -> [124.222.129.148] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289323; rev:1;)
alert tcp $HOME_NET any -> [123.57.192.94] 99 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289322; rev:1;)
alert tcp $HOME_NET any -> [1.12.69.169] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289321; rev:1;)
alert tcp $HOME_NET any -> [116.204.107.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289319; rev:1;)
alert tcp $HOME_NET any -> [106.52.130.164] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289320; rev:1;)
alert tcp $HOME_NET any -> [139.224.188.165] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289317; rev:1;)
alert tcp $HOME_NET any -> [42.193.53.72] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289318; rev:1;)
alert tcp $HOME_NET any -> [121.40.137.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289316; rev:1;)
alert tcp $HOME_NET any -> [47.108.77.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289314; rev:1;)
alert tcp $HOME_NET any -> [59.110.140.224] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289315; rev:1;)
alert tcp $HOME_NET any -> [42.194.129.182] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289312; rev:1;)
alert tcp $HOME_NET any -> [120.26.128.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289313; rev:1;)
alert tcp $HOME_NET any -> [1.92.156.179] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289311; rev:1;)
alert tcp $HOME_NET any -> [47.120.49.109] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289309; rev:1;)
alert tcp $HOME_NET any -> [101.33.198.179] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289310; rev:1;)
alert tcp $HOME_NET any -> [118.195.216.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289308; rev:1;)
alert tcp $HOME_NET any -> [47.113.223.135] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289307; rev:1;)
alert tcp $HOME_NET any -> [47.103.155.164] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289306; rev:1;)
alert tcp $HOME_NET any -> [152.136.99.26] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289305; rev:1;)
alert tcp $HOME_NET any -> [123.56.152.207] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289304; rev:1;)
alert tcp $HOME_NET any -> [47.120.63.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289302; rev:1;)
alert tcp $HOME_NET any -> [8.130.210.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289303; rev:1;)
alert tcp $HOME_NET any -> [106.15.184.255] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289301; rev:1;)
alert tcp $HOME_NET any -> [121.36.95.33] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289299; rev:1;)
alert tcp $HOME_NET any -> [120.24.179.84] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289300; rev:1;)
alert tcp $HOME_NET any -> [112.126.80.83] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289298; rev:1;)
alert tcp $HOME_NET any -> [124.71.177.31] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289297; rev:1;)
alert tcp $HOME_NET any -> [106.14.254.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289296; rev:1;)
alert tcp $HOME_NET any -> [1.92.96.35] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289295; rev:1;)
alert tcp $HOME_NET any -> [120.46.202.105] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289294; rev:1;)
alert tcp $HOME_NET any -> [47.96.183.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289293; rev:1;)
alert tcp $HOME_NET any -> [121.196.196.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289292; rev:1;)
alert tcp $HOME_NET any -> [39.100.103.175] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289291; rev:1;)
alert tcp $HOME_NET any -> [49.232.249.109] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289290; rev:1;) alert tcp $HOME_NET any -> [101.43.202.135] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289289; rev:1;) alert tcp $HOME_NET any -> [47.113.150.236] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289287; rev:1;) alert tcp $HOME_NET any -> [47.103.218.35] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289288; rev:1;) alert tcp $HOME_NET any -> [42.51.38.108] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289286; rev:1;) alert tcp $HOME_NET any -> [106.75.75.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289285; rev:1;) alert tcp $HOME_NET any -> [121.40.196.250] 8081 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289284; rev:1;) alert tcp $HOME_NET any -> [221.234.36.116] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289283; rev:1;) alert tcp $HOME_NET any -> [1.94.29.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289282; rev:1;) alert tcp $HOME_NET any -> [121.40.19.66] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289280; rev:1;) alert tcp $HOME_NET any -> [39.99.136.38] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289281; rev:1;) alert tcp $HOME_NET any -> [8.134.163.72] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289278/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289278; rev:1;) alert tcp $HOME_NET any -> [111.231.140.197] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289279; rev:1;) alert tcp $HOME_NET any -> [106.53.193.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289277; rev:1;) alert tcp $HOME_NET any -> [106.54.18.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289275; rev:1;) alert tcp $HOME_NET any -> [58.53.128.67] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289276; rev:1;) alert tcp $HOME_NET any -> [47.96.174.24] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289274; rev:1;) alert tcp $HOME_NET any -> [47.97.191.156] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289273; rev:1;) alert tcp $HOME_NET any -> [8.142.5.148] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289272; rev:1;) alert tcp $HOME_NET any -> [124.221.76.197] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289270; rev:1;) alert tcp $HOME_NET any -> [117.72.36.227] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289271; rev:1;) alert tcp $HOME_NET any -> [150.158.113.86] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289269; rev:1;) alert tcp $HOME_NET any -> [139.129.26.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289268; rev:1;) alert tcp $HOME_NET any -> [119.3.82.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289267; rev:1;) alert tcp $HOME_NET any -> [119.3.157.129] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289266; rev:1;) alert tcp $HOME_NET any -> [139.198.30.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289264; rev:1;) alert tcp $HOME_NET any -> [47.115.230.159] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289265; rev:1;) alert tcp $HOME_NET any -> [119.45.158.137] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289262; rev:1;) alert tcp $HOME_NET any -> [43.136.177.143] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289263; rev:1;) alert tcp $HOME_NET any -> [8.134.160.8] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289261; rev:1;) alert tcp $HOME_NET any -> [124.221.113.199] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289260; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289259; rev:1;) alert tcp $HOME_NET any -> [104.129.20.76] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289257; rev:1;) alert tcp $HOME_NET any -> [193.200.16.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; 
sid:91289258; rev:1;)
# Domain IOCs, confidence 75. In each rule depth equals the length of the name and
# isdataat:!1,relative forbids any byte after it, so only a query for exactly this name
# matches; a query for a subdomain of it does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"duplevo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289254/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"restolazo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289255/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"somedax.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289256; rev:1;)
# NjRAT C2 by address and port, confidence 75. The rule has no flow or flags option, so any
# TCP packet from $HOME_NET to this address and port matches, whether or not a session was
# established; the threshold caps it at one alert per source address per 60 seconds.
# NOTE(review): the ioc id is adjacent to the ply.gg name below, so this is presumably the
# same report and possibly a shared tunnel endpoint, where only the port is specific -- confirm.
alert tcp $HOME_NET any -> [147.185.221.20] 17341 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289031; rev:1;)
# Exact-name match on a five-label hostname (depth:25, no trailing bytes allowed).
# NOTE(review): ply.gg looks like a tunnelling-service parent domain; only this hostname is
# listed as an indicator, so the parent should not be treated as one -- confirm.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"press-higher.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~eric/wp/masterddl/2023/07/23/paypal-billing-agreement-cancelled-facebook/"; depth:75; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.duendealhambra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"trollsburninginhell.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trollsburninginhell.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; 
content:"trollsburninginhell.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elastsolek1.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289241; rev:1;) alert tcp $HOME_NET any -> [154.13.163.54] 4787 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289242; rev:1;) alert tcp $HOME_NET any -> [37.120.199.54] 4787 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jbfrost.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289244; rev:1;) alert tcp $HOME_NET any -> [5.253.84.218] 8787 (msg:"ThreatFox DynamicStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289249; rev:1;) alert tcp $HOME_NET any -> [31.192.239.29] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vauxhall.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozi2/five/fre.php"; depth:18; nocase; http.host; content:"31.192.239.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289252; rev:1;) alert tcp $HOME_NET any -> [154.91.90.216] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289253; rev:1;) alert tcp $HOME_NET any -> [206.123.148.196] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289248; rev:1;) alert tcp $HOME_NET any -> 
[194.67.193.114] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289247/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_26; classtype:trojan-activity; sid:91289247; rev:1;)
# Matanbuchus C2 by address and port: three consecutive addresses (.112-.114) on port 443,
# all at confidence 60, lower than the 75 and 100 carried by the neighbouring rules.
# These rules have no flow, flags or content option, so any TCP packet from $HOME_NET to the
# address on 443 matches; the alert alone does not show that a session was established or
# what was exchanged. The threshold caps each rule at one alert per source per 60 seconds.
# The confidence_level value in metadata is available to triage for weighting these alerts.
alert tcp $HOME_NET any -> [194.67.193.113] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289245/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_26; classtype:trojan-activity; sid:91289245; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.112] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289246/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_26; classtype:trojan-activity; sid:91289246; rev:1;)
# Remcos C2 by address and port, confidence 100; same header-only match and threshold as above.
alert tcp $HOME_NET any -> [206.123.148.194] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289240; rev:1;)
# RedLine Stealer C2 by address and port, confidence 100; same header-only match and threshold.
alert tcp $HOME_NET any -> [94.156.69.12] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/395ca7fb.php"; depth:13; nocase; http.host; 
content:"a0998834.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"performanscore.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"performanscore.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"performanscore.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"performanscore.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289029; 
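rev:1;)
# DarkGate C2 by address and port, confidence 75. No flow, flags or content option: any TCP
# packet from $HOME_NET to this address on port 80 matches, so the alert alone does not show
# an established session. The threshold caps it at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [91.222.173.89] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289025/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289025; rev:1;)
# Domain IOC, confidence 100. depth:24 equals the length of the name and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly this name matches (not a subdomain).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applylawofattraction.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289024; rev:1;)
# URL IOC for the same name. Changed from the feed's rev:1, which matched the domain in
# http.uri within the first 24 bytes: a request URI normally begins with "/", so that rule
# would not fire on ordinary requests. The name is now matched exactly in http.host, in the
# same form the other url rules in this file use. The IOC's path is not visible here, so no
# http.uri match is kept and any GET to this host alerts. rev raised to 2 for the local
# change; a feed refresh will restore the upstream rule unless it is corrected there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"applylawofattraction.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289023; rev:2;)
# Cobalt Strike C2 by address and port, confidence 100; header-only match as for DarkGate above.
alert tcp $HOME_NET any -> [79.132.135.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289022; rev:1;)
# URL IOC on the same address: client GET on an established flow whose URI starts with
# "/html.css" (case-insensitive) and whose Host is exactly the address literal. It has no
# threshold, so every matching request alerts. Seen together with sid:91289022 from one
# source, this is the stronger of the two signals because it inspects the request itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html.css"; depth:9; nocase; http.host; content:"79.132.135.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 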
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"141.98.10.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289019; rev:1;)
# The line above is the end of a rule whose "alert http" header is on the preceding line of the file.
#
# ThreatFox IOC rules, one per line. Each sid is the ThreatFox IOC id prefixed with 9, and the
# reference URL points at the IOC record. target:src_ip marks the $HOME_NET source as the alert target.
#
# Rule shapes in this block:
#   alert tcp -> [IP] PORT : no flow: or content keyword, so the rule requires neither an established
#       session nor any payload; threshold caps it at one alert per source address per 60 seconds.
#   alert http : GET in the method buffer, a request URI that begins with the listed path (depth pins
#       the start, nothing pins the end), and http.host equal to the listed value (depth is the
#       pattern length and isdataat:!1,relative rejects trailing bytes).
#   alert dns  : query name equal to the listed domain, case-insensitively; subdomains do not match.
# The url and domain rules do not name a malware family in msg; several share an address with a
# neighbouring "Cobalt Strike" ip:port rule.
# NOTE(review): an ip:port hit alone shows a connection attempt, not a completed exchange - confirm
# against flow or endpoint data before treating the source host as compromised.

# Cobalt Strike ip:port rules and the url rules that share their addresses.
alert tcp $HOME_NET any -> [141.98.10.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289020; rev:1;)
alert tcp $HOME_NET any -> [103.207.68.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.207.68.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289017; rev:1;)
alert tcp $HOME_NET any -> [159.75.177.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"159.75.177.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"91.92.248.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289014; rev:1;)
alert tcp $HOME_NET any -> [8.130.111.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.130.111.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.219.146.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289011; rev:1;)

# Domain rule and url rule for the same tyk.io host name.
# NOTE(review): this looks like a provider-assigned gateway subdomain; the match is exact, so other
# names under tyk.io are unaffected, but the name could be reassigned - weigh first_seen in triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amateur-locket-gw.aws-use1.cloud-ara.tyk.io"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289009; rev:1;)
alert tcp $HOME_NET any -> [147.45.178.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"amateur-locket-gw.aws-use1.cloud-ara.tyk.io"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289008; rev:1;)

# Further url rules; 8.219.146.174 appears with three different paths in this block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.55.100.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"111.229.217.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"47.98.154.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.219.146.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.219.146.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289003; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.43.201.136"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1289002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289002; rev:1;)
# The line above is the end of a rule that starts on the preceding line of the file.
#
# ThreatFox IOC rules, one per line; sid is the IOC id prefixed with 9 and reference:url is the IOC
# record. All rules here alert on traffic leaving $HOME_NET and set target:src_ip.
#   ip:port rules : address and port only - no flow: or payload keyword - rate-limited by threshold
#       to one alert per source per 60 seconds.
#   url rules     : flow:established,from_client; GET; URI prefix match (depth anchors the start only);
#       exact http.host match (depth plus isdataat:!1,relative).
#   domain rules  : exact, case-insensitive match on the DNS query name.
# NOTE(review): the DNS rules use dns_query while the HTTP rules use dotted buffer names (http.uri,
# http.host); dns.query is the dotted spelling of the same buffer, should the file be normalised.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"74.91.27.202"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289000; rev:1;)
alert tcp $HOME_NET any -> [74.91.27.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289001; rev:1;)
alert tcp $HOME_NET any -> [64.23.246.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288999; rev:1;)

# url and domain rule for one azureedge.net host name.
# NOTE(review): looks like a CDN endpoint name chosen by the tenant; only this exact name matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/git.asp"; depth:8; nocase; http.host; content:"networkhealth.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkhealth.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288998; rev:1;)
alert tcp $HOME_NET any -> [47.242.58.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.242.58.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.75.249.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288994; rev:1;)

# Domain rule, ip:port rule and url rule listed together for bookings.catomeister.com.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bookings.catomeister.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288992; rev:1;)
alert tcp $HOME_NET any -> [218.101.19.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"bookings.catomeister.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288991; rev:1;)
alert tcp $HOME_NET any -> [60.205.115.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.205.115.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288989; rev:1;)

# msg says "payload delivery" rather than "botnet C2 traffic"; the rule shape is the same as the url rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.diavolino.ch"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288986; rev:1;)

# Nanocore RAT ip:port rule followed by a domain rule on a ply.gg name.
# NOTE(review): the ply.gg label looks like a tunnel-service host name; the address behind it may
# serve other users of that service, so the ip:port rule deserves corroboration - confirm.
alert tcp $HOME_NET any -> [147.185.221.20] 24735 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t-protecting.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.144.219.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.57.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288982; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.70.180.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288981/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_26; classtype:trojan-activity; sid:91288981; rev:1;)
# The line above is the end of a rule that starts on the preceding line of the file.
#
# ThreatFox IOC rules, one per line; sid is the IOC id prefixed with 9 and reference:url is the IOC
# record. Three url rules come first, then a long run of ip:port rules.
#   url rules     : flow:established,from_client; GET; URI prefix match; exact http.host match.
#   ip:port rules : match on destination address and port alone. No flow: or payload keyword is
#       present, so a hit does not show that a session was established or what it carried.
#       threshold (type limit, track by_src, 60 s, count 1) emits at most one alert per source per
#       minute, so alert volume does not reflect connection volume.
# Every ip:port rule in this block carries confidence_level 50.
# NOTE(review): given that confidence and the address-only match, treat a hit as a lead and
# corroborate with flow records or endpoint telemetry before responding - confirm local policy.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"110.40.184.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"175.178.99.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.107.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288978; rev:1;)

# AsyncRAT ip:port rules (confidence 50). Some addresses are listed once per port.
alert tcp $HOME_NET any -> [193.26.115.22] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288977; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.22] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288976; rev:1;)
alert tcp $HOME_NET any -> [197.0.103.174] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288975; rev:1;)
alert tcp $HOME_NET any -> [108.174.200.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288974; rev:1;)
alert tcp $HOME_NET any -> [108.174.200.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288973; rev:1;)
alert tcp $HOME_NET any -> [147.135.165.29] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288972; rev:1;)
alert tcp $HOME_NET any -> [45.66.231.69] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288971; rev:1;)
alert tcp $HOME_NET any -> [45.66.231.69] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288970; rev:1;)
alert tcp $HOME_NET any -> [194.62.157.160] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288969; rev:1;)
alert tcp $HOME_NET any -> [89.39.106.35] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288968; rev:1;)
alert tcp $HOME_NET any -> [82.165.74.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288967; rev:1;)
alert tcp $HOME_NET any -> [82.165.74.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288966; rev:1;)

# "Unknown malware" ip:port rules (confidence 50): msg gives no family name, so the reference URL is
# the only pointer to context for these.
alert tcp $HOME_NET any -> [94.156.79.166] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288965; rev:1;)
alert tcp $HOME_NET any -> [64.23.136.10] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288964; rev:1;)
alert tcp $HOME_NET any -> [68.183.126.146] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288963; rev:1;)
alert tcp $HOME_NET any -> [67.207.88.196] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288962; rev:1;)
alert tcp $HOME_NET any -> [8.137.114.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288961; rev:1;)
alert tcp $HOME_NET any -> [121.196.221.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288960; rev:1;)
alert tcp $HOME_NET any -> [43.242.202.189] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288959; rev:1;)

# DCRat, QakBot and pupy ip:port rules (confidence 50).
# NOTE(review): two of these are on port 443, where an address-only match cannot distinguish the
# listed service from anything else hosted at that address - confirm before escalating.
alert tcp $HOME_NET any -> [46.246.84.26] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288958; rev:1;)
alert tcp $HOME_NET any -> [81.69.247.188] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288957; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.29] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288956; rev:1;)
alert tcp $HOME_NET any -> [189.175.197.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288955; rev:1;)
alert tcp $HOME_NET any -> [104.168.146.71] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288954; rev:1;)
# The rule below continues on the following line of the file.
alert tcp $HOME_NET any -> [52.59.102.101] 23175 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288953; rev:1;)
# The line above is the end of a rule whose "alert tcp" header is on the preceding line of the file.
#
# ThreatFox IOC rules, one per line; sid is the IOC id prefixed with 9 and reference:url is the IOC
# record. All rules alert on traffic leaving $HOME_NET and set target:src_ip.
#   ip:port rules : destination address and port only, no flow: or payload keyword; threshold limits
#       output to one alert per source per 60 seconds.
#   url rules     : flow:established,from_client; GET; URI must begin with the listed path (depth
#       anchors the start, the end is open); http.host must equal the listed value exactly.
#   domain rules  : exact, case-insensitive match on the DNS query name; a parent-domain rule does not
#       cover its subdomains, which is why both dogmuncher.xyz names are listed separately.

# ip:port rules at confidence 50.
alert tcp $HOME_NET any -> [185.234.216.209] 20082 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288952; rev:1;)
alert tcp $HOME_NET any -> [210.76.62.50] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288951; rev:1;)
alert tcp $HOME_NET any -> [13.49.76.223] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288950; rev:1;)

# The same four paths (/upload, /inject, /autofill, /passwords) are listed for 93.190.8.37 and again
# for xortoproject.duckdns.org. All eight rules require GET and carry no family name in msg.
# NOTE(review): the path names suggest credential or form-data handling, but the rules inspect only
# method, URI prefix and host - request bodies and responses are not examined. The duckdns.org name
# looks like a dynamic-DNS host, so the address behind it can change; verify at triage time.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload"; depth:7; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inject"; depth:7; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autofill"; depth:9; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/passwords"; depth:10; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload"; depth:7; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autofill"; depth:9; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inject"; depth:7; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/passwords"; depth:10; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288924; rev:1;)

# NjRAT ip:port rule (confidence 75).
alert tcp $HOME_NET any -> [160.179.71.4] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91288925; rev:1;)

# Domain rules: the subdomain and its parent each get their own exact-match rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boats.dogmuncher.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288926; rev:1;)
# The rule below continues on the following line of the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogmuncher.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1288927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288927; rev:1;)
# The line above is the end of a rule that starts on the preceding line of the file.
#
# ThreatFox IOC rules, one per line; sid is the IOC id prefixed with 9 and reference:url is the IOC
# record. All rules alert on traffic leaving $HOME_NET and set target:src_ip.
#   ip:port rules : destination address and port only, no flow: or payload keyword; threshold limits
#       output to one alert per source per 60 seconds.
#   url rules     : flow:established,from_client; GET; URI prefix match (depth anchors the start);
#       exact http.host match (depth plus isdataat:!1,relative).
#   domain rules  : exact, case-insensitive match on the DNS query name.
# first_seen changes from 2024_06_26 to 2024_06_25 partway through this block.
# NOTE(review): indicators age; check first_seen and the linked IOC record before relying on an
# alert from an older entry.

alert tcp $HOME_NET any -> [89.190.156.145] 7733 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288928; rev:1;)
alert tcp $HOME_NET any -> [5.42.64.56] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288929; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.69] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288930; rev:1;)

# msg says "payload delivery" rather than "botnet C2 traffic"; the rule shape is the same as the url rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.crappel.co"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288941; rev:1;)
alert tcp $HOME_NET any -> [117.18.7.76] 3782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0998491.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"93.123.39.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288947; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.104] 28744 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288946; rev:1;)
# The only rule in this block below confidence 100 (75).
alert tcp $HOME_NET any -> [193.109.120.223] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91288945; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288944; rev:1;)

# url and domain rule for one ngrok.app host name.
# NOTE(review): looks like a tunnel-service subdomain; only this exact label matches, and such
# names may be short-lived or reassigned - confirm against the IOC record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"4628eea2b0b6.ngrok.app"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4628eea2b0b6.ngrok.app"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288943; rev:1;)

# Entries with first_seen 2024_06_25 start here.
alert tcp $HOME_NET any -> [154.26.192.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288937; rev:1;)
alert tcp $HOME_NET any -> [78.24.217.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swemei.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"swemei.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288934; rev:1;)
alert tcp $HOME_NET any -> [43.136.96.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288933; rev:1;)
# NOTE(review): the tencentapigw.com.cn name below looks like a provider-assigned API-gateway
# host; the match is on this exact name only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-c394iukq-1327454768.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288932; rev:1;)
# The rule below is unterminated on this line; its remaining options presumably follow on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"service-c394iukq-1327454768.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1288931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288931; rev:1;)
# (The line above is the tail of a rule that starts earlier in the file.)
#
# DNS-query rules. Each one alerts when a host in $HOME_NET asks for the listed
# name: depth equals the pattern length, so the match must start at the first
# byte of the query name, and isdataat:!1,relative allows no bytes after it.
# nocase makes the comparison case-insensitive.
# Because the match is exact, a query for a subdomain of a listed name does not
# fire these rules; add a separate suffix rule if that coverage is wanted.
# Only DNS that Suricata can parse on the wire is inspected, so resolution over
# an encrypted resolver channel is outside what these rules can see.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spitechallengddwlsv.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voyagedprivillywk.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fiondationkvowos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"surprisedscaledowp.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288910; rev:1;)
# The next name sits under duckdns.org, a dynamic-DNS zone: only this one
# hostname is matched, and the address behind it can change without the rule
# noticing. The rule continues on the following line of the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoproject.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288887/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_25; classtype:trojan-activity; sid:91288887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 42975 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singerreasonnbasldd.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288909; rev:1;) alert tcp $HOME_NET any -> [46.0.47.77] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"voper.onthewifi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"varitycookypowerw.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288916; rev:1;) alert tcp $HOME_NET any -> [128.90.128.88] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288907; rev:1;) alert tcp $HOME_NET any -> [108.174.200.80] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288906; rev:1;) alert tcp $HOME_NET any -> [46.246.12.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288905; rev:1;) alert tcp $HOME_NET any -> [45.66.231.69] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288904; rev:1;) alert tcp $HOME_NET any -> [159.223.31.192] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288903; rev:1;) alert tcp $HOME_NET any -> [62.72.57.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; 
sid:91288902; rev:1;) alert tcp $HOME_NET any -> [91.202.233.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288901; rev:1;) alert tcp $HOME_NET any -> [139.159.144.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288900; rev:1;) alert tcp $HOME_NET any -> [206.238.42.216] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288899; rev:1;) alert tcp $HOME_NET any -> [171.80.249.15] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288898; rev:1;) alert tcp $HOME_NET any -> [39.40.129.100] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288897; rev:1;) alert tcp $HOME_NET any -> [70.31.125.13] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288895; rev:1;)
# (The line above is the tail of a rule that starts earlier in the file.)
#
# ip:port rules. The header is the whole match: there is no flow, flags or
# content keyword, so any TCP packet from $HOME_NET to the listed address and
# port raises the alert, including a connection attempt that is never answered.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds for each rule.
# target:src_ip marks the internal source as the affected host in the event.
# Most rules in this group carry confidence_level 50: treat a hit as a lead and
# corroborate it with flow volume, endpoint telemetry or a second indicator
# before escalating. first_seen shows the listing date; an address can be
# reassigned after that date, so age the rules out on a schedule.
alert tcp $HOME_NET any -> [70.31.125.13] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288896; rev:1;)
# Destination port 445 is SMB. Outbound SMB from $HOME_NET to an external
# address is worth blocking at the egress filter independently of this
# indicator, since it can expose authentication material to the remote side.
alert tcp $HOME_NET any -> [3.104.43.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288894; rev:1;)
# Port 443 rules match on address and port only; the TLS session itself is not
# examined, so any service reachable on the same address and port also alerts.
alert tcp $HOME_NET any -> [34.163.119.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288893; rev:1;)
alert tcp $HOME_NET any -> [92.116.88.156] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288892; rev:1;)
# This entry is listed at confidence_level 100, unlike the ones above.
alert tcp $HOME_NET any -> [46.226.167.14] 10859 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288889; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linephpgeoupdateprocessgeneratoruniversaldleprivate.php"; depth:56; nocase; http.host; content:"abort.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288888; rev:1;) alert tcp $HOME_NET any -> [196.217.71.18] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288634; rev:1;) alert tcp $HOME_NET any -> [93.190.8.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bheuiyo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288631; rev:1;) alert tcp $HOME_NET any -> [177.255.84.124] 4041 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288630; rev:1;) alert tcp $HOME_NET any -> [85.28.47.7] 17210 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"jonmesserartwork.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jonmesserartwork.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jonmesserartwork.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288627; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"jonmesserartwork.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288628; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 42900 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288624; rev:1;) alert tcp $HOME_NET any -> [194.55.186.121] 1313 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288620; rev:1;) alert tcp $HOME_NET any -> [45.143.94.2] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288621; rev:1;) alert tcp $HOME_NET any -> [204.10.160.230] 7983 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288623; rev:1;) alert tcp $HOME_NET any -> [213.227.129.32] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"divyjai2.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sssteell-com.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"divyjai2.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288608; rev:1;) alert tcp $HOME_NET any -> [31.192.235.101] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288614; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 29565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288616; rev:1;)
# (The line above is the tail of a rule that starts earlier in the file.)
#
# The two DNS rules below match the query name exactly (depth = pattern length,
# isdataat:!1,relative, nocase); other hostnames under ply.gg do not match.
# They are interleaved with ip:port rules for 147.185.221.20, an address this
# file lists under several destination ports (42975, 42900, 29565 and 38826),
# one rule per port.
# NOTE(review): that pattern looks like a shared tunnelling endpoint where the
# port selects the tenant - confirm. If so, the address alone is not an
# indicator; only the address-and-port pairs listed are, and they should not be
# widened to a whole-IP block without checking for legitimate use.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"known-girls.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288617; rev:1;)
# Header-only match: any TCP packet from $HOME_NET to this address and port
# alerts, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [147.185.221.20] 38826 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"park-curve.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288619; rev:1;)
# 82.157.137.77 is covered twice: by this ip:port rule for port 443 and by the
# URL rule that follows, which needs a cleartext GET for "/dot.gif" with this
# address as Host. The URL rule inspects only traffic decoded as HTTP, so a TLS
# session to port 443 is reported by the ip:port rule alone.
alert tcp $HOME_NET any -> [82.157.137.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288613; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"82.157.137.77"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1288612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288612; rev:1;) alert tcp $HOME_NET any -> [209.97.145.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securenetwork.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gopher.xml"; depth:11; nocase; http.host; content:"securenetwork.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kedu/fre.php"; depth:13; nocase; http.host; content:"sssteell-com.pro"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288605; rev:1;)
# (The line above is the tail of a rule that starts earlier in the file.)
#
# URL rules. Each one needs an established client-to-server flow, a GET
# request, a URI that starts with the listed path (case-insensitive) and a Host
# value equal to the listed name or address: depth equal to the pattern length
# pins the match to the start of the buffer, and isdataat:!1,relative on the
# Host pattern allows no trailing bytes.
# The URI pattern has no end anchor, so a longer path or an appended query
# string still matches. With prefixes as short as "/ca" and "/cx", the exact
# Host condition is what keeps these rules specific; do not reuse the URI part
# on its own as a hunting query.
# Only traffic Suricata decodes as HTTP is inspected. The same request carried
# inside TLS is not visible to these rules unless the sensor sees decrypted
# traffic.
# NOTE(review): confirm how the deployed Suricata version fills http.host when
# the Host header carries an explicit port; the exact-length match would miss a
# value with extra bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"110.41.134.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"192.227.234.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288602; rev:1;)
# Host here is a hostname rather than an address; only this exact 50-byte name
# is matched, not other names under the same parent zone. The rule continues on
# the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-4iisjdnk-1314135568.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288601/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.139.107.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.238.48.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288596; rev:1;)
# (The line above is the tail of a rule that starts earlier in the file.)
#
# URL rules: established client-to-server flow, GET request, URI beginning with
# the listed path (depth = pattern length, nocase, no end anchor) and Host equal
# to the listed address (depth = pattern length plus isdataat:!1,relative).
# The first rule below keeps only a two-byte URI prefix, "/s", so every GET to
# that Host whose path starts with "/s" alerts. That is acceptable while the
# address serves nothing else; if the address is reassigned the rule becomes a
# match on the Host alone, so review it against first_seen when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; nocase; http.host; content:"194.233.88.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/en-us/lang.js"; depth:26; nocase; http.host; content:"8.137.121.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288594; rev:1;)
# Host 43.138.30.109 appears in three URL rules in this file ("/load", "/cm"
# and "/g.pixel"), each with its own sid; expect one alert per distinct path
# requested, with no rate limit, since URL rules carry no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288593; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; 
nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filomeranta.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"divyjai2.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"loskawist.pics"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288587/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"tristgodfert.com"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288588/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288588; rev:1;) alert tcp $HOME_NET any -> [203.161.50.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"203.161.50.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288585; rev:1;) alert tcp $HOME_NET any -> [116.114.20.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288583; rev:1;) alert tcp $HOME_NET any -> [47.108.136.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1288582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.136.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"117.50.179.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288580; rev:1;) alert tcp $HOME_NET any -> [136.244.76.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"136.244.76.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288578; rev:1;) alert tcp $HOME_NET any -> [47.108.136.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288577; rev:1;)
# URL rule: a GET request whose URI starts with "/search/" (depth equals the pattern
# length and nothing anchors the end, so longer URIs match too) and whose Host is
# exactly "47.108.136.59" (depth plus isdataat:!1,relative).
# NOTE(review): sid:91288581 earlier in this file has the same method/URI/Host conditions,
# so one request raises both alerts; the two differ only in the ThreatFox IOC id they
# reference. Deduplicate downstream if the double alert is noise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.136.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288576; rev:1;)
# Same shape as the rule above: GET, URI prefix "/g.pixel", Host exactly "81.70.190.25".
# Only GET is matched; other methods to the same host and path do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"81.70.190.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288575; rev:1;)
# Domain rule: dns_query must equal the listed name exactly (depth 29 is the pattern
# length and isdataat:!1,relative rejects anything after it; nocase ignores case).
# The name is a single hostname under cloudfront.net, a shared CDN domain; no other
# name under that domain is matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1m4ettuq4ezj0.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288574; rev:1;)
# URL rule for the same hostname as the DNS rule above. An `alert http` rule only sees
# HTTP the sensor can parse, so a request made over TLS does not reach it unless traffic
# is decrypted upstream; in that case the DNS rule is the only signal from this pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d1m4ettuq4ezj0.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288573/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288573; rev:1;) alert tcp $HOME_NET any -> [116.114.20.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288571; rev:1;) alert tcp $HOME_NET any -> [47.120.61.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.120.61.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"apistudio.xyz"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1288567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apistudio.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288568; rev:1;) alert tcp $HOME_NET any -> [203.161.50.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"203.161.50.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; 
nocase; http.host; content:"220.249.191.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.97.96.79"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288562; rev:1;) alert tcp $HOME_NET any -> [94.156.68.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288561; rev:1;) alert tcp $HOME_NET any -> [91.92.242.80] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.colorinkbook.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288536; rev:1;) alert tcp $HOME_NET any -> [77.91.77.81] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288556; rev:1;) alert tcp $HOME_NET any -> [185.172.128.116] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.crappel.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199707802586"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288553; rev:1;)
# The rule ending above (sid:91288553) and the next one (sid:91288552) name hosts that
# are legitimate, widely used platforms; each rule pins one path on that host.
# The Host is compared exactly (depth plus isdataat:!1,relative), but the URI is a prefix
# match: depth equals the pattern length and nothing anchors the end, so any longer
# path that begins with the same string also alerts.
# Both are `alert http` rules, so they only see requests the sensor can parse as HTTP;
# a request sent over TLS does not reach them unless traffic is decrypted upstream.
# NOTE(review): presumably these pages are read by the malware rather than hosted by it -
# confirm against the referenced ThreatFox entries before blocking the host as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g067n"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288552; rev:1;)
# ip:port rules: the header is the whole match. There is no content or flow keyword, so
# any TCP packet from $HOME_NET to the listed address and port alerts, whether or not a
# session is established. threshold limits output to one alert per source per 60 seconds.
# target:src_ip marks the internal host as the target of the alert.
alert tcp $HOME_NET any -> [49.13.33.235] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288550; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.170] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288551; rev:1;)
# confidence_level 50: the feed rates this indicator lower than the rules above. The
# value is also in the metadata field, so alert routing can key on it instead of
# parsing the msg text.
alert tcp $HOME_NET any -> [104.238.179.144] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288549; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.22] 8088 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288548; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288547; rev:1;) alert tcp $HOME_NET any -> [45.88.186.63] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288546; rev:1;) alert tcp $HOME_NET any -> [94.156.8.54] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288545; rev:1;) alert tcp $HOME_NET any -> [5.42.105.59] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288544; rev:1;) alert tcp $HOME_NET any -> [194.62.157.160] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; 
classtype:trojan-activity; sid:91288543; rev:1;) alert tcp $HOME_NET any -> [198.50.167.20] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288542; rev:1;) alert tcp $HOME_NET any -> [139.162.46.102] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288541; rev:1;) alert tcp $HOME_NET any -> [46.246.86.6] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288540; rev:1;) alert tcp $HOME_NET any -> [20.19.32.238] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288539; rev:1;) alert tcp $HOME_NET any -> [189.140.26.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288538; rev:1;) alert tcp $HOME_NET any -> [85.215.215.94] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1288537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288537; rev:1;) alert tcp $HOME_NET any -> [91.92.241.139] 56400 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic4uploads/basetestto/protonpoll/externaltojavascriptflowerasynctraffic.php"; depth:81; nocase; http.host; content:"94.228.166.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288534; rev:1;) alert tcp $HOME_NET any -> [60.205.132.75] 13155 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/subject-verb-agreement-example-sentences/"; depth:42; nocase; http.host; content:"safarcranes.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"gg.jjkk567.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.nnmm234.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.aass654.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.vvbb321.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.xxcc789.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoproject.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1288514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"upwork999.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.cichaz.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rightwaycleaninginc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288507; rev:1;) alert tcp $HOME_NET any -> [4.184.236.127] 1110 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288510; rev:1;) alert tcp $HOME_NET any -> [195.2.75.12] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288482; rev:1;)
# URL rule: GET, URI starting with "/engr/mail.php" (prefix match - depth equals the
# pattern length, no end anchor), Host exactly "velocityfundpartners.com".
# In the rules shown here the sid is the ThreatFox IOC id with a leading 9
# (sid:91288499 <-> ioc/1288499), which gives a direct pivot from an alert to the IOC page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/engr/mail.php"; depth:14; nocase; http.host; content:"velocityfundpartners.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288499; rev:1;)
# URL rule and, below it, the DNS rule for the same host name. A client that resolves
# the name and then requests the path over cleartext HTTP raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p1dd/"; depth:6; nocase; http.host; content:"www.778981.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288291; rev:1;)
# Domain rules match the full query name only: depth equals the pattern length and
# isdataat:!1,relative rejects trailing data, so "www.778981.com" and "778981.com" each
# need a rule of their own, and any other subdomain of the listed name does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.778981.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"778981.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288293; rev:1;)
# confidence_level 85 for this rule; the value appears in both msg and metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"finjuiceer.com"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288294/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"jucemaster.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288295/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"meakdgahup.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288296/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"moprewaldon.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288297/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"oswalfeen.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288298/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"speedohasti.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288299/; target:src_ip; metadata: confidence_level 85, first_seen 
2024_06_25; classtype:trojan-activity; sid:91288299; rev:1;) alert tcp $HOME_NET any -> [79.110.49.209] 37552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288532; rev:1;) alert tcp $HOME_NET any -> [185.222.58.234] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288531; rev:1;) alert tcp $HOME_NET any -> [78.47.64.127] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288530; rev:1;) alert tcp $HOME_NET any -> [35.205.161.130] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288529; rev:1;) alert tcp $HOME_NET any -> [34.125.60.23] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288528; rev:1;) alert tcp $HOME_NET any -> [35.240.15.226] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288527; rev:1;) alert tcp $HOME_NET any -> [34.83.149.74] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288526; rev:1;) alert tcp $HOME_NET any -> [105.156.33.223] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58fade9f.php"; depth:13; nocase; http.host; content:"a0997287.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d0fcab2e.php"; depth:13; nocase; http.host; content:"a0998803.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/920475a59bac849d.php"; depth:21; nocase; http.host; content:"85.28.47.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/91d0d159.php"; depth:13; nocase; http.host; content:"a0997235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288513; rev:1;) alert tcp $HOME_NET any -> [104.243.242.163] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faefed89.php"; depth:13; nocase; http.host; content:"a0997718.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/912f0a1e.php"; depth:13; nocase; http.host; content:"a0996277.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; 
classtype:trojan-activity; sid:91288508; rev:1;)
# ip:port indicators: these rules carry no flow or content keywords, so any TCP
# packet from $HOME_NET to the listed address and port matches. The threshold
# caps alerts at one per source host per 60 seconds.
alert tcp $HOME_NET any -> [185.222.58.79] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288506; rev:1;)
alert tcp $HOME_NET any -> [123.57.143.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288505; rev:1;)
# URL indicator: the http.host pattern is pinned to the whole buffer (depth equal
# to the pattern length, then isdataat:!1,relative). The http.uri pattern is only
# anchored at the start, so any URI beginning with this path matches. Only GET
# requests are inspected, and an `alert http` rule needs the sensor to see the
# request as cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"mcrkqm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288503; rev:1;)
# Domain indicator: depth plus isdataat:!1,relative make this a case-insensitive
# exact match on the queried name; a lookup for a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcrkqm.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288504; rev:1;)
# The queried name is a single host under ngrok-free.app, a tunnelling-service
# domain shared by unrelated users; the exact-match anchoring keeps the rule on
# this one hostname. NOTE(review): such hostnames may be reassigned over time;
# check the alert date against first_seen during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clever-steadily-duckling.ngrok-free.app"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288501; 
rev:1;) alert tcp $HOME_NET any -> [94.156.69.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"clever-steadily-duckling.ngrok-free.app"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288500; rev:1;) alert tcp $HOME_NET any -> [45.88.186.63] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288498; rev:1;) alert tcp $HOME_NET any -> [45.88.186.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288497; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288495; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288496; rev:1;) alert tcp $HOME_NET any -> [104.41.153.168] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288494; rev:1;) alert tcp $HOME_NET any -> [47.243.38.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288493; rev:1;) alert tcp $HOME_NET any -> [219.157.181.89] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288492; rev:1;) alert tcp $HOME_NET any -> [122.51.52.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288491; rev:1;) alert tcp $HOME_NET any -> [47.237.10.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; 
classtype:trojan-activity; sid:91288490; rev:1;)
# The rules on this line are ip:port indicators published at confidence_level 50.
# They match any TCP packet from $HOME_NET to the address and port, with no
# protocol or payload condition, so an alert is a lead to corroborate with host
# and flow data rather than a confirmation.
# NOTE(review): address ownership may have changed since first_seen; verify.
alert tcp $HOME_NET any -> [94.49.199.199] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288489; rev:1;)
alert tcp $HOME_NET any -> [154.247.10.179] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288488; rev:1;)
# Destination port 445 is SMB. Outbound SMB from $HOME_NET to an external address
# is worth reviewing regardless of this indicator, because it can expose NTLM
# authentication; blocking 445 at egress is the usual mitigation.
alert tcp $HOME_NET any -> [172.104.79.95] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288487; rev:1;)
alert tcp $HOME_NET any -> [47.94.110.53] 9999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288486; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.46] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288485; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20078 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288484; rev:1;) alert tcp $HOME_NET any -> [111.12.212.218] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0997452.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"qeqei.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"movlat.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"llcbc.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288301/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"lindex24.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288300; rev:1;) alert tcp $HOME_NET any -> [4.233.218.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a549f96.php"; depth:13; nocase; http.host; content:"a0990904.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288290; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288286; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieatpoop.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"intensedefense300.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"intensedefense300.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"intensedefense300.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288253; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"intensedefense300.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"bynx.store"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"myoptimasunlab.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"myoptimasunlab.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; 
content:"myoptimasunlab.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"myoptimasunlab.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swiftandfast.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288264; rev:1;) alert tcp $HOME_NET any -> [202.61.136.158] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redroseproject.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288274; rev:1;) alert tcp $HOME_NET any -> [160.20.109.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1288275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288275; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"filomeranta.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"kalopvard.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.pics"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.shop"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1288283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288283; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288277; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"test-1627838.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288281; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288279; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288280; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0997464.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288272; rev:1;) alert tcp $HOME_NET any -> [52.144.47.245] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288271; rev:1;) alert tcp $HOME_NET any -> [49.235.118.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.biliblli.team"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288267; rev:1;) alert tcp 
$HOME_NET any -> [47.122.5.2] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.biliblli.team"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0996803.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288265; rev:1;) alert tcp $HOME_NET any -> [147.45.47.127] 32372 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vkdnawxjs"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288258/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288258; rev:1;)
# The http.uri pattern "/" with depth:1 matches every request path, so this rule
# fires on any GET whose http.host buffer is exactly 5.42.72.36. It overlaps the
# ip:port rule sid:91288256 below, so one request to port 80 can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.72.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288257; rev:1;)
# ip:port indicator: no flow or content keywords, so any TCP packet to this
# address and port matches; the threshold limits alerts to one per source per 60 s.
alert tcp $HOME_NET any -> [5.42.72.36] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288256; rev:1;)
# URL indicators: the host is matched exactly, the URI as a prefix (depth only,
# no end anchor), and only GET requests are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288250; rev:1;)
# Same match conditions as sid:91288242 (/googleapis/33 on host 8.222.156.244),
# published under a different ThreatFox IOC id; a matching request raises both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapis/33"; depth:14; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; 
nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288248; rev:1;)
# Payload-delivery URL on mdasidy72.lol. The same name has a DNS rule
# (sid:91288236), and the sibling names mdasidy72.pics and mdasidy72.shop appear
# as DNS-only indicators (sid:91288282, sid:91288283); correlate these alerts
# per source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"mdasidy72.lol"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288244; rev:1;)
# ip:port indicator at confidence_level 75: matches any TCP packet to this
# address and port; the threshold limits alerts to one per source per 60 s.
alert tcp $HOME_NET any -> [5.59.248.211] 2700 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288237; rev:1;)
# Same match conditions as sid:91288248 above (/ptj on host 134.122.75.115),
# published under a different ThreatFox IOC id; a matching request raises both
# alerts, so deduplicate on host and URI when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288247; rev:1;)
# The URI pattern is a prefix match (depth:6, no end anchor), so "/pixel" also
# covers longer paths on this host, such as "/pixel.gif".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"192.227.234.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"188.166.210.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288245; rev:1;)
# How the "url" rules below match: the http.uri content has depth equal to its own
# length and no end anchor, so it matches any GET whose URI BEGINS with the listed path.
# The http.host content adds isdataat:!1,relative, which makes the host an exact match.
# target:src_ip marks the $HOME_NET host as the target of the event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapis/33"; depth:14; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapis/33"; depth:14; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"185.243.242.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288240; rev:1;)
# "ip:port" rules carry no flow or payload options: any TCP packet from $HOME_NET to the
# listed address and port matches, so an alert shows a connection attempt rather than a
# decoded C2 exchange. The threshold keeps this to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [84.38.135.9] 64468 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288239; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.102] 7711 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288238/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288238; rev:1;)
# "domain" rules: depth equal to the name length plus isdataat:!1,relative gives an
# exact, case-insensitive match on the queried name; a query for a subdomain of the
# listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.lol"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cea9a149.php"; depth:13; nocase; http.host; content:"a0997564.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pl341/index.php"; depth:16; nocase; http.host; content:"hqt3.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.122.5.2"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288233; rev:1;)
alert tcp $HOME_NET any -> [192.3.243.155] 7643 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53c8478e.php"; depth:13; nocase; http.host; content:"a0997029.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288231; rev:1;)
alert tcp $HOME_NET any -> [88.168.211.65] 6522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.chunjack.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288218; rev:1;)
alert tcp $HOME_NET any -> [23.94.203.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-q3mcrtfk-1321877838.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288229; rev:1;)
# 8.137.121.171 is listed three ways below: ip:port 80, ip:port 443, and two url rules
# keyed on the same address as the Host value. One cleartext HTTP session to port 80 can
# therefore raise both an ip:port alert and a url alert.
alert tcp $HOME_NET any -> [8.137.121.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/font/font-awesome.font"; depth:30; nocase; http.host; content:"8.137.121.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288227; rev:1;)
alert tcp $HOME_NET any -> [8.137.121.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/js/jsencrypt.min.js"; depth:27; nocase; http.host; content:"8.137.121.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288225; rev:1;)
# NOTE(review): sid 91288224 and sid 91288223 differ only in sid and reference, so one
# matching request raises two alerts. Presumably two feed entries map to the same
# URI/host pair; check the two references before suppressing either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.130.32.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.130.32.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288222; rev:1;)
alert tcp $HOME_NET any -> [101.33.227.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.33.227.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.200.120.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.223.9.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288214; rev:1;)
alert tcp $HOME_NET any -> [116.203.14.27] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288208; rev:1;)
alert tcp $HOME_NET any -> [116.203.14.27] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288209; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288210; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.229] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288211; rev:1;)
alert tcp $HOME_NET any -> [49.13.227.249] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guillerme.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sosimo.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antiochus.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aibek.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paulu.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aramazd.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288206; rev:1;)
alert tcp $HOME_NET any -> [116.203.13.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288207; rev:1;)
# The url rules from here to sid 91288188 use the URI prefix "/" (depth:1), so any GET
# whose URI begins with "/" matches; the exact http.host value is the only discriminator.
# NOTE(review): sid 91288199/91288198 and sid 91288197/91288196 are pairs that differ only
# in sid and reference; each pair raises two alerts for one matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.227.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aramazd.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"paulu.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aibek.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"antiochus.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sosimo.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"guillerme.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"downloaddining.rest"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288017; rev:1;)
alert tcp $HOME_NET any -> [150.158.13.117] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/enc"; depth:7; nocase; http.host; content:"downloaddining.rest"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288016; rev:1;)
alert tcp $HOME_NET any -> [35.204.170.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288143/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288143; rev:1;)
alert tcp $HOME_NET any -> [96.126.96.104] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288144; 
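rev:1;)
# "ip:port" rules carry no flow or payload options: any TCP packet from $HOME_NET to the
# listed address and port matches, and the threshold limits output to one alert per
# source per 60 seconds.
alert tcp $HOME_NET any -> [201.68.131.71] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288145; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 19145 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288149/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288149; rev:1;)
# "url" rules: the http.uri content is a prefix match (depth equals its length, no end
# anchor); the http.host content is exact because of isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/blue"; depth:8; nocase; http.host; content:"downloaddining.rest"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288153; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 38311 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288158; rev:1;)
# NOTE(review): as published, sid 91288159 and sid 91288160 matched the address inside the
# http.uri buffer (content:"78.47.205.62"; depth:12 / content:"95.216.142.162"; depth:14)
# and had no http.host match. A request URI normally begins with "/", so that form would
# rarely if ever fire. Both are rewritten in the form this feed uses for other bare-host
# entries (e.g. sid 91288200): URI prefix "/" plus an exact http.host match.
# Presumably the source entries are URLs without a path; confirm against the references.
# This is a local change to generated rules (sid and rev left as published) and a feed
# refresh will overwrite it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.205.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.142.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288160; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.ccga.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288167; rev:1;)
alert tcp $HOME_NET any -> [85.28.47.7] 1757 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288187; rev:1;)
# confidence_level 50 is the feed's own rating. These rules match on address and port
# only, so corroborate a hit with host or proxy telemetry before treating it as confirmed.
alert tcp $HOME_NET any -> [209.145.56.0] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288186; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.22] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 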
count 1; reference:url, threatfox.abuse.ch/ioc/1288185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288185; rev:1;)
# "ip:port" rules carry no flow or payload options: any TCP packet from $HOME_NET to the
# listed address and port matches, so an alert shows a connection attempt rather than a
# decoded C2 exchange. The threshold limits output to one alert per source per 60 seconds.
# confidence_level is the feed's own rating; corroborate the 50% entries below with host
# or proxy telemetry before treating a hit as confirmed.
alert tcp $HOME_NET any -> [193.26.115.22] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288184; rev:1;)
alert tcp $HOME_NET any -> [194.62.157.160] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288183; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.54] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288182; rev:1;)
alert tcp $HOME_NET any -> [138.201.113.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288181; rev:1;)
alert tcp $HOME_NET any -> [49.113.77.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288180; rev:1;)
alert tcp $HOME_NET any -> [103.116.245.65] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288179; rev:1;)
alert tcp $HOME_NET any -> [49.113.72.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288178; rev:1;)
alert tcp $HOME_NET any -> [101.43.23.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288177; rev:1;)
alert tcp $HOME_NET any -> [119.152.6.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288176; rev:1;)
alert tcp $HOME_NET any -> [125.74.19.26] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288175; rev:1;)
alert tcp $HOME_NET any -> [16.16.66.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288174; rev:1;)
alert tcp $HOME_NET any -> [162.55.189.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288173; rev:1;)
alert tcp $HOME_NET any -> [4.145.106.87] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288172; rev:1;)
alert tcp $HOME_NET any -> [4.145.106.87] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288171; rev:1;)
# "url" rules: the http.uri content has depth equal to its own length and no end anchor,
# so it matches any GET whose URI BEGINS with the listed path. The http.host content adds
# isdataat:!1,relative, which makes the host an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/083b111c.php"; depth:13; nocase; http.host; content:"cl14041.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4474e3be.php"; depth:13; nocase; http.host; content:"a0997621.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288169; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.70] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288168; rev:1;)
alert tcp $HOME_NET any -> [41.249.244.52] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288165; rev:1;)
alert tcp $HOME_NET any -> [39.100.74.192] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_24; classtype:trojan-activity; sid:91288164; rev:1;)
alert tcp $HOME_NET any -> [47.116.216.157] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_24; classtype:trojan-activity; sid:91288163; rev:1;)
alert tcp $HOME_NET any -> [43.138.23.98] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_24; classtype:trojan-activity; sid:91288162; rev:1;)
# From sid 91288157 down, the metadata first_seen value is 2024_06_23.
alert tcp $HOME_NET any -> [18.192.31.165] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288157; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288156; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288155; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288154; rev:1;)
alert tcp $HOME_NET any -> [195.54.160.237] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288151; rev:1;)
alert tcp $HOME_NET any -> [104.129.20.229] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288152; rev:1;)
alert tcp $HOME_NET any -> [87.121.61.197] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288150/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288150; rev:1;)
alert tcp $HOME_NET any -> [34.83.210.13] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91288148; rev:1;)
alert tcp $HOME_NET any -> [31.128.42.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91288147; rev:1;)
alert tcp $HOME_NET any -> [51.211.209.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91288146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f9d90a8.php"; depth:13; nocase; http.host; content:"a0995880.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288141; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.168] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288140/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288140; rev:1;)
# The "/ca" rules below use a three-byte URI prefix, so the exact http.host value is the
# main discriminator. 124.223.15.17 is also listed as an ip:port entry on 443.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288139; rev:1;)
alert tcp $HOME_NET any -> [124.223.15.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.223.15.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"485006.prohoster.biz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288136; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288132; rev:1;) alert tcp $HOME_NET any -> [94.156.65.2] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288015; rev:1;) alert tcp $HOME_NET any -> [47.96.174.24] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288014; rev:1;) alert tcp $HOME_NET any -> [119.29.227.204] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288013/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288013; rev:1;) alert tcp $HOME_NET any -> [207.246.79.58] 4443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288012/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0996330.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288011; rev:1;) alert tcp $HOME_NET any -> [212.73.150.194] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288010/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_23; 
classtype:trojan-activity; sid:91288010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"113.125.179.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288009; rev:1;) alert tcp $HOME_NET any -> [172.93.189.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.93.189.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"121.37.206.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288006; rev:1;) alert tcp $HOME_NET any -> [193.149.176.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atlasanimationstudios.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/v5.29/a1jx1z0kt4"; depth:22; nocase; http.host; content:"atlasanimationstudios.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"188.166.210.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288002; rev:1;) alert tcp $HOME_NET any -> [128.140.1.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"128.140.1.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.e-enroll-benefits.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287998; rev:1;) alert tcp $HOME_NET any -> [3.85.36.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.e-enroll-benefits.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.217.137.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287996; 
rev:1;)
# ip:port rule shape: the rule header alone selects the traffic (TCP from
# $HOME_NET to one address and one port). There is no flow or content keyword,
# so any matching packet can raise the alert, including a connection attempt
# that is never answered; treat a hit as "host tried to reach this endpoint",
# not as proof of an established C2 session.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source address per 60 seconds for this sid.
# metadata carries first_seen only; nothing in the rule expires it, so an
# address that has since been reassigned keeps alerting until the feed drops it.
# NOTE(review): this address appears again below with a different port and a
# different family label, next to two *.gl.at.ply.gg names. That pattern
# suggests shared tunnel or relay infrastructure rather than a dedicated
# server; confirm before using the address alone for blocking.
alert tcp $HOME_NET any -> [147.185.221.20] 38177 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287960; rev:1;)
# domain rule shape: dns_query with depth equal to the name length plus
# isdataat:!1,relative pins the query to exactly this name (nocase makes the
# comparison case-insensitive). Longer names that merely end in this string do
# not match, so each hostname needs its own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"care-somewhere.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287961; rev:1;)
# Same destination address as sid 91287960, different port, lower confidence.
alert tcp $HOME_NET any -> [147.185.221.20] 38713 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"delivery-cookie.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287989; rev:1;)
# This is a tcp rule on port 53, so it only sees TCP traffic to that address;
# DNS carried over UDP to the same address is outside this rule.
# NOTE(review): if this C2 is reached through DNS queries, detection would
# rest on the dns_query rules for the associated names - verify that coverage.
alert tcp $HOME_NET any -> [101.33.197.178] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ns1.norincogroup.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.norincogroup.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.norincogroup.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287992; rev:1;) alert tcp $HOME_NET any -> [185.243.242.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.243.242.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llcbc.org"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movlat.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qeqei.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facilitycoursedw.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doughtdrillyksow.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disappointcredisotw.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287982/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bargainnygroandjwk.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"injurypiggyoewirog.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leafcalfconflcitw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"computerexcudesp.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"publicitycharetew.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287987; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lindex24.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"jkbs168.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.138.150.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-2rawgstq-1306320113.gz.apigw.tencentcs.com"; 
depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2rawgstq-1306320113.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287972; rev:1;) alert tcp $HOME_NET any -> [120.25.190.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.25.190.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.137.76.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287968; rev:1;) alert tcp $HOME_NET any -> [121.37.156.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287967; rev:1;)
# url rule shape: a GET from the client on an established flow, where
#   - http.uri must begin with the listed path (depth = path length, nocase,
#     no end anchor, so longer URIs sharing this prefix also match), and
#   - http.host must equal the listed host exactly (depth = host length plus
#     isdataat:!1,relative).
# The msg of url rules carries no malware family; use the reference URL to
# look up the ThreatFox entry when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.37.156.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287966; rev:1;)
# domain rule shape: depth equal to the name length plus isdataat:!1,relative
# makes this an exact match on the query name. A query for a subdomain does
# not match this parent-domain rule, which is why bins.pty.su has its own
# rule directly below.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pty.su"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bins.pty.su"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287965; rev:1;)
# NOTE(review): unlike the other url rules in this file, this one has no
# http.host match and instead anchors an IP address at the start of http.uri.
# A request URI normally begins with "/", so this rule probably does not fire
# on ordinary requests to that host; it looks as if the source IOC was a URL
# without a path. Confirm against the ThreatFox entry; a host indicator would
# normally be matched in http.host, as in sid 91287966 above. The rule that
# starts on the next line appears to have the same shape.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"152.89.244.142"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1287963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"pty.su"; depth:6; nocase; reference:url, threatfox.abuse.ch/ioc/1287962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287962; rev:1;) alert tcp $HOME_NET any -> [88.119.175.231] 333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287959; rev:1;) alert tcp $HOME_NET any -> [154.12.229.73] 1995 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287958; rev:1;) alert tcp $HOME_NET any -> [47.129.39.120] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287957; rev:1;) alert tcp $HOME_NET any -> [172.99.189.221] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287956; rev:1;) alert tcp $HOME_NET any -> [124.223.15.41] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287955; rev:1;) alert tcp $HOME_NET any -> 
[46.246.84.4] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287954; rev:1;)
# The line above is the tail of a rule whose header lies before this section;
# it is kept exactly as found. From here on each rule sits on its own line.
#
# Three generated rule shapes appear in this section:
#   ip:port  "alert tcp $HOME_NET any -> [IP] PORT" with no flow or content
#            keyword, so any TCP packet from $HOME_NET to that address and
#            port matches, including a connection attempt that never
#            completes. "threshold: type limit, track by_src, seconds 60,
#            count 1" caps output at one alert per source per 60 seconds
#            for each rule.
#   url      client side of an established flow; http.method must contain
#            "GET"; http.uri must start with the listed path (depth equals
#            the path length, no end anchor, nocase); http.host must equal
#            the listed host (depth equals its length, plus
#            isdataat:!1,relative).
#   domain   dns_query must equal the listed name, case-insensitively
#            (depth equals its length, plus isdataat:!1,relative); a query
#            for a subdomain of the name does not match.
# In every rule the sid is the ThreatFox IOC id from the reference URL with a
# leading 9, which lets an alert be traced back to its IOC page.
# All rules are "alert" only and set target:src_ip, i.e. the $HOME_NET host is
# recorded as the affected side.
# NOTE(review): url rules only cover GET requests that Suricata parses as
# HTTP; a POST to the same host and path will not fire, and presumably neither
# will the same host reached over TLS - confirm and pair with the domain rule
# where one exists.
# NOTE(review): ip:port rules carry no payload condition. For the entries at
# confidence 50-75, check whether the address is shared hosting or has been
# reassigned since first_seen before acting on a hit - TODO confirm per IOC.
alert tcp $HOME_NET any -> [50.35.129.110] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287953; rev:1;)
alert tcp $HOME_NET any -> [69.115.197.2] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287952; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20076 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287951; rev:1;)
alert tcp $HOME_NET any -> [217.79.255.137] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287950; rev:1;)
alert tcp $HOME_NET any -> [80.78.25.152] 42753 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc575d96.php"; depth:13; nocase; http.host; content:"a0997172.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287948; rev:1;)
# The following 17 url rules (confidence 80) use only two URI prefixes,
# "/yjnlm2zhmjlhnjni/" and "/ytkzzjfhnde3ymrm/", each tied to a different
# exact host name.
# NOTE(review): because every rule also pins http.host, a new host serving the
# same prefix is not covered; a local host-independent rule on the two
# prefixes may be worth evaluating for false positives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"aglayancivciv3.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"benyemekyememihtiyar2.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"aciktimlanb3en51.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"kebapyokmulaaan51.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"sinirlicivciv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"sirma5sodaas.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"bardaktakolakeyf34.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"cehennemiyasiyoz251.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"gurcistanlicruel331144.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"benkolaicmemihtiyar51.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"mutlucivciv25.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"basgaan24.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"hayatsuic24.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"sirmasokahojdurloo34.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"sirmaicinmutluolun.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"bibertursusu3424.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"selambasgann2.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287889; rev:1;)
# NOTE(review): the portmap.host name here and the ply.gg name further down
# look like tunnelling-service hostnames. Presumably some of the neighbouring
# NjRAT ip:port entries are relay addresses shared with unrelated users of
# such services - treat a bare ip:port hit as weaker evidence than a match on
# the full hostname (verify against the IOC pages).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deadsec69-52782.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287906/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287906; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 21472 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287918; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287841; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287840; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 11166 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287842/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287842; rev:1;)
alert tcp $HOME_NET any -> [3.126.37.18] 11166 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287843; rev:1;)
alert tcp $HOME_NET any -> [199.59.243.226] 8888 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hz.instapoller.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287852; rev:1;)
# "payload delivery" rules use the same url and domain shapes as the C2 rules;
# only the msg text differs. Where a host has both a url rule and a domain rule
# (weoleycastletaxis.co.uk, chemsentinel.com), the domain rule fires on the
# lookup whatever path is requested afterwards.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"mdasidy72.mom"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chao/baby/cow.html"; depth:19; nocase; http.host; content:"weoleycastletaxis.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weoleycastletaxis.co.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chao/baby/omgsoft.zip"; depth:22; nocase; http.host; content:"weoleycastletaxis.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287871; rev:1;)
alert tcp $HOME_NET any -> [41.47.231.58] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"chemsentinel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chemsentinel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"chemsentinel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287892; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 25730 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"christian-printed.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck66916.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antfly50.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/41539eaa.php"; depth:13; nocase; http.host; content:"a0996585.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cj01132.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287917; rev:1;)
# One address, three ports: each port is its own IOC and its own sid, so a
# host that tries all three within a minute can raise three alerts.
alert tcp $HOME_NET any -> [23.94.197.108] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287916; rev:1;)
alert tcp $HOME_NET any -> [23.94.197.108] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287915; rev:1;)
alert tcp $HOME_NET any -> [23.94.197.108] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287914; rev:1;)
# Here http.host is an IP literal, so the rule needs the request's host to be
# the bare address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.89.2.40"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287913; rev:1;)
alert tcp $HOME_NET any -> [139.198.30.159] 9991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287912; rev:1;)
alert tcp $HOME_NET any -> [43.139.52.213] 1200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287911/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287911; rev:1;)
alert tcp $HOME_NET any -> [114.55.119.159] 51234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287910/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287910; rev:1;)
alert tcp $HOME_NET any -> [85.215.215.94] 41056 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287909; rev:1;)
alert tcp $HOME_NET any -> [45.58.184.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287908; rev:1;)
alert tcp $HOME_NET any -> [23.96.242.60] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287907; rev:1;)
# From here on the rules in this section carry first_seen 2024_06_22.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asynccentral/pythonprocesseternal/542/generator/jssql.php"; depth:58; nocase; http.host; content:"82.146.46.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287903; rev:1;)
alert tcp $HOME_NET any -> [185.87.51.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config"; depth:7; nocase; http.host; content:"asevn.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asevn.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287901; rev:1;)
# 103.122.164.98 appears twice: as an ip:port rule on 443 and as the http.host
# of the url rule that follows. The url rule is the more specific of the two.
alert tcp $HOME_NET any -> [103.122.164.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divide/mail/suvvjrqo8qrc"; depth:25; nocase; http.host; content:"103.122.164.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f429cba3.php"; depth:13; nocase; http.host; content:"a0948642.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.topinvestmentusa.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287895; rev:1;)
# NOTE(review): this is a tcp rule on port 53, so UDP traffic from $HOME_NET to
# the same address is not covered by it; add local UDP coverage if that
# matters for this IOC (confirm against the IOC page).
alert tcp $HOME_NET any -> [45.77.197.103] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287896; rev:1;)
alert tcp $HOME_NET any -> [103.144.139.152] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287894; rev:1;)
alert tcp $HOME_NET any -> [141.95.84.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287893; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.118] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287867; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287866; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.15] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287865; rev:1;)
alert tcp $HOME_NET any -> [206.238.199.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287864; rev:1;)
alert tcp $HOME_NET any -> [45.79.219.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287863; rev:1;)
alert tcp $HOME_NET any -> [4.233.217.53] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287862; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287861; rev:1;) alert tcp $HOME_NET any -> [216.83.46.43] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287860; rev:1;) alert tcp $HOME_NET any -> [1.161.70.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287859; rev:1;) alert tcp $HOME_NET any -> [39.40.164.86] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287858; rev:1;) alert tcp $HOME_NET any -> [188.49.80.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287857; rev:1;) alert tcp $HOME_NET any -> [201.124.19.156] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287856/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287856; rev:1;) alert tcp $HOME_NET any -> [167.71.47.133] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287855; rev:1;) alert tcp $HOME_NET any -> [185.229.9.27] 445 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287854; rev:1;) alert tcp $HOME_NET any -> [54.230.60.211] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287853; rev:1;) alert tcp $HOME_NET any -> [66.165.246.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287850; rev:1;) alert tcp $HOME_NET any -> [168.100.10.40] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287849; rev:1;) alert tcp $HOME_NET any -> [106.54.198.187] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287848; rev:1;) alert tcp $HOME_NET any -> [142.171.67.205] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287847; rev:1;) alert tcp $HOME_NET any -> [101.42.139.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287846; rev:1;) alert tcp $HOME_NET any -> [194.67.193.55] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287845/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_22; classtype:trojan-activity; sid:91287845; rev:1;) alert tcp $HOME_NET any -> [194.67.193.56] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287844/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_22; classtype:trojan-activity; sid:91287844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.celinecuypers.be"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287716/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287716; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 36706 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bar-fri.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287698; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287714; rev:1;) alert tcp $HOME_NET any -> [43.143.58.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287713; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verchk/verchk_"; depth:15; nocase; http.host; content:"43.143.58.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287712; rev:1;)
# url indicators. http.host is an exact match (depth equals the pattern length, then
# isdataat:!1,relative). http.uri is only anchored at the start by depth, so "/cm" also
# matches any longer path that begins with "/cm". Only GET requests are covered, and only
# over HTTP that Suricata can parse: the same endpoint reached by another method or inside
# undecrypted TLS will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"185.201.226.192"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287711; rev:1;)
alert tcp $HOME_NET any -> [175.178.88.48] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.117.0.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"175.178.88.48"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1287708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287708; rev:1;)
alert tcp $HOME_NET any -> [132.232.109.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287707; rev:1;)
# The next two rules are a pair for one host name. The dns rule fires on a query for the
# name; the http rule fires on a GET whose path starts with /wp06/wp-includes/po.php and
# whose Host is exactly that name. Both anchor the full name, so other hosts under
# tencentapigw.com are not flagged (NOTE(review): looks like a shared gateway suffix - confirm).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"service-1w88bdif-1300276284.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-1w88bdif-1300276284.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287706; rev:1;)
alert tcp $HOME_NET any -> [106.54.198.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; 
nocase; http.host; content:"106.54.198.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287703; rev:1;)
# dns_query is the older spelling of the dns.query sticky buffer, while the http rules here
# already use the dotted buffer names (http.method, http.uri, http.host).
# NOTE(review): confirm the deployed Suricata release still accepts the legacy keyword;
# a rule that fails to load is dropped from detection and is reported only in the engine log.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-nsxtuf5s-1252551592.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287701; rev:1;)
alert tcp $HOME_NET any -> [175.178.88.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287702; rev:1;)
# Same "/api/getit" prefix as the url rule for ioc 1287708, here anchored to the gateway
# host name matched by the dns rule above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-nsxtuf5s-1252551592.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/search/goods/details.html"; depth:28; nocase; http.host; content:"103.36.196.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287699; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"mamudoilekeyfyap.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287684; rev:1;)
alert tcp $HOME_NET any -> [148.163.56.241] 19081 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287689; rev:1;)
# The url rules for ioc 1287684-1287688 share the path prefix "/yzblnzk4nmvlzda0/" and
# differ only in http.host. The URI pattern is lower-case with nocase, so the match ignores
# case; if the reported path used mixed case, that casing cannot be recovered from the rule.
# The shared prefix is itself a pivot for proxy-log hunting on hosts the feed has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"mamudoiledostadogru.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"sigaracokhojdur1.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; 
content:"dertlikaygisiz04.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"kaygisizamamutlu04.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287688; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.219] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287696; rev:1;)
# The http.host patterns below are IP literals with an exact-match anchor, so they match
# only when the client sends the address itself as the Host value. A request to the same
# server under a domain name is not covered by these url rules.
# Unlike the ip:port rules, the url rules have no threshold keyword, so every matching
# request produces its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287694; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287693; rev:1;)
# Short, generic path prefixes such as "/match" or "/updates.rss" carry little signal on
# their own; the precision of these rules comes from the exact http.host anchor.
# The msg on url entries names no malware family, so the reference URL is the place to
# look up what the feed attributes the endpoint to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"blacksys.deltadefenses.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link/shit/clyx4hg2zi"; depth:21; nocase; http.host; content:"cs1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/aapk"; depth:5; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287683; rev:1;)
alert tcp $HOME_NET any -> [157.90.5.250] 18637 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287682; rev:1;)
# "payload delivery" entries use the same classtype (trojan-activity) as the C2 entries.
# The msg text is the only place the rule says whether the indicator is a download
# location or a C2 endpoint, so keep msg in the alert record when triaging.
# execresource.ltd appears here both as http.host in a url rule and as an exact dns rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/enc"; depth:7; nocase; http.host; content:"execresource.ltd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287633; rev:1;)
alert tcp $HOME_NET any -> [109.187.163.140] 12550 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"execresource.ltd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/8otabr/"; depth:8; nocase; http.host; content:"ryruhuu3.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287629; rev:1;)
# Payload-delivery url rules: one rule per reported path on the same host. Because http.uri
# is a prefix match, "/df/blue" also covers longer paths that start with it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"ryruhuu3.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/blue"; depth:8; nocase; http.host; content:"execresource.ltd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287631; rev:1;)
# NjRAT ip:port entries are rated confidence_level 75 by the feed. With no content match
# the rule keys purely on address and port, so it stays valid only while the address still
# belongs to the reported server; first_seen gives the age of the indicator.
alert tcp $HOME_NET any -> [3.125.223.134] 10148 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287624; rev:1;)
alert tcp $HOME_NET any -> [3.69.157.220] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287621; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 17524 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287622; rev:1;)
# The next four NjRAT entries use the same destination port (18942) on different addresses.
# NOTE(review): several addresses on one port may be a relay or tunnel service in front of a
# single operator - unverified, check the ThreatFox records. If so, the addresses can be
# shared with unrelated users of that service, which is consistent with the 75 rating.
alert tcp $HOME_NET any -> [3.66.38.117] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287617; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287618; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.109] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287619; rev:1;)
alert tcp $HOME_NET any -> [3.68.171.119] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287620; rev:1;)
alert tcp $HOME_NET any -> [94.228.166.68] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287610; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rblxshaders1.0.2.rar"; depth:21; nocase; http.host; content:"files.rblxshaders.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287612; rev:1;)
# target:src_ip marks the source of the matched packet, here the $HOME_NET host, as the
# affected side of the event. Every rule shown here is written from the internal client
# outward ($HOME_NET -> listed endpoint), so traffic coming back from the listed servers is
# not what these rules inspect.
alert tcp $HOME_NET any -> [18.197.239.109] 14452 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287623; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 10148 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287625; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.143] 45786 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287626; rev:1;)
# Exact match on the queried name only; a lookup for a subdomain of mdasidy72.mom does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.mom"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0995598.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287681; rev:1;)
# confidence_level 50 is the lowest rating that appears in this part of the file, and the
# entry for 35.172.35.42 names no family ("Unknown malware"). These are address-and-port
# matches only; treat an alert as a lead to verify against the ThreatFox record and host
# telemetry rather than as confirmed C2. The metadata field allows filtering by rating.
alert tcp $HOME_NET any -> [128.90.129.79] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287680; rev:1;)
alert tcp $HOME_NET any -> [149.102.147.106] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287679; rev:1;)
alert tcp $HOME_NET any -> [154.12.229.73] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287678; rev:1;)
alert tcp $HOME_NET any -> [35.172.35.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287677; rev:1;)
alert tcp $HOME_NET any -> [67.0.227.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287676/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287676; rev:1;)
# Several of these confidence_level 50 entries sit on common service ports (22, 443).
# The rule sees only address and port, so any TCP traffic to the same address and port
# alerts identically, whatever protocol it carries. Weigh confidence_level and first_seen
# before escalating, and prefer corroboration (TLS fingerprint, process or endpoint evidence).
alert tcp $HOME_NET any -> [64.229.116.2] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287675; rev:1;)
alert tcp $HOME_NET any -> [2.50.37.55] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287674; rev:1;)
alert tcp $HOME_NET any -> [23.27.52.110] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287673; rev:1;)
alert tcp $HOME_NET any -> [64.7.199.244] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287672; rev:1;)
alert tcp $HOME_NET any -> [118.107.7.146] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287671; rev:1;)
alert tcp $HOME_NET any -> [91.199.154.103] 34211 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287670; rev:1;)
# duckdns.org is a dynamic-DNS suffix shared by many unrelated users, so these rules
# anchor the full name (depth 29 plus isdataat:!1,relative) and do not flag the suffix.
# The two names differ only in a trailing number (02, 03). NOTE(review): sibling names may
# exist that the feed has not listed - unverified.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janbours92harbu02.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janbours92harbu03.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287660; rev:1;)
# Start of a run of url entries that pair the same "/api" prefix with different .shop hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"facilitycoursedw.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doughtdrillyksow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disappointcredisotw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287656; rev:1;)
# Same pattern as the neighbouring entries: "/api" at the start of the URI plus an exact
# .shop host, all first_seen 2024_06_22. "/api" alone is far too common to alert on; the
# host anchor is what makes each rule specific. These rules require a GET over plain HTTP;
# NOTE(review): if the real traffic is POST or HTTPS these url rules will not fire -
# consider matching the same host names in DNS or TLS SNI telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bargainnygroandjwk.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"injurypiggyoewirog.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"leafcalfconflcitw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"computerexcudesp.shop"; 
depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"publicitycharetew.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"backcreammykiel.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287650; rev:1;)
# Very long, specific path: depth:225 is presumably the pattern length, as in the shorter
# url rules, which anchors the match at the start of the URI. The whole path must appear
# unchanged (case aside), so a server that changes any path segment evades this rule while
# the exact http.host match on 212.57.118.94 stays the same.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/tempdle/php/bigloadhttpauth/cpuserver/secureexternal18/temp/datalifevm/0/datalifetemporaryjavascript3/6dump/phpdownloadsmariadbgeo/temporary3/packet/8/default5proton/linejslongpolluniversalcentraluploadstemporary.php"; depth:225; nocase; http.host; content:"212.57.118.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287649; rev:1;)
alert tcp $HOME_NET any -> [47.112.227.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287647; rev:1;)
# reference:url points at the ThreatFox record for the indicator. The rule itself carries
# only family name, rating and first_seen, so the record is where to check reporter and
# context before acting on an alert. All entries in this group are rated confidence_level 80
# and match on destination address and port alone.
alert tcp $HOME_NET any -> [85.208.108.12] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287646; rev:1;)
alert tcp $HOME_NET any -> [85.31.239.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287645; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.216] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287644; rev:1;)
alert tcp $HOME_NET any -> [31.220.17.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287643; rev:1;)
alert tcp $HOME_NET any -> [136.244.76.249] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287642/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287642; rev:1;)
alert tcp $HOME_NET any -> [139.196.226.108] 44 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287641; rev:1;)
alert tcp $HOME_NET any -> [212.23.222.48] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287640; rev:1;)
# first_seen changes from 2024_06_22 to 2024_06_21 at this point. Entries in this file are
# not in strict sid order, so read the metadata field for indicator age rather than
# inferring it from position.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.68.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0eternalrequest/httpwptemp/bossesgeneratesbmw.php"; depth:50; nocase; http.host; content:"195.3.223.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287638; rev:1;)
# This address is rated 50 as an ip:port indicator, while the url entry for the same
# address (ioc 1287628) is rated 100: the url match is the stronger signal of the two.
alert tcp $HOME_NET any -> [185.172.128.116] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287637; rev:1;)
alert tcp $HOME_NET any -> [95.142.46.3] 7000 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287636; rev:1;) alert tcp $HOME_NET any -> [95.142.46.3] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7cd7172a.php"; depth:13; nocase; http.host; content:"a0995830.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mb3gvqs8/index.php"; depth:19; nocase; http.host; content:"185.172.128.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287628; rev:1;) alert tcp $HOME_NET any -> [5.255.117.46] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287616; rev:1;) alert tcp $HOME_NET any -> [162.19.135.156] 443 (msg:"ThreatFox 
Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287615; rev:1;) alert tcp $HOME_NET any -> [181.131.217.255] 1524 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"134.122.130.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287611/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287611; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287609; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287608; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287607; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287606; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287605; rev:1;) alert tcp $HOME_NET any -> [193.26.115.85] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287604; rev:1;) alert tcp $HOME_NET any -> [193.26.115.85] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287603; rev:1;) alert tcp $HOME_NET any -> [207.174.26.115] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287602; rev:1;) alert tcp $HOME_NET any -> [23.94.197.108] 8080 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287601; rev:1;) alert tcp $HOME_NET any -> [23.94.197.108] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287600; rev:1;) alert tcp $HOME_NET any -> [193.26.115.139] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287599; rev:1;) alert tcp $HOME_NET any -> [46.246.86.24] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287598; rev:1;) alert tcp $HOME_NET any -> [39.40.212.144] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287597; rev:1;) alert tcp $HOME_NET any -> [16.163.52.26] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; 
classtype:trojan-activity; sid:91287596; rev:1;) alert tcp $HOME_NET any -> [20.51.213.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287595; rev:1;) alert tcp $HOME_NET any -> [98.66.154.97] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287594; rev:1;) alert tcp $HOME_NET any -> [207.154.199.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287593; rev:1;) alert tcp $HOME_NET any -> [144.34.163.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287592; rev:1;) alert tcp $HOME_NET any -> [176.97.124.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287591; rev:1;) alert tcp $HOME_NET any -> [106.225.243.115] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287590; rev:1;)
# ip:port rules (the `alert tcp $HOME_NET any -> [IP] PORT` form): the only match
# criteria are the destination address and port; there is no flow, flags or
# content keyword. `threshold: type limit, track by_src, seconds 60, count 1`
# caps output at one alert per source address per 60 seconds. A hit shows that
# an internal host sent traffic to the listed endpoint, not what was exchanged.
# NOTE(review): entries with confidence_level 50 are presumably best treated as
# leads and correlated with DNS, proxy or endpoint telemetry before acting on
# the source host; confirm against local triage policy.
alert tcp $HOME_NET any -> [172.104.153.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287589; rev:1;)
alert tcp $HOME_NET any -> [43.135.3.17] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287588; rev:1;)
alert tcp $HOME_NET any -> [51.222.30.120] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287587; rev:1;)
# url rules (the `alert http` form): three buffers must all match on a
# client-to-server request of an established flow.
#   - http.method must contain "GET"; a request to the same host and path with
#     another method (for example POST) is not matched by these rules.
#   - http.uri must begin with the listed path (content with depth equal to its
#     length, nocase). There is no end anchor, so longer URIs sharing the prefix
#     also match.
#   - http.host must equal the listed host exactly: depth equals the content
#     length and isdataat:!1,relative requires that no byte follows the match.
# NOTE(review): these keywords inspect parsed HTTP; the same request carried
# inside TLS would presumably be seen only by the matching domain rule unless
# traffic is decrypted upstream of the sensor. Verify for the deployment.
# The bettershaders.xyz url rules in this section (/webhooks, /creditcards,
# /autofill, /passwords) differ only in URI prefix and each carries its own sid,
# so one source host may raise several of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webhooks"; depth:9; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287583; rev:1;)
# domain rules (the `alert dns` form): the query name must equal the listed
# domain exactly (depth equal to the content length plus isdataat:!1,relative,
# compared with nocase). Subdomains are therefore not covered by the parent
# entry, which is why file.rblxshaders.com and rblxshaders.com are listed as
# separate rules below.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bettershaders.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287579; rev:1;)
# "payload delivery" in msg marks a download location rather than a C2
# endpoint; the match logic is the same as for the C2 url and domain rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.cap-berriat.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"file.rblxshaders.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rblxshaders.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rblxshaders1.0.2.rar"; depth:21; nocase; http.host; content:"file.rblxshaders.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/creditcards"; depth:12; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autofill"; depth:9; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/passwords"; depth:10; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287585; rev:1;)
# Each rule's metadata carries confidence_level and first_seen alongside the
# per-IOC reference URL; the values differ per entry (100 and 75 in the two
# NjRAT rules below).
alert tcp $HOME_NET any -> [147.185.221.19] 14127 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287578; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 15809 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287280; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 15809 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287281; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15809 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287282; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 33823 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"remember-sail.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287284; rev:1;) alert tcp $HOME_NET any -> [185.68.93.9] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287288; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 33475 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287285; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"minutes-nirvana.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287286; rev:1;) alert tcp $HOME_NET any -> [45.159.210.127] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287576/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287576; rev:1;) alert tcp $HOME_NET any -> [147.45.124.206] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287575/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287575; rev:1;) alert tcp $HOME_NET any -> [45.155.76.231] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287574/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287574; rev:1;) alert tcp $HOME_NET any -> [107.173.203.208] 111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287573/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287573; rev:1;) alert tcp $HOME_NET any -> [47.120.45.94] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287572/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287572; rev:1;) alert tcp $HOME_NET any -> [82.157.183.183] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287571/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287571; rev:1;) alert tcp $HOME_NET any -> [185.243.240.45] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287570/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287570; rev:1;) alert tcp $HOME_NET any -> [146.190.149.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287569/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287569; rev:1;) alert tcp $HOME_NET any -> [118.107.244.100] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287568/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287568; rev:1;) alert tcp $HOME_NET any -> [176.32.33.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287547; rev:1;) alert tcp $HOME_NET any -> [143.198.73.116] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287543; rev:1;) alert tcp $HOME_NET any -> [47.113.199.110] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287534; rev:1;) alert tcp $HOME_NET any -> [120.27.143.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287531; rev:1;) alert tcp $HOME_NET any -> [103.36.196.60] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287528; rev:1;) alert tcp $HOME_NET any -> [185.208.158.154] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287523; rev:1;) alert tcp $HOME_NET any -> [162.14.105.213] 46151 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287517/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287517; rev:1;) alert tcp $HOME_NET any -> [111.90.158.59] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287509; rev:1;) alert tcp $HOME_NET any -> [147.45.47.176] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287493; rev:1;) alert tcp $HOME_NET any -> [147.45.47.134] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287486/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287486; rev:1;) alert tcp $HOME_NET any -> [147.45.44.48] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287473/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287473; rev:1;) alert tcp $HOME_NET any -> [188.25.167.44] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287460; rev:1;) alert tcp $HOME_NET any -> [94.228.166.19] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1287408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287408; rev:1;) alert tcp $HOME_NET any -> [116.203.13.254] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287311; rev:1;) alert tcp $HOME_NET any -> [116.203.13.254] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287308; rev:1;) alert tcp $HOME_NET any -> [2.58.84.229] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287296; rev:1;) alert tcp $HOME_NET any -> [146.19.213.22] 9090 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287295; rev:1;) alert tcp $HOME_NET any -> [128.90.108.187] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287294; rev:1;) alert tcp $HOME_NET any -> [148.113.165.11] 82 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287293; rev:1;) alert tcp $HOME_NET any -> [194.67.193.44] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287292/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287292; rev:1;) alert tcp $HOME_NET any -> [194.67.193.42] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287290/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287290; rev:1;) alert tcp $HOME_NET any -> [194.67.193.43] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287291/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287291; rev:1;) alert tcp $HOME_NET any -> [194.67.193.33] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287289/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287289; rev:1;) alert tcp $HOME_NET any -> [185.38.142.10] 7474 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287287/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287287; rev:1;) alert tcp $HOME_NET any -> [52.169.196.156] 7766 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287279; rev:1;) alert tcp $HOME_NET any -> [120.78.155.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"ongmanibeimeihong.cdnaliyun.top"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287276; rev:1;) alert tcp $HOME_NET any -> [111.230.28.217] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287275/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_21; classtype:trojan-activity; sid:91287275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"123.207.66.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287274; rev:1;) alert tcp $HOME_NET any -> [47.108.142.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.142.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"1.14.18.173"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsearch.duckdns.org"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287270; rev:1;)
# Reviewer notes for the rules below:
# - Several entries here carry metadata confidence_level 50 while keeping the same
#   classtype (trojan-activity) as the confidence_level 100 rules. Use the metadata value to
#   route low-confidence hits to a lower triage tier rather than treating every sid alike.
# - The "payload delivery" rule flags the outbound GET only; it does not show whether a
#   response body was returned. Check the HTTP transaction log for status and size.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"175.107.3.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287269; rev:1;)
# NOTE(review): 104.21.8.118 appears to sit in a shared CDN / reverse-proxy range
# (Cloudflare) -- confirm. If so, unrelated sites are served from the same address and this
# header-only ip:port rule (no flow, no content) will alert on benign traffic to port 80.
# Correlate with the Host header or DNS answer before acting on it.
alert tcp $HOME_NET any -> [104.21.8.118] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287268; rev:1;)
# domain rules: depth equals the content length and isdataat:!1,relative forbids trailing
# bytes, so dns_query must equal the name exactly. Queries for a subdomain of the listed
# name do not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"comarmo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"monesam.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seburax.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287266/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"yerifest.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dolipox.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fedelize.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"maduroma.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ardoelur.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287263; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"duigore.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287259; rev:1;) alert tcp $HOME_NET any -> [77.91.77.6] 24186 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"gotsuspended.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.138.150.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287255/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287255; rev:1;)
# Reviewer notes for the rules below:
# - The msg of these url rules does not name a malware family; the family is only reachable
#   through the reference URL. Enrich alerts from the referenced IOC record if analysts
#   need the family at triage time.
# - Paths such as /j.ad, /dpixel and /updates.rss are short and generic (they resemble
#   stock Cobalt Strike profile URIs -- presumably why they appear here; verify against
#   the IOC record). The rules stay specific only because http.host is matched exactly.
# - Every url rule requires http.method GET; a POST to the same host and path is not
#   covered by these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.55.102.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287252; rev:1;)
# http.host reflects the Host header sent by the client, not the address that was actually
# contacted. For a named host such as vip.zto.com, record the destination IP from the alert
# and compare it with what the name resolves to; a mismatch suggests the header was set
# independently of the real destination. NOTE(review): the domain may also serve legitimate
# traffic -- scope any block to this URI rather than the whole domain until confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/icon/iconfont/kuaishou.js"; depth:33; nocase; http.host; content:"vip.zto.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"ms-update-cs1.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287249; rev:1;)
# Reviewer notes for the rules below:
# - sid 91287250 matches the DNS query for the same name the preceding http rule matches in
#   the Host header. The dns rule does not depend on the HTTP exchange being readable, so it
#   is the one that still fires when the session itself is encrypted.
# - ms-update-cs1.azureedge.net is a single endpoint name under a shared CDN domain.
#   Containment should target the full name: the parent domain and the addresses it
#   resolves to are presumably shared with unrelated tenants -- verify before blocking by IP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-update-cs1.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"49.232.129.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287248; rev:1;)
# "/cx" with depth:3 is a three-byte prefix test with no end anchor, so any URI beginning
# with those bytes satisfies the http.uri part; the exact http.host match carries the
# specificity of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.92.205.12"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1287246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.138.218.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287242; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/fp/gu4wkyzltjvwetfp-njnw"; depth:38; nocase; http.host; content:"8.138.23.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/kuztarmhqb9clzlpfu1kzg2-fzaot"; depth:47; nocase; http.host; content:"sydnc.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287239; rev:1;) alert tcp $HOME_NET any -> [124.70.77.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr"; depth:17; nocase; http.host; 
content:"124.70.77.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.113.107.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"185.196.8.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287234; rev:1;) alert tcp $HOME_NET any -> [185.196.8.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287235; rev:1;) alert tcp $HOME_NET any -> [194.156.99.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"194.156.99.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287232; rev:1;) alert tcp $HOME_NET any -> [38.147.186.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.147.186.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287230; rev:1;) alert tcp $HOME_NET any -> [101.132.192.106] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"admin.eneroco.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287227; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.eneroco.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"101.35.173.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287226; rev:1;) alert tcp $HOME_NET any -> [39.108.94.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp2.servicebio.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"smtp2.servicebio.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287223; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"mailgate.servicebio.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailgate.servicebio.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"authsmtp.servicebio.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"authsmtp.servicebio.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"www2.servicebio.com"; 
depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.servicebio.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kuromipg.im"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"www.kuromipg.im"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"china-yqs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; 
depth:18; nocase; http.host; content:"china-yqs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287213; rev:1;)
# Reviewer notes for the rules below:
# - target:src_ip marks the $HOME_NET sender as the alert target, i.e. the internal host is
#   the asset to investigate; the external address is the indicator.
# - All rules are written $HOME_NET -> external only. Connections initiated from the listed
#   addresses toward internal hosts are not covered by this set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.117.79.251"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287212; rev:1;)
alert tcp $HOME_NET any -> [62.133.60.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287211; rev:1;)
# sid 91287210 (DNS query) and sid 91287209 (HTTP Host + URI) describe the same hostname.
# NOTE(review): the name sits under a hosted gateway provider's domain (tyk.io), so it
# presumably fronts another backend -- treat the hostname, not its resolved addresses, as
# the indicator. The http rule requires GET and a cleartext-parsable request; a POST to
# /api/v2/login or an uninspected TLS session leaves only the dns rule to fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"past-dryer-gw.aws-apse2.cloud-ara.tyk.io"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"past-dryer-gw.aws-apse2.cloud-ara.tyk.io"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287209; rev:1;)
alert tcp $HOME_NET any -> [38.207.176.115] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"38.207.176.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287206; rev:1;) alert tcp $HOME_NET any -> [47.108.142.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.142.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; 
sid:91287204; rev:1;) alert tcp $HOME_NET any -> [85.215.213.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scam.cuntcloud.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"scam.cuntcloud.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"154.31.25.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"ndas8m92.shop"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1287198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndas8m92.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287199; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287197; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287196; rev:1;) alert tcp $HOME_NET any -> [94.156.68.10] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287195; rev:1;) alert tcp $HOME_NET any -> [94.156.68.10] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287194; rev:1;) alert tcp $HOME_NET any -> [94.156.68.10] 6606 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287193; rev:1;)
# Reviewer notes for the rules below:
# - These AsyncRAT entries are ip:port indicators at confidence_level 50 with no payload
#   or protocol check: the only evidence an alert provides is that an internal host sent a
#   TCP packet to the listed address and port. Pair each hit with endpoint telemetry
#   (process that opened the socket) before treating the host as infected.
# - threshold type limit with track by_src and count 1 per 60 seconds suppresses repeats,
#   so alert volume does not reflect how often or how long the host was connected; use
#   flow records for duration and byte counts.
# - Address-based indicators age quickly as hosting is reassigned. first_seen is the only
#   date carried in the rule; NOTE(review): consider expiring ip:port sids that have not
#   been re-confirmed upstream rather than keeping them indefinitely.
alert tcp $HOME_NET any -> [185.62.86.134] 333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287192; rev:1;)
alert tcp $HOME_NET any -> [158.220.83.114] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287191; rev:1;)
alert tcp $HOME_NET any -> [161.97.151.222] 113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287190; rev:1;)
alert tcp $HOME_NET any -> [207.174.26.115] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287189; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.59] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287188/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; 
classtype:trojan-activity; sid:91287188; rev:1;)
# The msg text carries the family label assigned by the feed ("Unknown malware" where none is given).
# The match logic is the same for every family here: destination address and port only, so the
# label describes the indicator's origin, not something the sensor verified in the traffic.
alert tcp $HOME_NET any -> [94.156.68.59] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287187; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.59] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287186; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.118] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287185; rev:1;)
alert tcp $HOME_NET any -> [118.107.244.99] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287184; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287183; rev:1;)
alert tcp $HOME_NET any -> [212.251.109.161] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1287182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287182; rev:1;)
# Several of these indicators use ports 443 and 80, which also carry ordinary web traffic. The rules
# key on the destination address alone, so a reassigned or shared address will produce false positives.
# NOTE(review): first_seen is 2024_06_21; confirm the indicator is still current before acting on a hit.
alert tcp $HOME_NET any -> [187.224.5.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287181; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.88] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287180; rev:1;)
alert tcp $HOME_NET any -> [72.66.32.219] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287179; rev:1;)
alert tcp $HOME_NET any -> [45.32.128.142] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287178; rev:1;)
alert tcp $HOME_NET any -> [194.156.98.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287177; rev:1;)
alert tcp $HOME_NET any -> [172.86.75.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287176; rev:1;)
alert tcp $HOME_NET any -> [61.14.210.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287175; rev:1;)
alert tcp $HOME_NET any -> [41.234.57.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287174; rev:1;)
# The next two domain rules carry confidence_level 49 and no malware family in msg. They use the same
# action and classtype as the 100% entries, so any difference in handling has to come from the
# confidence_level metadata key (e.g. downstream alert routing), not from the rule itself.
# Unlike the ip:port rules, the dns rules have no threshold, so every matching query is alerted.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wizarr.manate.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287172/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_21; classtype:trojan-activity; sid:91287172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"go-sw6-02.adventos.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287173/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_21; classtype:trojan-activity; sid:91287173; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.54] 87 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287171/; target:src_ip; metadata: confidence_level
100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287171; rev:1;)
# The hostname in the dns rule below embeds the same port number (34880) as this ip:port rule.
# NOTE(review): presumably both describe one port-forwarding endpoint; if the address belongs to
# a forwarding or cloud provider, other tenants may share it. The rule matches port 34880 only.
alert tcp $HOME_NET any -> [193.161.193.99] 34880 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deadsecc-34880.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287166; rev:1;)
# Several addresses below share port 17778 or 10935 under the same family label.
# NOTE(review): looks like one service reachable through several front-end addresses; verify in the feed.
alert tcp $HOME_NET any -> [3.127.253.86] 17778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287164; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 10935 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287161; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 17778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287162; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 17778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287163; rev:1;)
# Exact-name match on one ply.gg subdomain; other names under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lake-french.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287158; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 10935 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287159; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 10935 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287160; rev:1;)
# NOTE(review): 147.185.221.20 is listed in this feed alongside *.ply.gg hostnames, which suggests a
# tunnelling-service endpoint shared by many users; confirm ownership before blocking the address
# outright. The rule itself is limited to destination port 33694.
alert tcp $HOME_NET any -> [147.185.221.20] 33694 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.btini.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287151/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287151; rev:1;)
# sid 91287152 and sid 91287153 (and 91287151 directly above) carry identical match options: GET,
# a URI beginning with /article.php and Host www.btini.net. They differ only in sid and reference,
# so one matching request raises an alert per sid; deduplicate downstream on host + URI.
# The http rules have no threshold keyword, so every matching request is alerted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.btini.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287152; rev:1;)
alert tcp $HOME_NET any -> [41.249.49.248] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.btini.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287153; rev:1;)
# Same destination address as sid:91287157 (port 33694) with a different port; each ip:port pair is
# its own rule, and the following dns rule names another ply.gg subdomain.
alert tcp $HOME_NET any -> [147.185.221.20] 16906 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grade-excellence.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287168/; target:src_ip; metadata:
confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287168; rev:1;)
alert tcp $HOME_NET any -> [41.249.109.189] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287169; rev:1;)
# URL rules: the http.uri content is anchored at the start by depth but has no end anchor, so any
# GET whose URI begins with "/load" (case-insensitive) matches. The http.host content is pinned at
# both ends, and here it is an IP literal, so the rule only fires when Host is that exact address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287170; rev:1;)
alert tcp $HOME_NET any -> [107.175.101.198] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287155; rev:1;)
# The URI imitates a common JavaScript library filename; what keeps this rule specific is the exact
# Host match on 156.247.14.253. The ip:port rule that follows covers the same address on port 80,
# so one cleartext request to this URL can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287149; rev:1;)
alert tcp $HOME_NET any -> [156.247.14.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287150/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287150; rev:1;)
# Port 443 indicator: the rule matches on address and port only and does not inspect the TLS session.
# The URL rule after it names the same address in http.host, but http.* keywords see cleartext HTTP
# only, so traffic inside TLS to this address is covered by the ip:port rule alone.
alert tcp $HOME_NET any -> [185.11.61.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.11.61.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287147; rev:1;)
# NOTE(review): the following URL indicators sit under CMS-style paths (/plugins/..., /wp-content/themes/...)
# on several unrelated hostnames, which suggests compromised legitimate sites rather than
# attacker-owned domains; confirm in the feed. The rules require both the exact host and the URI
# prefix, so ordinary browsing of those sites does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins/search/contacts/chrndi.php"; depth:35; nocase; http.host; content:"arbeitsschutz-mmk.de"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/44snwx.php"; depth:46; nocase; http.host; content:"elpgtextil.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/zca2ck.php"; depth:46; nocase; http.host; content:"jlholgado.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287144; rev:1;)
# flow:established,from_client restricts the match to client requests on an established connection,
# and content:"GET" on http.method means other request methods to the same URL are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/rleoec.php"; depth:46; nocase; http.host; content:"carniceriamartinezadria.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287143; rev:1;)
# The ip:port rules below have no flow keyword, so they do not require an established connection;
# a hit shows traffic toward the indicator, not that a session completed. Check flow records.
alert tcp $HOME_NET any -> [193.23.161.147] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287142; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.123] 200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287141; rev:1;)
alert tcp $HOME_NET any -> [185.208.158.113] 8010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287140; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.214] 8808
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287139; rev:1;)
# Some addresses are listed with more than one port (194.26.192.214 on 8808 and 7707; 94.156.68.118
# on 6006 here and 4444 under sid:91287185). Each pair is a separate sid with its own threshold, so
# a host that contacts several ports of one address raises one alert per rule per 60 seconds.
alert tcp $HOME_NET any -> [194.26.192.214] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287138; rev:1;)
alert tcp $HOME_NET any -> [128.90.128.218] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287137; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.118] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287136; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.4] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287135; rev:1;)
alert tcp $HOME_NET any -> [46.226.167.205] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287134/; target:src_ip; metadata: confidence_level 50,
first_seen 2024_06_20; classtype:trojan-activity; sid:91287134; rev:1;)
# track by_src keys the rate limit on the source address, so each internal host gets its own
# one-alert-per-60-seconds budget per rule. Traffic volume is therefore not visible in the alert
# count; use flow or netflow records to size the activity.
alert tcp $HOME_NET any -> [192.3.44.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287133; rev:1;)
alert tcp $HOME_NET any -> [112.124.5.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287132; rev:1;)
alert tcp $HOME_NET any -> [142.171.225.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287131; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.24] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287130; rev:1;)
alert tcp $HOME_NET any -> [149.109.116.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287129; rev:1;)
alert tcp $HOME_NET any -> [195.123.219.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287128; rev:1;)
# The source side of every rule is $HOME_NET, so only outbound traffic from addresses inside that
# variable is examined; hosts outside the configured HOME_NET are not covered by this feed.
alert tcp $HOME_NET any -> [5.181.159.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287127; rev:1;)
alert tcp $HOME_NET any -> [149.28.153.80] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287126; rev:1;)
alert tcp $HOME_NET any -> [74.119.193.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287125; rev:1;)
# Payload-delivery URL rules: they see the request only when it travels as cleartext HTTP. If the
# site is fetched over TLS, the dns rule for the same domain (sid:91287114) is the only indicator in
# this set that can fire, so keep DNS visibility on the sensor path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"onecapitalresidences.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"onecapitalresidences.com"; depth:24;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287113; rev:1;)
# This domain is covered twice: the dns rule fires on any lookup of the exact name, while the
# http rules around it fire only on specific /cdn-vs/ paths. A single visit can therefore produce
# one dns alert plus one or more http alerts; the dns alert alone does not show which URL was fetched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"onecapitalresidences.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"onecapitalresidences.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287116; rev:1;)
# Short, generic paths such as /help.php and /article.php are prefix matches; the exact http.host
# match is what ties each rule to one site. http.host carries no nocase here.
# NOTE(review): Suricata normalises that buffer to lowercase, so none should be needed; confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"daveiz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.brandontucker.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287118; rev:1;)
alert tcp $HOME_NET any ->
[184.174.96.179] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287107/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_20; classtype:trojan-activity; sid:91287107; rev:1;)
# Domain indicators at confidence level 85%: msg names no family, unlike the ip:port rule above.
# The match is on the DNS query itself, so an alert shows a lookup of the name, not a connection
# to it; pair it with flow data for the resolved address to confirm contact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"pirkomagar.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287108/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_20; classtype:trojan-activity; sid:91287108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"ggrastyal.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287109/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_20; classtype:trojan-activity; sid:91287109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ryruhuu3.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287111; rev:1;)
# "Unknown malware" at 50%: neither family nor protocol is asserted; the rule is address and port only.
alert tcp $HOME_NET any -> [89.185.85.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287124; rev:1;)
alert tcp $HOME_NET any -> [172.94.53.132] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60,
count 1; reference:url, threatfox.abuse.ch/ioc/1287123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287123; rev:1;)
alert tcp $HOME_NET any -> [8.138.104.216] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287122; rev:1;)
# Payload-delivery URL at confidence level 50% with an IP literal as Host. The URI match is a
# 7-byte prefix ("/mozi.m", case-insensitive), so longer paths starting with it also match.
# An internal host requesting this is the event of interest; check what the host did next.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.51.102.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287121; rev:1;)
# The two rules below describe the same address: port 443 by ip:port, and a cleartext URL by Host.
# The ip:port rule cannot see inside TLS, and the URL rule cannot fire on TLS traffic, so an alert
# from only one of them is expected rather than a sign of a broken rule.
alert tcp $HOME_NET any -> [1.12.44.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.12.44.34"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287119; rev:1;)
alert tcp $HOME_NET any -> [45.141.87.218] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1287112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287112; rev:1;)
# Host is a single subdomain under beget.tech, matched exactly; other subdomains of that parent are
# unaffected. NOTE(review): looks like a shared-hosting name; confirm before blocking more broadly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"j282895d.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287110; rev:1;)
# 45.61.136.239 appears in several URL rules in this file with different /index.php/... paths
# (sids 91287106, 91287101, 91286929). Each is a separate prefix match, so hunting on the Host value
# across HTTP logs will surface paths the feed has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/54596186971079"; depth:25; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287106; rev:1;)
alert tcp $HOME_NET any -> [95.181.151.121] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94903f819d758732.php"; depth:21; nocase; http.host; content:"5.42.104.211"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287104; rev:1;)
alert tcp $HOME_NET any -> [18.210.161.224] 3637 (msg:"ThreatFox
Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287102; rev:1;)
# Exact match on one duckdns.org subdomain. NOTE(review): dynamic-DNS names can be repointed at
# any time, so the ip:port rule above may go stale while this name stays valid; prefer the name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"munan.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/ajax.php"; depth:19; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287101; rev:1;)
alert tcp $HOME_NET any -> [64.7.198.158] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286932/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_20; classtype:trojan-activity; sid:91286932; rev:1;)
# The host is pastebin.com; the rule is scoped to one paste by the URI prefix /raw/w5qc7zcd.
# nocase makes the path comparison case-insensitive. NOTE(review): if paste IDs are case-sensitive,
# differently-cased IDs would also match; verify the original casing in the ThreatFox entry.
# http.* keywords see cleartext HTTP only, so a fetch of this paste over TLS is not detected here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/w5qc7zcd"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286930; rev:1;)
alert tcp $HOME_NET any ->
[207.154.230.90] 4782 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/posts.php"; depth:20; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bordingfriluftsbad.dk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bordingfriluftsbad.dk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"ndas8m92.lol"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286925; rev:1;) alert tcp $HOME_NET any -> [45.95.169.146] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286879/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hell/you/goback.html"; depth:21; nocase; http.host; content:"flynews.us"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flynews.us"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hell/you/rare.zip"; depth:18; nocase; http.host; content:"flynews.us"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286928; rev:1;) alert tcp $HOME_NET any -> [119.29.227.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-jjtluhvu-1308426789.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jjtluhvu-1308426789.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286923; rev:1;) alert tcp $HOME_NET any -> [206.188.196.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.tiasjdwwd.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.tiasjdwwd.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"47.238.48.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286918; rev:1;) alert tcp $HOME_NET any -> [92.118.112.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distinctive-highlight-gw.aws-euw2.cloud-ara.tyk.io"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"distinctive-highlight-gw.aws-euw2.cloud-ara.tyk.io"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; 
sid:91286915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logo.jpg"; depth:9; nocase; http.host; content:"8.134.249.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286914; rev:1;) alert tcp $HOME_NET any -> [47.97.22.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"83.229.127.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286911; rev:1;) alert tcp $HOME_NET any -> [83.229.127.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286912; rev:1;) alert tcp $HOME_NET any -> [202.95.13.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286910; rev:1;) 
# ---------------------------------------------------------------------------------------------
# Review notes for the rules that follow (layout restored to one rule per line).
#
# "ip:port" rules: no flow keyword and no content match, so TCP traffic from $HOME_NET toward the
#   listed address and port is enough to alert (presumably including an unanswered connection
#   attempt). `threshold: type limit, track by_src, seconds 60, count 1` caps output at one alert
#   per source per 60 seconds. Check flow records for an established session during triage.
# "url" rules: http.uri is anchored at the start only (depth equals the pattern length, nocase, no
#   end-of-buffer check), so longer paths sharing the prefix also match. http.host is matched in
#   full (depth plus isdataat:!1,relative). These rules need HTTP that the sensor can parse, i.e.
#   cleartext or decrypted traffic.
# "domain" rules: the dns_query buffer is matched in full and case-insensitively; queries for
#   subdomains of the listed name do not match.
# first_seen is 2024_06_20 for most rules here and 2024_06_19 for the last three complete ones;
#   weigh indicator age together with confidence_level, since addresses and hostnames can be
#   reassigned.
# ---------------------------------------------------------------------------------------------
# sid 91286909 (next rule) and sid 91286892 (further down) have identical match conditions
# ("/updates.rss" on host 202.95.13.230), so one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.97.22.116"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.236.74.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.12.44.34"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286905; rev:1;)
alert tcp $HOME_NET any -> [1.12.44.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"106.52.102.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286904; rev:1;)
alert tcp $HOME_NET any -> [54.224.97.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"54.224.97.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-4iisjdnk-1314135568.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-4iisjdnk-1314135568.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacksys.deltadefenses.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286898; rev:1;)
alert tcp $HOME_NET any -> [62.162.9.18] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"blacksys.deltadefenses.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286897; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"151.236.16.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"206.237.23.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"119.29.227.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286892; rev:1;)
alert tcp $HOME_NET any -> [83.229.127.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"83.229.127.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286890; rev:1;)
alert tcp $HOME_NET any -> [47.76.67.52] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.76.67.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.121.112.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286887; rev:1;)
alert tcp $HOME_NET any -> [116.202.14.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286885; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.43] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286886/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286886; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.32] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286884/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_20; classtype:trojan-activity; sid:91286884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gosuslugi.zilab.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gosuslugi.zilab.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286882; rev:1;)
alert tcp $HOME_NET any -> [111.230.28.217] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"123.207.66.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cudohub.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286878; rev:1;)
# The run of ip:port rules from here to sid 91286858 is published at confidence_level 50. With no
# payload or flow condition in the rule, an alert shows only that a host sent TCP traffic to the
# address and port; corroborate with endpoint or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [128.90.129.85] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286875; rev:1;)
alert tcp $HOME_NET any -> [34.41.177.91] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286874; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.241] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286873; rev:1;)
alert tcp $HOME_NET any -> [46.29.162.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286872; rev:1;)
alert tcp $HOME_NET any -> [49.113.76.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286871; rev:1;)
alert tcp $HOME_NET any -> [107.172.8.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286870; rev:1;)
# NOTE(review): the next rule watches outbound TCP/445 to an external address. Independent of this
# indicator, whether SMB is allowed to leave the network at all is worth checking at the egress filter.
alert tcp $HOME_NET any -> [54.214.177.108] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286869; rev:1;)
alert tcp $HOME_NET any -> [149.28.147.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286868; rev:1;)
alert tcp $HOME_NET any -> [149.28.153.80] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286867; rev:1;)
alert tcp $HOME_NET any -> [172.233.121.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286866; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.248] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286865; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20077 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286864; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20069 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286863; rev:1;)
alert tcp $HOME_NET any -> [116.206.166.212] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286862; rev:1;)
alert tcp $HOME_NET any -> [15.197.146.59] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286861; rev:1;)
alert tcp $HOME_NET any -> [163.181.100.96] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286860; rev:1;)
alert tcp $HOME_NET any -> [144.202.12.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286859; rev:1;)
alert tcp $HOME_NET any -> [158.247.250.154] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286858; rev:1;)
alert tcp $HOME_NET any -> [185.221.198.94] 48367 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"pelicanbcnsolutions.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pelicanbcnsolutions.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"pelicanbcnsolutions.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"pelicanbcnsolutions.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.femmetech.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndas8m92.lol"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"206.119.171.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286855; rev:1;)
alert tcp $HOME_NET any -> [206.119.171.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286856; rev:1;)
# NOTE(review): the host in the next rule is a shared messaging platform, so only the path
# identifies the indicator, and the rule is published at confidence_level 75. It matches GET
# requests only, and only when the request is visible as cleartext or decrypted HTTP; traffic to
# this host that the sensor sees only as TLS will not reach the http.uri match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/1251490311834828870/bqerh7nm_ktafdik4zykv8xpncvkaxxhfpdvbb95og9m0gjecfaslf1yjaqjattinicp"; depth:102; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286853/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286853; rev:1;)
# The domain rules below match one exact name each; sibling hostnames under the same parent domain
# (for example the two iwarsut775laudrye* names) need, and have, their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwarsut775laudrye3.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjnourt38haoust1.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bossnacarpet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oriondedjdissd.con-ip.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwarsut775laudrye2.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelinepython_httpdbgeneratorpublicdownloads.php"; depth:51; nocase; http.host; content:"951669cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0996251.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286817; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.66] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286816; rev:1;)
alert tcp $HOME_NET any -> [49.232.185.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-e5obcthn-1301549065.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-e5obcthn-1301549065.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286813; rev:1;) alert tcp $HOME_NET any -> [206.119.171.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"206.119.171.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286810; rev:1;) alert tcp $HOME_NET any -> [8.138.150.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"8.138.150.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286807; rev:1;) alert tcp $HOME_NET any -> [49.232.217.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"49.232.217.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286805; rev:1;) alert tcp $HOME_NET any -> [101.200.237.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.200.237.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; 
sid:91286803; rev:1;)
# ip:port rule paired with the HTTP rule that follows it (same address, sid 91286801).
# With no flow: or content keyword, this one matches on destination address and port alone.
alert tcp $HOME_NET any -> [114.115.183.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286802; rev:1;)
# Cleartext-HTTP rule: exact Host value, URI prefix "/push" (depth:5, no end anchor).
# NOTE(review): the ip:port indicator above is for port 443; if that traffic is TLS, this
# http rule will not see the request without decryption. Confirm which port the URL was
# observed on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"114.115.183.119"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286801; rev:1;)
# confidence_level is carried in both msg and metadata (75 here); the classtype is the same
# trojan-activity for every confidence level, so triage should key on the metadata value
# rather than on the classtype's priority.
alert tcp $HOME_NET any -> [92.249.48.6] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286796; rev:1;)
# The rules from here on target one address (94.156.68.100) on different ports, each at
# confidence level 50 and each with its own sid. The threshold is per rule, so one internal
# host touching several of these ports within a minute yields one alert per sid, not one
# alert in total; correlate on destination address when reviewing.
alert tcp $HOME_NET any -> [94.156.68.100] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286795; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286794; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286793; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286791; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286792; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286790; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286788; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; 
sid:91286789; rev:1;) alert tcp $HOME_NET any -> [43.154.134.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286787; rev:1;) alert tcp $HOME_NET any -> [185.229.9.27] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286786; rev:1;) alert tcp $HOME_NET any -> [104.225.129.140] 59393 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286785; rev:1;) alert tcp $HOME_NET any -> [162.212.154.121] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286784; rev:1;) alert tcp $HOME_NET any -> [13.60.5.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286783; rev:1;) alert tcp $HOME_NET any -> [16.171.113.25] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1286782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286782; rev:1;)
# NOTE(review): sid 91286781 and sid 91286776 (further down) carry identical match
# conditions: same method, same URI prefix "/api/3", same exact host "ww2.jji.cz". They
# differ only in the ThreatFox reference id and the sid, so one matching request raises
# two alerts. De-duplicate downstream or suppress one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286781; rev:1;)
# DNS and HTTP rules for the same hostname. Both pin the full name (depth:47 +
# isdataat:!1,relative), i.e. one specific service-* label, not the parent domain;
# the parent looks like a shared API-gateway domain, so widening the match to it would
# catch unrelated tenants (assumption from the name; confirm before editing).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-povdf8ll-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-povdf8ll-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286779; rev:1;)
# The remaining HTTP rules in this span use very short URI prefixes ("/ptj", "/cx",
# "/g.pixel", "/j.ad") with depth set to the pattern length and no end anchor, so the
# exact http.host value is what keeps them specific; the URI part alone is a prefix test.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286777; rev:1;)
# Duplicate of sid 91286781 above (same match conditions, different reference id).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.3.253.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.222.140.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"118.178.105.142"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"119.3.253.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tenancy-agreement-sample-guyana/"; depth:33; nocase; http.host; content:"eberlie.ca"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286768/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_19; classtype:trojan-activity; sid:91286768; rev:1;)
# Payload-delivery URL rules: cleartext HTTP GET only, exact Host value, URI matched as a
# prefix (depth equals the pattern length, no end anchor). The same path served over HTTPS
# is not visible to these rules without TLS decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.almik.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/data.php"; depth:16; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286571; rev:1;)
# NOTE(review): the next two ip:port rules match on destination address and port 80 alone
# (no flow:, no content). Both addresses appear to fall inside Cloudflare's published
# ranges (104.16.0.0/13, 172.64.0.0/13); confirm against the current list. A shared
# reverse-proxy address fronts many unrelated sites, so a hit here is weak evidence on its
# own; expect false positives and corroborate with a DNS or HTTP-host indicator for the
# same family before acting. The feed itself rates these at confidence level 75.
alert tcp $HOME_NET any -> [172.67.212.234] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286572; rev:1;)
alert tcp $HOME_NET any -> [104.21.23.190] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"midwestsoil.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286574/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"rvandccc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rvandccc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"rvandccc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"rvandccc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"x8f7a89.pics"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jsincloud.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lifestylechoices.us"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286575; rev:1;) alert tcp $HOME_NET any -> [45.9.73.82] 12345 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jswebcache.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286561; rev:1;) alert tcp $HOME_NET any -> [94.131.115.191] 15643 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286563/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_19; classtype:trojan-activity; sid:91286563; rev:1;) alert tcp $HOME_NET any -> [45.77.80.158] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286562; rev:1;) alert tcp $HOME_NET any -> [77.221.149.178] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286560; rev:1;) alert tcp $HOME_NET any -> [116.203.252.168] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286559; rev:1;) alert tcp $HOME_NET any -> [185.208.158.50] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286558; rev:1;) alert tcp $HOME_NET any -> [45.55.36.222] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286557; rev:1;) alert tcp $HOME_NET any -> [34.83.108.106] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1286556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286556; rev:1;) alert tcp $HOME_NET any -> [5.161.245.54] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286555; rev:1;) alert tcp $HOME_NET any -> [104.194.143.5] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286554; rev:1;) alert tcp $HOME_NET any -> [34.16.215.110] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286553; rev:1;) alert tcp $HOME_NET any -> [34.130.217.52] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286552; rev:1;) alert tcp $HOME_NET any -> [34.130.221.34] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286551; rev:1;) alert tcp $HOME_NET any -> [5.9.247.137] 443 (msg:"ThreatFox DanaBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286550; rev:1;) alert tcp $HOME_NET any -> [47.74.9.201] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286549; rev:1;) alert tcp $HOME_NET any -> [69.49.244.37] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286548; rev:1;) alert tcp $HOME_NET any -> [194.26.29.140] 15643 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286547; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286546; rev:1;) alert tcp $HOME_NET any -> [194.233.73.183] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286545; 
rev:1;) alert tcp $HOME_NET any -> [94.156.8.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286544; rev:1;) alert tcp $HOME_NET any -> [194.55.186.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286543; rev:1;) alert tcp $HOME_NET any -> [104.168.54.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286542; rev:1;) alert tcp $HOME_NET any -> [50.60.139.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286541; rev:1;) alert tcp $HOME_NET any -> [149.28.147.99] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286540; rev:1;) alert tcp $HOME_NET any -> [91.207.183.16] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1286539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286539; rev:1;) alert tcp $HOME_NET any -> [54.234.100.124] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsupdatedefaulttrafficcentral.php"; depth:34; nocase; http.host; content:"235566cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"midwestsoil.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286535; rev:1;) alert tcp $HOME_NET any -> [83.147.17.46] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286533/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286533; rev:1;) alert tcp $HOME_NET any -> [5.42.221.10] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286534/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286534; rev:1;) alert tcp $HOME_NET any -> [5.255.117.240] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286531; rev:1;) alert tcp $HOME_NET any -> [193.168.143.17] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286532/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286532; rev:1;) alert tcp $HOME_NET any -> [91.242.163.63] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286530/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; 
depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286521; rev:1;)
# Review note (payload-delivery url rules for host 87.251.79.242):
# - http.host is matched exactly: depth equals the content length and
#   isdataat:!1,relative rejects any trailing bytes.
# - http.uri is anchored at the start only (depth equals the content length, no
#   isdataat), so a longer path or an appended query string that begins with the
#   same bytes still matches; nocase makes the path comparison case-insensitive.
# - The rules in this run differ only in the file-name suffix after "/hidakibest."
#   (.arm6, .mips, .ppc, .mpsl) and the matching depth value.
# - These are HTTP-parser rules with flow:established,from_client; they fire only
#   on requests Suricata can decode as cleartext HTTP.
# - target:src_ip marks the requesting $HOME_NET host as the one to triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm6"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286524/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286528; rev:1;) alert tcp $HOME_NET any -> [87.251.79.242] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/awawawa.ppc"; depth:12; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.sparc"; depth:14; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.mips"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.mpsl"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.arm4"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1286511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.arm6"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286513; rev:1;) alert tcp $HOME_NET any -> [45.87.247.120] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.arm5"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286512; rev:1;) alert tcp $HOME_NET any -> [107.189.14.198] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"test-1627838.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.x86"; depth:12; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286508; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86ffacb9.php"; depth:13; nocase; http.host; content:"a0995830.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286507; rev:1;) alert tcp $HOME_NET any -> [94.156.67.163] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286506; rev:1;) alert tcp $HOME_NET any -> [192.253.251.227] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286504; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-qvjas1rh-1309482226.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286500; rev:1;)
# Review note (sid 91286500 above and sid 91286501 below name the same host):
# - Both rules match the full host name only: depth equals the content length and
#   isdataat:!1,relative rejects trailing bytes, so other names under
#   tencentapigw.com.cn are neither covered nor flagged by these two rules.
# - The url rule needs a request Suricata can decode as cleartext HTTP; the dns
#   rule fires on the lookup itself and so still gives a signal when the HTTP
#   session is not visible to the sensor.
# - The dns rule is case-insensitive (nocase) and uses the name as fast_pattern.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qvjas1rh-1309482226.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286501; rev:1;)
# Review note (sid 91286499 ip:port and sid 91286498 url share one address):
# - A cleartext GET for /__utm.gif to 194.233.88.218 on port 80 can raise both
#   alerts; correlate on source host and time instead of counting two events.
# - The ip:port rule has no flow: keyword, so it does not require an established
#   session, and its threshold limits it to one alert per source per 60 seconds.
# - In the url rules the URI match is a prefix match (depth without isdataat),
#   while the host match is exact.
alert tcp $HOME_NET any -> [194.233.88.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"194.233.88.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"180.210.220.75"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1286497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286497; rev:1;) alert tcp $HOME_NET any -> [192.121.162.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"192.121.162.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.51.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286493; rev:1;) alert tcp $HOME_NET any -> [8.130.65.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-80zid8ci-1317810329.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-80zid8ci-1317810329.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286491; rev:1;) alert tcp $HOME_NET any -> [159.75.110.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-d27o3nmv-1324720265.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-d27o3nmv-1324720265.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286487; rev:1;) alert tcp $HOME_NET any -> [154.204.178.164] 61189 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.91av.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286484; rev:1;) alert tcp $HOME_NET any -> [94.156.68.149] 15170 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2023endofyear.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286449; rev:1;) alert tcp $HOME_NET any -> [94.156.68.149] 15230 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286450; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 26704 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"local-quote.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286452; rev:1;) alert tcp $HOME_NET any -> [2.58.149.83] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286454; rev:1;) alert tcp $HOME_NET any -> [184.105.192.5] 2669 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286453; rev:1;) alert tcp $HOME_NET any -> [160.177.58.73] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; 
classtype:trojan-activity; sid:91286455; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286456; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286457; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"windows-app.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286460; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286461; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1286459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286459; rev:1;)
# Review note (NjRAT ip:port and domain rules, confidence_level 75):
# - 147.185.221.20 appears in two rules below with different destination ports
#   (25701 and 30481), and port 19650 appears on two different addresses. The
#   address alone therefore does not identify one C2; the address:port pair does.
# - The dns rules in this run name hosts under ply.gg and duckdns.org. Presumably
#   these are tunnel / dynamic-DNS names whose parent services are shared by
#   unrelated users - TODO confirm before blocking or alerting on the parent
#   domain or on an address without its port.
# - The dns rules match the full name only (depth equals the content length plus
#   isdataat:!1,relative) and are case-insensitive.
# - The ip:port rules carry no flow: keyword, so an alert does not prove an
#   established session; threshold limits each to one alert per source per 60 s.
alert tcp $HOME_NET any -> [18.192.31.165] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286462; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286463; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 25701 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286464/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"month-luxembourg.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286465; rev:1;)
alert tcp $HOME_NET any -> [179.13.6.213] 2019 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"carlitosmoreno1794.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286467; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 30481 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"20.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286469; rev:1;)
alert tcp $HOME_NET any -> [3.125.188.168] 17799 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286470; rev:1;)
# Review note (sid 91286434): an ip:port rule on port 80 for an address that the
# url rule starting on the next line also names in http.host. A single cleartext
# request can raise both this alert and a url alert; correlate on source host and time.
alert tcp $HOME_NET any -> [154.204.178.164] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; nocase; http.host; 
content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm4"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm5"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm6"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm7"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286439/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_19; classtype:trojan-activity; sid:91286439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.mips"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.mpsl"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.ppc"; depth:10; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.sparc"; depth:12; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.sh"; depth:9; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.x86"; depth:10; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.sh"; depth:5; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.sarele.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286429/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fortindo-fsm.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mygreencity.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.alisa-nails-koeln.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286413; rev:1;) alert tcp $HOME_NET any -> [5.59.248.211] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"krestaop.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; 
sid:91286378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"lustrafeel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"pumcarcheto.red"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"mastgonzo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"loolsena.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"riscoarchez.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286383; rev:1;) alert tcp $HOME_NET any -> [85.239.61.165] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286384; rev:1;) alert tcp $HOME_NET any -> [192.153.57.136] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286394/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_19; classtype:trojan-activity; sid:91286394; rev:1;) alert tcp $HOME_NET any -> [192.236.160.230] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286395/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_19; classtype:trojan-activity; sid:91286395; rev:1;) alert tcp $HOME_NET any -> [45.83.31.253] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286483; rev:1;) alert tcp $HOME_NET any -> [45.83.31.253] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286482; rev:1;) alert tcp $HOME_NET any -> [45.83.31.253] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; 
classtype:trojan-activity; sid:91286481; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286480; rev:1;) alert tcp $HOME_NET any -> [128.90.129.55] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286479; rev:1;) alert tcp $HOME_NET any -> [207.246.119.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286478; rev:1;) alert tcp $HOME_NET any -> [124.220.133.70] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286477; rev:1;) alert tcp $HOME_NET any -> [46.246.4.17] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286476; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1286475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286475; rev:1;) alert tcp $HOME_NET any -> [171.80.217.247] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286474; rev:1;) alert tcp $HOME_NET any -> [159.65.114.122] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.59.57.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286472; rev:1;) alert tcp $HOME_NET any -> [80.76.49.148] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alvinclayman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; 
classtype:trojan-activity; sid:91286426; rev:1;) alert tcp $HOME_NET any -> [194.67.193.26] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286424; rev:1;) alert tcp $HOME_NET any -> [194.67.193.28] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286425/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.222.140.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286423; rev:1;) alert tcp $HOME_NET any -> [194.67.193.205] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286421/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286421; rev:1;) alert tcp $HOME_NET any -> [194.67.193.247] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286422/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286422; rev:1;) alert tcp $HOME_NET any -> [194.67.193.206] 443 (msg:"ThreatFox Matanbuchus 
botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286419/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286419; rev:1;) alert tcp $HOME_NET any -> [194.67.193.246] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286420/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286420; rev:1;) alert tcp $HOME_NET any -> [194.67.193.245] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286418/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ahaamthuc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"barusake.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aberzing.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286410/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"marusto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sekubar.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rebusand.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lameruka.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"reliseti.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pentefaith.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286405; rev:1;) alert tcp $HOME_NET any -> [194.67.193.205] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"chubcharm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ahazko.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ricoshea.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286402; rev:1;) alert tcp $HOME_NET any -> [185.31.200.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1286400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286400; rev:1;)
# URL rules use the "http" app-layer protocol, so they only fire on traffic
# Suricata parses as HTTP. The same request inside TLS is not matched here.
# The URI pattern is anchored at offset 0 by depth but has no end anchor, so
# it is a prefix match. The http.host pattern is anchored at both ends
# (depth plus isdataat:!1,relative), so it is an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"teleshow.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286398; rev:1;)
# Domain rule for the same host as the URL rule above. It fires on the lookup
# itself and matches the exact query name only; subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teleshow.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286399; rev:1;)
# The next two rules describe the same endpoint twice: once as ip:port (any
# TCP packet to port 80) and once as a URL with that address as the Host value.
# A single matching request can raise both sids, so correlate them per flow
# instead of counting them as separate events.
alert tcp $HOME_NET any -> [43.139.124.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.124.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286396; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.169] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1286393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286393; rev:1;) alert tcp $HOME_NET any -> [8.138.118.107] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286392; rev:1;) alert tcp $HOME_NET any -> [123.57.90.204] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"kwqislxk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fastsecurityup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kwqislxk.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286390/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286390; rev:1;)
# URL rules: http.uri is anchored only at the start (depth equals the pattern
# length, with no isdataat after it), so each URI pattern is a prefix match.
# The http.host pattern is anchored at both ends and must equal the Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"kwqislxk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286387; rev:1;)
# The next two rules overlap. A GET for "/up/b" on fastsecurityup.com also
# satisfies the "/up" prefix rule, so one request raises both sid 91286386 and
# sid 91286385. Deduplicate per flow when counting detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"fastsecurityup.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"fastsecurityup.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286385; rev:1;)
# ip:port rules have no flow or payload keywords and match on the destination
# address and port alone. They alert at most once per source per 60 seconds,
# and an alert does not show that the connection was answered.
alert tcp $HOME_NET any -> [47.97.31.229] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286376; rev:1;)
alert tcp $HOME_NET any -> [212.86.114.67] 42666 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1286375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286375; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286374; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286373; rev:1;) alert tcp $HOME_NET any -> [45.138.16.66] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286372; rev:1;) alert tcp $HOME_NET any -> [194.26.192.214] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286371; rev:1;) alert tcp $HOME_NET any -> [193.124.115.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286369; rev:1;) alert tcp $HOME_NET any -> [43.134.118.131] 8888 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286368; rev:1;)
# ip:port rules (confidence 50%). Each rule matches TCP traffic from $HOME_NET
# to one destination address and port. There is no flow or payload keyword, so
# an alert records that the host sent traffic to that endpoint, not that C2
# data was exchanged. `threshold: type limit, track by_src, seconds 60, count 1`
# caps output at one alert per source address per 60 seconds.
# The family name in msg and the confidence_level come from the ThreatFox entry
# linked in `reference`. At 50% a hit is a triage lead: corroborate it with
# endpoint, proxy or DNS data, and weigh `first_seen` because an address can
# change hands after the indicator was recorded.
alert tcp $HOME_NET any -> [154.9.229.182] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286367; rev:1;)
alert tcp $HOME_NET any -> [47.119.22.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286366; rev:1;)
alert tcp $HOME_NET any -> [23.94.168.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286365; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.143] 1011 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286364; rev:1;)
alert tcp $HOME_NET any -> [69.157.7.226] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286363; rev:1;)
alert tcp $HOME_NET any -> [65.20.79.2] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286362; rev:1;)
alert tcp $HOME_NET any -> [38.180.83.85] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286361; rev:1;)
alert tcp $HOME_NET any -> [195.123.219.150] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286360; rev:1;)
alert tcp $HOME_NET any -> [5.252.177.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286359; rev:1;)
alert tcp $HOME_NET any -> [35.209.99.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286358; rev:1;)
alert tcp $HOME_NET any -> [81.43.20.223] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286357; rev:1;)
alert tcp $HOME_NET any -> [206.237.28.231] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286356; rev:1;)
alert tcp $HOME_NET any -> [65.153.151.50] 10011 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286355; rev:1;)
alert tcp $HOME_NET any -> [13.60.91.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286354; rev:1;)
alert tcp $HOME_NET any -> [51.20.134.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286353; rev:1;)
alert tcp $HOME_NET any -> [103.117.101.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286352; rev:1;)
alert tcp $HOME_NET any -> [152.42.198.168] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286351; rev:1;)
# Same ip:port form, rated 75% and 100% by the feed.
alert tcp $HOME_NET any -> [72.5.43.15] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286350; rev:1;)
alert tcp $HOME_NET any -> [94.228.166.40] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286349; rev:1;)
# URL rules. These inspect parsed HTTP only (established flow, client side,
# method GET), so the same request sent inside TLS is not seen by them.
# `http.uri` is anchored at the start by `depth` but has no end anchor: any URI
# that begins with the pattern matches. `http.host` is pinned to the exact
# value by `depth` plus `isdataat:!1,relative`. The destination port is `any`.
# Unlike the ip:port rules there is no `threshold`, so every matching request
# produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"91.92.254.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286177; rev:1;)
# NOTE(review): the Host below is a `www.` site name rather than a bare address.
# If it is a legitimate site that was abused, ordinary visitors fetching
# /visit.js would also match; check the ThreatFox entry before treating a hit
# as confirmed C2 or blocking the whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.thaiticketmajor.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286175; rev:1;)
# URL, domain and ip:port rules, mostly rated 100% by the feed.
# - URL rules (`alert http`): parsed HTTP GET only; `http.uri` is anchored at
#   the start by `depth` with no end anchor, `http.host` is pinned to the exact
#   value by `depth` plus `isdataat:!1,relative`. Several URIs here read like
#   ordinary web resources (/pixel.gif, /fwlink, /jquery-3.3.1.min.js,
#   /ie9compatviewlist.xml), so the host anchor is what makes each rule
#   specific; do not reuse the URI pattern on its own.
# - Domain rules (`alert dns`): `depth` plus `isdataat:!1,relative` require the
#   query name to equal the pattern, so subdomains of a listed name do not
#   match. NOTE(review): `dns_query` is the older keyword spelling while the
#   HTTP rules use the dotted `http.uri`/`http.host` names; confirm the
#   deployed Suricata version accepts both.
# - Several indicators appear twice, once as a URL rule and once as a domain
#   rule (sids 91286172/91286173, 91286163/91286164, 91286155/91286156,
#   91286151/91286152, 91286148/91286149), so one beacon can raise both a DNS
#   and an HTTP alert; correlate on the name when counting incidents.
# - The URL rules do not name a malware family in msg. Where an ip:port rule in
#   this block covers the same address (39.100.74.192, 120.78.217.180,
#   58.185.25.6) that rule labels it Cobalt Strike.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af/fgjds2u"; depth:11; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286174; rev:1;)
# NOTE(review): the next two rules name a single host under tencentapigw.com,
# presumably one endpoint on a shared cloud API gateway. The exact-host anchor
# keeps the match to that endpoint; a broader block on the parent domain would
# also affect unrelated tenants.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-rfgb6jer-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-rfgb6jer-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"58.185.25.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"45.9.74.176"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286170; rev:1;)
# ip:port rules: destination address and port only, no payload or flow
# keyword; `threshold` limits them to one alert per source per 60 seconds.
# The two Remcos rules cover two ports on the same address.
alert tcp $HOME_NET any -> [185.172.128.110] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286169; rev:1;)
alert tcp $HOME_NET any -> [103.198.26.130] 56765 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286168; rev:1;)
alert tcp $HOME_NET any -> [103.198.26.130] 45645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.12.19.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286166; rev:1;)
alert tcp $HOME_NET any -> [39.100.66.199] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.xincyun.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xincyun.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"193.239.86.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286162; rev:1;)
alert tcp $HOME_NET any -> [39.100.74.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.74.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286160; rev:1;)
alert tcp $HOME_NET any -> [58.185.25.6] 8585 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286159; rev:1;)
# `content:"/cm"; depth:3` is a three-byte prefix: any URI on this host that
# starts with /cm matches, not only the exact path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286158; rev:1;)
alert tcp $HOME_NET any -> [136.144.240.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286157; rev:1;)
# NOTE(review): the URI below has the shape of a Q&A-site question path while
# the Host is an unrelated name; presumably chosen to blend in with normal
# browsing. The rule still needs both parts to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; depth:56; nocase; http.host; content:"magnitogorsk.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magnitogorsk.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flynotion.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286152; rev:1;)
alert tcp $HOME_NET any -> [54.226.186.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"flynotion.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evokvm.eu.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286149; rev:1;)
alert tcp $HOME_NET any -> [142.171.234.248] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avatars"; depth:8; nocase; http.host; content:"evokvm.eu.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286148; rev:1;)
alert tcp $HOME_NET any -> [1.92.96.35] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"47.115.53.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286146; rev:1;)
alert tcp $HOME_NET any -> [120.78.217.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.78.217.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updatel2.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"anexchange.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286142; 
rev:1;)
# Host-only URL rules. `http.uri; content:"/"; depth:1` matches every URI that
# begins with "/", so the URI condition adds nothing and each rule fires on any
# parsed HTTP GET whose Host equals the listed value (exact match through
# `depth` plus `isdataat:!1,relative`). There is no `threshold` on these rules,
# so every request alerts; requests inside TLS are not inspected by them.
# The URL rules do not name a malware family. The ip:port rules further down
# label four of the same addresses (95.216.182.224, 78.47.205.62, 162.55.53.18,
# 95.216.142.162) as Vidar; the six domain names are presumably part of the
# same set, to be confirmed against the ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"callias.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"plagmat.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bugday.site"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.142.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.55.53.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286137; rev:1;)
# NOTE(review): sids 91286136 and 91286135 have identical match conditions
# (Host 78.47.205.62), as do 91286134 and 91286133 (Host 95.216.182.224). Each
# pair differs only in `reference` and `sid`, so one request raises two alerts;
# deduplicate on source and host when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.205.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.205.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"theemir.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poocoin.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286131; rev:1;)
# ip:port rules for the same addresses. They match on destination address and
# port only (ports 443 and 9000 here), with no payload or flow keyword, and
# `threshold` limits them to one alert per source per 60 seconds. These are
# the rules that still fire when the session is encrypted.
alert tcp $HOME_NET any -> [95.216.182.224] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286125; rev:1;)
alert tcp $HOME_NET any -> [95.216.182.224] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286126; rev:1;)
alert tcp $HOME_NET any -> [78.47.205.62] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286128; rev:1;)
alert tcp $HOME_NET any -> [162.55.53.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286129; rev:1;)
alert tcp $HOME_NET any -> [95.216.142.162] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286130; rev:1;)
# Domain rules for the six names used as Host values above. `depth` plus
# `isdataat:!1,relative` require the query name to equal the pattern, so a
# subdomain of a listed name does not match. A lookup followed by an HTTP
# request can raise both the dns and the http alert for the same name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poocoin.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theemir.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bugday.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plagmat.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callias.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anexchange.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286124; rev:1;)
# ip:port rules rated 50% by the feed: treat a hit as a lead to corroborate,
# not as confirmation of the family named in msg.
alert tcp $HOME_NET any -> [94.156.68.100] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286118; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286117; rev:1;)
alert tcp $HOME_NET any -> [207.174.26.69] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286116; rev:1;)
alert tcp $HOME_NET any -> 
[34.67.130.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286115; rev:1;)
# ip:port rules (confidence 50%). Each rule matches TCP traffic from $HOME_NET
# to one destination address and port, with no flow or payload keyword, so an
# alert shows that the host sent traffic to that endpoint and nothing more.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source address per 60 seconds. Several entries use common service
# ports (80, 443, 8080); if the address is shared or has been reassigned since
# `first_seen`, unrelated traffic matches too, so corroborate before acting.
alert tcp $HOME_NET any -> [101.35.228.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286114; rev:1;)
alert tcp $HOME_NET any -> [139.180.156.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286113; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.19] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286112; rev:1;)
alert tcp $HOME_NET any -> [198.23.173.178] 60012 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286111; rev:1;)
alert tcp $HOME_NET any -> [121.45.71.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286110; rev:1;)
alert tcp $HOME_NET any -> [182.30.23.115] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286109; rev:1;)
alert tcp $HOME_NET any -> [45.61.135.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286108; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286107; rev:1;)
alert tcp $HOME_NET any -> [185.29.8.219] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286106; rev:1;)
alert tcp $HOME_NET any -> [202.69.47.95] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286105; rev:1;)
alert tcp $HOME_NET any -> [102.44.180.221] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286104; rev:1;)
# Domain rules rated 49% by the feed, the lowest confidence in this part of the
# file; msg names no malware family. `depth` plus `isdataat:!1,relative`
# require the DNS query name to equal the pattern (case-insensitive through
# `nocase`), so subdomains of a listed name do not match. There is no
# `threshold`, so every matching query alerts. A consumer that filters on
# `metadata: confidence_level` with a cut-off of 50 would drop this whole
# group; decide that cut-off deliberately.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"goalcempiz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286054/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"grizmotras.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286055/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"grunzalom.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286056/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"jertacco.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286058/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"jarinamaers.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286057/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"kokcheez.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286059/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"mastralakkot.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286060/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"miistoria.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286061/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"minndarespo.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286062/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"niceburlat.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286063/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"pewwhranet.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286064/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"plwskoret.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286065/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"popfealt.one"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286066/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"postolwepok.tech"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286067/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"scifimond.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286068/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"startmast.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286070/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"titnovacrion.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286071/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ganowernis.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286051/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ginzbargatey.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286053/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"fasestarkalim.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286048/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"fluraresto.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286049/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; 
sid:91286049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"frotneels.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286050/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ganstaeraop.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286052/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"drifajizo.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286047/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"aytobusesre.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286045/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"drendormedia.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286046/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; 
dns_query; content:"aplihartom.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286044/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"skinnyjeanso.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286069/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"trasenanoyr.best"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286072/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wikistarhmania.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286073/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wrankaget.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286074/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"zumkoshapsret.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286075/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"upstatesunflowerfestival.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"upstatesunflowerfestival.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"upstatesunflowerfestival.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"upstatesunflowerfestival.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286092; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.aalborgfaegteklub.dk"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.ackesbilservice.se"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286095; rev:1;) alert tcp $HOME_NET any -> [185.196.9.26] 6302 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286103; rev:1;) alert tcp $HOME_NET any -> [34.65.245.112] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286102; rev:1;) alert tcp $HOME_NET any -> [34.125.95.100] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286101; rev:1;) alert tcp $HOME_NET any -> 
[35.237.76.147] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286099; rev:1;) alert tcp $HOME_NET any -> [173.44.141.66] 3121 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepacketgeoasyncuniversal.php"; depth:32; nocase; http.host; content:"a0994812.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286097; rev:1;) alert tcp $HOME_NET any -> [105.154.97.216] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286096; rev:1;) alert tcp $HOME_NET any -> [79.137.205.182] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_18; classtype:trojan-activity; sid:91286093; rev:1;) alert tcp $HOME_NET any -> [94.156.65.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opensecurity-legacy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"opensecurity-legacy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286086; rev:1;) alert tcp $HOME_NET any -> [8.138.23.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/fp/283vv1fh6lymwufjad8ftwr8ztbgsxicow3wrgg"; depth:56; nocase; http.host; content:"8.138.23.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"103.97.59.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286082; rev:1;) alert tcp $HOME_NET any -> [103.97.59.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286083; rev:1;) alert tcp $HOME_NET any -> [104.129.20.167] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286079; rev:1;) alert tcp $HOME_NET any -> [190.211.254.153] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286080; rev:1;) alert tcp $HOME_NET any -> [5.230.34.68] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286081; rev:1;) alert tcp $HOME_NET any -> [5.255.113.173] 443 (msg:"ThreatFox Unidentified 111 
(Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286078; rev:1;) alert tcp $HOME_NET any -> [47.94.11.195] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286077; rev:1;) alert tcp $HOME_NET any -> [47.93.190.162] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip.zto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"vip.zto.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/eo"; depth:3; nocase; http.host; content:"79.110.49.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"119.45.21.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286038; rev:1;) alert tcp $HOME_NET any -> [194.26.192.194] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286037; 
rev:1;) alert tcp $HOME_NET any -> [194.26.192.194] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286036; rev:1;) alert tcp $HOME_NET any -> [47.121.120.18] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286035; rev:1;) alert tcp $HOME_NET any -> [157.20.182.5] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286034; rev:1;) alert tcp $HOME_NET any -> [106.54.2.149] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286033; rev:1;) alert tcp $HOME_NET any -> [103.30.78.8] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286032; rev:1;) alert tcp $HOME_NET any -> [35.181.4.33] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286031/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286031; rev:1;) alert tcp $HOME_NET any -> [178.163.140.156] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286030; rev:1;) alert tcp $HOME_NET any -> [20.25.175.214] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286029; rev:1;) alert tcp $HOME_NET any -> [185.229.9.27] 8090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286028; rev:1;) alert tcp $HOME_NET any -> [45.41.187.137] 7613 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286027; rev:1;) alert tcp $HOME_NET any -> [16.16.185.182] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286026; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286025; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286023; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286024; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286022; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286021; rev:1;) alert tcp $HOME_NET any -> [85.208.108.4] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286020; rev:1;) alert 
tcp $HOME_NET any -> [8.134.146.35] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286019; rev:1;) alert tcp $HOME_NET any -> [39.165.218.230] 22223 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286018/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286018; rev:1;) alert tcp $HOME_NET any -> [54.226.186.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286017/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286017; rev:1;) alert tcp $HOME_NET any -> [38.207.178.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286016/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286016; rev:1;) alert tcp $HOME_NET any -> [45.149.92.100] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286015; rev:1;) alert tcp $HOME_NET any -> [47.238.48.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1286014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286014; rev:1;) alert tcp $HOME_NET any -> [94.156.68.38] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285909; rev:1;) alert tcp $HOME_NET any -> [185.237.165.53] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285769; rev:1;) alert tcp $HOME_NET any -> [45.155.250.89] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285768; rev:1;) alert tcp $HOME_NET any -> [185.237.206.119] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285767; rev:1;) alert tcp $HOME_NET any -> [31.214.157.103] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"proresupdate.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"icarusairlines.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"icarusairlines.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"icarusairlines.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"icarusairlines.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285737/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"hamaraneta.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessdownloads.ltd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/369eea3a.php"; depth:13; nocase; http.host; content:"a0995485.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"proresupdate.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"154.221.24.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285761; rev:1;)
# url rules (this group): three conditions must all hold on a client request in an
# established flow:
#   - http.method contains "GET";
#   - http.uri starts with the listed path ("depth:N" pins the match to the first N
#     bytes, "nocase" ignores case). Nothing forbids trailing data, so a longer URI
#     with the same prefix (extra path segment, query string) also matches;
#   - http.host equals the listed value exactly ("depth:N" plus
#     "isdataat:!1,relative" means the buffer starts with the value and has no byte
#     after it).
# These rules need HTTP the engine can parse. The same destination reached over TLS
# is only covered where a sibling ip:port rule exists (for example 8.134.75.9 on 443
# just below).
# The url rule messages do not name a malware family. Where an ip:port rule for the
# same address sits next to them (8.134.75.9, 119.3.190.209), that rule is labelled
# Cobalt Strike.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.75.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285759; rev:1;)
alert tcp $HOME_NET any -> [8.134.75.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285760; rev:1;)
# Duplicate match: the next rule (sid:91285758) uses the same URI and host as
# sid:91285740 further down in this file, so one request raises two alerts under two
# IOC references. Account for this when counting hits, or suppress one of the two SIDs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"106.52.102.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.238.235.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285757; rev:1;)
# The ip:port rule below has no "flow" keyword and the url rule after it covers the
# same address, so a single cleartext HTTP request to 119.3.190.209:80 can raise both.
alert tcp $HOME_NET any -> [119.3.190.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.3.190.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.221.24.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"112.124.6.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.78.131.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285752; rev:1;) alert tcp $HOME_NET any -> [89.116.128.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.111.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285748; rev:1;) alert tcp 
$HOME_NET any -> [49.235.122.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.10.min.js"; depth:21; nocase; http.host; content:"39.101.193.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285745; rev:1;) alert tcp $HOME_NET any -> [39.101.193.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"83.229.122.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285744; rev:1;) alert tcp $HOME_NET any -> [107.173.89.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285743; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"107.173.89.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"152.67.221.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"106.52.102.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285740; rev:1;) alert tcp $HOME_NET any -> [49.235.122.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0994622.xsph.ru"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285733; rev:1;)
# domain rule: "dns_query" with "depth:8" and "isdataat:!1,relative" matches only
# when the queried name is exactly the listed value (case-insensitively); a lookup
# of a subdomain does not match. The alert fires on the lookup itself, whether or
# not a connection follows.
# NOTE(review): "dns_query" is the legacy spelling of the "dns.query" sticky buffer,
# while the http rules in this file already use the dotted form (http.uri,
# http.host). Confirm that the deployed Suricata version accepts both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x99y.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ea7887ac.php"; depth:13; nocase; http.host; content:"cq11142.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285731; rev:1;)
# From here on the file lists a long run of confidence_level 80 url rules in which
# many different hosts share one 18-byte URI path (the first is
# "/yzrmzmjjztg1zmvj/"). Each rule still requires an exact http.host match, so a
# host that is not listed is not detected even when it serves the same path.
# NOTE(review): the shared path is the stable element of each cluster; searching
# proxy or HTTP logs for the path alone may reveal related hosts that the feed has
# not listed yet. The path resembles lower-cased base64, and "nocase" keeps it
# matching whatever case the client sends. Both points are inferred, so confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"biricruelidurdursunn.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"gurcistancruell33.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"cruelveblack32.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"cruelgurcistandaaaa42.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"lalagkcvagurcuuuu.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"biricruelidurdursunloo.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"senanlamazsndili.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"keskinbaltadndu.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"zatenacikmisttm.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"sokakdaldiregibas.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285701/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"chennemburasialmnya.xyz"; 
depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"avmevsimibsladikk.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"verelmsnieldenele.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"amagibikertenkeellee.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285706/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gldigimyerchennmindibi.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285704/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kraltacikralmisinhaci.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"ustuneyagdimrmi.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bedelniodedkicmzynayna.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tlefondingalokimo.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285710; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"birdnbireoluvrdihrsy.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"sefernakliatfln.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285714/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bilereklermibildiler.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285713/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"uzanrmigokyuzuneumutlarm.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285715/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gozlermkankrmizisi.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285712/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dardidardomama.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285716/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"giydirbilirfren.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"multipay-3d.website"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285718/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; 
http.host; content:"novediaben52.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285719/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"novediayladostadogru3.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285720/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"kolaicmiyorumlanben3.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285721/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"uyumuyorumlanben2.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285722/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"yemekyoksuyok42.com"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1285723/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"guvenli-odeme.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285724/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"merhabalarlao55.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285725/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"kirmizibalikgolde34.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285726/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"selamkralhg5.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285727/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; 
sid:91285727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"uiyynuripapacum55.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285728/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"selamcanim2361.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285729/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"naberbebekbenkelebek34.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285730/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e10fc428.php"; depth:13; nocase; http.host; content:"a0995122.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raud/get.php"; depth:13; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zx29"; depth:5; nocase; http.host; content:"101.133.148.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91285689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-8gtq0019-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8gtq0019-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1285686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285686; rev:1;)
# Domain IOC. dns_query with depth:23 (the content length) plus isdataat:!1,relative
# is an exact, case-insensitive match on the queried name, so every lookup of this
# name from $HOME_NET alerts, whatever caused the lookup.
# NOTE(review): the name reads like an ordinary public website hostname. If the IOC
# came from a spoofed Host header or an abused third-party site, this rule will fire
# on benign lookups; confirm against the referenced ThreatFox entry before treating
# a hit as evidence of compromise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.thaiticketmajor.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285685; rev:1;)
# URL IOC for the same host. The Host value is matched exactly (depth equals the
# content length and isdataat:!1,relative requires the buffer to end there). The URI
# is only anchored at its start: depth:3 with no end check means any URI that begins
# with "/cx" matches, and only GET requests are considered.
# NOTE(review): short paths such as "/cx" and "/pixel" resemble default Cobalt Strike
# beacon URIs; the msg does not name a family, so verify before labelling an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"www.thaiticketmajor.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285684; rev:1;)
# Same shape: GET, URI prefix "/pixel", exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285683; rev:1;)
# Host is a literal IP here, so the rule only fires when the client addressed the
# server by that IP in the request; a different Host value to the same server is
# not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.120.67.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz61028.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285681; rev:1;) alert tcp $HOME_NET any -> [91.92.255.172] 15170 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285680; rev:1;) alert tcp $HOME_NET any -> [47.236.149.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel"; depth:6; nocase; http.host; content:"47.236.149.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0987400.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285677; 
rev:1;)
# Payload-delivery URL IOCs. Each rule needs a GET request, a URI that begins with
# "/article.php" (depth:12, no end anchor, so query strings and longer paths also
# match) and an exact Host value.
# NOTE(review): these hostnames look like ordinary third-party sites. If they are
# compromised sites rather than attacker-owned hosts, the rules can keep firing on
# legitimate visits after the site is cleaned up; weigh first_seen and the ThreatFox
# entry before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"welfare.sjp.ac.lk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285597; rev:1;)
# NOTE(review): same method, URI and Host conditions as sid:91285597; only the
# reference id and sid differ. With no threshold on either rule, one matching request
# raises two alerts. Presumably the two IOCs differed in a part of the URL this rule
# shape does not encode (scheme or query string); confirm, and deduplicate by
# host+URI downstream if the double alert is noise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"welfare.sjp.ac.lk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.henko.nu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285635; rev:1;)
# NOTE(review): match conditions are identical to sid:91285635 (same double-alert
# effect as the pair above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.henko.nu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.snowbombing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.snowbombing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b674edbb.php"; depth:13; nocase; http.host; content:"a0994533.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcf-sj.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0986195.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285674/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_17; classtype:trojan-activity; sid:91285674; rev:1;)
# ip:port IOCs. These rules carry no content, flow or flags keyword: any TCP packet
# from $HOME_NET to the listed address and port matches, including a connection
# attempt that is never answered. "threshold: type limit, track by_src, seconds 60,
# count 1" caps output at one alert per source address per 60 seconds per rule.
# A hit therefore shows that a host tried to reach the address, not that a C2
# exchange took place; pair it with flow or TLS logs before concluding compromise.
# target:src_ip marks the internal source address as the target side of the alert.
alert tcp $HOME_NET any -> [95.216.142.162] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285670; rev:1;)
alert tcp $HOME_NET any -> [162.55.53.18] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285671; rev:1;)
alert tcp $HOME_NET any -> [195.201.47.189] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285672; rev:1;)
# Domain IOC: exact, case-insensitive match on the queried name (depth:11 equals the
# content length; isdataat:!1,relative requires the name to end there).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feeldog.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285673; rev:1;)
# URL IOC whose path is just "/". content:"/" with depth:1 only requires the URI to
# start with a slash, so the rule is effectively decided by the GET method and the
# exact Host value. The Host value is the same address as the ip:port rule
# sid:91285672 above.
# NOTE(review): this rule only sees traffic that Suricata parses as HTTP; encrypted
# sessions to port 443 on that address would surface through the ip:port rule only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"feeldog.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.55.53.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.142.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285666; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285665; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285663; rev:1;) alert tcp $HOME_NET any 
-> [3.125.102.39] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285664; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285662; rev:1;) alert tcp $HOME_NET any -> [5.42.65.92] 27953 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/935156794695"; depth:23; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285660; rev:1;) alert tcp $HOME_NET any -> [93.123.39.249] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285659; rev:1;) alert tcp $HOME_NET any -> [101.33.226.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285658; rev:1;)
# ip:port IOCs labelled "Unknown malware" at confidence_level 50. The rules match on
# destination address and port alone (no payload or flow keywords) and are limited
# to one alert per source per 60 seconds.
# NOTE(review): port 8888 is also used by plenty of benign services, and the feed
# itself rates these at 50%; treat hits as leads to corroborate, and consider routing
# by the confidence_level metadata rather than alerting at full severity.
alert tcp $HOME_NET any -> [114.132.46.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285657/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285657; rev:1;)
alert tcp $HOME_NET any -> [175.178.90.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285656; rev:1;)
# URL IOC: GET, URI beginning with "/pws/fre.php" (depth:12, prefix match), exact
# Host value.
# NOTE(review): the rule is pinned to GET. If the malware submits data to this path
# with POST, those requests do not match; confirm the observed method in the
# ThreatFox entry or in captured traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"ulysse-cazabonne.cam"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285655; rev:1;)
alert tcp $HOME_NET any -> [118.25.150.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285654; rev:1;)
alert tcp $HOME_NET any -> [103.99.178.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1285653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285653; rev:1;) alert tcp $HOME_NET any -> [45.241.42.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285652; rev:1;) alert tcp $HOME_NET any -> [139.59.161.102] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285651; rev:1;) alert tcp $HOME_NET any -> [45.77.190.71] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285650; rev:1;) alert tcp $HOME_NET any -> [45.32.128.142] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285649; rev:1;) alert tcp $HOME_NET any -> [91.231.186.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285648; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20075 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285647; rev:1;) alert tcp $HOME_NET any -> [51.15.227.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285646; rev:1;) alert tcp $HOME_NET any -> [51.20.76.114] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8625e85.php"; depth:13; nocase; http.host; content:"a0992097.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285644; rev:1;) alert tcp $HOME_NET any -> [91.92.255.172] 15230 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32f05f31.php"; depth:13; 
nocase; http.host; content:"a0994900.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"host1871899.hostland.pro"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/882842611"; depth:20; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285640; rev:1;) alert tcp $HOME_NET any -> [94.228.166.59] 1441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285639; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285634; rev:1;) alert tcp $HOME_NET any -> [8.131.50.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285633; rev:1;)
# Cobalt Strike ip:port IOCs at confidence_level 80. Each rule matches any TCP packet
# from $HOME_NET to the listed address and port and emits at most one alert per
# source address per 60 seconds; no payload is inspected.
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port, not a
# typical beacon listener. A $HOME_NET host reaching it may be an operator client or
# a scanner rather than an infected endpoint; check what the source host is before
# triaging the alert as a beacon check-in.
alert tcp $HOME_NET any -> [101.201.54.74] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285632/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285632; rev:1;)
alert tcp $HOME_NET any -> [116.62.197.217] 3663 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285631/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285631; rev:1;)
alert tcp $HOME_NET any -> [138.2.50.211] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285630; rev:1;)
alert tcp $HOME_NET any -> [5.188.86.216] 10518 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285629; rev:1;)
alert tcp $HOME_NET any -> [116.114.20.180] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285628/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; 
classtype:trojan-activity; sid:91285628; rev:1;) alert tcp $HOME_NET any -> [8.134.146.35] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285627/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285627; rev:1;) alert tcp $HOME_NET any -> [193.239.86.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285626/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a32875a6.php"; depth:13; nocase; http.host; content:"a0986288.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285625; rev:1;) alert tcp $HOME_NET any -> [165.154.33.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285624; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285623; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12984 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285622; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285621; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"homeimageidea.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285619; rev:1;) alert tcp $HOME_NET any -> [46.249.58.101] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285617; rev:1;) alert tcp $HOME_NET any -> [194.26.141.31] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285618/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285618; rev:1;)
# URL IOC: GET, URI beginning with "/_central.php" (depth:13, prefix match, nocase),
# exact Host value (depth:22 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_central.php"; depth:13; nocase; http.host; content:"424673cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285616; rev:1;)
# URL IOC with a 60-byte URI prefix and a literal IP as the exact Host value.
# NOTE(review): this path matches the GET URI of the widely published "amazon"
# Malleable C2 profile for Cobalt Strike, which imitates a shopping-site search URL.
# The msg does not name a family, so confirm against the ThreatFox entry. The exact
# IP Host value is what keeps this from matching genuine shopping traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"150.158.13.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285615; rev:1;)
# AsyncRAT ip:port IOCs at confidence_level 50. The same address appears once per
# port, each with its own sid and its own per-source 60-second alert limit. No
# payload is inspected, so a hit records a connection attempt only.
alert tcp $HOME_NET any -> [149.56.30.19] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285614; rev:1;)
alert tcp $HOME_NET any -> [149.56.30.19] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285613; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.85] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1285612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285612; rev:1;) alert tcp $HOME_NET any -> [45.83.31.241] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285611; rev:1;) alert tcp $HOME_NET any -> [45.88.186.213] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285610; rev:1;) alert tcp $HOME_NET any -> [45.88.186.213] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285609; rev:1;) alert tcp $HOME_NET any -> [45.88.186.213] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285608; rev:1;) alert tcp $HOME_NET any -> [31.124.151.250] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285607; rev:1;) alert tcp $HOME_NET any -> [185.186.146.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285606; rev:1;)
# Destinations on 443 and 995 are matched on the TCP tuple only; there are no tls.* keywords,
# so the rule cannot distinguish the reported C2 service from anything else answering on the
# same address. The family name in msg is the feed's attribution, at confidence_level 50 here.
# target:src_ip records the $HOME_NET source as the target side of the event.
alert tcp $HOME_NET any -> [114.132.61.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285605; rev:1;)
alert tcp $HOME_NET any -> [142.247.185.41] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285604; rev:1;)
alert tcp $HOME_NET any -> [196.64.171.157] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285603; rev:1;)
alert tcp $HOME_NET any -> [202.61.204.177] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285602; rev:1;)
alert tcp $HOME_NET any -> [110.175.49.3] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; 
classtype:trojan-activity; sid:91285601; rev:1;)
# Tuple-only ip:port rules at confidence_level 50 (BianLian on 443, Sliver on 8888).
alert tcp $HOME_NET any -> [185.158.248.39] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285600; rev:1;)
alert tcp $HOME_NET any -> [217.182.76.45] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285599; rev:1;)
# sid 91285596 pins one exact subdomain of xsph.ru; sibling subdomains need their own entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/528ed93e.php"; depth:13; nocase; http.host; content:"a0993996.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285596; rev:1;)
# The rules from here on point at TCP 50050 (confidence_level 80). 50050 is the default Cobalt
# Strike team-server port; NOTE(review): that port normally serves operator clients rather than
# beacon traffic, so confirm which process on the internal host opened the connection.
alert tcp $HOME_NET any -> [43.138.181.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285442; rev:1;)
alert tcp $HOME_NET any -> [39.105.126.81] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285441; rev:1;)
alert tcp $HOME_NET any -> [47.121.117.100] 50050 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285440; rev:1;)
# Ports 80, 443 and 8080 make these the ip:port rules most exposed to address reuse: the match
# is on the destination tuple alone, so a later tenant of the same IP triggers it equally.
# first_seen in metadata is the only age signal in the rule; NOTE(review): consider expiring or
# down-weighting entries by first_seen and confidence_level when loading the feed.
alert tcp $HOME_NET any -> [94.247.42.62] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285439/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285439; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.106] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285438; rev:1;)
alert tcp $HOME_NET any -> [47.96.184.137] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285437; rev:1;)
alert tcp $HOME_NET any -> [117.72.41.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285436; rev:1;)
alert tcp $HOME_NET any -> [188.166.210.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; 
classtype:trojan-activity; sid:91285435; rev:1;)
# sid 91285434: ip:port pattern, destination tuple only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [149.0.1.32] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285434; rev:1;)
# Domain rules: dns_query (legacy spelling of dns.query) with depth equal to the name length plus
# isdataat:!1,relative is an exact, case-insensitive match on the queried name; a subdomain
# such as www.<name> does not match. The alert is raised on the lookup itself.
# NOTE(review): where clients resolve through an internal recursive resolver, the source the
# sensor sees is presumably that resolver, so map back to the client via resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ieee-ecce.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kauzalvip.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nakit-yok.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nathanhr.services"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285433; rev:1;)
alert tcp $HOME_NET any -> [103.185.248.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285429; rev:1;)
# "/ga.js" and "/jquery-3.3.1.min.js" are names of widely used static assets; the URI alone is
# not an indicator, the exact http.host value is what makes these rules specific.
# sid 91285427 has the same URI and host as sid 91285406 later in this file, so one matching
# request produces two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.185.248.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.120.32.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285427; rev:1;)
# "payload delivery" entries flag download locations rather than C2 channels. sid 91285426 is a
# tuple-only match on 443; sid 91285425 is a URL rule at confidence_level 50.
alert tcp $HOME_NET any -> [5.188.88.20] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"42.239.152.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285425; rev:1;)
alert tcp $HOME_NET any -> 
[165.227.208.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285424; rev:1;)
# sid 91285423 / 91285422 are a domain + URL pair for one host. The dns rule fires on the lookup
# whatever protocol follows; the http rule additionally needs a cleartext GET whose URI starts
# with /geo.php. azurewebsites.net is a shared platform suffix, and both patterns pin the full
# subdomain, so other sites under that suffix do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evolved-fashion.azurewebsites.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geo.php"; depth:8; nocase; http.host; content:"evolved-fashion.azurewebsites.net"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285422; rev:1;)
# sid 91285421 (port 80) and the URL rule after it name the same address, so one cleartext
# request to it can raise both alerts.
alert tcp $HOME_NET any -> [103.185.248.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.185.248.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; 
sid:91285420; rev:1;)
# sid 91285419: ip:port rule, destination tuple only, on a high port.
alert tcp $HOME_NET any -> [45.141.87.16] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285419; rev:1;)
# 134.175.233.55 and 101.35.252.242 each have both an ip:port rule and a URL rule.
# The http.uri patterns "/dpixel" and "/pixel" are start-anchored only (depth, no isdataat), so
# "/pixel.gif" or "/pixels/..." match as well; the literal-IP http.host value narrows them.
alert tcp $HOME_NET any -> [134.175.233.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.175.233.55"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.35.252.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285415; rev:1;)
alert tcp $HOME_NET any -> [101.35.252.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285416; rev:1;)
# Two hosts under kdkz1213.icu, each with its own dns rule and URL rule. Both match types are
# exact on the full host name, so the parent domain and any other subdomain go unmatched.
# The URL rules accept any URI starting with /api/get (case-insensitive) and only GET requests.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitor.kdkz1213.icu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.kdkz1213.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"monitor.kdkz1213.icu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"api.kdkz1213.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285411; rev:1;)
alert tcp $HOME_NET any -> [34.146.210.28] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; 
classtype:trojan-activity; sid:91285410; rev:1;)
# sid 91285408 / 91285409: URL + domain pair. The host name contains "windowsupdate" but sits
# under the .shop TLD; both rules match that full name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"appstore.windowsupdate.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appstore.windowsupdate.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285409; rev:1;)
# sid 91285407: 5-byte URI prefix "/j.ad", scoped by a literal-IP http.host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.198.187.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285407; rev:1;)
# sid 91285406 repeats the URI and host of sid 91285427 earlier in this file; a matching request
# alerts under both SIDs, so de-duplicate on signature content if double alerts matter.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.120.32.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285405; rev:1;)
# Very short URI prefixes ("/ca", "/load", "/match") with nocase and no end anchor: "/ca" also
# matches "/cart" or "/Calendar". Specificity comes entirely from the exact http.host value,
# which here is a literal IP, i.e. the request must carry that address in its Host header.
# 43.153.222.28 and 47.108.239.86 each appear in two rules with different URIs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285401/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285401; rev:1;)
# checkupgpt.net and sydnc.net each get a URL rule and a dns rule. The dns rule is the one that
# still fires when the HTTP exchange is encrypted or uses a method other than GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"checkupgpt.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"checkupgpt.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285400; rev:1;)
# sid 91285397: the long URI pattern is all lowercase and relies on nocase; NOTE(review): the
# feed presumably lower-cases URLs, so the pattern may not reflect the original casing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/aisigus9nhmsi6alwcxw9p"; depth:40; nocase; http.host; content:"sydnc.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sydnc.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12c5a512.php"; 
depth:13; nocase; http.host; content:"a0993445.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285396; rev:1;)
# sid 91285394 / 91285395: one URI on two hosts (jaffioptru.me, jaffioptru.biz), confidence_level 80.
# The URI pattern ends in "/" but is still only a prefix match, so deeper paths under it alert too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwu1ztrhmzu1zjdi/"; depth:18; nocase; http.host; content:"jaffioptru.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285394/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwu1ztrhmzu1zjdi/"; depth:18; nocase; http.host; content:"jaffioptru.biz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285395/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285395; rev:1;)
# ip:port rules below are confidence_level 50; those on port 80 match the destination tuple only
# and cannot separate the reported service from other sites answering on that address.
alert tcp $HOME_NET any -> [185.62.86.134] 1411 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285393; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285392; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.62] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285391; rev:1;)
# sid 91285390 targets TCP 22: any connection from $HOME_NET to that address on port 22 alerts,
# whatever protocol is actually spoken; the rule has no app-layer keyword.
# All entries here are confidence_level 50 and rate-limited to one alert per source per 60 s,
# so alert counts say nothing about connection volume; use flow records for that.
alert tcp $HOME_NET any -> [2.50.34.69] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285390; rev:1;)
alert tcp $HOME_NET any -> [175.10.44.100] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285389; rev:1;)
alert tcp $HOME_NET any -> [91.236.230.33] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285388; rev:1;)
alert tcp $HOME_NET any -> [111.19.135.79] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285387; rev:1;)
alert tcp $HOME_NET any -> [36.159.60.161] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285386; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0993651.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285385; rev:1;)
# 192.227.228.34 is attributed to two families on different ports (4782 Quasar RAT, 1124 NjRAT);
# the family in msg is the feed's label for that port, not something the rule verifies.
alert tcp $HOME_NET any -> [192.227.228.34] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285384; rev:1;)
alert tcp $HOME_NET any -> [192.227.228.34] 1124 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285383; rev:1;)
# sid 91285382 reuses the URI "/l1nc0in.php" seen in sid 91285385 with a different xsph.ru
# subdomain; each host is pinned exactly, so a further subdomain needs a further entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0994027.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285382; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.77] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285381; rev:1;)
alert tcp $HOME_NET 
any -> [41.249.109.69] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285380; rev:1;)
# Cobalt Strike ip:port entries at confidence_level 80 on non-standard ports (50050, 4093, 34568).
# Tuple-only match with a per-source threshold: the first packet in each 60 s window alerts,
# later ones in that window are suppressed for that SID and source.
alert tcp $HOME_NET any -> [173.44.141.117] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285379; rev:1;)
alert tcp $HOME_NET any -> [93.95.225.24] 4093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285378; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285377; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.159] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285376; rev:1;)
alert tcp $HOME_NET any -> [5.182.87.173] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285375/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285375; rev:1;)
# Mixed families (Cobalt Strike, Sliver, Hook), all confidence_level 80 and all tuple-only.
# The Sliver entries on 443 and the Hook entry on 80 share ports with ordinary web traffic;
# pair an alert with TLS/HTTP metadata from the same flow before attributing it to the family.
alert tcp $HOME_NET any -> [194.180.191.6] 26996 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285374; rev:1;)
alert tcp $HOME_NET any -> [185.200.221.19] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285373; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.30] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285372; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.236] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285371; rev:1;)
alert tcp $HOME_NET any -> [8.134.102.18] 8282 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285370; rev:1;)
alert tcp $HOME_NET any -> [58.87.70.252] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285369; rev:1;)
# sid 91285368: exact host l0sscommun.temp.swtest.ru, URI prefix "/l1nc0in.php".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"l0sscommun.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285368; rev:1;)
# sid 91285367 / 91285366: ip:port on 443 plus a URL rule for the same address. NOTE(review): if
# the service on 443 speaks TLS, only the ip:port rule can fire unless traffic is decrypted.
alert tcp $HOME_NET any -> [79.110.49.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home_active"; depth:16; nocase; http.host; content:"79.110.49.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285366; rev:1;)
# sid 91285365: confidence_level 50, and the pattern includes the "www." label, so the bare
# domain is not matched; a hit may be ordinary browsing and needs surrounding context.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.glamourstorepa.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285365; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.241] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285364; rev:1;)
# ip:port indicators at confidence_level 50 (AsyncRAT, "Unknown malware", QakBot, Havoc). They use the
# same alert action and classtype as the 100% entries, so nothing in the rule itself lowers their
# priority; read confidence_level from the metadata when ranking alerts. The match is on address and
# port only (no flow or payload keyword), limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [45.83.31.241] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285363; rev:1;)
alert tcp $HOME_NET any -> [207.174.26.70] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285362; rev:1;)
alert tcp $HOME_NET any -> [104.243.34.3] 6669 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285361; rev:1;)
alert tcp $HOME_NET any -> [104.243.34.3] 6668 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285360; rev:1;)
# "Unknown malware" at 50% on ports 80, 3333 and 8888: the family is unattributed in the feed, so a hit
# says only that the address was reported; corroborate with host or proxy evidence.
alert tcp $HOME_NET any -> [37.44.244.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285359; rev:1;)
alert tcp $HOME_NET any -> [108.142.155.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285358; rev:1;)
alert tcp $HOME_NET any -> [124.222.164.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285357; rev:1;)
alert tcp $HOME_NET any -> [1.161.70.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285356; rev:1;)
alert tcp $HOME_NET any -> [15.164.161.42] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285355; rev:1;)
# URL indicator, confidence_level 100. GET only; the path is matched as a prefix of http.uri (depth:32,
# no end anchor) and the Host value must equal the string exactly (depth:22 + isdataat:!1,relative).
# Requests with another method, or carried inside TLS the sensor cannot decrypt, do not alert, so also
# search proxy and DNS logs for the host name when scoping.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polllongpollasyncdleuploads.php"; depth:32; nocase; http.host; content:"196844cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285354; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.67] 55615 (msg:"ThreatFox RedLine Stealer botnet C2
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285353; rev:1;)
# NjRAT, confidence_level 100: three different destination addresses on the same port 15683. Correlate
# hits across the three sids as one indicator set rather than three unrelated alerts.
# All ip:port rules in this span match on address and port only (no flow or payload keyword) and are
# limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [3.124.142.205] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285352; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285351; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285350; rev:1;)
# Cobalt Strike, confidence_level 80. Two entries use port 50050, commonly the team-server management
# port rather than a beacon listener; a $HOME_NET host connecting there is unusual either way, so
# identify the client process. 123.249.11.152 is listed on two ports (6443 and 443).
alert tcp $HOME_NET any -> [47.113.107.52] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285160; rev:1;)
alert tcp $HOME_NET any -> [124.156.166.78] 8765 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285159; rev:1;)
alert tcp $HOME_NET any -> [92.118.170.81] 63845 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285158; rev:1;)
alert tcp $HOME_NET any -> [47.243.57.229] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285157/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285157; rev:1;)
alert tcp $HOME_NET any -> [123.249.11.152] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285156/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285156; rev:1;)
alert tcp $HOME_NET any -> [123.249.11.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285155/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285155; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.220] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285154/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285154; rev:1;)
# RedLine Stealer, RMS and Meterpreter, confidence_level 100. A hit on the stealer entry warrants
# credential rotation for the source host's users in addition to host triage.
alert tcp $HOME_NET any -> [185.236.228.125] 15140 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285153; rev:1;)
alert tcp $HOME_NET any -> [90.188.254.248] 5655 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285152; rev:1;)
alert tcp $HOME_NET any -> [5.35.98.86] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285151; rev:1;)
# AsyncRAT, confidence_level 50: 136.243.151.21 is listed on several ports (9999, 6606, 9990 here).
# Pivot on the destination address rather than on each sid separately.
alert tcp $HOME_NET any -> [136.243.151.21] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285150; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285148; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21] 9990 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285149; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21]
2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285147; rev:1;)
# AsyncRAT ip:port indicators, all confidence_level 50, first_seen 2024_06_15. Each rule matches on
# destination address and port only (no flow or payload keyword) and is limited to one alert per source
# address per 60 seconds. Several addresses are listed on many ports, one sid per port; group alerts by
# destination address when triaging. Ports 6606, 7707 and 8808 recur across hosts, which matches the
# defaults commonly reported for this family.
# 98.67.161.144: port 80 only, which is shared with ordinary web traffic.
alert tcp $HOME_NET any -> [98.67.161.144] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285146; rev:1;)
# 213.252.247.202: ports 8808, 555
alert tcp $HOME_NET any -> [213.252.247.202] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285145; rev:1;)
alert tcp $HOME_NET any -> [213.252.247.202] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285144; rev:1;)
# 213.195.117.131: ports 8808, 7707, 6606, 5003, 4001, 4002
alert tcp $HOME_NET any -> [213.195.117.131] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285143; rev:1;)
alert tcp $HOME_NET any -> [213.195.117.131] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285142; rev:1;)
alert tcp $HOME_NET any -> [213.195.117.131] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285141; rev:1;)
alert tcp $HOME_NET any -> [213.195.117.131] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285140; rev:1;)
alert tcp $HOME_NET any -> [213.195.117.131] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285138; rev:1;)
alert tcp $HOME_NET any -> [213.195.117.131] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285139; rev:1;)
# Single-port entries: 103.195.102.21 and 192.250.225.3
alert tcp $HOME_NET any -> [103.195.102.21] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285137; rev:1;)
alert tcp $HOME_NET any -> [192.250.225.3] 5020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285136; rev:1;)
# 185.212.47.40: ports 5000, 1998, 2000, 20000, 8888, 5555
alert tcp $HOME_NET any -> [185.212.47.40] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285135; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.40] 1998 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285133; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.40] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285134; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.40] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285132; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.40] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285131; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.40] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285130; rev:1;)
# 38.180.92.22: ports 2222, 3333
alert tcp $HOME_NET any -> [38.180.92.22] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285128; rev:1;)
alert tcp $HOME_NET any -> [38.180.92.22] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285129; rev:1;)
# Single-port entries: 157.20.182.6 and 46.4.37.212
alert tcp $HOME_NET any -> [157.20.182.6] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285127; rev:1;)
alert tcp $HOME_NET any -> [46.4.37.212] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285126; rev:1;)
alert tcp $HOME_NET any -> [45.80.158.22] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285125/; target:src_ip; metadata: confidence_level 50, first_seen
2024_06_15; classtype:trojan-activity; sid:91285125; rev:1;)
# AsyncRAT ip:port indicators, all confidence_level 50, first_seen 2024_06_15. The match is on
# destination address and port only; threshold limits each sid to one alert per source address per
# 60 seconds. Most hosts below are listed on the 6606 / 7707 / 8808 triple, one sid per port, so a
# single infected client can raise up to three sids for the same destination. Group by destination
# address and rank by metadata confidence_level, which at 50 calls for corroboration before containment.
# 66.225.254.182: ports 8808, 7707, 6606
alert tcp $HOME_NET any -> [66.225.254.182] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285124; rev:1;)
alert tcp $HOME_NET any -> [66.225.254.182] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285123; rev:1;)
alert tcp $HOME_NET any -> [66.225.254.182] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285122; rev:1;)
# 193.26.115.74: ports 8808, 6606, 7707
alert tcp $HOME_NET any -> [193.26.115.74] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285121; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.74] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285119; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.74] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285120; rev:1;)
# 154.17.167.74: port 7707
alert tcp $HOME_NET any -> [154.17.167.74] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285118; rev:1;)
# 51.81.105.250: ports 6606, 7707
alert tcp $HOME_NET any -> [51.81.105.250] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285116; rev:1;)
alert tcp $HOME_NET any -> [51.81.105.250] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285117; rev:1;)
# 192.250.226.28: port 7066
alert tcp $HOME_NET any -> [192.250.226.28] 7066 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285115; rev:1;)
# 162.244.210.96: ports 8808, 7707, 6606
alert tcp $HOME_NET any -> [162.244.210.96] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285114; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.96] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285113; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.96] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285112; rev:1;)
# 66.225.254.222: ports 6606, 7707, 8808
alert tcp $HOME_NET any -> [66.225.254.222] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285110; rev:1;)
alert tcp $HOME_NET any -> [66.225.254.222] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285111; rev:1;)
alert tcp $HOME_NET any -> [66.225.254.222] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285109; rev:1;)
# 185.62.86.134: port 555
alert tcp $HOME_NET any -> [185.62.86.134] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285108; rev:1;)
# 185.16.38.38: ports 7707, 6606, 8808
alert tcp $HOME_NET any -> [185.16.38.38] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285107; rev:1;)
alert tcp $HOME_NET any -> [185.16.38.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285106; rev:1;)
alert tcp $HOME_NET any -> [185.16.38.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285105; rev:1;)
# 94.156.69.169: ports 7707, 6006 and 6666 appear in this span
alert tcp $HOME_NET any -> [94.156.69.169] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285104; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285102; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1285103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285103; rev:1;)
# AsyncRAT ip:port indicators, all confidence_level 50, first_seen 2024_06_15. The match is on
# destination address and port only (no flow or payload keyword), with one alert per source address
# per 60 seconds per sid. The rules below are grouped by destination address, one sid per port; treat
# hits on any of a group's sids as one lead and confirm on the source host before acting.
# 94.156.69.169: ports 7777, 6606, 4444, 5555, 8808, 8008
alert tcp $HOME_NET any -> [94.156.69.169] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285101; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285100; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285098; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285099; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285097; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.169] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285096; rev:1;)
# 45.94.31.124: ports 8808, 7707, 6606
alert tcp $HOME_NET any -> [45.94.31.124] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285095; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.124] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285094; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.124] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285093; rev:1;)
# 162.244.210.92: ports 8808, 6606, 7707
alert tcp $HOME_NET any -> [162.244.210.92] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285091; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.92] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285092; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.92] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285090; rev:1;)
# 185.25.51.99: ports 8808, 5555
alert tcp $HOME_NET any -> [185.25.51.99] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285089; rev:1;)
alert tcp $HOME_NET any -> [185.25.51.99] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285088; rev:1;)
# 185.241.208.213: port 8080, a common proxy/alternate-HTTP port; expect unrelated traffic to share the port number.
alert tcp $HOME_NET any -> [185.241.208.213] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285087; rev:1;)
# 142.11.201.126: adjacent ports 8716 and 8715
alert tcp $HOME_NET any -> [142.11.201.126] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285086; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.126] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1285085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285085; rev:1;)
# AsyncRAT ip:port indicators, all confidence_level 50, first_seen 2024_06_15. Each rule alerts on any
# TCP packet from $HOME_NET to the listed address and port (no flow or payload keyword), at most once
# per source address per 60 seconds. The rules are grouped below by destination address. Several of the
# listed ports are low or repeated-digit values (222, 555, 777, 888); the address, not the port, is
# what carries the signal.
# 51.77.113.177: ports 6606, 888, 2222, 222, 8888, 8808
alert tcp $HOME_NET any -> [51.77.113.177] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285084; rev:1;)
alert tcp $HOME_NET any -> [51.77.113.177] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285082; rev:1;)
alert tcp $HOME_NET any -> [51.77.113.177] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285083; rev:1;)
alert tcp $HOME_NET any -> [51.77.113.177] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285081; rev:1;)
alert tcp $HOME_NET any -> [51.77.113.177] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285080; rev:1;)
alert tcp $HOME_NET any -> [51.77.113.177] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285079; rev:1;)
# 54.39.216.104: ports 7777, 222, 5555, 777, 555
alert tcp $HOME_NET any -> [54.39.216.104] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285077; rev:1;)
alert tcp $HOME_NET any -> [54.39.216.104] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285078; rev:1;)
alert tcp $HOME_NET any -> [54.39.216.104] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285076; rev:1;)
alert tcp $HOME_NET any -> [54.39.216.104] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285075; rev:1;)
alert tcp $HOME_NET any -> [54.39.216.104] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285074; rev:1;)
# 158.220.83.114: ports 6606, 7707
alert tcp $HOME_NET any -> [158.220.83.114] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285072; rev:1;)
alert tcp $HOME_NET any -> [158.220.83.114] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285073; rev:1;)
# 45.126.209.67: ports 8808, 6606
alert tcp $HOME_NET any -> [45.126.209.67] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285071; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.67] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285070; rev:1;)
# 185.196.11.252: ports 1338 and 1999
alert tcp $HOME_NET any -> [185.196.11.252] 1338 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285069; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.252] 1999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1285068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285068; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285067; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285066; rev:1;) alert tcp $HOME_NET any -> [186.137.33.82] 2113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285065; rev:1;) alert tcp $HOME_NET any -> [162.244.210.243] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285064; rev:1;) alert tcp $HOME_NET any -> [162.244.210.243] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285062; rev:1;) alert tcp $HOME_NET any -> [162.244.210.243] 7707 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285063; rev:1;)
# AsyncRAT ip:port indicators (confidence_level 50). These rules match on
# destination address and port only; there is no payload or flow-state condition.
# One alert per source per 60 seconds per rule (threshold: type limit, by_src).
# A source that reaches several ports of one address raises several SIDs for what
# is probably a single remote host, so group alerts by destination address when
# triaging.
# NOTE(review): 142.11.201.122 and 142.11.201.124 below carry the same port pair
# (8715, 8716). Neighbouring addresses with identical ports may be one operator's
# range; that is an inference from the list, not something the rules assert.
alert tcp $HOME_NET any -> [149.56.30.19] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285061; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.241] 4848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285060; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.241] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285058; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.241] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285059; rev:1;)
alert tcp $HOME_NET any -> [108.174.200.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285057; rev:1;)
# Destination port 80: any TCP traffic to this address on port 80 matches, web
# browsing included, because nothing beyond address and port is checked.
alert tcp $HOME_NET any -> [108.174.200.80] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285056; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.122] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285055; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.122] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285054; rev:1;)
alert tcp $HOME_NET any -> [147.135.165.29] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285053; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.124] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285051; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.124] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285052; rev:1;)
alert tcp $HOME_NET any -> [134.255.217.251] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285050; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.194] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285048; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.194] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285049; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.34] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285047; rev:1;)
alert tcp $HOME_NET any -> [207.174.26.100] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285046; rev:1;)
alert tcp $HOME_NET any -> [115.223.43.224] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285045; rev:1;)
alert tcp $HOME_NET any -> [61.14.233.130] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285044; rev:1;)
alert tcp $HOME_NET any -> [61.14.233.130] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285043; rev:1;)
alert tcp $HOME_NET any -> [61.14.233.130] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285042; rev:1;)
alert tcp $HOME_NET any -> [163.5.64.209] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285041; rev:1;)
alert tcp $HOME_NET any -> [163.5.64.209] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91285039; rev:1;)
# AsyncRAT ip:port indicators (confidence_level 50, first_seen 2024_06_15).
# The match is destination address plus port only, rate-limited to one alert per
# source per 60 seconds per rule. Nothing here inspects the payload, so a hit is
# evidence of contact with a listed endpoint rather than of a specific protocol.
# NOTE(review): several rules in this run use ports 80 and 443 (45.83.31.241:80,
# 172.81.60.16:443, 157.254.223.212:80). Ordinary web traffic to those addresses
# matches too; at confidence 50, corroborate before acting on them.
alert tcp $HOME_NET any -> [163.5.64.209] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285040; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.119] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285038; rev:1;)
alert tcp $HOME_NET any -> [104.223.22.86] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285036; rev:1;)
alert tcp $HOME_NET any -> [104.223.22.86] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285037; rev:1;)
alert tcp $HOME_NET any -> [207.32.218.51] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285035; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.10] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285034; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.241] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285033; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.181] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285032; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.181] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285031; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.125] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285030; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.125] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285029; rev:1;)
alert tcp $HOME_NET any -> [142.202.240.93] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285028; rev:1;)
alert tcp $HOME_NET any -> [142.202.240.93] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285027; rev:1;)
alert tcp $HOME_NET any -> [136.243.111.71] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285026; rev:1;)
alert tcp $HOME_NET any -> [136.243.111.71] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285025; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.241] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285024; rev:1;)
alert tcp $HOME_NET any -> [95.216.41.33] 83 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285023; rev:1;)
alert tcp $HOME_NET any -> [172.81.60.16] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285022; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.166] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285021; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.49] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285020; rev:1;)
alert tcp $HOME_NET any -> [108.165.237.196] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285019; rev:1;)
alert tcp $HOME_NET any -> [51.89.207.240] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285018; rev:1;)
alert tcp $HOME_NET any -> [154.194.50.163] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285017; rev:1;)
alert tcp $HOME_NET any -> [135.181.65.141] 4099 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285016; rev:1;)
alert tcp $HOME_NET any -> [104.238.173.66] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285015; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.54] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285014; rev:1;)
alert tcp $HOME_NET any -> [157.254.223.212] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285013; rev:1;)
alert tcp $HOME_NET any -> [41.216.188.58] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285012; rev:1;)
alert tcp $HOME_NET any -> [3.26.159.73] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285011; rev:1;)
# ip:port indicators for three families. confidence_level differs per rule
# (Deimos 50; RedLine Stealer and Cobalt Strike 100) and is carried in metadata:,
# so severity can be keyed on that field rather than parsed out of msg.
# These rules match destination address and port only. On port 443 that covers
# every TCP connection to the address, whatever it carries.
alert tcp $HOME_NET any -> [185.228.235.158] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285010; rev:1;)
alert tcp $HOME_NET any -> [185.237.165.180] 47454 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285009; rev:1;)
alert tcp $HOME_NET any -> [8.217.21.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285008; rev:1;)
# URL indicators. msg names no family; the ThreatFox entry in reference: is the
# place to look it up. sid:91285007 uses the same address as the Cobalt Strike
# ip:port rule sid:91285008 above.
# Match logic: client-to-server traffic on an established flow; method buffer
# contains "GET"; the URI begins with the listed path (depth equals the pattern
# length, nocase, nothing anchors the end, so longer URIs and query strings also
# match); the Host buffer equals the listed value exactly (depth equals the
# pattern length and isdataat:!1,relative requires no byte after it).
# The Host values here are IP literals, so a request that reaches the same server
# under a domain name does not match the url rule.
# These are `alert http` rules: they apply to HTTP the sensor can parse, so the
# same request inside TLS is not seen unless traffic is decrypted upstream.
# Unlike the ip:port rules, the url rules carry no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.217.21.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"119.28.153.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.103.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"38.14.250.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.108.182.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285003; rev:1;)
alert tcp $HOME_NET any -> [34.146.210.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285002; rev:1;)
# URL and ip:port indicators, confidence_level 100, first_seen 2024_06_15.
# url rules: established client-to-server flow; method buffer contains "GET";
# URI starts with the listed path (depth equals pattern length, nocase, end not
# anchored); Host buffer equals the listed value exactly (depth equals pattern
# length plus isdataat:!1,relative). They apply to parsed HTTP only.
# ip:port rules: destination address and port only, one alert per source per 60
# seconds.
# Where both kinds exist for one address (116.205.189.153 on port 80; 45.32.52.84
# on port 80), a single cleartext request can raise both SIDs, so de-duplicate on
# destination when counting incidents.
# NOTE(review): web.windowsupdate.shop resembles a vendor update host name. The
# rule pins the full name, so it is unaffected, but allow-lists built on
# substrings such as "windowsupdate" would hide this traffic -- confirm local
# suppression rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"web.windowsupdate.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285001; rev:1;)
alert tcp $HOME_NET any -> [116.205.189.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"116.205.189.153"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.58.220.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"119.28.153.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284997; rev:1;)
alert tcp $HOME_NET any -> [45.32.52.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"45.32.52.84"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.220.167.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284994; rev:1;)
alert tcp $HOME_NET any -> [92.118.112.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api/v2/login"; depth:13; nocase; http.host; content:"whole-girl-gw.aws-usw2.cloud-ara.tyk.io"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whole-girl-gw.aws-usw2.cloud-ara.tyk.io"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"123.58.220.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"fabguk.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"jowqem.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284964/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_06_15; classtype:trojan-activity; sid:91284964; rev:1;)
# Members of the /mgi1mty1owrjmdc4/ cluster (sid 91284963 through sid 91284982): identical apart from http.host.
# Each fires on a GET whose URI starts with that path (case-insensitive, no end anchor) and whose Host equals the listed name exactly.
# A request for the same path on a Host not listed in the feed matches none of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"kozwix.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284965/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"zubpiq.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284966/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"lofyam.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"rexqaf.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284968/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url -
confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"wojvuz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284969; rev:1;)
# Members of the /mgi1mty1owrjmdc4/ cluster (sid 91284963 through sid 91284982), differing only in http.host.
# These rules have no threshold keyword, so every matching GET raises an alert; group by sid range when reviewing volume.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"kipfeg.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"zembix.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"juvqat.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host;
content:"kezxof.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284973; rev:1;)
# Members of the /mgi1mty1owrjmdc4/ cluster (sid 91284963 through sid 91284982), differing only in http.host.
# All are alert http rules: they depend on the HTTP parser seeing the request, so the same names reached over
# undecrypted TLS would not match here. NOTE(review): the feed shows no dns rules for these hostnames in this section; confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"podguf.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"zuclav.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"yubtaz.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"fuxjeb.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284978/; target:src_ip; metadata: confidence_level 80, first_seen
2024_06_15; classtype:trojan-activity; sid:91284978; rev:1;)
# Members of the /mgi1mty1owrjmdc4/ cluster (sid 91284963 through sid 91284982), differing only in http.host.
# sids in this stretch are not in ascending order (…77, …79, …81, …80); do not rely on file order when diffing feed versions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"qexwip.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284977/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"vopriz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"jizxeb.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"gupbey.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"qunloz.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284982; rev:1;)
# ip:port rules at confidence_level 100 on non-standard ports (7707, 4040). They carry no flow or payload keywords:
# any TCP packet from $HOME_NET to the endpoint matches, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [51.77.113.177] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284989; rev:1;)
alert tcp $HOME_NET any -> [145.239.230.233] 4040 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284988; rev:1;)
# url rules keyed on an IP-literal Host header: the rule matches the Host value, not the destination address,
# so a request that reaches the same server under a different Host value is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"60.204.134.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284986; rev:1;)
alert http $HOME_NET any
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"121.36.105.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284985; rev:1;)
# The URI of sid 91284985 (above) is reused by sid 91284896 with Host 104.21.11.106, and ThreatFox IOC 1284897
# lists 121.36.105.186:80 as Cobalt Strike; treat hits on any of the three as related.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mlu/forum.php"; depth:14; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284984; rev:1;)
# sid 91284983 (url, confidence_level 75) and sid 91284962 (ip:port 40001, confidence_level 100, Meterpreter) share the address 82.156.199.229.
# The url rule matches any GET URI beginning with /nqtj on that exact Host; the ip:port rule matches any TCP packet to port 40001.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nqtj"; depth:5; nocase; http.host; content:"82.156.199.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_15; classtype:trojan-activity; sid:91284983; rev:1;)
alert tcp $HOME_NET any -> [82.156.199.229] 40001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284962; rev:1;)
# confidence_level 50 on 443 with address and port as the only condition: corroborate with host or flow evidence before escalating.
alert tcp $HOME_NET any -> [57.155.50.252] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284961/; target:src_ip; metadata: confidence_level
50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284961; rev:1;)
# Run of ip:port rules at confidence_level 50. Each matches any TCP packet from $HOME_NET to the listed address and port;
# there is no protocol or payload condition, so a hit shows contact with the endpoint, not the named family's traffic.
# threshold limits alerts to one per source per 60 seconds. Address-only indicators age quickly: weigh hits against
# first_seen (2024_06_15) and corroborate with endpoint or flow data.
alert tcp $HOME_NET any -> [119.42.146.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284960; rev:1;)
alert tcp $HOME_NET any -> [43.132.120.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284959; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.13] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284958; rev:1;)
alert tcp $HOME_NET any -> [196.64.174.125] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284957; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284956; rev:1;)
alert tcp $HOME_NET any -> [52.170.209.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284955; rev:1;)
# ip:port rules at confidence_level 50: address and port are the only conditions, with one alert per source per 60 seconds.
# On 443 and 8443 nothing in these rules inspects TLS, so they cannot distinguish the named family from other traffic to the same endpoint.
alert tcp $HOME_NET any -> [100.27.0.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284954; rev:1;)
alert tcp $HOME_NET any -> [45.88.91.78] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284953; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.3] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284952; rev:1;)
# Two adjacent addresses (121.227.168.76 and .77) on the same port, same family, same day: review hits on either together.
alert tcp $HOME_NET any -> [121.227.168.77] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284951; rev:1;)
alert tcp $HOME_NET any -> [121.227.168.76] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284950; rev:1;)
alert tcp $HOME_NET any -> [44.234.240.58] 7443 (msg:"ThreatFox
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284949; rev:1;)
# Same address (163.69.88.244) on two ports, both confidence_level 50 and address/port only.
# NOTE(review): 31337 is, as far as I know, Sliver's default operator port rather than an implant listener; confirm which role a hit represents.
alert tcp $HOME_NET any -> [163.69.88.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284948; rev:1;)
alert tcp $HOME_NET any -> [163.69.88.244] 10001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284947; rev:1;)
# msg says "payload delivery", not C2: this rule matches the outbound GET only (URI beginning with /mozi.m, exact Host).
# It does not inspect the response, so check separately whether a file was actually returned to the requesting host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"220.165.229.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284946; rev:1;)
# confidence_level 100 ip:port rule on a non-standard port; still address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [173.195.100.190] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/torequestauthlongpollserversqlasyncuniversalpublic.php"; depth:55; nocase; http.host; content:"751120cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284944; rev:1;)
# url rule: GET only, URI prefix /28ebda70.php (case-insensitive, no end anchor), Host exactly a0992098.xsph.ru.
# sid 91284939 uses a sibling name under the same parent domain (a0993204.xsph.ru) with a different .php path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/28ebda70.php"; depth:13; nocase; http.host; content:"a0992098.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284943; rev:1;)
# domain rules at confidence_level 50. dns_query is anchored at both ends (depth equal to the name length plus
# isdataat:!1,relative, nocase), so only a query for exactly the listed name matches; a subdomain of it does not.
# No malware family is named in msg, and the rules have no threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"finasterideanswers.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abecopiers.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tigermm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url -
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/23eae96c.php"; depth:13; nocase; http.host; content:"a0993204.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284939; rev:1;)
# url rule: GET only, URI prefix /_defaultwindows.php (case-insensitive, no end anchor), Host exactly cq83230.tw1.ru.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cq83230.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284938; rev:1;)
alert tcp $HOME_NET any -> [45.61.59.110] 14462 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284937; rev:1;)
# NOTE(review): 50050 is the default Cobalt Strike team-server port, which operator clients connect to; it is not
# a typical beacon listener port. A $HOME_NET host matching these two rules is worth checking for which process opened the connection.
alert tcp $HOME_NET any -> [156.242.43.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284936/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284936; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284935/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284935; rev:1;)
alert tcp $HOME_NET any -> [49.232.29.245] 31337 (msg:"ThreatFox Sliver botnet C2
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284934/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284934; rev:1;)
# ip:port rules at confidence_level 80. Address and port are the only conditions; on 443 nothing inspects TLS.
# threshold limits alerts to one per source per 60 seconds, so alert counts understate the number of connections.
alert tcp $HOME_NET any -> [208.85.22.155] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284933/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284933; rev:1;)
alert tcp $HOME_NET any -> [175.178.236.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284932/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284932; rev:1;)
# 156.242.45.205 and 156.242.40.202 (sid 91284929) both use port 4396, and two more 156.242.x.x addresses
# appear on port 50050 (sid 91284936, sid 91284935); review hits across these four rules together.
alert tcp $HOME_NET any -> [156.242.45.205] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284931/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284931; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284930/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284930; rev:1;)
alert tcp $HOME_NET any -> [156.242.40.202] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15;
classtype:trojan-activity; sid:91284929; rev:1;)
# ip:port rules at confidence_level 80, address and port only. The ports here (1521, 80, 8081, 8080, 4444) carry
# no protocol condition in the rule, so the alert does not confirm what was spoken on the connection.
alert tcp $HOME_NET any -> [139.155.68.35] 1521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284928; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284927/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284927; rev:1;)
# Same address (47.121.116.135) on two ports; each port is thresholded separately because each is its own sid.
alert tcp $HOME_NET any -> [47.121.116.135] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284926/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284926; rev:1;)
alert tcp $HOME_NET any -> [47.121.116.135] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284925/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284925; rev:1;)
alert tcp $HOME_NET any -> [176.218.133.216] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284924/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284923; rev:1;)
# From sid 91284923 on, first_seen is 2024_06_14 rather than 2024_06_15.
# ip:port rules at confidence_level 100: address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [154.247.143.197] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284922; rev:1;)
# Three addresses on the same port (19650) for the same family, consecutive IOC ids: review hits on any of them together.
# NOTE(review): a shared port across several addresses may indicate a common relay or tunnelling service; confirm on the ThreatFox IOC pages before attributing.
alert tcp $HOME_NET any -> [3.125.209.94] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284921; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284920; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284919; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.68] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14;
classtype:trojan-activity; sid:91284918; rev:1;)
# Three ip:port rules on 443 at confidence_level 75 whose msg gives the family as "Unidentified 111 (Latrodectus)".
# Address and port are the only conditions; nothing in the rule inspects TLS.
alert tcp $HOME_NET any -> [198.244.224.83] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284916; rev:1;)
alert tcp $HOME_NET any -> [5.230.45.229] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284917; rev:1;)
alert tcp $HOME_NET any -> [104.129.21.52] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284915; rev:1;)
# DoomedLoader run (sid 91284911 through sid 91284914): confidence_level 50, all on 443, address and port only.
# A hit shows contact with the endpoint, not the loader's protocol; corroborate with endpoint evidence before escalating.
alert tcp $HOME_NET any -> [120.46.132.72] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284912; rev:1;)
alert tcp $HOME_NET any -> [47.94.167.208] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284913; rev:1;)
alert tcp $HOME_NET any -> [8.137.149.188] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level:
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284914; rev:1;)
alert tcp $HOME_NET any -> [8.141.14.176] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284911; rev:1;)
# sid 91284910 (ip:port 443) and sid 91284909 (url, Host 119.28.159.21) describe the same address.
# The url rule fires only on a parsed HTTP GET; if the traffic on 443 is TLS and not decrypted, only the ip:port rule can match.
alert tcp $HOME_NET any -> [119.28.159.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.28.159.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284909; rev:1;)
alert tcp $HOME_NET any -> [185.172.129.208] 8708 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284908; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.14] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284907/; target:src_ip;
metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284907; rev:1;)
# ip:port rules at confidence_level 50: address and port only, one alert per source per 60 seconds.
# The ports here (995, 443, 8443) carry no protocol condition in the rule, so the alert does not confirm what was spoken on the connection.
alert tcp $HOME_NET any -> [39.40.210.126] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284906; rev:1;)
alert tcp $HOME_NET any -> [66.131.154.213] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284905; rev:1;)
alert tcp $HOME_NET any -> [14.19.144.236] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284904; rev:1;)
# Destination port 53 over TCP: the rule is declared as tcp with no dns keywords, so it matches on address and port only
# and fires whether or not the payload is DNS.
alert tcp $HOME_NET any -> [121.127.33.107] 53 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284903; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.65] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284902; rev:1;)
alert tcp $HOME_NET any -> [157.245.117.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284901; rev:1;) alert tcp $HOME_NET any -> [185.170.212.17] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284900; rev:1;) alert tcp $HOME_NET any -> [38.242.198.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284899; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 54880 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"104.21.11.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284896; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284897/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"172.67.148.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284895; rev:1;) alert tcp $HOME_NET any -> [57.128.162.39] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"slq.onlyslq.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; 
content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284891; rev:1;)
# The fragment above completes the rule that starts at the end of the previous line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"152.32.202.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284890; rev:1;)
#
# Payload-delivery URL rules, first_seen 2024_06_14. Each matches a
# client-to-server GET on an established flow whose URI begins with /help.scr
# (depth:9 pins the start, nocase; nothing anchors the end, so longer URIs with
# that prefix also match) and whose Host equals the listed address (depth pins
# the start, isdataat:!1,relative requires the buffer to end after the match).
# These rules carry no threshold keyword, so every matching request alerts.
# NOTE(review): several hosts repeat under different sids with identical match
# options, so one request raises one alert per sid:
#   203.2.65.29     -> 91284468, 91284470, 91284472, 91284483 (also 91284455 further down the file)
#   139.159.155.204 -> 91284487, 91284489
#   49.232.150.208  -> 91284482, 91284490
# Presumably the referenced IOC entries differ in a part of the URL that the
# rule does not encode (such as the port) -- confirm on the IOC pages before
# suppressing any of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"118.178.133.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.45.173.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"112.27.189.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"202.155.196.152"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"60.164.246.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"183.178.124.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"117.72.68.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"110.40.185.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"42.200.209.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"220.246.84.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"42.192.21.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.142.91.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"115.28.26.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"49.232.150.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.67.254.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"61.182.69.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"218.4.199.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"139.159.155.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"81.70.35.72"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"139.159.155.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"49.232.150.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"112.26.186.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"43.135.169.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.4.210.149"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"61.163.102.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"117.157.17.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284495; rev:1;)
# The fragment above completes the rule that starts at the end of the previous line.
# The next two rules belong to the same /help.scr payload-delivery family:
# GET, URI beginning with /help.scr (no end anchor), Host equal to the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"61.144.96.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"182.93.54.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284497; rev:1;)
#
# Coinminer payload-delivery ip:port rules, first_seen 2024_06_14. The rule
# header is the only match condition: any TCP packet from $HOME_NET to the
# listed address and port (80 for all but sid 91284508, which uses 8000)
# satisfies the rule, with no check of the request itself. threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source address per 60 seconds.
# NOTE(review): an alert from these rules shows that a host contacted the
# address, not which URL it fetched; correlate with HTTP logs for the same
# flow before treating it as a confirmed download.
alert tcp $HOME_NET any -> [47.250.148.5] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284498; rev:1;)
alert tcp $HOME_NET any -> [139.199.99.188] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284499; rev:1;)
alert tcp $HOME_NET any -> [101.32.29.172] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284500; rev:1;)
alert tcp $HOME_NET any -> [47.109.103.199] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284501; rev:1;)
alert tcp $HOME_NET any -> [210.71.232.162] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284503; rev:1;)
alert tcp $HOME_NET any -> [103.97.178.52] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284502; rev:1;)
alert tcp $HOME_NET any -> [140.143.142.124] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284504; rev:1;)
alert tcp $HOME_NET any -> [47.121.131.92] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284505; rev:1;)
alert tcp $HOME_NET any -> [106.166.173.36] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284506; rev:1;)
alert tcp $HOME_NET any -> [123.207.244.148] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284507; rev:1;)
alert tcp $HOME_NET any -> [117.33.131.234] 8000 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284508; rev:1;)
alert tcp $HOME_NET any -> [119.45.129.101] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284509; rev:1;)
alert tcp $HOME_NET any -> [42.192.201.191] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284511; rev:1;)
alert tcp $HOME_NET any -> [114.115.130.53] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284510; rev:1;)
alert tcp $HOME_NET any -> [101.43.24.3] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284512; rev:1;)
alert tcp $HOME_NET any -> [122.114.79.17] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284513; rev:1;)
alert tcp $HOME_NET any -> [114.132.232.37] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284514; rev:1;)
alert tcp $HOME_NET any -> [49.232.26.114] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284515; rev:1;)
alert tcp $HOME_NET any -> [124.70.76.239] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284516; rev:1;)
alert tcp $HOME_NET any -> [101.43.97.202] 80 
(msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284517; rev:1;)
# The fragment above completes the rule that starts at the end of the previous line.
# Last Coinminer ip:port rule of this run: header-only match on address and
# port, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [119.3.45.160] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284518; rev:1;)
#
# Payload-delivery URL rules, first_seen 2024_06_14. Each matches a
# client-to-server GET on an established flow whose URI begins with /help.scr
# (depth:9 pins the start, nocase; nothing anchors the end) and whose Host
# equals the listed address (depth pins the start, isdataat:!1,relative
# requires the buffer to end after the match). No threshold keyword is set, so
# every matching request alerts.
# NOTE(review): identical match options appear under more than one sid, so one
# request raises one alert per sid:
#   8.218.40.158 -> 91284462, 91284461
#   203.2.65.29  -> 91284455 here, plus 91284468, 91284470, 91284472, 91284483 earlier in the file
# Presumably the referenced IOC entries differ in a part of the URL that the
# rule does not encode (such as the port) -- confirm on the IOC pages before
# suppressing any of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"183.230.20.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"113.28.105.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"112.74.189.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"8.218.40.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"175.178.35.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"222.244.110.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"8.218.40.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"106.52.247.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.3.45.218"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.117.230.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"113.160.249.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"59.175.183.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.32.57.145"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.71.73.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"58.215.245.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"218.200.155.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.35.99.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"27.82.11.178"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.70.224.72"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"113.28.244.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"107.173.111.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"39.103.200.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"60.205.158.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.43.112.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; 
sid:91284440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"43.233.124.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"58.87.89.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"180.222.182.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.3.45.160"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"104.234.180.208"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"123.249.4.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.70.76.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.43.97.202"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"49.232.26.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284432/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"122.114.79.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.132.232.37"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"42.192.201.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.43.24.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"117.33.131.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.45.129.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.115.130.53"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"106.166.173.36"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; 
content:"123.207.244.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284424; rev:1;)
# The line above is the tail of a rule that begins on the previous line.
#
# Last three URL indicators of the "/help.scr" group: GET, URI starting with
# "/help.scr", Host exactly equal to the listed IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"47.121.131.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"140.143.142.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"210.71.232.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284420; rev:1;)
#
# ip:port indicators ("Coinminer payload delivery") start here.
# These rules carry no flow, flag or payload keyword: any TCP packet from
# $HOME_NET to the listed address and port matches, including a connection
# attempt that is never answered. The threshold (type limit, track by_src,
# count 1, seconds 60) caps output at one alert per source address per
# 60 seconds for each rule.
# 104.234.180.208 is also the http.host of the "/help.scr" URL rule
# sid:91284436, so a single request can raise both an http alert and this
# ip:port alert. Group by destination address when triaging, and treat the
# ip:port hit alone as weaker evidence than the URL hit.
alert tcp $HOME_NET any -> [104.234.180.208] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284519; rev:1;)
alert tcp $HOME_NET any -> [123.249.4.124] 80 
(msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284520; rev:1;) alert tcp $HOME_NET any -> [58.87.89.254] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284521; rev:1;) alert tcp $HOME_NET any -> [180.222.182.49] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284522; rev:1;) alert tcp $HOME_NET any -> [101.43.112.41] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284523; rev:1;) alert tcp $HOME_NET any -> [43.233.124.116] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284524; rev:1;) alert tcp $HOME_NET any -> [39.103.200.155] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284525/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_14; classtype:trojan-activity; sid:91284525; rev:1;) alert tcp $HOME_NET any -> [60.205.158.103] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284526; rev:1;) alert tcp $HOME_NET any -> [113.28.244.231] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284527; rev:1;) alert tcp $HOME_NET any -> [107.173.111.4] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284528; rev:1;) alert tcp $HOME_NET any -> [27.82.11.178] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284529; rev:1;) alert tcp $HOME_NET any -> [203.70.224.72] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284530; rev:1;) alert tcp $HOME_NET any -> [103.35.99.88] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1284531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284531; rev:1;)
# The line above is the tail of a rule that begins on the previous line.
#
# The five destinations below are the same addresses used as http.host in the
# "/help.scr" URL rules sid:91284449 through sid:91284453, here paired with
# ports 83, 9000, 8164, 6713 and 8080.
# The URL rules use "any" as destination port, so on these ports they fire
# only if the sensor parses the stream as HTTP.
# NOTE(review): confirm that app-layer protocol detection covers non-standard
# ports in the sensor configuration, and that http.host on the deployed
# version carries the hostname without the port.
# These ip:port rules match on address and port alone and do not depend on
# HTTP parsing.
alert tcp $HOME_NET any -> [124.71.73.181] 83 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284532; rev:1;)
alert tcp $HOME_NET any -> [58.215.245.2] 9000 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284533; rev:1;)
alert tcp $HOME_NET any -> [218.200.155.204] 8164 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284534; rev:1;)
alert tcp $HOME_NET any -> [59.175.183.106] 6713 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284535; rev:1;)
alert tcp $HOME_NET any -> [1.32.57.145] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284536; rev:1;)
alert tcp $HOME_NET any -> [113.160.249.9] 80 
(msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284537; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284538; rev:1;) alert tcp $HOME_NET any -> [1.117.230.49] 7080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284539; rev:1;) alert tcp $HOME_NET any -> [119.3.45.218] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284540; rev:1;) alert tcp $HOME_NET any -> [106.52.247.30] 6080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284541; rev:1;) alert tcp $HOME_NET any -> [175.178.35.16] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284542/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_14; classtype:trojan-activity; sid:91284542; rev:1;)
# The line above is the tail of a rule that begins on the previous line.
#
# ip:port indicators: each rule matches any TCP packet from $HOME_NET to the
# listed address and port, limited to one alert per source per 60 seconds.
# 8.218.40.158 is listed twice (ports 8088 and 4433) under separate sids.
# The limit is applied per rule, so one client reaching both ports produces
# two alerts for the same destination.
# The port-80 entry (112.74.189.44) matches any traffic to that address on
# the default HTTP port; check what was requested before escalating.
alert tcp $HOME_NET any -> [222.244.110.238] 8089 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284543; rev:1;)
alert tcp $HOME_NET any -> [8.218.40.158] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284544; rev:1;)
alert tcp $HOME_NET any -> [8.218.40.158] 4433 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284545; rev:1;)
alert tcp $HOME_NET any -> [112.74.189.44] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284546; rev:1;)
alert tcp $HOME_NET any -> [183.230.20.189] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284547; rev:1;)
alert tcp $HOME_NET any -> [113.28.105.178] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284548; rev:1;)
# The line above is the tail of a rule that begins on the previous line.
#
# ip:port indicators: address and port only, no flow or payload condition.
# 203.2.65.29 appears below on ports 8087 and 8081, and elsewhere in this
# file on 8088 (sid:91284538), 8086 (sid:91284555) and 8085 (sid:91284566).
# Each port has its own sid and its own per-source limit, so activity against
# this one host can surface as up to five distinct alerts. Aggregate on
# destination address rather than on sid when counting affected clients.
alert tcp $HOME_NET any -> [118.178.133.241] 65500 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284549; rev:1;)
alert tcp $HOME_NET any -> [119.45.173.126] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284550; rev:1;)
alert tcp $HOME_NET any -> [203.2.65.29] 8087 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284551; rev:1;)
alert tcp $HOME_NET any -> [112.27.189.32] 8090 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284552; rev:1;)
alert tcp $HOME_NET any -> [203.2.65.29] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284553; rev:1;)
alert tcp $HOME_NET any -> 
[202.155.196.152] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284554; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8086 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284555; rev:1;) alert tcp $HOME_NET any -> [60.164.246.250] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284556; rev:1;) alert tcp $HOME_NET any -> [183.178.124.31] 8899 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284557; rev:1;) alert tcp $HOME_NET any -> [117.72.68.197] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284558; rev:1;) alert tcp $HOME_NET any -> [110.40.185.110] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284559/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284559; rev:1;) alert tcp $HOME_NET any -> [42.200.209.195] 8001 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284560; rev:1;) alert tcp $HOME_NET any -> [220.246.84.200] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284561; rev:1;) alert tcp $HOME_NET any -> [42.192.21.226] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284562; rev:1;) alert tcp $HOME_NET any -> [115.28.26.10] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284563; rev:1;) alert tcp $HOME_NET any -> [203.142.91.39] 8121 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284564; rev:1;) alert tcp $HOME_NET any -> [49.232.150.208] 8002 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284565; rev:1;)
# More Coinminer ip:port indicators. Address and port are matched together, so the same
# server on a different port needs its own rule: 139.159.155.204 is covered on port 88
# here and on port 81 by sid 91284572. Each sid thresholds independently (one alert per
# source per 60 s), so a host touching both ports produces two alerts.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [203.2.65.29] 8085 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284566; rev:1;)
alert tcp $HOME_NET any -> [124.67.254.109] 61234 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284567; rev:1;)
alert tcp $HOME_NET any -> [61.182.69.190] 11111 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284568; rev:1;)
alert tcp $HOME_NET any -> [218.4.199.122] 8090 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284569; rev:1;)
alert tcp $HOME_NET any -> [139.159.155.204] 88 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284570; rev:1;)
alert tcp $HOME_NET 
any -> [81.70.35.72] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284571; rev:1;)
# Coinminer ip:port indicators, including second ports for addresses already listed:
# 139.159.155.204 (81 here, 88 in sid 91284570) and 49.232.150.208 (444 here, 8002 in
# sid 91284565). The rules carry no flow keyword, so they match individual packets sent
# toward the endpoint; the threshold keeps that to one alert per source per 60 s.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [139.159.155.204] 81 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284572; rev:1;)
alert tcp $HOME_NET any -> [49.232.150.208] 444 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284573; rev:1;)
alert tcp $HOME_NET any -> [112.26.186.56] 8090 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284574; rev:1;)
alert tcp $HOME_NET any -> [43.135.169.132] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284575; rev:1;)
alert tcp $HOME_NET any -> [1.4.210.149] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284576/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284576; rev:1;)
# Four more Coinminer ip:port indicators, followed by a "/help.scr" url rule. The url
# form is narrower than ip:port: it needs a client GET on an established flow whose URI
# starts with "/help.scr" (depth:9, nocase) and whose Host header is exactly the listed
# address (depth plus isdataat:!1,relative). The URI has no end anchor, so a query
# string after the path still matches.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [61.163.102.174] 9999 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284577; rev:1;)
alert tcp $HOME_NET any -> [117.157.17.194] 9999 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284578; rev:1;)
alert tcp $HOME_NET any -> [61.144.96.223] 888 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284579; rev:1;)
alert tcp $HOME_NET any -> [182.93.54.42] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"77.58.156.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284598; rev:1;)
alert tcp $HOME_NET any -> 
[103.142.87.174] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284599; rev:1;)
# "/help.scr" payload-delivery url rules. Host values are literal IP addresses matched
# exactly, so a request for the same path that carries a hostname in its Host header does
# not match. Only traffic parsed as HTTP is inspected by these rules; the ip:port rules
# for the same addresses (for example sid 91284610 for 116.198.32.42 on port 80) alert on
# contact with the address itself.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"171.109.52.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"116.198.32.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"210.87.198.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"150.138.79.154"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1284596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284596; rev:1;)
# Continuation of the "/help.scr" url rules; apart from their ids, the rules differ only
# in the http.host value and its depth. depth equals the length of the address string
# and isdataat:!1,relative rejects anything after it, which keeps "114.33.53.141" from
# matching a longer host value that merely starts with those characters.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"159.75.83.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"118.104.146.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.33.53.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.115.141.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284592; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"120.46.35.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284593; rev:1;)
# More "/help.scr" url rules. Each of these hosts also has an ip:port rule on port 80
# further down (211.159.172.120 in sid 91284603, 1.94.5.103 in sid 91284605,
# 156.232.9.208 in sid 91284600), so one plain-HTTP request can raise both alerts;
# correlate on the internal source address rather than counting them separately.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"211.159.172.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.94.5.103"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"156.232.9.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; 
nocase; http.host; content:"124.222.81.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284585; rev:1;)
# url rules for "/help.scr" on further addresses and for two paths on cococuy8.xyz
# ("/bvxny6r6" and "/8otabr/"). Paths are prefix matches (depth equals the path length,
# no end anchor); hosts are exact matches. The domain is also covered by a dns_query
# rule (sid 91284414), which fires on the lookup whether or not the HTTP request is seen.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.143.10.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"cococuy8.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.142.87.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"cococuy8.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284581/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_14; classtype:trojan-activity; sid:91284581; rev:1;)
# Coinminer ip:port rules on port 80 for addresses that also appear as http.host values
# in the "/help.scr" url rules (for example 156.232.9.208 in sid 91284584). These fire on
# any TCP packet to port 80 of the address, whatever is requested, so they are broader
# than the url rules; the threshold limits them to one alert per source per 60 s.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [156.232.9.208] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284600; rev:1;)
alert tcp $HOME_NET any -> [124.222.81.43] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284601; rev:1;)
alert tcp $HOME_NET any -> [103.143.10.73] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284602; rev:1;)
alert tcp $HOME_NET any -> [211.159.172.120] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284603; rev:1;)
alert tcp $HOME_NET any -> [159.75.83.162] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284604; rev:1;)
alert tcp $HOME_NET any -> [1.94.5.103] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284605; rev:1;)
# Port-80 ip:port counterparts of the "/help.scr" url rules: 118.104.146.106 (url sid
# 91284590), 114.33.53.141 (91284591), 114.115.141.157 (91284592), 120.46.35.129
# (91284593) and 116.198.32.42 (91284594). A hit here without the matching url alert
# shows only that the address was contacted on port 80; the "/help.scr" request itself
# was not matched.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [118.104.146.106] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284606; rev:1;)
alert tcp $HOME_NET any -> [114.33.53.141] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284607; rev:1;)
alert tcp $HOME_NET any -> [114.115.141.157] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284608; rev:1;)
alert tcp $HOME_NET any -> [120.46.35.129] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284609; rev:1;)
alert tcp $HOME_NET any -> [116.198.32.42] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284610; rev:1;)
alert tcp $HOME_NET any -> [210.87.198.112] 80 (msg:"ThreatFox Coinminer 
payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284611; rev:1;)
# Further Coinminer ip:port rules, then botnet C2 url rules for 20.199.87.174. Note that
# 171.109.52.222 is listed on port 8000, not 80. The C2 url rules have the same shape as
# the payload-delivery ones: client GET, URI prefix ("/uploadlogs", "/api/injection"),
# exact Host match.
# NOTE(review): these match GET only; whether the C2 also uses other methods on these
# paths cannot be told from the rule — check the referenced ThreatFox entry.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [150.138.79.154] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284612; rev:1;)
alert tcp $HOME_NET any -> [171.109.52.222] 8000 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284613; rev:1;)
alert tcp $HOME_NET any -> [77.58.156.127] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploadlogs"; depth:11; nocase; http.host; content:"20.199.87.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/injection"; 
depth:14; nocase; http.host; content:"20.199.87.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284616; rev:1;)
# Botnet C2 url and domain rules for ilovecats.life, then a payload-delivery url rule for
# feckwear.com. The dns_query rules are exact, case-insensitive matches (depth equal to
# the name length plus isdataat:!1,relative), which is why api.ilovecats.life and
# ilovecats.life each have their own rule; any other subdomain is not covered.
# Lookups made over encrypted DNS are not visible to these rules.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filelogs"; depth:9; nocase; http.host; content:"api.ilovecats.life"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.ilovecats.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovecats.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"feckwear.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"feckwear.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284622; rev:1;)
# Payload-delivery url rules under "/cdn-vs/" on feckwear.com and
# santapubcrawlchattanooga.com. feckwear.com also has a dns_query rule (sid 91284622)
# that fires on any lookup of the name, independent of path; no domain rule for
# santapubcrawlchattanooga.com appears alongside its url rule here.
# NOTE(review): both names look like ordinary websites, possibly compromised ones —
# confirm against the ThreatFox entry before treating every request to them as malicious.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"feckwear.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"feckwear.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/data.php"; depth:16; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284625; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 23193 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284868; rev:1;)
# Mixed botnet C2 indicators with differing confidence: 75 (ply.gg domain, Loki on
# 80.209.225.170:80), 80 (kalopvard.com) and 100 (RedLine, AMOS). The value is repeated
# in metadata as confidence_level, which can be used to route lower-confidence hits to
# review rather than automatic response.
# NOTE(review): "america-dividend.gl.at.ply.gg" looks like a subdomain handed out by a
# shared tunnelling service — TODO confirm; the rule is an exact match, so other names
# under the same parent domain are unaffected.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"america-dividend.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284869; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.219] 33455 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284871; rev:1;)
alert tcp $HOME_NET any -> [80.209.225.170] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284874/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284874; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.38] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"kalopvard.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284888; rev:1;)
alert tcp $HOME_NET any -> [185.93.221.108] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284887; rev:1;)
# A botnet C2 domain rule (lettecoft.com, confidence 80) followed by "/help.scr"
# payload-delivery url rules (confidence 100). The domain rule sets fast_pattern on its
# only content and matches the full query name exactly; the url rules match the URI by
# prefix and the Host header exactly, and need a client GET on an established flow.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"lettecoft.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"47.109.103.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.97.178.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"139.199.99.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284416; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.32.29.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284417; rev:1;)
# Mixed set: the cococuy8.xyz domain rule, a "/help.scr" url rule, then ip:port C2 rules
# for Amadey (confidence 50) and Cobalt Strike (confidence 80). 77.91.77.140 is covered
# twice: the ip:port rule here fires on any packet to port 80, while url sid 91284870
# needs the "/g9bkfkwf/index.php" request and is rated 100, so the url hit is the
# stronger signal when both are present.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cococuy8.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"47.250.148.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284415; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.140] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284886; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284885; rev:1;)
alert tcp $HOME_NET any -> 
[139.155.68.35] 63909 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284884; rev:1;)
# Cobalt Strike and Hook ip:port C2 indicators, all confidence 80. Ports range from 80
# and 443 to arbitrary high ports. Nothing but address and port is checked, so hits,
# those on 80/443 especially, need corroboration (TLS or HTTP metadata, endpoint
# telemetry) before the internal source is treated as compromised.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [34.220.26.176] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284883; rev:1;)
alert tcp $HOME_NET any -> [89.110.76.194] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284882; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.200] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284881; rev:1;)
alert tcp $HOME_NET any -> [209.97.160.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284880; rev:1;)
alert tcp $HOME_NET any -> [104.234.240.171] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284879/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284879; rev:1;)
# Further Cobalt Strike ip:port indicators and Venom RAT entries, confidence 80,
# first_seen 2024_06_14. Address/port indicators go stale as servers are reassigned;
# re-check the reference URL in the rule before acting on an old hit.
# The first and last lines of this span are fragments of rules that continue on the
# adjacent lines.
alert tcp $HOME_NET any -> [47.108.182.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284878; rev:1;)
alert tcp $HOME_NET any -> [154.9.225.100] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284877; rev:1;)
alert tcp $HOME_NET any -> [123.57.85.206] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284876; rev:1;)
alert tcp $HOME_NET any -> [82.157.99.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284875; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.60] 2525 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284873; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.15] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9bkfkwf/index.php"; depth:19; nocase; http.host; content:"77.91.77.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284870; rev:1;) alert tcp $HOME_NET any -> [65.109.240.138] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284626; rev:1;) alert tcp $HOME_NET any -> [45.61.132.128] 1952 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0993016.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284413; rev:1;) alert tcp $HOME_NET any -> [20.199.87.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"biwumii5.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malivscute.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jegyfuy0.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ginidue5.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"disypoy4.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284369/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284369; rev:1;)
# NOTE(review): url rules. In each rule below, depth equals the pattern length, so the
# http.uri pattern is pinned to the start of the URI but not to its end; the
# isdataat:!1,relative that follows belongs to the http.host match, which is therefore
# exact. Short paths such as "/cx", "/cm" and "/fwlink" also match any longer URI on the
# same host that begins with those bytes, so confirm the full request path during triage.
# http.host is matched without nocase; the patterns here are all lowercase, which is what
# that normalized buffer expects.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.220.192.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284405; rev:1;)
alert tcp $HOME_NET any -> [107.149.241.7] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284404; rev:1;)
# NOTE(review): duplicate detections. The next two rules use the same method, URI and
# host patterns as sid:91284381 and sid:91284379 further down in this file; only the sid
# and the ThreatFox reference differ. One matching request raises two alerts per pair, so
# deduplicate on (http.uri, http.host) when merging the feed or counting detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www.deerllt.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www-deer.deerllt.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284402/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284402; rev:1;) alert tcp $HOME_NET any -> [107.175.218.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"jkbs168.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.108.220.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284399; rev:1;) alert tcp $HOME_NET any -> [47.108.239.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.108.239.86"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284397; rev:1;) alert tcp $HOME_NET any -> [120.53.250.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cwonajlbo/vtneww11212/"; depth:23; nocase; http.host; content:"120.53.250.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284395; rev:1;) alert tcp $HOME_NET any -> [139.199.216.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.42.10.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284393; rev:1;) alert tcp $HOME_NET any -> [124.222.91.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1284392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.nbch1na.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nbch1na.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"117.72.45.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284388; rev:1;) alert tcp $HOME_NET any -> [117.72.45.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.93.87.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284386; rev:1;) alert tcp $HOME_NET any -> [47.93.87.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.245.39.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284384; rev:1;) alert tcp $HOME_NET any -> [103.245.39.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284385; rev:1;) alert tcp $HOME_NET any -> [107.149.241.7] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www.deerllt.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284381; rev:1;)
# NOTE(review): domain rules. depth equals the pattern length and isdataat:!1,relative
# follows the content, so dns_query has to equal the listed name exactly
# (case-insensitively, via nocase). A query for any other label under the same parent
# domain matches neither rule; that is why each hostname has its own entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.deerllt.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-deer.deerllt.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284380; rev:1;)
# NOTE(review): same method, URI and host patterns as sid:91284402 earlier in this file;
# a matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www-deer.deerllt.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284379; rev:1;)
# NOTE(review): this ip:port rule has no flow, flags or content keyword, so it matches any
# TCP packet from $HOME_NET to the address and port. The url rule that follows
# (sid:91284377) names the same address in http.host, so one HTTP session to it on port 80
# can raise both alerts; correlate them rather than counting two detections.
alert tcp $HOME_NET any -> [20.2.209.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.2.209.212"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.11.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284376; rev:1;) alert tcp $HOME_NET any -> [107.175.218.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkbs168.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"jkbs168.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284373; rev:1;) alert tcp $HOME_NET any -> 
[172.245.53.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.chinaunion.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/docs/"; depth:13; nocase; http.host; content:"api.chinaunion.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284370; rev:1;) alert tcp $HOME_NET any -> [82.153.68.38] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnbvcxz.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284334; rev:1;) alert tcp $HOME_NET any -> [41.249.41.241] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"businessresources.ltd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284320; rev:1;) alert tcp $HOME_NET any -> [216.55.179.28] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"x52op6gt0i.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/data.zip"; depth:12; nocase; http.host; content:"businessresources.ltd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"x52op6gt0i.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284317; rev:1;) alert tcp $HOME_NET any -> [91.199.154.172] 15486 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x52op6gt0i.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284294; rev:1;) alert tcp $HOME_NET any -> [85.31.224.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284364; rev:1;) alert tcp $HOME_NET any -> [47.76.67.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284363; rev:1;) alert tcp $HOME_NET any -> [119.42.146.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1284362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284362; rev:1;)
# NOTE(review): ip:port rules at confidence_level 50. None of the rules below carries a
# flow, flags or content keyword: each fires on any TCP packet from $HOME_NET to the listed
# address and port, whether or not a session is established, and the threshold only caps
# alerts at one per source per 60 seconds. The match is on the address alone, and
# first_seen is 2024_06_14, so check the reference URL for the IOC's current status and
# corroborate with DNS, proxy or endpoint telemetry before treating a hit as a confirmed
# infection. An address may since have been reassigned; verify.
alert tcp $HOME_NET any -> [37.107.29.70] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284361; rev:1;)
# NOTE(review): destination port 445 is SMB. Outbound SMB from $HOME_NET to an external
# address is normally denied at the egress filter regardless of this IOC, so a hit here
# also indicates that the egress policy allows it.
alert tcp $HOME_NET any -> [34.89.109.34] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284360; rev:1;)
alert tcp $HOME_NET any -> [66.228.59.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284359; rev:1;)
alert tcp $HOME_NET any -> [121.227.168.78] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284358; rev:1;)
alert tcp $HOME_NET any -> [3.19.59.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284357; rev:1;)
alert tcp $HOME_NET any -> [51.20.127.177] 7443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284356; rev:1;) alert tcp $HOME_NET any -> [3.9.82.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284355; rev:1;) alert tcp $HOME_NET any -> [3.15.156.228] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284354; rev:1;) alert tcp $HOME_NET any -> [51.20.119.112] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284353; rev:1;) alert tcp $HOME_NET any -> [139.84.217.198] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284352; rev:1;) alert tcp $HOME_NET any -> [18.177.14.165] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284351/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_14; classtype:trojan-activity; sid:91284351; rev:1;) alert tcp $HOME_NET any -> [64.226.91.223] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284350; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 51379 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284349; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 46694 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284348; rev:1;) alert tcp $HOME_NET any -> [107.175.31.172] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284347; rev:1;) alert tcp $HOME_NET any -> [107.175.31.172] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284346; rev:1;) alert tcp $HOME_NET any -> [107.175.31.172] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"218.29.30.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284344; rev:1;) alert tcp $HOME_NET any -> [193.233.75.241] 8080 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284343; rev:1;) alert tcp $HOME_NET any -> [92.143.110.175] 1716 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284342; rev:1;) alert tcp $HOME_NET any -> [72.5.43.196] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284341; rev:1;) alert tcp $HOME_NET any -> [8.137.144.130] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284339; rev:1;) alert tcp $HOME_NET any -> [156.242.45.217] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284338; rev:1;) alert tcp $HOME_NET any -> [107.151.240.224] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284337; rev:1;) alert tcp $HOME_NET any -> [156.242.41.200] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284336; rev:1;) alert tcp $HOME_NET any -> [156.242.40.211] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284335; rev:1;) alert tcp $HOME_NET any -> [185.29.9.101] 9098 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.75.155.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284330; rev:1;)
# ip:port indicator. The rule carries no flow or content keywords, so the
# match is on destination address and port alone: any TCP packet from
# $HOME_NET to 106.75.155.80:80 qualifies. "threshold: type limit ... count 1"
# caps the output at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [106.75.155.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284331; rev:1;)
# Same address as the url rule that follows (sid 91284328), here on port 443.
# The url rule needs a parsed HTTP request; NOTE(review): if this server is
# reached over TLS on 443 and the sensor does not see decrypted traffic, this
# ip:port rule is the only one of the pair that can fire - confirm against
# the ThreatFox entry.
alert tcp $HOME_NET any -> [43.134.59.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284329; rev:1;)
# url indicator: client-side GET on an established flow. depth:3 pins "/cx"
# to the first three bytes of the URI buffer, but nothing anchors the end, so
# any longer path starting with "/cx" also matches (nocase applies to the URI
# only). The Host buffer is matched in full: depth:12 plus
# isdataat:!1,relative leaves no room before or after "43.134.59.76".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.134.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284328; rev:1;)
# ip:port indicator on 443: address-and-port match only, no payload
# inspection, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [5.181.202.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/visit.js"; depth:9; nocase; http.host; content:"5.181.202.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284326; rev:1;)
# url indicator: GET whose URI starts with the 37-byte path below (depth:37
# anchors the start, the end is open) and whose Host buffer is exactly
# "103.97.59.121". The host content has no nocase; http.host is a
# lower-cased buffer in Suricata, so none is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"103.97.59.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284324; rev:1;)
# ip:port companion for the same address on 443: matches on destination
# address and port alone, rate-limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [103.97.59.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284325; rev:1;)
# ip:port indicator on port 80, no HTTP keywords: it fires on any TCP packet
# to this address and port, whatever the request contains.
alert tcp $HOME_NET any -> [8.134.160.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284323; rev:1;)
# domain indicator: dns_query (older spelling of dns.query) is matched in
# full - depth:8 plus isdataat:!1,relative means only the name "qax1.top"
# itself hits, not a subdomain of it. No threshold is set, so every matching
# query alerts. NOTE(review): the alert's source is whichever host sent the
# query past the sensor; behind an internal recursive resolver that is
# presumably the resolver, not the endpoint - correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qax1.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"qax1.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284321; rev:1;) alert tcp $HOME_NET any -> [38.114.102.6] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284316; rev:1;) alert tcp $HOME_NET any -> [47.93.172.239] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284315/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284315; rev:1;) alert tcp $HOME_NET any -> [60.205.104.45] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284312; rev:1;) alert tcp $HOME_NET any -> [1.94.198.82] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284313; rev:1;) alert tcp $HOME_NET any -> [1.92.68.1] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284314/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284314; rev:1;) alert tcp $HOME_NET any -> [8.147.109.58] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.222.230.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; 
depth:5; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284307; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284306; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284305; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284304; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284302/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284298; rev:1;)
# url indicator: GET with a URI starting with the 38-byte path below and a
# Host buffer equal to "183.232.189.148". The URI match is a prefix match
# (depth anchors the start only), the host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284297; rev:1;)
# url indicator: the URI prefix "/activity" is short and generic, so the
# exact Host match on the IP literal is what scopes this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284296; rev:1;)
# url indicator keyed on a hostname rather than an IP literal. The Host
# buffer must equal the full 47-byte name (depth:47 plus isdataat:!1,relative),
# so other names under the same parent domain do not match.
# NOTE(review): the parent domain looks like a shared cloud gateway domain and
# the URI is a file name that unrelated sites presumably also serve; keep the
# full-host anchor if this rule is ever edited by hand.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284295; rev:1;)
# ip:port indicator with the weakest attributes in this group: family given
# as "Unknown malware", confidence_level 50, port 80, and no payload
# inspection. Any TCP packet to this address and port matches; treat a hit as
# a lead to corroborate rather than a confirmed infection.
alert tcp $HOME_NET any -> [193.164.5.111] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284293; rev:1;)
alert tcp $HOME_NET any -> [4.157.252.211] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284292; rev:1;)
# The five rules below are all ip:port indicators at confidence_level 50.
# None has flow or content keywords: each matches any TCP packet from
# $HOME_NET to the listed address and port, and "threshold: type limit"
# reduces that to one alert per source address per 60 seconds. The only
# per-rule evidence is the address, the port and the first_seen date, so
# consumers that filter on metadata can use confidence_level to route these
# separately from the 100% entries.
alert tcp $HOME_NET any -> [8.210.100.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284291; rev:1;)
# QakBot, 443: on this port the rule cannot tell the flagged service from
# anything else hosted on the same address.
alert tcp $HOME_NET any -> [86.98.9.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284290; rev:1;)
alert tcp $HOME_NET any -> [88.232.103.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284289; rev:1;)
# QakBot, 995: same shape as the two rules above, different port.
alert tcp $HOME_NET any -> [45.241.44.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284288; rev:1;)
alert tcp $HOME_NET any -> [47.236.116.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284287; rev:1;)
alert tcp $HOME_NET any -> [174.138.23.208] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284286; rev:1;) alert tcp $HOME_NET any -> [166.88.159.17] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284285; rev:1;) alert tcp $HOME_NET any -> [45.133.195.90] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shaderify.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284277; rev:1;) alert tcp $HOME_NET any -> [93.190.8.212] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284278; rev:1;) alert tcp $HOME_NET any -> [93.190.8.212] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284279/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284279; rev:1;)
# domain indicators tagged "payload delivery". dns_query is matched in full
# (depth equals the name length, isdataat:!1,relative forbids trailing
# bytes), so only a query for exactly this name alerts; a lookup for a
# subdomain of it does not. nocase makes the comparison case-insensitive.
# There is no threshold on dns rules, so repeated lookups alert repeatedly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bettershaders.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shaderify.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284281; rev:1;)
# ip:port indicator: address-and-port match only, one alert per source per
# 60 seconds.
alert tcp $HOME_NET any -> [106.250.166.45] 5726 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284282; rev:1;)
# This ip:port rule and the domain rule after it carry adjacent IOC ids
# (1284275 / 1284276), the same confidence_level (75) and the same
# first_seen date - presumably one report split into two indicators.
# NOTE(review): the hostname sits under what looks like a shared
# tunnelling/relay domain, so the address may also front unrelated tenants;
# verify before turning the IP match into a block.
alert tcp $HOME_NET any -> [147.185.221.20] 21936 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284275; rev:1;)
# domain indicator on a full hostname: all 30 bytes must match, so only this
# specific label under the parent domain alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"license-reception.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284276; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.162] 22 (msg:"ThreatFox Stealc 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284274; rev:1;) alert tcp $HOME_NET any -> [147.45.78.162] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284273; rev:1;) alert tcp $HOME_NET any -> [156.242.46.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284272; rev:1;) alert tcp $HOME_NET any -> [156.242.43.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284271/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284271; rev:1;) alert tcp $HOME_NET any -> [116.205.188.138] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284270/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284270; rev:1;) alert tcp $HOME_NET any -> [42.193.53.72] 7751 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284269/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_06_13; classtype:trojan-activity; sid:91284269; rev:1;) alert tcp $HOME_NET any -> [89.169.54.70] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284268/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284268; rev:1;) alert tcp $HOME_NET any -> [45.11.181.128] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284267/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284267; rev:1;) alert tcp $HOME_NET any -> [117.72.68.194] 33389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284266; rev:1;) alert tcp $HOME_NET any -> [18.212.125.154] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284265/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284265; rev:1;) alert tcp $HOME_NET any -> [35.226.167.237] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284264/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284264; rev:1;) alert tcp $HOME_NET any -> [24.199.88.54] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284263; rev:1;) alert tcp $HOME_NET any -> [64.227.65.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284262/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284262; rev:1;) alert tcp $HOME_NET any -> [91.92.251.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284261/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284261; rev:1;) alert tcp $HOME_NET any -> [156.242.45.204] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284260/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284260; rev:1;) alert tcp $HOME_NET any -> [191.101.15.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284259/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284259; rev:1;) alert tcp $HOME_NET any -> [1.92.121.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284258; rev:1;) alert tcp $HOME_NET any -> [62.234.70.74] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284257/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284257; rev:1;) alert tcp $HOME_NET any -> [156.242.45.220] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284256; rev:1;) alert tcp $HOME_NET any -> [156.242.41.215] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284255/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284255; rev:1;) alert tcp $HOME_NET any -> [147.45.44.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284254/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284254; rev:1;) alert tcp $HOME_NET any -> [5.181.159.42] 2083 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284253/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284253; rev:1;) alert tcp $HOME_NET any -> [5.181.159.42] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284252/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284252; rev:1;)
# ip:port indicators. These rules carry no flow or payload keyword, so any TCP
# packet from $HOME_NET to the listed address and port can match, including a
# connection attempt that is never answered. `threshold: type limit, track
# by_src, seconds 60, count 1` caps output at one alert per source host per
# 60 seconds for each rule. Treat a hit as a connection attempt to a reported
# address and confirm it with flow or endpoint data; confidence_level is the
# rating carried in the feed metadata.
alert tcp $HOME_NET any -> [116.202.177.206] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284251; rev:1;)
alert tcp $HOME_NET any -> [116.202.177.206] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284250; rev:1;)
alert tcp $HOME_NET any -> [172.203.104.154] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284249; rev:1;)
alert tcp $HOME_NET any -> [178.215.236.251] 717 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284248; rev:1;)
# Domain indicators. `depth` equals the length of the name and
# `isdataat:!1,relative` requires that nothing follows it, so the rule matches
# only a query for exactly this name (case-insensitive); a query for a
# subdomain of the name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app-login.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284246; rev:1;)
# URL indicators. The http.uri pattern is anchored at the start of the URI by
# `depth` but has no end anchor, so it is a case-insensitive prefix match; the
# http.host pattern is anchored at both ends and must equal the Host value.
# Only GET requests are inspected. Several paths in this run (/fwlink,
# /updates.rss, /jquery-3.3.1.min.js) are ordinary-looking; the host pin is
# what makes each rule specific, so the path alone is not an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0992844.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.15.62.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hw2.chintelecom.com.cn"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"172.81.211.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"172.81.211.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284237; rev:1;)
# The next four rules pair an ip:port rule on 443 with a URL rule naming the
# same address as Host (116.204.118.96, then 8.134.160.65). `alert http` only
# evaluates traffic Suricata has parsed as HTTP, so if the session on 443 is
# TLS the URL rule cannot see the request without decryption and the ip:port
# rule is the one that fires.
# NOTE(review): the rule text does not record whether the reported URL was
# http or https; check the referenced IOC page before relying on the URL rule.
alert tcp $HOME_NET any -> [116.204.118.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/v9.52/6fcq3uvd9"; depth:23; nocase; http.host; content:"116.204.118.96"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284235; rev:1;)
alert tcp $HOME_NET any -> [8.134.160.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.134.160.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284233; rev:1;)
alert 
tcp $HOME_NET any -> [18.208.156.248] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284232; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 21854 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284231; rev:1;)
# QakBot ip:port batch. Every entry is labelled confidence 100 with the same
# first_seen date, and each rule matches on address and port only (no flow or
# payload keyword), limited to one alert per source per 60 seconds.
# NOTE(review): this batch contains values that cannot carry a TCP session:
# destination port 0 (sid 91284230 and sid 91284221) and an address inside
# 224.0.0.0/4, the multicast range (sid 91284223). Those rules are not expected
# to fire on real C2 traffic. Their presence suggests the batch may include
# filler or otherwise invalid entries from the source data, so verify each
# address on its IOC page before using any of them as a blocklist entry or as
# the sole evidence that a host is infected.
alert tcp $HOME_NET any -> [101.200.152.191] 46287 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284229; rev:1;)
# Destination port 0: see the review note above.
alert tcp $HOME_NET any -> [110.117.95.0] 0 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284230; rev:1;)
alert tcp $HOME_NET any -> [162.74.55.118] 4571 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284227; rev:1;)
alert tcp $HOME_NET any -> [9.252.189.253] 60714 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284228; rev:1;)
alert tcp $HOME_NET any -> [73.23.253.56] 17393 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284226; rev:1;)
alert tcp $HOME_NET any -> [214.9.213.13] 12523 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284224; rev:1;)
alert tcp $HOME_NET any -> [117.180.92.184] 46633 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284225; rev:1;)
alert tcp $HOME_NET any -> [48.220.224.248] 32917 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284222; rev:1;)
# Multicast destination (224.0.0.0/4): see the review note above.
alert tcp $HOME_NET any -> [224.87.85.180] 40164 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284223; rev:1;)
# Destination port 0: see the review note above.
alert tcp $HOME_NET any -> [96.117.66.72] 0 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284221; rev:1;)
alert tcp $HOME_NET any -> [108.87.254.103] 36138 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284220; rev:1;)
alert tcp $HOME_NET any -> [218.86.11.123] 62100 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284219; rev:1;)
alert tcp $HOME_NET any -> [64.184.233.29] 48193 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284218; rev:1;)
alert tcp $HOME_NET any -> [194.127.196.112] 59762 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284217; rev:1;)
alert tcp $HOME_NET any -> [75.86.4.24] 35165 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284215; rev:1;)
alert 
tcp $HOME_NET any -> [106.146.239.56] 49679 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284216; rev:1;)
# Continuation of the QakBot ip:port batch: the rules below differ only in
# destination address, port, IOC reference and sid. None has a flow or payload
# keyword, so a single TCP packet from $HOME_NET to the address and port is
# enough to match; `threshold` limits each rule to one alert per source per
# 60 seconds. `target:src_ip` marks the internal source host as the target of
# the event.
# NOTE(review): other QakBot entries with the same first_seen date elsewhere in
# this file use destination port 0 or a multicast address, so the batch may not
# be uniformly reliable - confirm an address on its IOC page before blocking it
# or treating a hit as proof of infection.
alert tcp $HOME_NET any -> [167.159.67.2] 42455 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284213; rev:1;)
alert tcp $HOME_NET any -> [80.214.112.151] 9618 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284214; rev:1;)
alert tcp $HOME_NET any -> [173.210.161.232] 27188 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284211; rev:1;)
alert tcp $HOME_NET any -> [22.155.219.162] 29117 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284212; rev:1;)
alert tcp $HOME_NET any -> [71.182.193.130] 5327 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284209; rev:1;)
alert tcp $HOME_NET any -> [111.143.132.167] 9985 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284210; rev:1;)
alert tcp $HOME_NET any -> [29.119.168.182] 51370 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284206; rev:1;)
alert tcp $HOME_NET any -> [54.106.172.208] 21101 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284207; rev:1;)
alert tcp $HOME_NET any -> [76.55.174.209] 2746 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284208; rev:1;)
alert tcp $HOME_NET any -> [102.51.5.67] 47820 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284204; rev:1;)
alert tcp $HOME_NET any -> [43.190.241.127] 50708 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284205; rev:1;)
alert tcp $HOME_NET any -> [74.234.32.185] 42698 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284203; rev:1;)
alert tcp $HOME_NET any -> [192.1.213.104] 14212 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284201; rev:1;)
alert tcp $HOME_NET any -> [145.3.120.239] 20068 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284202; rev:1;)
alert tcp $HOME_NET any -> [124.230.27.11] 44408 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284199; rev:1;)
alert tcp $HOME_NET any -> [205.255.39.94] 54675 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284200; rev:1;)
alert 
tcp $HOME_NET any -> [162.117.200.91] 29984 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284194; rev:1;)
# QakBot ip:port entries: address and port only, no flow or payload keyword,
# one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [31.248.76.23] 24072 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284197; rev:1;)
# NOTE(review): 224.77.182.18 lies in 224.0.0.0/4, the multicast range, which
# cannot be the peer of a TCP session; this rule is not expected to fire on
# real C2 traffic. It suggests the batch may contain invalid entries - verify
# neighbouring addresses on their IOC pages before blocking on them.
alert tcp $HOME_NET any -> [224.77.182.18] 55579 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284198; rev:1;)
alert tcp $HOME_NET any -> [11.239.81.233] 37 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284196; rev:1;)
alert tcp $HOME_NET any -> [187.144.110.117] 36330 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284193; rev:1;)
alert tcp $HOME_NET any -> [159.254.223.192] 31154 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284195; rev:1;)
alert tcp $HOME_NET any -> [124.77.95.5] 46163 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284191; rev:1;)
alert tcp $HOME_NET any -> [196.90.29.190] 30693 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284192; rev:1;)
alert tcp $HOME_NET any -> [201.136.101.182] 38323 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284190; rev:1;)
alert tcp $HOME_NET any -> [78.94.148.92] 1753 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284188; rev:1;)
alert tcp $HOME_NET any -> [134.180.185.240] 32987 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284189; rev:1;)
# 3.125.209.94 is listed here for Venom RAT on port 19605 and again elsewhere
# in this file for NjRAT on a different port; the malware family is tied to
# the address:port pair, not to the address alone.
alert tcp $HOME_NET any -> [3.125.209.94] 19605 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284187; rev:1;)
# Payload-delivery indicators for one host: three URL rules plus a DNS rule
# for the same name. The URL rules match a case-insensitive URI prefix on GET
# requests with an exact Host value; the DNS rule matches only a query for
# exactly this name and fires on any lookup of it, whatever path is fetched
# afterwards. `alert http` needs traffic Suricata can parse as HTTP.
# NOTE(review): the name reads like an ordinary business site; if it is a
# compromised legitimate site, expect the DNS rule to alert on benign visits
# too and weight the URL rules as the more specific signal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newmarketofficecleaning.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91283951; rev:1;)
# Mixed batch at confidence 50-75. The ip:port rules match on address and port
# only (no flow or payload keyword) and are limited to one alert per source per
# 60 seconds; the DNS rules match only a query for exactly the listed name.
# NOTE(review): 147.185.221.18 appears below with ports 27425 and 53098, and
# 147.185.221.20 with port 21552, next to *.gl.at.ply.gg names; 3.125.209.94
# and 18.158.249.75 share port 13022. The same address recurring with different
# ports looks like shared relay or tunnelling infrastructure where the port
# identifies the individual endpoint - confirm on the IOC pages. If so, act on
# the address:port pair only; blocking the bare address would also cut off
# unrelated users of the same service.
alert tcp $HOME_NET any -> [147.185.221.18] 27425 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283987; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 2089 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283997; rev:1;)
# The indicator is this one hostname under duckdns.org, a dynamic-DNS parent
# shared by unrelated users; the exact-match anchoring keeps the rule from
# firing on other names under the same parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"duckduck2021.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283998/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283998; rev:1;)
# Confidence 50 domain indicators: use as investigative leads, not as grounds
# for automatic blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"balm.4rt.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"table.fastplot.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ashleypuerner.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284015; rev:1;)
# Confidence 50 on port 80 with no payload constraint: any TCP packet to the
# address on the web port matches, so these are the weakest rules in the batch.
alert tcp $HOME_NET any -> [173.44.141.108] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284016; rev:1;)
alert tcp $HOME_NET any -> [170.130.55.242] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284017; rev:1;)
alert tcp $HOME_NET any -> [85.234.6.210] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284018; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 21552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"different-been.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284034; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 53098 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"northern-suggested.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284036; rev:1;)
alert tcp $HOME_NET any -> [103.226.155.59] 881 (msg:"ThreatFox FatalRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284037; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 13022 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284038; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 13022 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284039; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.120] 4252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284053; rev:1;)
alert tcp $HOME_NET any -> [79.132.130.191] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284153; rev:1;)
# "payload delivery" entries share classtype trojan-activity with the C2
# rules; only the msg text distinguishes them when triaging alerts.
alert tcp $HOME_NET any -> [103.233.255.176] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283941; rev:1;)
# The Host here is a bare service domain and the URI carries an object id, so
# the URI pattern is what ties the rule to the reported object.
# NOTE(review): nocodeform.io looks like a shared form-hosting service; do not
# turn this indicator into a domain-wide block without checking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/666993516fb8bcf3e9a2416b"; depth:27; nocase; http.host; content:"nocodeform.io"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283942; rev:1;)
alert tcp $HOME_NET any -> [103.102.228.188] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283943; rev:1;)
alert tcp $HOME_NET any -> [119.59.98.116] 7812 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283944/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283944; rev:1;) alert tcp $HOME_NET any -> [194.55.186.49] 2424 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"kokmausrest.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"ultroawest.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283947; rev:1;) alert tcp $HOME_NET any -> [103.158.37.147] 443 (msg:"ThreatFox Ghost RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91283937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"r6pedihosi.website"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"kongtuke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283911/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_13; classtype:trojan-activity; sid:91283911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"santapubcrawlchattanooga.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; 
content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283934; rev:1;)
# Domain indicators: dns_query must equal the listed name exactly (depth + isdataat:!1,relative), compared case-insensitively. The second rule carries confidence_level 49.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"missingandfound.com.my"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"uhsee.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283910/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_13; classtype:trojan-activity; sid:91283910; rev:1;)
# URL indicators that share one 17-byte URI prefix across different hosts. http.uri is matched as a case-insensitive prefix; http.host must match in full. Only GET requests are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"biripildiridurdursunlaan.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"sonykulaklik61.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283900/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283900; rev:1;)
# The next rule is split inside its msg string by the line wrap and continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"evdesuyok51x.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283898; rev:1;)
# URL indicators with the same URI prefix on different hosts. Each rule needs a GET request, an http.uri that begins with the 17-byte path (longer URIs also match) and an http.host equal to the listed name.
# NOTE(review): the path is all lower case and matched with nocase; presumably the feed lower-cases the observed URL, so the original casing cannot be recovered from the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"dizaynmalikane61.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"aritmasuyux2.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"bumberceket56.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283901/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283901; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; 
depth:17; nocase; http.host; content:"sedakavanozkapagix1.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283902/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283902; rev:1;)
# URL indicator: GET request, http.uri starting with the listed path, http.host equal to the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"mariooyunoynuyorx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283903/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283903; rev:1;)
# ip:port indicator (Ghost RAT): any TCP packet from $HOME_NET to this address and port matches. The threshold emits at most one alert per source per 60 seconds, so the alert count understates the number of connections.
alert tcp $HOME_NET any -> [206.238.220.206] 7777 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283905; rev:1;)
# This variant includes the trailing slash (depth:18), so the URI must begin with the path followed by "/". The 17-byte rules elsewhere in the file match with or without the slash.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy/"; depth:18; nocase; http.host; content:"haberlersvar01.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283894; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"biripildiridur32.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; 
sid:91283895; rev:1;)
# ip:port indicators (NjRAT, confidence_level 75): three addresses on the same port. The match is packet-level only, with no flow or payload keyword; the threshold limits alerts to one per source per 60 seconds.
# NOTE(review): address-only indicators go stale when an address is reassigned; check first_seen and the referenced ThreatFox entry before acting on a hit.
alert tcp $HOME_NET any -> [3.125.223.134] 11331 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283881; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11331 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283882/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283882; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 11331 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283883; rev:1;)
# ip:port indicator labelled payload delivery (FAKEUPDATES) on port 443. The rule does not inspect TLS or HTTP, so any TCP packet to the address and port matches.
alert tcp $HOME_NET any -> [45.94.168.134] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283891; rev:1;)
# Domain indicator: exact, case-insensitive dns_query match on the full name, so only this hostname fires, not its parent domain or other labels under it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"collar.agrcwv.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283892; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.194.153.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284186; rev:1;)
# ip:port indicator (Cobalt Strike): any TCP packet from $HOME_NET to this address and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [34.146.210.28] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284185; rev:1;)
# URL indicator: the path is a common library filename, so detection specificity comes from the exact http.host match. The URI is only a prefix match, so query strings and longer paths also fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"web.windowsupdate.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284183; rev:1;)
# Domain indicator for the same host as the URL rule above. The match is exact, so other names under windowsupdate.shop do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web.windowsupdate.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284184; rev:1;)
alert tcp $HOME_NET any -> [47.120.60.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284182; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.120.60.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284181; rev:1;)
# URL indicators whose host is a literal IP address: http.host must equal the address text exactly and http.uri must start with the short path.
# NOTE(review): prefixes of four or five bytes such as "/load" and "/ptj" also match any longer path that begins with them; the exact host match is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.242.22.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.204.171.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284179; rev:1;)
# ip:port indicator (Cobalt Strike) on port 443: packet-level match only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [134.175.235.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284178; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.230.207.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284177; rev:1;)
# URL indicators with IP-literal hosts: GET request, http.uri beginning with the listed path, http.host equal to the listed address. The http keywords apply only to traffic Suricata parses as HTTP, so these do not fire on TLS sessions unless the traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"139.199.216.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"134.175.235.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"117.72.45.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284173; rev:1;)
# ip:port indicator (Cobalt Strike) for the same address as the /load URL rule above, on port 443. It matches any TCP packet to that port regardless of payload.
alert tcp $HOME_NET any -> [117.72.45.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284174; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cwonajlbo/vtneww11212/"; depth:23; nocase; http.host; content:"120.53.250.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284172; rev:1;)
# URL indicator: GET request, http.uri beginning with "/updates" (any longer path with that prefix also matches), http.host equal to the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"43.138.20.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284171; rev:1;)
# ip:port indicator (Cobalt Strike): packet-level match on address and port; the threshold limits alerts to one per source per 60 seconds.
alert tcp $HOME_NET any -> [47.120.60.201] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284170; rev:1;)
# URL and domain indicators for the same host. The path resembles a web-analytics beacon name, so the exact http.host match is what separates this rule from ordinary traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"liolio.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liolio.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284169; rev:1;)
# The next rule is split inside its msg string by the line wrap and continues on the next line of the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"sportsmensgifts.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284167; rev:1;)
# Domain indicator: exact, case-insensitive dns_query match; subdomains of the listed name do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tourbigs.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284166; rev:1;)
# ip:port indicator (AsyncRAT): any TCP packet from $HOME_NET to this address and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [45.8.146.124] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284165; rev:1;)
# URL indicator with a 155-byte path: depth:155 equals the content length, so the URI must begin with the full path, and http.host must equal the listed address. Only GET requests are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tempproton/2baseprivate/datalifeserverlow/0lowdlesecure/4generatordownloadsserver/4geohttp/mariadb/wordpress/eternalvmtojavascriptprocessprotectflower.php"; depth:155; nocase; http.host; content:"5.42.104.243"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284164; rev:1;)
# ip:port indicator labelled "Unknown malware" at confidence_level 50. NOTE(review): with no family attribution and a packet-level match, a hit is a lead to corroborate with host telemetry rather than a confirmed detection.
alert tcp $HOME_NET any -> [152.42.224.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284163; rev:1;)
# The next rule continues on the next line of the file.
alert tcp 
$HOME_NET any -> [103.84.90.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284162; rev:1;)
# ip:port indicators, all at confidence_level 50. None has a flow or payload keyword, so any TCP packet from $HOME_NET to the listed address and port matches; the threshold emits one alert per source per 60 seconds.
# NOTE(review): the metadata confidence_level can be used to give these a lower priority than the 100% rules in the same file.
alert tcp $HOME_NET any -> [107.175.0.202] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284161/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284161; rev:1;)
# DCRat: two ports on the same address.
alert tcp $HOME_NET any -> [46.246.4.3] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284160/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284160; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284159; rev:1;)
# QakBot on port 443: the rule cannot distinguish the listed service from any other TLS service on the same address.
alert tcp $HOME_NET any -> [216.137.228.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284158; rev:1;)
# The next rule continues on the next line of the file.
alert tcp $HOME_NET any -> [189.140.13.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284157/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284157; rev:1;)
# ip:port indicators at confidence_level 50 (QakBot, then Havoc). The match is packet-level only: any TCP packet from $HOME_NET to the listed address and port, with one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [189.175.208.222] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284156; rev:1;)
# Havoc: ports 80 and 443. NOTE(review): on these ports an address-only match also fires for any unrelated web content served from the same address, so corroborate with host or proxy logs before escalating.
alert tcp $HOME_NET any -> [155.138.144.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284155; rev:1;)
alert tcp $HOME_NET any -> [155.138.144.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284154/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284154; rev:1;)
alert tcp $HOME_NET any -> [79.141.173.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284152; rev:1;)
alert tcp $HOME_NET any -> [18.206.197.222] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284151; rev:1;)
# Vidar ip:port indicator at confidence_level 100; the rule continues on the next line of the file.
alert tcp $HOME_NET any -> [116.203.4.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284147; rev:1;)
# Vidar ip:port indicators on port 443: any TCP packet from $HOME_NET to the listed address and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [195.201.46.4] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284148; rev:1;)
alert tcp $HOME_NET any -> [195.201.248.182] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284149; rev:1;)
alert tcp $HOME_NET any -> [116.203.13.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284150; rev:1;)
# URL indicator for the same address as sid 91284150 above. http.uri content "/" with depth:1 matches any request URI that begins with a slash, so the rule effectively reduces to "any GET whose Host is exactly this address".
# The http keywords only see traffic parsed as HTTP; TLS sessions to port 443 are covered by the ip:port rule alone unless the traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284144; rev:1;)
# The next rule continues on the next line of the file.
alert tcp $HOME_NET any -> [65.109.240.138] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284145; rev:1;)
# Vidar ip:port indicator: any TCP packet from $HOME_NET to this address and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [195.201.251.58] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284146; rev:1;)
# URL indicators for the root path: http.uri content "/" with depth:1 matches any request URI that begins with a slash, so each rule effectively fires on any GET whose http.host equals the listed address.
# The msg names no malware family. The same addresses appear in the file's Vidar ip:port rules, for example 195.201.251.58 in sid 91284146 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.248.182"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.46.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.4.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284141; rev:1;)
# The next rule continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.251.58"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284140; rev:1;)
# URL indicator for the root path: http.uri content "/" with depth:1 matches any request URI that begins with a slash, so this rule fires on any GET whose http.host equals the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284139; rev:1;)
# ip:port indicators at confidence_level 50 (Deimos, then "Unknown malware" on port 7443). The match is packet-level only, with one alert per source per 60 seconds.
# NOTE(review): these rules have no payload inspection and, for the unknown-malware entries, no family attribution; treat hits as leads to corroborate.
alert tcp $HOME_NET any -> [99.83.171.148] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284138; rev:1;)
alert tcp $HOME_NET any -> [13.60.6.180] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284137; rev:1;)
alert tcp $HOME_NET any -> [100.25.159.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284136; rev:1;)
# The next rule continues on the next line of the file.
alert tcp $HOME_NET any -> [13.53.216.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284135/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_13; classtype:trojan-activity; sid:91284135; rev:1;)
# ip:port indicators: any TCP packet from $HOME_NET to the listed address and port matches; the threshold emits one alert per source per 60 seconds. Confidence varies per rule (see metadata confidence_level).
alert tcp $HOME_NET any -> [16.171.181.75] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284134; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.173] 33389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284133; rev:1;)
# RedLine Stealer at confidence_level 100, the only full-confidence entry in this group.
alert tcp $HOME_NET any -> [89.23.97.100] 15799 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284132; rev:1;)
# Sliver: two ports on the same address.
alert tcp $HOME_NET any -> [117.72.16.69] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284131; rev:1;)
alert tcp $HOME_NET any -> [117.72.16.69] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284130; rev:1;)
# Stealc ip:port indicator on port 22; the rule continues on the next line of the file. The rule does not inspect the application protocol, so any TCP packet to that port matches.
alert tcp $HOME_NET any -> [93.123.39.135] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1284129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284129; rev:1;)
# Stealc ip:port indicators (confidence_level 80), with ports 80 and 22 paired on each address. There is no flow or payload keyword: any TCP packet from $HOME_NET to the address and port matches, one alert per source per 60 seconds.
# NOTE(review): the rules do not inspect the application protocol, so a port-22 hit shows only that a packet was sent to that port. Confirm against the referenced ThreatFox entries whether port 22 carries C2 traffic before treating SSH sessions to these hosts as malware activity.
alert tcp $HOME_NET any -> [93.123.39.135] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284128; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.132] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284127; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.132] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284126; rev:1;)
alert tcp $HOME_NET any -> [57.181.170.149] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284125; rev:1;)
alert tcp $HOME_NET any -> [57.181.170.149] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284124; rev:1;)
# The next rule is split inside its msg string by the line wrap and continues on the next line of the file.
alert tcp $HOME_NET any -> [93.123.39.138] 80 (msg:"ThreatFox Stealc botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284123; rev:1;)
# Stealc ip:port indicator on port 22: the rule does not inspect the application protocol, so any TCP packet from $HOME_NET to that address and port matches.
alert tcp $HOME_NET any -> [93.123.39.138] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284122; rev:1;)
# MooBot ip:port indicators (confidence_level 80): several addresses share port 47925. The match is packet-level, and the threshold emits one alert per source per 60 seconds, so alert counts understate connection volume.
alert tcp $HOME_NET any -> [103.77.246.53] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284121; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.103] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284120; rev:1;)
alert tcp $HOME_NET any -> [141.98.152.165] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284119; rev:1;)
# The next rule continues on the next line of the file.
alert tcp $HOME_NET any -> [103.151.238.184] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; 
sid:91284118; rev:1;)
# Cobalt Strike indicators as ip:port pairs, all on destination port 50050 (confidence_level 80).
# The rules match on address and port only; the threshold keeps it to one alert per source per 60 seconds.
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port rather than a Beacon
# listener port, so these entries presumably come from server fingerprinting. An internal host
# hitting one may be a scanner or an operator client rather than an implant checking in; confirm
# on the endpoint before classifying the incident.
alert tcp $HOME_NET any -> [116.62.189.237] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284117; rev:1;)
alert tcp $HOME_NET any -> [104.208.65.22] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284116; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284115; rev:1;)
alert tcp $HOME_NET any -> [47.99.151.161] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284114; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284113; rev:1;)
alert tcp $HOME_NET any -> [156.242.41.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1284112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284112; rev:1;)
# More Cobalt Strike ip:port indicators: four on port 50050 and one on port 9000.
# Each sid equals 9 followed by the ThreatFox IOC id in the reference URL, so an alert can be
# traced back to its IOC page directly from the sid.
# NOTE(review): several entries sit in the same 156.242.x.x space; if alerts cluster there,
# check the ThreatFox references before deciding whether a wider block is warranted. The rules
# themselves only cover the exact addresses listed.
alert tcp $HOME_NET any -> [173.44.141.6] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284111; rev:1;)
alert tcp $HOME_NET any -> [156.242.41.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284110; rev:1;)
alert tcp $HOME_NET any -> [156.242.42.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284109; rev:1;)
alert tcp $HOME_NET any -> [103.146.158.113] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284108; rev:1;)
alert tcp $HOME_NET any -> [114.132.98.252] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284107; rev:1;)
alert tcp $HOME_NET any -> 
[212.113.122.131] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284106; rev:1;)
# Cobalt Strike ip:port indicators on assorted ports (10443, 3389, 10086, 62299, 23).
# The protocol in the rule header is plain tcp and there is no app-layer keyword, so the port
# number says nothing about what is spoken on it: the 3389 and 23 entries fire on any TCP packet
# to that address and port, whether or not it is RDP or telnet.
# NOTE(review): outbound 3389/23 from $HOME_NET to the Internet is worth reviewing against egress
# policy regardless of this feed.
alert tcp $HOME_NET any -> [47.106.154.91] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284105; rev:1;)
alert tcp $HOME_NET any -> [154.198.245.62] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284104; rev:1;)
alert tcp $HOME_NET any -> [103.15.91.9] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284103; rev:1;)
alert tcp $HOME_NET any -> [64.176.35.5] 62299 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284102; rev:1;)
alert tcp $HOME_NET any -> [74.48.89.54] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284101/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284101; rev:1;)
# Sliver C2 endpoints (ports 8443, 443, 4433, 443; confidence_level 80), then one RedLine Stealer
# endpoint at confidence_level 100 and the start of another Cobalt Strike run.
# The confidence figure appears twice per rule, in msg and in metadata; filter on the metadata
# key (confidence_level) when building suppression or escalation logic, not on the msg text.
# NOTE(review): the 443 entries will match any TLS or other TCP traffic to those addresses.
# If the address hosts other services, expect noise until the IOC is retired.
alert tcp $HOME_NET any -> [47.238.44.41] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284100; rev:1;)
alert tcp $HOME_NET any -> [93.95.97.102] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284099; rev:1;)
alert tcp $HOME_NET any -> [20.2.18.117] 4433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284098; rev:1;)
alert tcp $HOME_NET any -> [45.87.247.63] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284097; rev:1;)
alert tcp $HOME_NET any -> [103.168.67.9] 57395 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284096; rev:1;)
alert tcp $HOME_NET any -> [82.157.184.100] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284095; rev:1;)
# Cobalt Strike ip:port indicators on ports 4396, 443 and 80 (confidence_level 80).
# With no flow:established or TCP-flag keyword, a bare SYN to the address is enough to alert,
# so a hit does not prove a session was established. Check flow or firewall logs for the
# handshake and byte counts before concluding that C2 traffic was exchanged.
alert tcp $HOME_NET any -> [156.242.41.195] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284094; rev:1;)
alert tcp $HOME_NET any -> [212.192.15.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284093; rev:1;)
alert tcp $HOME_NET any -> [79.132.232.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284092; rev:1;)
alert tcp $HOME_NET any -> [39.105.130.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284091; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.212] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284090; 
rev:1;)
# Three further Cobalt Strike endpoints (one address listed on two ports, 9999 and 9090),
# followed by RisePro C2 endpoints, all on port 8081.
# The feed emits one rule per ip:port pair, so an address serving several ports appears as
# several sids; group by destination address when counting distinct infrastructure.
alert tcp $HOME_NET any -> [120.53.250.9] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284089; rev:1;)
alert tcp $HOME_NET any -> [120.53.250.9] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284088; rev:1;)
alert tcp $HOME_NET any -> [112.124.71.123] 60443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284087; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.95] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284086; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284085; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.51] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284084; rev:1;)
# Remaining RisePro endpoints on port 8081, then Orcus RAT endpoints on ports 8080, 4443 and 446.
# All are address-and-port matches at confidence_level 80 with the same once-per-source-per-minute
# alert limit.
# NOTE(review): the limit is per rule and per source, so a host beaconing steadily still yields
# at most one alert a minute per sid. Use flow records, not alert counts, to judge volume.
alert tcp $HOME_NET any -> [193.233.254.16] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284083; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.66] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284082; rev:1;)
alert tcp $HOME_NET any -> [188.27.165.223] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284081; rev:1;)
alert tcp $HOME_NET any -> [45.88.91.213] 4443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284080; rev:1;)
alert tcp $HOME_NET any -> [154.212.149.63] 446 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284079; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.116] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284078; rev:1;)
# RecordBreaker C2 endpoints, every one on destination port 80 (confidence_level 80).
# Although the port is 80, these are tcp rules with no http keywords: they do not inspect the
# request, so HTTP proxy or web logs are needed to see what was actually fetched.
# NOTE(review): if clients egress through a proxy, the sensor may only ever see the proxy as the
# destination and these rules will not fire. Confirm sensor placement relative to the proxy.
alert tcp $HOME_NET any -> [77.91.77.96] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284077; rev:1;)
alert tcp $HOME_NET any -> [89.38.135.28] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284076; rev:1;)
alert tcp $HOME_NET any -> [79.133.51.249] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284075; rev:1;)
alert tcp $HOME_NET any -> [94.228.166.22] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284074; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.54] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284073; rev:1;)
# Two more RecordBreaker endpoints on port 80, then Vidar C2 endpoints on ports 80 and 443.
# Where the same Vidar address is listed on both 80 and 443 it gets two sids, one per port.
# NOTE(review): the two families here share the tcp/80 pattern, so the msg family name comes
# from the feed's attribution, not from anything the rule inspects on the wire.
alert tcp $HOME_NET any -> [77.91.77.137] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284072/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284072; rev:1;)
alert tcp $HOME_NET any -> [147.45.44.2] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284071; rev:1;)
alert tcp $HOME_NET any -> [88.99.127.107] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284070; rev:1;)
alert tcp $HOME_NET any -> [188.245.35.23] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284069; rev:1;)
alert tcp $HOME_NET any -> [188.245.35.23] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284068; rev:1;)
alert tcp $HOME_NET any -> [116.202.5.195] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284067; rev:1;)
# One more Vidar endpoint, then Venom RAT endpoints: a single address (115.74.42.106) listed on
# ports 4449, 9999, 8000, 5002 and onward, one rule per port.
# Because each port is its own sid with its own threshold state, a host probing several of these
# ports within a minute raises one alert per sid rather than one in total.
alert tcp $HOME_NET any -> [116.202.5.195] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284066; rev:1;)
alert tcp $HOME_NET any -> [115.74.42.106] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284065; rev:1;)
alert tcp $HOME_NET any -> [115.74.42.106] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284064; rev:1;)
alert tcp $HOME_NET any -> [115.74.42.106] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284063; rev:1;)
alert tcp $HOME_NET any -> [115.74.42.106] 5002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284062; rev:1;)
alert tcp $HOME_NET any -> [115.74.42.106] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284061; rev:1;)
# Venom RAT C2 endpoints continued (ports 5000, 4449, 4443, 4444, 8080; confidence_level 80).
# These are ip:port matches only. Nothing in the rule looks at the RAT's protocol, so detection
# lasts only as long as the operator keeps the listed address and port.
# NOTE(review): pair this feed with behaviour- or protocol-based signatures for the same
# families; treat these rules as short-lived indicator coverage.
alert tcp $HOME_NET any -> [115.74.42.106] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284060; rev:1;)
alert tcp $HOME_NET any -> [178.20.42.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284059; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.16] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284058; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.193] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284057; rev:1;)
alert tcp $HOME_NET any -> [87.248.157.236] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; 
sid:91284056; rev:1;)
# Last two ip:port rules of this run (Venom RAT, Vidar), then the first url and domain indicators.
alert tcp $HOME_NET any -> [107.175.101.155] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284055; rev:1;)
alert tcp $HOME_NET any -> [5.75.215.90] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284054; rev:1;)
# URL indicator: client-side GET on an established flow, URI starting with the given path
# (depth equals the pattern length, nocase), and Host header equal to the given value
# (depth equals the pattern length and isdataat:!1,relative requires nothing to follow it).
# Unlike the ip:port rules there is no threshold keyword, so every matching request alerts.
# Only HTTP that Suricata can parse in cleartext is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"140.238.27.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284052; rev:1;)
# Domain indicators: the DNS query name must equal the listed name exactly (depth plus
# isdataat:!1,relative, case-insensitive); deeper subdomains of the same name do not match.
# NOTE(review): dns_query is the older spelling of the dns.query buffer keyword. Confirm that
# the Suricata version in use still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bsrc.baidusec.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.baidusec.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"bsrc.baidusec.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284050; rev:1;)
# Paired domain and url indicators for hosts under baidusec.top (confidence_level 100).
# The dns rule fires on the lookup of the exact name; the http rule fires on a GET whose URI
# starts with /lu.js and whose Host header equals the name. The msg carries no malware family.
# The http.host patterns are written in lowercase and carry no nocase modifier.
# NOTE(review): a dns hit without the matching http hit may just mean the request went over
# TLS or through a proxy. Treat the lookup itself as the lead and check the resolving client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b2b.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"as.baidusec.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tag.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"b2b.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284046; rev:1;)
# URL indicators for /lu.js on tag., www. and the bare baidusec.top host, then one for
# /jquery-3.3.1.min.js on alphormo.servequake.com (all confidence_level 100).
# The URI pattern is anchored at the start only (depth, no isdataat), so longer paths and query
# strings beginning with the same text also match; the Host pattern is an exact match, so the
# bare-domain rule does not cover its subdomains.
# NOTE(review): /jquery-3.3.1.min.js is a benign-looking path. The Host constraint is what makes
# that rule specific, so do not relax it when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"tag.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"www.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"baidusec.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"alphormo.servequake.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"alphormo.servequake.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284041; rev:1;)
# NjRAT C2 endpoints: four addresses, all on destination port 13687 (confidence_level 100).
# Matching is on address and port only, limited to one alert per source per 60 seconds.
# NOTE(review): confidence_level 100 describes the feed's confidence in the indicator when it
# was reported (first_seen 2024_06_13), not whether the address still serves C2 today. Check the
# ThreatFox reference before acting on an old rule.
alert tcp $HOME_NET any -> [18.158.58.205] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284032; rev:1;)
alert tcp $HOME_NET any -> [3.67.62.142] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284031; rev:1;)
alert tcp $HOME_NET any -> [3.64.4.198] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284030; rev:1;)
alert tcp $HOME_NET any -> [3.67.112.102] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284029; rev:1;)
# Payload-delivery url indicator (confidence_level 50): GET for a URI starting with /mozi.m
# where the Host header equals the listed IP address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.213.86.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284028/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284028; rev:1;)
# Payload-delivery url indicator at confidence_level 50: GET /mozi.m... with an IP-literal Host.
# NOTE(review): the Host match is exact, so a request carrying "ip:port" in the Host header
# would presumably not match. Verify against a capture if the server is on a non-default port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.247.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284027; rev:1;)
# From here first_seen is 2024_06_12. The same address (47.104.230.173) is covered twice:
# by a url rule (GET /load..., exact Host) and by a Cobalt Strike ip:port rule on port 80,
# so one HTTP request to it can raise both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.104.230.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284025; rev:1;)
alert tcp $HOME_NET any -> [47.104.230.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284026; rev:1;)
alert tcp $HOME_NET any -> [45.150.65.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"fix.sougou87.top"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284022; rev:1;)
# Domain, ip:port and url indicators at confidence_level 100 (first_seen 2024_06_12).
# Each hostname is covered by a dns rule (exact query name) and an http rule (GET, URI prefix,
# exact Host); the ip:port rule for 140.238.27.183 on 443 is labelled Cobalt Strike.
# NOTE(review): the dns rules see the lookup even when the later connection is TLS, which makes
# them the more dependable of each pair on networks without TLS inspection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fix.sougou87.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284023; rev:1;)
alert tcp $HOME_NET any -> [140.238.27.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cstrike.webroot.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cstrike.webroot.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284020; rev:1;)
# DoomedLoader ip:port indicators start here, at confidence_level 50.
alert tcp $HOME_NET any -> [39.105.131.206] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284011/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284011; rev:1;) alert tcp $HOME_NET any -> [47.121.113.121] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284012; rev:1;) alert tcp $HOME_NET any -> [39.106.79.101] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284008; rev:1;) alert tcp $HOME_NET any -> [123.249.19.46] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284009; rev:1;) alert tcp $HOME_NET any -> [39.104.49.52] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284010; rev:1;) alert tcp $HOME_NET any -> [77.91.77.6] 44911 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"service-i4ipkrwm-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; 
content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-opql05nu-1253504731.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-opql05nu-1253504731.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; 
sid:91283996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"service-hzdzk12c-1318485841.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"service-i4ipkrwm-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-i4ipkrwm-1317712796.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283989; rev:1;) alert tcp $HOME_NET any -> [52.242.20.137] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283988; rev:1;) alert tcp $HOME_NET any -> [89.23.99.151] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283986; 
rev:1;) alert tcp $HOME_NET any -> [41.142.208.122] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"146.70.149.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283983; rev:1;) alert tcp $HOME_NET any -> [94.156.79.68] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283982; rev:1;) alert tcp $HOME_NET any -> [103.142.8.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283981; rev:1;) alert tcp $HOME_NET 
any -> [94.156.8.81] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283980; rev:1;) alert tcp $HOME_NET any -> [103.142.8.150] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283979; rev:1;) alert tcp $HOME_NET any -> [154.212.148.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283978; rev:1;) alert tcp $HOME_NET any -> [84.106.85.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283977; rev:1;) alert tcp $HOME_NET any -> [45.89.53.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283976; rev:1;) alert tcp $HOME_NET any -> [40.85.178.51] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283975/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283975; rev:1;) alert tcp $HOME_NET any -> [38.147.171.173] 28888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283974; rev:1;) alert tcp $HOME_NET any -> [185.238.248.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283973; rev:1;) alert tcp $HOME_NET any -> [38.147.186.117] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283972; rev:1;) alert tcp $HOME_NET any -> [46.246.86.17] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283971; rev:1;) alert tcp $HOME_NET any -> [103.30.78.218] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283970; rev:1;) alert tcp $HOME_NET any -> [197.3.219.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283969; rev:1;) alert tcp $HOME_NET any -> [103.79.76.166] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283968; rev:1;) alert tcp $HOME_NET any -> [103.152.255.69] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283967; rev:1;) alert tcp $HOME_NET any -> [138.2.135.17] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283966; rev:1;) alert tcp $HOME_NET any -> [193.149.189.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283965; rev:1;) alert tcp $HOME_NET any -> [54.71.125.251] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283964; rev:1;) alert tcp $HOME_NET any -> 
[13.60.75.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283963; rev:1;) alert tcp $HOME_NET any -> [58.8.255.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283962; rev:1;) alert tcp $HOME_NET any -> [51.20.108.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283961; rev:1;) alert tcp $HOME_NET any -> [13.48.128.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283960; rev:1;) alert tcp $HOME_NET any -> [43.206.219.14] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283959; rev:1;) alert tcp $HOME_NET any -> [159.65.42.191] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283958/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283958; rev:1;) alert tcp $HOME_NET any -> [62.106.66.222] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283957; rev:1;) alert tcp $HOME_NET any -> [106.53.181.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283955; rev:1;) alert tcp $HOME_NET any -> [43.242.200.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.242.200.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283953/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.222.176.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0992583.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"60.204.134.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283933; rev:1;) alert tcp $HOME_NET any -> [124.222.176.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.222.176.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.198.30.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qtvnews.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283928; rev:1;) alert tcp $HOME_NET any -> [1.12.227.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.fca2a8c137.10.1.slim.min.js"; depth:47; nocase; http.host; content:"www.qtvnews.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283927; rev:1;) alert tcp $HOME_NET any -> 
[8.138.150.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.138.150.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283925; rev:1;) alert tcp $HOME_NET any -> [173.44.141.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283923; rev:1;) alert tcp $HOME_NET any -> [43.134.231.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283922; rev:1;) alert tcp $HOME_NET any -> 
[111.230.5.199] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antdesign3.js"; depth:14; nocase; http.host; content:"api.sftech.one"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.sftech.one"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.96.184.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.155.68.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283917/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_12; classtype:trojan-activity; sid:91283917; rev:1;) alert tcp $HOME_NET any -> [52.180.147.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"52.180.147.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283913; rev:1;) alert tcp $HOME_NET any -> [173.44.141.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/9460648709801952970"; depth:30; nocase; http.host; content:"45.61.136.239"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a01f7e32.php"; depth:13; nocase; http.host; content:"a0992229.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283909; rev:1;) alert tcp $HOME_NET any -> [172.232.239.216] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processorbaseuniversal.php"; depth:27; nocase; http.host; content:"901329cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5server/pythongame/cdn/pythondefaultjavascript/2voiddb/mariadbprivate/tempwpmulti/packet/voiddb2/vmpacket0/baseapi8update/uploadsprocessorvoiddb/phpapidle.php"; depth:159; nocase; http.host; content:"5.35.98.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283893/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad-ed.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd-e.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad-es.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ab-cc.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a-bcd.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283886; rev:1;) alert tcp $HOME_NET any -> [5.180.155.40] 4782 (msg:"ThreatFox Quasar 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283885; rev:1;) alert tcp $HOME_NET any -> [107.175.229.139] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94d487b2.php"; depth:13; nocase; http.host; content:"a0991598.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283880; rev:1;) alert tcp $HOME_NET any -> [41.248.117.232] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_12; classtype:trojan-activity; sid:91283858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"born-administrative.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_12; classtype:trojan-activity; sid:91283866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283879; rev:1;) alert tcp $HOME_NET any -> [185.93.221.101] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283878/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_12; classtype:trojan-activity; sid:91283878; rev:1;) alert tcp $HOME_NET any -> [8.138.131.251] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283876; rev:1;) alert tcp $HOME_NET any -> [47.94.95.22] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283877; rev:1;) alert tcp $HOME_NET any -> [8.147.105.128] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283873; rev:1;) alert tcp $HOME_NET any -> [47.116.191.243] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283874/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283874; rev:1;) alert tcp $HOME_NET any -> [106.14.248.223] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283875; rev:1;) alert tcp $HOME_NET any -> [38.180.9.93] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d4a22a1.php"; depth:13; nocase; http.host; content:"a0992445.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283871; rev:1;) alert tcp $HOME_NET any -> [216.250.255.226] 3731 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283870; rev:1;) alert tcp $HOME_NET any -> [77.91.77.119] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283869; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.49.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283868; rev:1;) alert tcp $HOME_NET any -> [20.201.106.233] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/roko/gate.php"; depth:18; nocase; http.host; content:"devotionrehab.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283865; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 10324 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283864; rev:1;) alert tcp $HOME_NET any -> [38.60.253.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283863; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media"; depth:6; nocase; http.host; content:"api.vnaillslivns.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283862; rev:1;) alert tcp $HOME_NET any -> [148.135.56.71] 26745 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.vdtuconsole.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc/def/"; depth:9; nocase; http.host; content:"img.vdtuconsole.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"37.46.130.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283857/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.206.167.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283856; rev:1;) alert tcp $HOME_NET any -> [193.149.176.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283855; rev:1;) alert tcp $HOME_NET any -> [78.185.193.7] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283854; rev:1;) alert tcp $HOME_NET any -> [2.88.155.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283853; rev:1;) alert tcp $HOME_NET any -> [91.254.214.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283852; rev:1;) alert tcp $HOME_NET any -> [13.55.48.44] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283851; rev:1;) alert tcp $HOME_NET any -> [46.250.255.162] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283850; rev:1;) alert tcp $HOME_NET any -> [121.40.69.44] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283849; rev:1;) alert tcp $HOME_NET any -> [45.8.99.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283848; rev:1;) alert tcp $HOME_NET any -> [3.36.173.8] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/conditional-contract-meaning/"; depth:30; nocase; http.host; content:"goodstos.com"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nuevos2024.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283843; rev:1;) alert tcp $HOME_NET any -> [41.44.209.185] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jokarrrrr333322.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283845/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283845; rev:1;) alert tcp $HOME_NET any -> [46.246.6.8] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283842; rev:1;) alert tcp $HOME_NET any -> [3.36.173.8] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283841; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ydl"; depth:5; nocase; http.host; content:"124.71.111.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283840; rev:1;) alert tcp $HOME_NET any -> [124.71.111.64] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nymsportsmen.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"truckingaccidentattorneyblog.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283838; rev:1;) alert tcp $HOME_NET any -> [5.42.67.8] 5953 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"d1namias.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283832; rev:1;) alert tcp $HOME_NET any -> [94.156.66.207] 63882 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lechiavetteusb.it"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imgs/usb/logo/spiralitykszkj.exe"; depth:33; nocase; http.host; content:"lechiavetteusb.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283816; rev:1;) alert tcp $HOME_NET any -> [89.251.22.227] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guacos.php"; depth:11; nocase; http.host; content:"89.251.22.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283814; rev:1;) alert tcp $HOME_NET any -> [38.110.1.69] 993 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283802/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.yah00.o-r.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283803/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.aslark.kro.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283804/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.aslark1.kro.kr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283805/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; 
dns_query; content:"www.lazor.kro.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283806/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.devf.n-e.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283807/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.lfgu.n-e.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283808/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.luvb.n-b.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283809/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.navver.o-r.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283810/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"w3.navver.o-r.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283811/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283811; rev:1;)
# ThreatFox-generated IOC rules, first_seen 2024_06_11. The page wrapped rules mid-option; every complete
# rule below is restored to one line. The line above and the last line of this span are fragments of rules
# that continue on the neighbouring lines and are kept as they are.
#
# DNS rule: depth equals the content length and isdataat:!1,relative rejects any trailing byte, so only a
# query for exactly this name matches (a longer name or subdomain does not). confidence_level is 49, and
# the msg names no malware family; triage hits accordingly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.kepir.p-e.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283812/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283812; rev:1;)
# ip:port rule: there is no flow or payload condition, so any TCP packet from $HOME_NET to this address and
# port matches; the threshold keeps it to one alert per source address per 60 seconds. The rule records
# only first_seen, so check the referenced ThreatFox entry for whether the indicator is still current
# before acting on a hit. Port 993 is the registered IMAPS port; confidence_level is 49.
alert tcp $HOME_NET any -> [104.168.145.83] 993 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283801/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283801; rev:1;)
# URL rules: http.uri is matched as a prefix (depth equals the content length, no end anchor on the URI),
# while http.host is anchored at both ends by depth plus isdataat:!1,relative. These are `alert http`
# rules, so they see the request only when it is cleartext HTTP or the sensor inspects decrypted traffic.
#
# sid 91283799 and sid 91283797 have identical match conditions (same method, URI and host) and differ
# only in the ThreatFox reference and sid: one request raises both alerts, so deduplicate on the request,
# not on the sid. sid 91283798 carries the same URI with the host given by name instead of by address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/dfpublishfile.aspx/fileid11362523730/key98sgla2a2tap/689/827546472/329736746804680/tuengrqlxvpd/securitybank-bankdeposit.txt.jar"; depth:134; nocase; http.host; content:"66.220.9.57"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283799; rev:1;)
# NOTE(review): the host below looks like a general-purpose file-hosting service (confirm). The rule stays
# specific because the URI must match too; do not reduce it to a host-only match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/dfpublishfile.aspx/fileid11362523730/key98sgla2a2tap/689/827546472/329736746804680/tuengrqlxvpd/securitybank-bankdeposit.txt.jar"; depth:134; nocase; http.host; content:"www.drivehq.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/dfpublishfile.aspx/fileid11362523730/key98sgla2a2tap/689/827546472/329736746804680/tuengrqlxvpd/securitybank-bankdeposit.txt.jar"; depth:134; nocase; http.host; content:"66.220.9.57"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283797; rev:1;)
# ip:port rule, same shape as the one above: every packet to this address and port matches, limited to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [185.255.114.28] 1000 (msg:"ThreatFox QRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283794; rev:1;)
# Payload-delivery URL rules. target:src_ip marks the internal client as the target of the activity, so a
# hit points at the host that made the request. NOTE(review): the paths read like article slugs, which
# would fit a search-lure landing page, but the rules state only "payload delivery" - confirm on the
# referenced ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sample-house-rules-for-tenants-creating-a-fair-and-legal-living-environment/"; depth:77; nocase; http.host; content:"regyan.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armistice-agreement-1953/"; depth:26; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283751; rev:1;)
alert tcp $HOME_NET any -> 
[108.181.115.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283829/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_11; classtype:trojan-activity; sid:91283829; rev:1;) alert tcp $HOME_NET any -> [45.8.146.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283830/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_11; classtype:trojan-activity; sid:91283830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/698d3620.php"; depth:13; nocase; http.host; content:"a0991799.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283828; rev:1;) alert tcp $HOME_NET any -> [49.13.32.109] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283827; rev:1;) alert tcp $HOME_NET any -> [116.203.14.211] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283825; rev:1;) alert tcp $HOME_NET any -> [65.109.243.78] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283826; rev:1;)
# ThreatFox-generated IOC rules, first_seen 2024_06_11. The page wrapped rules mid-option; every complete
# rule below is restored to one line. The line above and the last line of this span are fragments of rules
# that continue on the neighbouring lines and are kept as they are.
#
# The next three URL rules use content:"/" with depth:1 on http.uri, which every origin-form request path
# satisfies. In effect they alert on any cleartext GET whose Host header is exactly the listed address
# (http.host is anchored at both ends by depth plus isdataat:!1,relative). They carry no family name; the
# ip:port rules for the same three addresses earlier in this file (sids 91283827, 91283826, 91283825) are
# labelled Vidar. Those ip:port rules use ports 443 and 9000, and an `alert http` rule sees traffic only
# when it is cleartext HTTP or the sensor inspects decrypted traffic, so the ip:port rules are the ones
# to rely on for encrypted sessions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.109"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283822; rev:1;)
# The next two rules name hosts of widely used public platforms, so the URI prefix is what keeps them
# specific: never relax them to a host-only match or feed the host names into a block list.
# NOTE(review): both platforms are normally reached over HTTPS. Without TLS decryption in front of the
# sensor these `alert http` rules will rarely see the request, so no alerts here is not evidence that no
# host contacted these pages - confirm what the sensor can actually inspect. Presumably these are
# profile/channel pages the malware reads to find its current C2 address; confirm on the referenced
# ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/memve4erin"; depth:11; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199699680841"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283820; rev:1;)
# URL rules for two hosts under xsph.ru: URI matched as a prefix with nocase, host matched exactly.
# The msg names no family; use the reference URL to attribute a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63ab30c8.php"; depth:13; nocase; http.host; content:"a0991129.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/456773bf.php"; depth:13; nocase; http.host; content:"a0991200.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283813; rev:1;)
# ip:port rule: no flow or payload condition, so any TCP packet from $HOME_NET to this address and port
# matches (connection attempts included); the threshold limits it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [144.202.69.96] 22868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f98ca1bd.php"; depth:13; nocase; http.host; 
content:"egorostroux.000webhostapp.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.200.84.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serverapiflower/wordpress5/vmuniversaldbmariadb/dumpmariadb/8dbprivate/processorpython/1centralauth/externalimagevmjavascriptdbbasedle.php"; depth:139; nocase; http.host; content:"185.180.231.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-networks.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"82.156.145.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283789/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283789; rev:1;) alert tcp $HOME_NET any -> [103.186.214.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.186.214.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q2/index.php"; depth:13; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/public/login"; depth:23; nocase; http.host; content:"service-l24muftx-1251354025.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/transaction"; depth:12; nocase; http.host; content:"action-winds.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete"; depth:9; nocase; http.host; content:"microstar.cfd"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/error"; depth:6; nocase; http.host; content:"1c-marketing.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"146.70.149.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283777; rev:1;) alert tcp $HOME_NET any -> [154.91.64.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.91.64.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.34.240.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283773; rev:1;) alert tcp $HOME_NET any -> [101.34.240.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283774; rev:1;) alert tcp $HOME_NET any -> [39.100.103.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.103.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283771; rev:1;) alert tcp 
$HOME_NET any -> [154.91.64.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283770; rev:1;)
# The match conditions of this rule (GET, URI prefix "/cx", Host 154.91.64.22) are the same
# as those of sid:91283775; the two differ only in sid and ThreatFox reference, so a single
# request raises both alerts. The same address is also the destination of the Cobalt Strike
# ip:port rules sid:91283770 (port 80) and sid:91283776 (port 443). Deduplicate on source
# and destination when counting incidents from this feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.91.64.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283769; rev:1;)
# http.uri has no end anchor here, so any URI beginning with "/updates.rss" matches; only
# the Host value is anchored at both ends.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283768; rev:1;)
# ip:port rule with no flow or payload keywords: any TCP packet to this address on port 80
# matches, limited to one alert per source per 60 seconds. The url rule that follows
# targets the same address, so cleartext HTTP to this host can raise both.
alert tcp $HOME_NET any -> [8.134.90.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.134.90.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283766/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_11; classtype:trojan-activity; sid:91283766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.128.255.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283764; rev:1;) alert tcp $HOME_NET any -> [47.128.255.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283765; rev:1;) alert tcp $HOME_NET any -> [89.23.108.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"organic-satire-gw.aws-euc1.cloud-ara.tyk.io"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"organic-satire-gw.aws-euc1.cloud-ara.tyk.io"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283762; rev:1;)
# url rules in this feed anchor the Host value at both ends (depth equal to the pattern
# length plus isdataat:!1,relative) but match http.uri only as a prefix, so "/visit.js"
# and "/load" below also match longer URIs that start with those bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.34.240.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.75.191.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283759; rev:1;)
# ip:port and url rule for the same address (47.120.45.94): the first matches any TCP
# packet to port 80, the second a GET with this Host and URI prefix. One HTTP session can
# raise both, so correlate the two sids rather than counting them as separate events.
alert tcp $HOME_NET any -> [47.120.45.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.120.45.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283757; rev:1;)
# The URI below is the path Windows clients request when downloading the
# disallowed-certificate trust list, so the path on its own looks routine. The
# discriminator is the Host: a microsoftsubmit.com name, not a Microsoft update host.
# Triage on the Host value, and do not suppress this sid because the path resembles
# Windows Update traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"; depth:62; nocase; http.host; content:"v2.events.data.microsoftsubmit.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283755; rev:1;)
# DNS rule for the same name. depth:34 with isdataat:!1,relative anchors both ends of the
# dns_query buffer, so only this exact name matches, not its subdomains or parent domain.
# It does not depend on the later session being cleartext HTTP, but the query itself must
# be visible to the sensor as DNS.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.events.data.microsoftsubmit.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.24.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"119.91.253.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283752; rev:1;)
alert tcp $HOME_NET any -> [101.33.193.195] 31845 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283753/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpythonpollsecureauthwindowstracktempuploadsdownloads.php"; depth:59; nocase; http.host; content:"972464cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51638e12.php"; depth:13; nocase; http.host; content:"a0988426.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283749; rev:1;) alert tcp $HOME_NET any -> [49.113.77.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283748; rev:1;) alert tcp $HOME_NET any -> [74.48.115.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283747; rev:1;) alert tcp $HOME_NET any -> [86.48.7.17] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1283746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283746; rev:1;) alert tcp $HOME_NET any -> [107.174.188.48] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283745; rev:1;) alert tcp $HOME_NET any -> [172.236.65.158] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283744; rev:1;) alert tcp $HOME_NET any -> [15.235.166.83] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283743; rev:1;) alert tcp $HOME_NET any -> [94.156.8.14] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283742; rev:1;) alert tcp $HOME_NET any -> [105.155.171.91] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283694; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 15337 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283720; rev:1;)
# Exact-name DNS match: depth:31 plus isdataat:!1,relative anchors both ends of the query,
# and nocase makes the comparison case-insensitive. Confidence is 75, not 100.
# NOTE(review): the name sits several labels below ply.gg and looks like a
# provider-assigned endpoint rather than an actor-registered domain; confirm on the
# ThreatFox IOC page, since such names can be released and reissued to another customer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"listing-trackbacks.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283721; rev:1;)
# Confidence-75 ip:port rules. The only conditions are destination address and port, so a
# hit says that some TCP packet went there, not that the payload was inspected.
# NOTE(review): these destinations are presumably in large hosting ranges where addresses
# get reassigned; weigh first_seen (2024_06_11) against the alert date and corroborate on
# the source host before treating a hit as confirmed.
alert tcp $HOME_NET any -> [3.125.102.39] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283729/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283729; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283730; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283731; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283732/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_06_11; classtype:trojan-activity; sid:91283732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"javelinmarketing.nl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"larandeteknik.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283740; rev:1;) alert tcp $HOME_NET any -> [194.163.162.213] 4000 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283741; rev:1;) alert tcp $HOME_NET any -> [176.10.125.23] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.37.196"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283737; rev:1;) alert tcp $HOME_NET any -> [165.3.87.196] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283733; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283728; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283727; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; 
classtype:trojan-activity; sid:91283726; rev:1;) alert tcp $HOME_NET any -> [190.211.254.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283724; rev:1;) alert tcp $HOME_NET any -> [66.63.189.102] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"jkshb.su"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"jkshb.su"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.242.200.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283719/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_10; classtype:trojan-activity; sid:91283719; rev:1;) alert tcp $HOME_NET any -> [147.78.103.114] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283718; rev:1;) alert tcp $HOME_NET any -> [89.23.101.213] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283717; rev:1;) alert tcp $HOME_NET any -> [74.50.89.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283716; rev:1;) alert tcp $HOME_NET any -> [118.25.102.204] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283715; rev:1;) alert tcp $HOME_NET any -> [46.246.6.17] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283714; rev:1;) alert tcp $HOME_NET any -> [88.253.72.170] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283713; rev:1;) alert tcp $HOME_NET any -> [2.50.38.96] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283712; rev:1;) alert tcp $HOME_NET any -> [1.161.72.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283711; rev:1;) alert tcp $HOME_NET any -> [91.132.95.28] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283710; rev:1;) alert tcp $HOME_NET any -> [104.248.34.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283709; rev:1;) alert tcp $HOME_NET any -> [159.65.114.122] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283708; rev:1;) alert tcp $HOME_NET any -> [91.245.255.99] 443 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283707; rev:1;) alert tcp $HOME_NET any -> [81.43.27.250] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283706; rev:1;) alert tcp $HOME_NET any -> [5.104.80.155] 27564 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283705; rev:1;) alert tcp $HOME_NET any -> [158.160.82.115] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283704; rev:1;) alert tcp $HOME_NET any -> [185.59.74.254] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283703; rev:1;) alert tcp $HOME_NET any -> [180.117.162.14] 3443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; 
classtype:trojan-activity; sid:91283702; rev:1;)
# ip:port signatures published at confidence_level 50 (see each rule's metadata).
# Each one matches TCP traffic from $HOME_NET to the listed address and port only:
# there is no flow, content or app-layer keyword, so an alert does not show that a
# session was established or what it carried (it can fire on the first packet of a
# connection attempt). "threshold: type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source address per 60 seconds.
# Treat a hit as a lead to corroborate with flow or endpoint data, not as proof.
alert tcp $HOME_NET any -> [115.87.213.147] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283701; rev:1;)
alert tcp $HOME_NET any -> [92.204.83.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283700; rev:1;)
# The next two rules list the same destination address on two different ports.
alert tcp $HOME_NET any -> [114.55.230.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283698; rev:1;)
alert tcp $HOME_NET any -> [114.55.230.1] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283699; rev:1;)
# Port 443 on a single address: the rule cannot tell the reported service apart from
# anything else reachable on that address and port.
alert tcp $HOME_NET any -> [123.57.150.35] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283695; rev:1;)
alert tcp $HOME_NET any -> [121.37.42.20] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1283696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283696; rev:1;) alert tcp $HOME_NET any -> [47.94.113.161] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiao.spicn.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283692; rev:1;) alert tcp $HOME_NET any -> [23.94.94.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"xiao.spicn.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283691; rev:1;) alert tcp $HOME_NET any -> [165.3.87.196] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283690/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_10; classtype:trojan-activity; sid:91283690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283689; rev:1;) alert tcp $HOME_NET any -> [168.119.119.140] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megacitta190004.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"djinfo.pl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283687; rev:1;) alert tcp $HOME_NET any -> [147.45.79.91] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283683/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283683; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 16307 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283682/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283682; rev:1;) alert tcp $HOME_NET any -> [60.204.235.186] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vnaillslivns.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"vnaillslivns.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"api.vnaillslivns.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283677/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.vnaillslivns.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.collegel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.collegel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.collegel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; 
classtype:trojan-activity; sid:91283673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"111.229.142.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"senkiv.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"bbill.freehostpro.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"gpsuser.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"gpsuser.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283666; rev:1;) alert tcp $HOME_NET any -> [106.52.102.35] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"42.193.130.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283664; rev:1;) alert tcp $HOME_NET any -> [134.175.213.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"134.175.213.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283662; rev:1;) alert tcp $HOME_NET any -> [54.179.250.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"yk.test2024.sbs"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yk.test2024.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283660; rev:1;) alert tcp $HOME_NET any -> [107.148.1.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"support.whatsappsignup.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-4.8.1.min.js"; depth:20; nocase; http.host; content:"support.whatsappsignup.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283656; rev:1;) alert tcp $HOME_NET any -> [23.94.94.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"s1.botdash.app"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.botdash.app"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283654; rev:1;) alert tcp $HOME_NET any -> [154.44.28.49] 
443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283652; rev:1;)
# How the url rules below match:
#   http.uri  content + depth (= pattern length) + nocase -> the URI must START with
#             the pattern, case-insensitively; anything may follow it.
#   http.host content + depth + isdataat:!1,relative -> the Host value must be exactly
#             the pattern (nothing before it, nothing after it).
# These are HTTP app-layer rules: they fire only where Suricata parses the request
# itself. The same request carried inside TLS does not reach these buffers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.121.133.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"49.232.129.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283650; rev:1;)
# ip:port rule: no flow or content keyword, so it matches on destination address and
# port alone; the threshold caps it at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [106.52.102.35] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283649; rev:1;)
# NOTE(review): same method / URI / Host match as sid 91283664 (ioc/1283664) earlier
# in this file, so a single request raises both alerts. De-duplicate on triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"42.193.130.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283648; rev:1;)
# Payload-delivery url rules.
# NOTE(review): the first host and its blog-style path look like a page on an
# otherwise legitimate site, presumably compromised; confirm against the referenced
# ThreatFox entry. The rule matches only that URI prefix, not the host as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~eric/wp/masterddl/2022/09/10/hot-cargo-agreement-define/"; depth:58; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"francesmacve.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"docsjapan.xsrv.jp"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283645; rev:1;)
# Domain rule: dns_query content + depth + isdataat:!1,relative is an exact-name
# match, so queries for subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alphabetllc.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283643; rev:1;)
alert tcp $HOME_NET any -> [95.217.135.112] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283640; rev:1;)
alert tcp $HOME_NET any -> [49.13.235.244] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283641; rev:1;)
# The URI pattern in the next two rules is just "/" with depth:1, which any request
# path beginning with a slash satisfies. In effect they are "any GET whose Host header
# is this address". Unlike the ip:port rules above they carry no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.235.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.135.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"alphabetllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283637; rev:1;)
# The steamcommunity.com rules from here on each key on one profile path on a shared
# public platform, not on a host the operator controls.
# NOTE(review): presumably the profile page serves as a lookup/dead-drop location;
# confirm in the referenced ThreatFox entries. A hit identifies the client that
# requested that profile; the Host value alone is not an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619916287"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619157993"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619938930"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619927938"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/profiles/76561199619855608"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619915856"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620444957"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619564077"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620058328"; depth:27; nocase; 
http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283628; rev:1;)
# NOTE(review): the line above is the tail of a rule whose start lies before this
# section; it is kept verbatim. From here on each rule is restored to one line.
#
# Section overview: ThreatFox-generated alerts for outbound traffic from $HOME_NET,
# all with first_seen 2024_06_10. Every rule carries target:src_ip, so the source
# address is the one marked as the target in alert output. Each sid is the
# ThreatFox IOC id with a leading 9; the reference URL holds the IOC record.
#
# Steam community profile pages flagged as botnet C2 (confidence 100).
# - The host is a widely used legitimate service, so the only discriminator is the
#   numeric profile id in http.uri; do not broaden these to a host-only match.
# - depth:27 pins the URI prefix, but nothing anchors its end: longer paths that
#   start with the same profile path also match.
# - http.host with depth:<length> plus isdataat:!1,relative is an exact match on
#   the whole Host value.
# - These are "alert http" rules: they only see requests the sensor can parse as
#   HTTP. If clients reach this host over TLS (presumably the norm - confirm),
#   they fire only where traffic is decrypted before inspection.
# - The msg names no malware family; use the reference URL for attribution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199618998288"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620788109"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619525937"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619987302"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619729848"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619383712"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283622; rev:1;)
# DNS query-name indicators (confidence 100).
# - depth:<length> plus isdataat:!1,relative makes each an exact match on the
#   full query name; a lookup for a subdomain of the same domain does not match.
# - There is no threshold here, so repeated lookups alert each time.
# - target:src_ip points at whoever sent the query. Where clients use an internal
#   resolver that forwards to $EXTERNAL_NET, that is the resolver: correlate with
#   resolver query logs to find the originating host.
# - Lookups carried over encrypted DNS are not visible to these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctze.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a-bc.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd-d.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llzl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nafiskaran.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddbc.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283616; rev:1;)
# ip:port indicators.
# - No flow or content keywords: any TCP packet from $HOME_NET to the listed
#   address and port matches, including a connection attempt that is never
#   answered. Treat a hit as "tried to connect", then confirm with flow records.
# - threshold type limit / track by_src / seconds 60 / count 1 caps output at one
#   alert per source address per 60 seconds for each sid.
# - confidence_level is 50 on every rule in this run: triage as a lead, not a
#   verdict. An address can host unrelated services or be reassigned after
#   first_seen - re-check the reference URL before blocking.
alert tcp $HOME_NET any -> [194.59.30.174] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283615; rev:1;)
alert tcp $HOME_NET any -> [31.177.108.30] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283614; rev:1;)
alert tcp $HOME_NET any -> [94.49.204.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283613; rev:1;)
alert tcp $HOME_NET any -> [162.238.154.3] 2000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283612; rev:1;)
alert tcp $HOME_NET any -> [192.3.86.166] 2096 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283611; rev:1;)
# URL indicators, confidence 80: one URI prefix ("/zjm0njuxndm5mmvi/") repeated
# across many .top/.xyz hosts.
# - Each rule needs both the URI prefix (depth:18, nocase) and the exact host, so
#   a host that is not yet in the feed produces no alert.
# - NOTE(review): the path looks lower-cased by the feed; nocase keeps the match
#   independent of the casing seen on the wire.
# - Cleartext HTTP only: a request made inside TLS is not inspected by these rules
#   unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"hyatyumrukgibi.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283571/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dnliyomsadeceuzaktan.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283572/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gecicekyramatuzatma.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283573/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"birgunolucakelbeet.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283574/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"sankioguncokuzakk.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283575/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"snayatkatalicam.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283576/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"olanlarigoruceez.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283577/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kfamhepkarambol.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283578/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"birbirbirdenikidir.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283579/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"fesatlarafesatkk.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283580/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bitmeztukenmezbuenerjj.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283581/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kirmizimavigelldii.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283583/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"ckinsanaffettmm.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283582/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dememelalemnedeerr.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"savuryadarsavuun.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283585/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"taktmkafayikapattmkafayi.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283586/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"taktimbirtipayivedekovayi.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283587/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bileneaferinbilmeyeneketamn.xyz"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283588/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gormedenglenlereslm.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283589/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"saffetsafmigerckten.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283590/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283590; rev:1;)
# Second URL cluster, confidence 80: URI prefix "/zdqyn2nmogezotlk/" on short
# eight-letter .top/.xyz hosts. Same rule shape as the cluster above: URI prefix
# (depth:18, nocase) AND exact host, cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"vypzjiqv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283591/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qunxbliv.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283592/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zoxkfwem.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283593/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kuzpjynx.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283594/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qlizfuvp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283595/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"pluxzwik.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283597/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jylxqizm.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283596/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qyphfipx.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283598/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jorzklyv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283599/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qubzzimp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283600/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fynxqolp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283601/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jikmzyrf.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283602/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"plukqerj.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jopzblix.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283604/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"quvmfuzj.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283605/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zytkqapv.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283606/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jizqkuwp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283607/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zivxfqim.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283608/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jypzquzx.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"blifqevp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283610; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283570; rev:1;) alert tcp $HOME_NET any -> [144.202.2.143] 7995 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"elvesofiax.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"imaginaria.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"elvesofiax.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"elvesofiax.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"devblog.ludikreation.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"detforening.dk"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dresstherapist.sakura.ne.jp"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"elvesofiax.com"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283566; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283554; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283555; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283556; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283557; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283558; rev:1;) alert tcp $HOME_NET any -> [4.185.27.237] 13528 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/v6.04/wwuf3e1d"; depth:21; nocase; http.host; content:"216.245.184.159"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283553; rev:1;) alert tcp $HOME_NET any -> [149.88.93.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"149.88.93.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283551; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 11262 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283550; rev:1;) alert tcp $HOME_NET any -> [194.62.250.122] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283549; rev:1;) alert tcp $HOME_NET any -> [89.110.78.222] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283548; rev:1;) alert tcp $HOME_NET any -> [91.92.255.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283547; rev:1;) alert tcp $HOME_NET any -> [94.228.166.50] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283546; rev:1;) alert tcp $HOME_NET any -> [203.104.42.92] 2233 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283545; rev:1;) alert tcp $HOME_NET any -> [1.161.82.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283544/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_09; classtype:trojan-activity; sid:91283544; rev:1;)
# ip:port rules. The only match conditions are the destination address and
# port: there is no flow or content keyword, so any TCP packet from $HOME_NET
# to the endpoint raises the alert, whether or not a session was established.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source host per minute, so alert count does not reflect how many
# connections were made. target:src_ip marks the internal client as the
# affected host in the alert event.
# Every rule in this group carries confidence_level 50: treat a hit as a lead
# to corroborate with host or proxy telemetry rather than a confirmed infection.
# NOTE(review): first_seen is 2024_06_09 and addresses get reassigned; check the
# reference URL to confirm the IOC is still listed before escalating.
alert tcp $HOME_NET any -> [188.54.56.236] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283543; rev:1;)
# Destination port 445 leaving $HOME_NET: the rule fires on the attempt alone.
# NOTE(review): presumably outbound SMB is already blocked at the perimeter in
# most deployments, in which case a hit still identifies the client that tried.
alert tcp $HOME_NET any -> [157.245.248.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283542; rev:1;)
alert tcp $HOME_NET any -> [192.46.232.196] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283541; rev:1;)
alert tcp $HOME_NET any -> [180.117.162.14] 380 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283540; rev:1;)
alert tcp $HOME_NET any -> [137.175.113.92] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283539; rev:1;)
alert tcp $HOME_NET any -> [163.181.140.108] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1283538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283538; rev:1;) alert tcp $HOME_NET any -> [208.123.119.159] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283537; rev:1;) alert tcp $HOME_NET any -> [208.123.119.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalsecurebase.php"; depth:22; nocase; http.host; content:"securitytransfer.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service-level-agreement-laboratory/"; depth:36; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lamperdingen.ch"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283533; rev:1;)
# ip:port rules: matched on destination address and port only, with no flow or
# content keyword, and limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [185.140.53.144] 8691 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283531; rev:1;)
alert tcp $HOME_NET any -> [89.23.107.91] 35077 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283530; rev:1;)
# The protocol here is tcp, so only TCP/53 to this address is covered; UDP
# traffic to the same address and port falls outside the rule.
# NOTE(review): if DNS-based C2 to this address is a concern, confirm whether a
# UDP counterpart is wanted locally.
alert tcp $HOME_NET any -> [39.105.27.160] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283529; rev:1;)
# Domain rule: the content is checked against the DNS query name. depth:23
# equals the length of the name and isdataat:!1,relative requires that nothing
# follows it, so this is a whole-name, case-insensitive match. Queries for
# subdomains of this name do not match. The rule has no threshold, so every
# matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.netuse1.eu.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283528; rev:1;)
alert tcp $HOME_NET any -> [37.152.57.102] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283527/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hukukarastirmavakfi.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post.php"; depth:9; nocase; http.host; content:"rsmbscm.wikilogistics.wiki"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"rsmbscm.wikilogistics.wiki"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283526/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"31.128.39.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283524; rev:1;) alert tcp $HOME_NET any -> [47.92.162.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.162.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283522; rev:1;) alert tcp $HOME_NET any -> [154.44.29.15] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.44.28.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"128.1.40.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283519; rev:1;) alert tcp 
$HOME_NET any -> [154.44.29.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283518; rev:1;)
# url rules combine three conditions on an established client-to-server flow:
#   http.method must contain "GET" (other request methods do not alert);
#   http.uri must begin with the listed path (depth equals the path length and
#     there is no end anchor, so longer URIs with the same prefix also match);
#   http.host must equal the listed value (depth equals its length and
#     isdataat:!1,relative forbids trailing bytes).
# The host condition is on the Host header, not the destination address, which
# is $EXTERNAL_NET any. These rules work on parsed HTTP, so they need cleartext
# or decrypted traffic; the same indicator carried inside TLS is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.44.28.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283517; rev:1;)
alert tcp $HOME_NET any -> [1.92.96.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283516; rev:1;)
# The match keywords of this rule (GET, URI prefix /api/x, same 50-byte host)
# are identical to those of sid 91283470 elsewhere in this file; only the
# reference and sid differ. One matching request therefore raises two alerts,
# which is worth accounting for when counting events or deduplicating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-79k3uwa0-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283515; rev:1;)
alert tcp $HOME_NET any -> [165.3.87.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283514; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283513; rev:1;)
# In the rule ending just above (sid 91283513) the URI prefix is a file name
# that is also requested from many unrelated sites; the whole-host condition on
# http.host is what keeps that rule specific to this indicator.
#
# The rules that follow share one URI prefix, /dykkyhj8rwcvwqha/, and the same
# confidence_level 80; they differ only in the http.host value, reference and
# sid. Each host is matched in full (depth equals its length and
# isdataat:!1,relative forbids trailing bytes), so a further domain serving
# the same path is not covered until it is added as its own rule.
# NOTE(review): for triage, grouping these alerts by the shared URI prefix looks
# more useful than handling each sid separately; confirm against local data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"renklidunyalarinrenkleriolsun.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevdaninsarkisigibigelsin.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutkutusuilehayatolsun.top"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutlulukyolculuguguzelolsun.xyz"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgidansarkilarigelsin.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"huzurunadresigizemliolsun.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"anilarinpeksimdihayatolsun.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283486/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"guzelliklerinpekisiolsun.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"masalsendromuduygusugelsin.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283484/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"ruyalarinyoluyolculukolsun.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sonsuzlukhikayesibaslasin.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; 
content:"gizemlisularinsirriacilsin.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"yildizlararasindayolculukolsun.top"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283482/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutluluklimanlarigibiyolculuk.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutkaynaklarihayatinolsun.xyz"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"ruyalarindabulusmakolsun.top"; depth:28; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgiyoluolusturmakolsun.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"hayatrenklidirnefesolsun.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutlulukyolculugudanolsun.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sonsuzlukyolculugundanolsun.top"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283500/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"huzurunkaynaginagidenolsun.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgiyuregimizdeyerolsun.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutharitasiguzelolsun.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"hayalperestdunyalarindanolsun.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283504/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283504; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"guzelliklerinpesindeyizolsun.top"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"anilariniziunutmayinolsun.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"gizemlihayallerkurmakolsun.xyz"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutgunesindeyizolsun.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutseslerimutlulukgelsin.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"huzurunsirrikeyifles.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"hayalperestdunyamagazinolsun.xyz"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283481/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgiyolculugugibioxyzgelsin.top"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"maceraperestdunyagezin.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutlulukkutusuhediyeolsun.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283478/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"renklikalemlerimagidolsun.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283479/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283479; rev:1;) alert tcp $HOME_NET any -> [185.164.138.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"health.sjp.ac.lk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283469/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"activecode.work"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blacktds.black"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blacktds.cloud"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283464; rev:1;) alert tcp $HOME_NET any -> [43.143.245.43] 7002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"1.12.45.242"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; 
classtype:trojan-activity; sid:91283509; rev:1;)
# url rule at confidence_level 75. It requires GET, a URI beginning with the
# listed path, and a Host header equal to the listed IP literal; the match is
# on the header value, not on the destination address of the connection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"116.62.232.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283473; rev:1;)
# ip:port rule: destination address and port only, one alert per source host
# per 60 seconds.
alert tcp $HOME_NET any -> [1.92.96.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283472; rev:1;)
# The match keywords of this rule are identical to those of sid 91283515
# elsewhere in this file (GET, URI prefix /api/x, same 50-byte host); only the
# reference and sid differ, so one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-79k3uwa0-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283470; rev:1;)
# Domain rule for the same host name as the url rule above. depth:50 equals the
# length of the name and isdataat:!1,relative forbids trailing bytes, so only
# this exact query name matches (case-insensitively); other names under the
# same parent domain are not affected. A client that resolves the name and then
# requests the URL over cleartext HTTP will appear in both the dns and the
# http alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-79k3uwa0-1317712796.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lebohdc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pinaylizzie.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"somlwebtactics.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cloudsafeuae.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283465; rev:1;) alert tcp $HOME_NET any -> [196.217.71.182] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"coffeecrumbs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283454/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283454; rev:1;)
# Payload-delivery rules: each URL rule requires a GET whose URI starts with the
# listed path (depth anchors the start only) and whose http.host equals the
# listed name exactly. "alert http" depends on Suricata parsing the request, so
# these rules only see traffic that is cleartext HTTP at the sensor; the paired
# domain rule below is the DNS-side signal for the same host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coffeecrumbs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"coffeecrumbs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"coffeecrumbs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"psk777.casa"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283458; rev:1;)
# Several rules in this group share the path /reports.php on different hosts.
# NOTE(review): these hostnames look like ordinary websites, presumably
# compromised rather than attacker-owned; confirm before deriving domain-wide
# blocks, since the rules themselves only flag the specific path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"georaldc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dmboxing.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wisconsin-tax-installment-agreement"; depth:36; nocase; http.host; content:"platypus-verlag.ch"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ecoledebatteriejonathandesrumeaux.fr"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283430; rev:1;)
# Exact-name DNS match: only this full name alerts, not other names under the
# same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"experience-apart.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"enhornabatklubb.se"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"geomatikkbedriftene.no"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283436; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET to
# the listed address and port matches, limited to one alert per source per 60 s.
# On ports 80 and 443 at confidence_level 50 this is an address-reputation hit
# only; check the reference URL and endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [45.74.25.39] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283459; rev:1;)
alert tcp $HOME_NET any -> [45.94.168.134] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283453; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1283452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283452; rev:1;)
# This group is almost entirely ip:port rules at confidence_level 50. Each one
# matches any TCP packet from $HOME_NET to the listed address and port (no flow
# or content keywords) and is rate-limited to one alert per source per 60 s.
# "Unknown malware" in msg means the feed gives no family; the reference URL is
# the only pointer to context.
# NOTE(review): first_seen is the only age signal carried in a rule, and address
# indicators go stale as hosts are reassigned; confirm the feed's retention
# window before relying on older entries.
alert tcp $HOME_NET any -> [64.227.156.18] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283451; rev:1;)
alert tcp $HOME_NET any -> [5.42.106.219] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283450; rev:1;)
alert tcp $HOME_NET any -> [89.116.159.203] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283449; rev:1;)
alert tcp $HOME_NET any -> [147.45.71.7] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283448; rev:1;)
alert tcp $HOME_NET any -> [45.157.233.27] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283447; rev:1;)
alert tcp $HOME_NET any -> [216.137.234.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283446; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.48] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283445; rev:1;)
alert tcp $HOME_NET any -> [144.76.91.151] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283444; rev:1;)
alert tcp $HOME_NET any -> [46.167.129.231] 15596 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283443; rev:1;)
alert tcp $HOME_NET any -> [103.85.74.193] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283442; rev:1;)
alert tcp $HOME_NET any -> [183.214.129.157] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283441; rev:1;)
alert tcp $HOME_NET any -> [124.239.234.175] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283440; rev:1;)
alert tcp $HOME_NET any -> [52.74.20.24] 5000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283439; rev:1;)
# Payload-delivery URL rules keyed to an IP literal in the Host header: GET only,
# URI matched as a prefix, host matched exactly. They carry no threshold keyword,
# so every matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.193.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.192.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283437; rev:1;)
alert tcp $HOME_NET any -> [188.127.247.28] 36800 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; 
sid:91283435; rev:1;)
# URL rules in this group: GET only; the http.uri pattern is anchored at the
# start by depth (a longer URI with the same prefix still matches) and the
# http.host pattern must equal the whole host buffer. Every rule sets
# target:src_ip, so the internal client is recorded as the alert target.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/43a214c8.php"; depth:13; nocase; http.host; content:"a0991246.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283434; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port
# matches (no flow or content keywords); one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [147.185.221.20] 7974 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283425; rev:1;)
# From here on the metadata reads first_seen 2024_06_08.
alert tcp $HOME_NET any -> [45.137.22.111] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283423; rev:1;)
alert tcp $HOME_NET any -> [18.231.93.153] 15352 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updatesqldb.php"; depth:16; nocase; http.host; content:"505732cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283421; rev:1;)
alert tcp $HOME_NET any -> [5.180.148.45] 7159 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283420; rev:1;)
alert tcp $HOME_NET any -> [18.229.248.167] 15352 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7providerlinux/cdngenerator/jspacketupdateprocessorserverprotecttraffictestdatalifeuploads.php"; depth:95; nocase; http.host; content:"38.180.165.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283418; rev:1;)
alert tcp $HOME_NET any -> [77.83.196.180] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283416; rev:1;)
alert tcp $HOME_NET any -> [101.126.91.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283415; rev:1;)
alert tcp $HOME_NET any -> [185.119.196.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283414; rev:1;)
# The next two rules name the same address: a port-443 ip:port rule and a URL
# rule on the Host header. NOTE(review): the URL rule needs a parsed HTTP
# request, so it presumably fires only where that traffic is cleartext or
# decrypted at the sensor; confirm against the deployment.
alert tcp $HOME_NET any -> [124.71.102.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.71.102.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283412; rev:1;)
# Three-byte URI prefix: any GET to this host whose URI begins with "/cx"
# matches, so the host match carries the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.249.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283411; rev:1;)
alert tcp $HOME_NET any -> [77.221.157.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283410; rev:1;)
alert tcp $HOME_NET 
any -> [58.137.140.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283409; rev:1;)
# Several addresses in this group appear twice: once in an ip:port rule and once
# as the http.host value of a URL rule. A single HTTP request to such an address
# on the listed port can raise both alerts; the URL rule is the more specific
# one (GET + URI prefix + exact host), while the ip:port rule matches any TCP
# packet to the address and port, limited to one alert per source per 60 s.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"58.137.140.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283408; rev:1;)
alert tcp $HOME_NET any -> [74.48.45.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283407; rev:1;)
alert tcp $HOME_NET any -> [54.169.254.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"54.169.254.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283405; rev:1;)
# NOTE(review): the ip:port rule below is on port 443 while the URL rule for the
# same address needs a parsed HTTP request; presumably only the ip:port rule
# fires where that traffic is encrypted at the sensor. Confirm against the
# deployment.
alert tcp $HOME_NET any -> [47.92.162.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.162.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283403; rev:1;)
# Domain rule: exact-name match on the DNS query (depth + isdataat:!1,relative,
# nocase); the URL rule two lines down covers the same name in the Host header.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanhaozhifu.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283401; rev:1;)
alert tcp $HOME_NET any -> [165.3.87.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283400; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.18] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.22.152.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283398; rev:1;)
# confidence_level 50 on port 443: an address-reputation hit only; corroborate
# with endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [78.178.72.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.89.200.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283395; rev:1;)
alert tcp $HOME_NET any -> [118.89.200.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283394; rev:1;)
# URL rules in this group use short or ordinary-looking URIs ("/j.ad",
# "/fwlink", "/remove", "/match", a shopping-style search path). The http.uri
# pattern is only a start-anchored prefix, so the exact http.host match is what
# ties each alert to the indicator; triage on the host value first.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"146.70.149.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283393; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port
# matches (no flow or content keywords); one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [20.244.96.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"20.244.96.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283391; rev:1;)
alert tcp $HOME_NET any -> [13.49.238.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"58.53.128.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283389; rev:1;)
# Domain rules match the queried name exactly (depth + isdataat:!1,relative,
# nocase). NOTE(review): the tyk.io and azureedge.net names below look like
# tenant names under shared service domains; because only the full name matches,
# keep any block or hunt scoped to that name rather than the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bad-week-gw.aws-usw2.cloud-ara.tyk.io"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"bad-week-gw.aws-usw2.cloud-ara.tyk.io"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283387; rev:1;)
alert tcp $HOME_NET any -> [193.124.33.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remove"; depth:7; nocase; http.host; content:"candycappa.store"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"candycappa.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"34.92.25.154"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hospitalstorage.azureedge.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283381; rev:1;)
alert tcp $HOME_NET any -> [159.89.46.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/git.asp"; depth:8; nocase; http.host; 
content:"hospitalstorage.azureedge.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283380; rev:1;)
# URL rules: GET only; http.uri is matched as a start-anchored prefix and
# http.host must equal the listed value exactly. The first URI below is a common
# library file name, so the host match carries the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"110.42.249.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283379; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port
# matches (no flow or content keywords); one alert per source per 60 seconds.
# At confidence_level 50 treat a hit as an address-reputation signal: the rule
# says nothing about what was sent, so confirm with endpoint or flow data.
alert tcp $HOME_NET any -> [84.129.151.24] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283378; rev:1;)
# The next two rules list the same address on two ports; each has its own sid
# and its own per-source threshold, so one host can raise both within a minute.
alert tcp $HOME_NET any -> [152.53.20.106] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283377; rev:1;)
alert tcp $HOME_NET any -> [152.53.20.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agreement-side-effects/"; depth:24; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lilabrand.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a9f8e2503d99c04.php"; depth:21; nocase; http.host; content:"23.88.106.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283373; rev:1;)
# Domain rules: dns_query content with depth equal to the pattern length plus
# isdataat:!1,relative matches the queried name exactly (nocase); subdomains of
# a listed name do not raise these alerts, and only DNS that Suricata can parse
# at the sensor is covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9y3b7ner2.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283372; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 17435 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283370; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 17435 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cv2b8uz46e.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283369; rev:1;)
alert tcp $HOME_NET any -> [51.81.30.54] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chamadoregional.solutions"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuidadofinanceiro.agency"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fazenda-sps.one"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283362/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxtel.solutions"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nenaviste.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neskodny.builders"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prestador-xp.services"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vistoriaveicular.chat"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283367; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abastecimentoonline.chat"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atende-br.chat"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessgreat.one"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drosonfinfel.nenaviste.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dromonnancal.atende-br.chat"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; 
classtype:trojan-activity; sid:91283355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dromongongor.businessgreat.one"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drocansal.fazenda-sps.one"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drocangoncol.businessgreat.one"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dresonnal4.abastecimentoonline.chat"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drelunral38.maxtel.solutions"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drejal.chamadoregional.solutions"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dratunmintil.fazenda-sps.one"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dratunlinfil.fazenda-sps.one"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"dralundinnal.chamadoregional.solutions"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drabel4.maxtel.solutions"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crovaz.abastecimentoonline.chat"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crotunlinder.chamadoregional.solutions"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crotal.maxtel.solutions"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283342/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crosonpal.businessgreat.one"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"croronqual225.vistoriaveicular.chat"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"croringungem.vistoriaveicular.chat"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cronanbel.vistoriaveicular.chat"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283338; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crojal.cuidadofinanceiro.agency"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crohal.fazenda-sps.one"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crofer.prestador-xp.services"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crocal3.fazenda-sps.one"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"crisonlinder.neskodny.builders"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crironnonbil3.businessgreat.one"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crironcindor3.vistoriaveicular.chat"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"criel.cuidadofinanceiro.agency"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crical.chamadoregional.solutions"; depth:32; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1283329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cretonpaz.vistoriaveicular.chat"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cresonrol761.vistoriaveicular.chat"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crediz.atende-br.chat"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crasonqual.atende-br.chat"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283325; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes for the rules below (comments only; rule text is unchanged).
#
# Each "botnet C2 traffic (url ...)" rule in this run alerts on a GET whose
# Host header equals the listed name. http.host is matched exactly: depth
# equals the content length and isdataat:!1,relative forbids trailing bytes.
# http.uri content:"/" with depth:1 only requires the URI to begin with "/",
# so the path adds no selectivity. The rules need a request the HTTP parser
# can see, so they do not fire on TLS traffic the sensor cannot decrypt.
#
# Every rule's sid is "9" followed by the ThreatFox IOC id in its reference
# URL, so an alert can be traced back to threatfox.abuse.ch/ioc/<id>/.
# target:src_ip marks the $HOME_NET sender as the affected host in the alert.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crasonnal.cuidadofinanceiro.agency"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crapennal24.prestador-xp.services"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cramengonwel143.businessgreat.one"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cracal.nenaviste.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cracal.cuidadofinanceiro.agency"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clesonqual.vistoriaveicular.chat"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cleriz.prestador-xp.services"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clegongor2.prestador-xp.services"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clananbel.neskodny.builders"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clahenkil037.fazenda-sps.one"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brutonlinjal.nenaviste.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brutonlanfer.maxtel.solutions"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brusonroncol.chamadoregional.solutions"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brumol164.fazenda-sps.one"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brumengonwel.abastecimentoonline.chat"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brudiz.vistoriaveicular.chat"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brudiz.neskodny.builders"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brudensintal.vistoriaveicular.chat"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brucal.nenaviste.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brubenbonzol183.prestador-xp.services"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bluronpal.maxtel.solutions"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bluronbonxil.cuidadofinanceiro.agency"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blumol3.maxtel.solutions"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blulunwinim.neskodny.builders"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blufel2.nenaviste.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bloriz.prestador-xp.services"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283299; rev:1;)
# "payload delivery" url rules (this one and the two /reports.php rules below):
# the http.uri content is anchored at the start of the URI but nothing forbids
# trailing bytes, so longer paths and query strings under the same prefix also
# alert. The host match is exact.
# NOTE(review): the rule text cannot show whether these hosts are attacker-owned
# or third-party sites. Check the ThreatFox entry before blocking a whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wisconsin-tax-installment-agreement/"; depth:37; nocase; http.host; content:"www.platypus-verlag.ch"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283295; rev:1;)
# ip:port rule: there is no flow or content keyword, so any TCP packet from
# $HOME_NET to this address and port matches; nothing requires the connection
# to be established. The threshold caps output at one alert per source IP per
# 60 seconds. confidence_level is 75 here; corroborate before acting on it alone.
alert tcp $HOME_NET any -> [3.125.102.39] 17046 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ktweb.home.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"labstyl.nazwa.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283297; rev:1;)
alert tcp $HOME_NET any -> [37.44.238.75] 81 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283284; rev:1;)
# ip:port rule. It has no flow or content keyword, so it needs only a TCP packet from
# $HOME_NET to the listed address and port: an alert records a connection attempt, not
# decoded C2 traffic (presumably it can already fire on the first SYN; confirm on the sensor).
# threshold caps output at one alert per source address per 60 seconds.
# target:src_ip marks the internal source as the affected side of the event.
# metadata (confidence_level, first_seen) is descriptive and takes no part in matching.
# In every rule here the sid is the digit 9 followed by the IOC id from the reference URL.
# NOTE(review): at confidence 75 with endpoint-only matching, corroborate a hit with host
# or proxy data before treating the source as infected.
alert tcp $HOME_NET any -> [3.64.4.198] 13678 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283292; rev:1;)
# Domain rules. dns_query (legacy spelling of dns.query) selects the DNS query name.
# depth equal to the pattern length plus isdataat:!1,relative anchors both ends, so only
# the exact name matches (case-insensitively, via nocase). Each listed name under
# rdntocdns.com has its own rule; any other name under that domain is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assets.rdntocdns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn.rdntocdns.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"css.rdntocdns.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rest1.rdntocdns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rest2.rdntocdns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283246; rev:1;)
# URL rule. The method buffer must contain GET, the URI buffer must begin with the listed
# path (depth equals the pattern length, nocase, no end anchor, so longer paths and query
# strings also match) and http.host must equal the listed name exactly.
# flow:established,from_client restricts the match to the client's request, so a
# "payload delivery" alert shows that the URL was requested, not that anything was served.
# The http buffers exist only for traffic parsed as HTTP; the same request inside TLS is
# not seen by this rule unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"intranat.vhfk.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283253; rev:1;)
# Domain rule, same exact-name matching as the rdntocdns.com rules above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7yen47u2e.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283280; rev:1;)
# URL rule, same shape as the /reports.php rule above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read-agreement-of-being-gay-for-30-days"; depth:40; nocase; http.host; content:"exotours.in"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283281; rev:1;)
# ip:port rule on 443: endpoint-only match, nothing in it inspects TLS or payload.
# The rule text continues on the following line of the file.
alert tcp $HOME_NET any -> [158.160.11.208] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283287/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283287; rev:1;)
# URL rules in this group share one shape: the method buffer must contain GET, the URI
# buffer must begin with the listed path (depth equals the pattern length, nocase, no end
# anchor, so "/push" also matches longer paths and query strings) and http.host must equal
# the listed value exactly (depth plus isdataat:!1,relative).
# With short, generic paths such as /push or /g.pixel the Host match carries the
# specificity. The http buffers exist only for traffic parsed as HTTP, so the same request
# inside TLS is not seen by these rules unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"iheartredteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283290; rev:1;)
# ip:port rule: no flow or content keyword, so it needs only a TCP packet from $HOME_NET
# to this address and port; threshold caps it at one alert per source per 60 seconds.
# NOTE(review): the URL rule that follows names the same address as Host, so an HTTP
# request for /visit.js sent to 154.198.245.62 on port 80 would presumably raise both
# sid 91283289 and sid 91283288; correlate on destination to avoid double counting.
alert tcp $HOME_NET any -> [154.198.245.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"154.198.245.62"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283288; rev:1;)
# ip:port rules on ports 555 and 443. They match on the endpoint alone; nothing in them
# inspects TLS or payload, so an alert shows contact with the listed endpoint only. The
# malware family is named in msg but is not part of the match.
alert tcp $HOME_NET any -> [105.105.234.158] 555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283286; rev:1;)
alert tcp $HOME_NET any -> [47.103.52.146] 443 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283285; rev:1;)
alert tcp $HOME_NET any -> [154.12.26.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283283; rev:1;)
# URL rule, same shape as the URL rules at the top of this group.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283282; rev:1;)
# ip:port rule; its text continues on the following line of the file.
alert tcp $HOME_NET any -> [185.186.146.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1283279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.186.146.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283278; rev:1;) alert tcp $HOME_NET any -> [47.97.79.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.226.26.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"27.37.200.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.170.81.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.182.226.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.195.185.112"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"180.213.179.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; 
depth:20; nocase; http.host; content:"61.170.80.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283270; rev:1;) alert tcp $HOME_NET any -> [124.71.153.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.153.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283268; rev:1;) alert tcp $HOME_NET any -> [124.71.153.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/font-awesome.css"; depth:28; nocase; http.host; content:"124.71.153.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"4.191.74.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.239.1.232"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283263; rev:1;) alert tcp $HOME_NET any -> [47.239.1.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"106.52.130.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283262; rev:1;) alert tcp $HOME_NET any -> [124.71.153.115] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283261; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283260; rev:1;) alert tcp $HOME_NET any -> [43.138.143.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-o1dc3wx3-1311799005.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-o1dc3wx3-1311799005.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"89.116.48.173"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.51.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283248; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"213.109.202.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283239; rev:1;) alert tcp $HOME_NET any -> [16.16.206.231] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1283238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283238; rev:1;)
# ip:port rules at confidence_level 50. Each needs only a TCP packet from $HOME_NET to the
# listed address and port (no flow, content or TLS keyword), and threshold caps output at
# one alert per source address per 60 seconds. The malware family appears only in msg;
# nothing in the rule distinguishes that family's traffic from any other connection to
# the same endpoint.
# NOTE(review): with half confidence and endpoint-only matching, especially on the common
# ports 80 and 443, treat a hit as a lead to corroborate (host telemetry, proxy or TLS
# logs) rather than as confirmation. confidence_level in metadata takes no part in
# matching but can drive severity or routing downstream.
alert tcp $HOME_NET any -> [46.246.14.21] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283237; rev:1;)
alert tcp $HOME_NET any -> [39.96.169.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283236; rev:1;)
alert tcp $HOME_NET any -> [82.168.162.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283234; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.194] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283233; rev:1;)
alert tcp $HOME_NET any -> [104.238.61.20] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283232; rev:1;)
alert tcp $HOME_NET any -> [92.243.64.130] 31205 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283231; rev:1;)
alert tcp $HOME_NET any -> [136.144.162.236] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283230; rev:1;)
# URL rules at confidence_level 80. The method buffer must contain GET, the URI buffer
# must begin with /ytyxnjljzdi1yzfh/ (depth equals the pattern length, nocase, no end
# anchor, so anything may follow the path) and http.host must equal the listed name
# exactly (depth plus isdataat:!1,relative).
# The same path recurs across several hosts whose names end in camel.store; each host has
# its own rule, so another host using the same path is not covered until it is listed.
# The http buffers exist only for traffic parsed as HTTP; the same request inside TLS is
# not seen by these rules unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"pq2trelsquu44xbpritocamel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283207/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"k6fvq8c11dqqjd446ck9camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283205/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283205; rev:1;)
# Same URL rule shape; the rule text continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"7l19jlu5trkqndh24li4camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283206/; target:src_ip; metadata: confidence_level 80, first_seen
2024_06_08; classtype:trojan-activity; sid:91283206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"brfw0g97s9mwun8juhb0camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283203/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"re5bvyc4l6004tqmtzp4camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283204/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"6zimks6know8jihvtoa8camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283201/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"3w0mi18gkfrf6l8a8d09camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283202/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283202; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"83.97.73.39"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283199/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"97felu2ehv0r5iff3cslcamel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283200/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/tologin"; depth:14; nocase; http.host; content:"dcc.olcrv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283180/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_08; classtype:trojan-activity; sid:91283180; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12374 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283185/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; 
content:"wlw7obu15d6ru3eqy3o8camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283208; rev:1;)
# URL rules. The method buffer must contain GET, the URI buffer must begin with the listed
# path (depth equals the pattern length, nocase, no end anchor, so longer paths and query
# strings also match) and http.host must equal the listed name exactly (depth plus
# isdataat:!1,relative). flow:established,from_client restricts the match to the client's
# request. The http buffers exist only for traffic parsed as HTTP, so the same request
# inside TLS is not seen by these rules unless it is decrypted before the sensor.
# In every rule here the sid is the digit 9 followed by the IOC id from the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"hqj6lhsgcnuxfnlj5y95camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283209/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"inat-protv-box.net.tr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283210/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283210; rev:1;)
# The next four rules (sid 91283218 to 91283221) have identical match conditions: GET, URI
# beginning with /reports.php, Host equal to hvamkulturogforsamlingshus.dk. They differ
# only in reference and sid, so one matching request raises four alerts.
# NOTE(review): presumably the four ThreatFox entries are URLs that differ in a part these
# rules do not match (for example the query string) -- confirm against the referenced IOC
# pages. Count them as one detection when triaging or tuning alert volume.
# "payload delivery" alerts fire on the request alone; they show that the URL was
# requested, not that anything was served or executed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283221; rev:1;)
# URL rule, same shape as above with a different path and host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stamping-fee-for-sp-agreement"; depth:30; nocase; http.host; content:"saasfeerentals.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283222; rev:1;)
# Same URL rule shape; the rule text continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"i-likeitalot.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08;
classtype:trojan-activity; sid:91283224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ikenouedojo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283226; rev:1;) alert tcp $HOME_NET any -> [138.162.7.28] 8000 (msg:"ThreatFox Sliver payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283229; rev:1;) alert tcp $HOME_NET any -> [4.203.104.98] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.92.24.58"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283227; rev:1;) alert tcp $HOME_NET any -> [154.12.93.14] 1153 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283225; 
rev:1;)
# Reviewer notes for the rules below (generated from ThreatFox IOCs; each sid is the
# IOC id from reference:url prefixed with 9).
# - "ip:port" rules (alert tcp) carry no flow or payload keywords, so any TCP packet
#   from $HOME_NET to that address and port matches; an alert can reflect a
#   connection attempt rather than a completed session. threshold limits each rule
#   to one alert per source per 60 seconds.
# - "url" rules (alert http) fire on a client GET whose URI begins with the listed
#   path (depth anchors the start only) and whose http.host buffer equals the listed
#   host exactly (depth plus isdataat:!1,relative). They inspect only traffic
#   Suricata parses as HTTP.
# - "domain" rules (alert dns) require the dns_query buffer to equal the listed name
#   exactly, case-insensitively; queries for subdomains of that name do not match.
# - target:src_ip marks the $HOME_NET side as the target in the alert record.
alert tcp $HOME_NET any -> [93.123.39.193] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283216; rev:1;)
# The next four rules pair an ip:port rule on 443 with a url rule for the same
# address. If the server speaks TLS on 443, only the ip:port rule can fire; the url
# rule needs a cleartext HTTP request. "/ca" with depth:3 is a prefix match.
alert tcp $HOME_NET any -> [94.142.138.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"94.142.138.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283214; rev:1;)
alert tcp $HOME_NET any -> [81.69.242.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.69.242.80"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283212; rev:1;)
# sids 91283198 down to 91283186 (thirteen rules) are all confidence_level 50 and
# match on address and port alone. Treat a hit as a lead to corroborate with host
# or flow evidence, and retire entries once the IOC is no longer current.
alert tcp $HOME_NET any -> [45.152.65.65] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283198; rev:1;)
alert tcp $HOME_NET any -> [107.173.83.222] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283197; rev:1;)
alert tcp $HOME_NET any -> [121.127.245.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283196; rev:1;)
alert tcp $HOME_NET any -> [103.145.191.123] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283195; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.208] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283194; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.194] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283193; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283192; rev:1;)
alert tcp $HOME_NET any -> [128.14.237.188] 83 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283191; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.18] 25184 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283190; rev:1;)
alert tcp $HOME_NET any -> [172.104.162.22] 16033 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283189; rev:1;)
alert tcp $HOME_NET any -> [116.142.245.94] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283188/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283188; rev:1;)
alert tcp $HOME_NET any -> [5.42.100.30] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283187; rev:1;)
alert tcp $HOME_NET any -> [54.173.147.137] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283186; rev:1;)
alert tcp $HOME_NET any -> [186.99.155.196] 8093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283181/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283181; rev:1;)
# Exact-name DNS match on a dynamic-DNS hostname; the name can be repointed, so the
# address-based rules may go stale while this rule keeps matching the lookup.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njnegro8093.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283182/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283182; rev:1;)
alert tcp $HOME_NET any -> [103.140.186.8] 58091 (msg:"ThreatFox BlueShell botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283183; rev:1;)
alert tcp $HOME_NET any -> [52.77.230.248] 80 (msg:"ThreatFox BlueShell botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283184; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~druel10/wordpress/"; depth:20; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283176; rev:1;)
# Reviewer notes for the rules below (generated from ThreatFox IOCs; each sid is the
# IOC id from reference:url prefixed with 9).
# - "url" rules (alert http) fire on a client GET whose URI begins with the listed
#   path (depth anchors the start only; nocase makes the path case-insensitive) and
#   whose http.host buffer equals the listed host exactly (depth plus
#   isdataat:!1,relative). They inspect only traffic Suricata parses as HTTP; the
#   same URL requested over TLS is not visible to them.
# - "ip:port" rules (alert tcp) carry no flow or payload keywords, so any TCP packet
#   from $HOME_NET to that address and port matches. threshold limits each rule to
#   one alert per source per 60 seconds.
# - "domain" rules (alert dns) require the dns_query buffer to equal the listed name
#   exactly, case-insensitively; queries for subdomains of that name do not match.
# - "payload delivery" vs "botnet C2 traffic" in msg is the feed's threat type; all
#   rules use classtype:trojan-activity regardless.
alert tcp $HOME_NET any -> [185.251.91.214] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283179; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.122] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283177; rev:1;)
# check-ftp.ru appears twice in this block: this domain rule at confidence 50 and a
# url rule (sid 91283170) at confidence 100. A lookup followed by the cleartext GET
# produces one alert from each.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"check-ftp.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom-equity-plan-agreement"; depth:30; nocase; http.host; content:"yorkbrooks.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"firebirdimages.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxydncg.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faq"; depth:4; nocase; http.host; content:"xxydncg.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"check-ftp.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/08/10/how-can-i-cancel-my-internet-contract-without-paying/"; depth:65; nocase; http.host; content:"selwoodconsultants.co.ke"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283169; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.122] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pas0uqnfi0zec8kvhkn8cmhkhpai3u/fusionclientdownloader.exe"; depth:58; nocase; http.host; content:"prodfindfeatures.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283137; rev:1;)
# sids 91283132 and 91283133 have identical match conditions (GET /api/session on
# 206.166.251.114); one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/session"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/session"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/session"; depth:12; nocase; http.host; content:"retdirectyourman.eu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283134; rev:1;)
# sids 91283135 and 91283136 are likewise identical apart from sid and reference
# (same .exe path on 206.71.149.46).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pas0uqnfi0zec8kvhkn8cmhkhpai3u/fusionclientdownloader.exe"; depth:58; nocase; http.host; content:"206.71.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pas0uqnfi0zec8kvhkn8cmhkhpai3u/fusionclientdownloader.exe"; depth:58; nocase; http.host; content:"206.71.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prodfindfeatures.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283138; rev:1;)
# Reviewer notes for the rules below (generated from ThreatFox IOCs; each sid is the
# IOC id from reference:url prefixed with 9).
# - "ip:port" rules (alert tcp) carry no flow or payload keywords, so any TCP packet
#   from $HOME_NET to that address and port matches; an alert can reflect a
#   connection attempt rather than a completed session. threshold limits each rule
#   to one alert per source per 60 seconds.
# - "url" rules (alert http) fire on a client GET whose URI begins with the listed
#   path (depth anchors the start only; nocase makes the path case-insensitive) and
#   whose http.host buffer equals the listed host exactly (depth plus
#   isdataat:!1,relative). They inspect only traffic Suricata parses as HTTP.
# - "domain" rules (alert dns) require the dns_query buffer to equal the listed name
#   exactly, case-insensitively; queries for subdomains of that name do not match.
# - Several addresses here have both an ip:port rule on 80 and url rules, so a
#   single cleartext request can raise more than one alert for the same host.
alert tcp $HOME_NET any -> [206.71.149.46] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283139; rev:1;)
alert tcp $HOME_NET any -> [206.71.149.46] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283140; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retdirectyourman.eu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283141; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"erhvervsundhed.dk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"retdirectyourman.eu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283154; rev:1;)
# sids 91283155 and 91283156 have identical match conditions (GET /api/connect on
# 206.166.251.114); one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283156; rev:1;)
# sids 91283157-91283160 are four confidence-75 rules (two url, one ip:port, one
# domain); only the ip:port rule names a malware family in msg (Ousaban).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagens/bo/inspecionando.php"; depth:29; nocase; http.host; content:"ebaoffice.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exercito/inspecionando.php"; depth:27; nocase; http.host; content:"109.110.184.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283158; rev:1;)
alert tcp $HOME_NET any -> [109.110.184.31] 80 (msg:"ThreatFox Ousaban botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ebaoffice.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283160; rev:1;)
# The remaining url rules use short, generic-looking paths (/push, /j.ad, /g.pixel);
# the exact http.host condition is what keeps them from matching unrelated sites.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.210.9.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"206.233.133.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"192.144.219.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283162/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_06_07; classtype:trojan-activity; sid:91283162; rev:1;)
# Reviewer notes for the rules below (generated from ThreatFox IOCs; each sid is the
# IOC id from reference:url prefixed with 9).
# - "url" rules (alert http) fire on a client GET whose URI begins with the listed
#   path (depth anchors the start only, so "/pixel" also matches "/pixel.gif";
#   nocase makes the path case-insensitive) and whose http.host buffer equals the
#   listed host exactly (depth plus isdataat:!1,relative). The host condition is
#   what keeps generic paths such as /cm or /updates.rss from matching other sites.
#   These rules inspect only traffic Suricata parses as HTTP.
# - "ip:port" rules (alert tcp) carry no flow or payload keywords, so any TCP packet
#   from $HOME_NET to that address and port matches; an alert can reflect a
#   connection attempt rather than a completed session. threshold limits each rule
#   to one alert per source per 60 seconds.
# - "domain" rules (alert dns) require the dns_query buffer to equal the listed name
#   exactly, case-insensitively; queries for subdomains of that name do not match.
# - Most url rules here are paired with a Cobalt Strike ip:port rule for the same
#   address. Where the paired port is 443 and the server speaks TLS, only the
#   ip:port rule can fire; where it is 80, one request can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283161; rev:1;)
alert tcp $HOME_NET any -> [47.92.24.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.92.24.58"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283149; rev:1;)
alert tcp $HOME_NET any -> [116.204.73.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/xxx"; depth:8; nocase; http.host; content:"116.204.73.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283147; rev:1;)
alert tcp $HOME_NET any -> [64.94.84.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atlanticshoresresort.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/v6.04/wwuf3e1d"; depth:21; nocase; http.host; content:"atlanticshoresresort.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283144; rev:1;)
# confidence_level 50, address and port only: corroborate before acting on a hit.
alert tcp $HOME_NET any -> [162.14.116.25] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283131; rev:1;)
alert tcp $HOME_NET any -> [103.253.43.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"103.253.43.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"1.92.96.35"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"193.53.126.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283126; rev:1;)
alert tcp $HOME_NET any -> [193.53.126.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283127; rev:1;)
alert tcp $HOME_NET any -> [107.172.32.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.172.32.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283124; rev:1;)
# 35.74.6.169 is covered by two url rules (/pixel, /updates.rss) and an ip:port
# rule on 80, so one cleartext request to it can raise a url alert and the ip:port
# alert together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283122; rev:1;)
alert tcp $HOME_NET any -> [35.74.6.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283120; rev:1;)
alert tcp $HOME_NET any -> [35.74.6.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283121; rev:1;)
# url rule for a C2 address: GET, URI starting with "/ptj" (case-insensitive,
# no end anchor), Host exactly the listed IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.137.182.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283119; rev:1;)
# "payload delivery" url rules: same shape as the C2 url rules (GET, URI
# prefix, exact lowercase Host). They inspect the client request only
# (flow:established,from_client and request buffers), so an alert shows that
# the URL was requested, not that a response was returned or run.
# NOTE(review): "/reports.php" recurs on otherwise unrelated hostnames here;
# these look like compromised sites sharing one path - confirm via the
# reference URLs before treating the hostname itself as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/airline-baggage-agreement/"; depth:27; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ependyseis.com.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stamping-fee-for-sp-agreement/"; depth:31; nocase; http.host; content:"saasfeerentals.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"energotechnika.com.pl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283098; rev:1;)
# ip:port rules at confidence 50 with family "Unknown malware": no flow or
# payload options, so the destination address and port are the whole match and
# a bare connection attempt is enough; threshold gives one alert per source IP
# per 60 seconds.
# NOTE(review): the only signal of the lower confidence at alert time is the
# msg text and the confidence_level metadata key; triage should corroborate
# with host or proxy evidence before escalating.
alert tcp $HOME_NET any -> [91.214.78.27] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283113; rev:1;)
alert tcp $HOME_NET any -> [129.211.13.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283112; rev:1;)
alert tcp $HOME_NET any -> [104.168.152.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283111; rev:1;)
alert tcp $HOME_NET any -> [179.13.2.154] 2250 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283110; 
rev:1;)
# ip:port rules, all confidence 50, first_seen 2024_06_07. With no flow or
# payload options the destination address and port are the entire match, so a
# single outbound packet (including an unanswered connection attempt) alerts;
# threshold caps each rule at one alert per source IP per 60 seconds.
# NOTE(review): several of these sit on ports that ordinary services also use
# (443, 995, 22, 445), so nothing but the address separates them from normal
# traffic. Addresses get reassigned; review or expire these entries as the
# first_seen date ages.
alert tcp $HOME_NET any -> [187.147.96.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283109; rev:1;)
alert tcp $HOME_NET any -> [67.0.216.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283108; rev:1;)
alert tcp $HOME_NET any -> [91.105.3.223] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283107; rev:1;)
alert tcp $HOME_NET any -> [2.50.35.165] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283106; rev:1;)
# Port 445 destinations outside $HOME_NET: the rule only proves a packet was
# sent toward the address, not that an SMB session was established.
alert tcp $HOME_NET any -> [95.164.7.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283105; rev:1;)
alert tcp $HOME_NET any -> [54.219.6.25] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283104; rev:1;)
alert tcp $HOME_NET any -> [181.237.195.93] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283103; rev:1;)
alert tcp $HOME_NET any -> [20.56.35.166] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283101; rev:1;)
alert tcp $HOME_NET any -> [162.55.63.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283100; rev:1;)
# url rule at confidence 50: GET with a URI starting "/mozi.m" (no end anchor,
# case-insensitive) and Host exactly the listed IP literal. Matches the request
# only, so it does not show whether anything was downloaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.196.132"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283099; rev:1;)
alert tcp $HOME_NET any -> [54.254.91.191] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283085; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dressyrsnack.se"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91282715; rev:1;)
# ip:port rules: no flow or payload options, so destination address and port
# are the whole match and an unanswered connection attempt is enough to alert;
# threshold caps each rule at one alert per source IP per 60 seconds.
# Three of the four are confidence 50 with family "Unknown malware".
alert tcp $HOME_NET any -> [41.216.182.178] 655 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283082; rev:1;)
alert tcp $HOME_NET any -> [62.72.45.179] 22222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283083; rev:1;)
alert tcp $HOME_NET any -> [43.134.17.236] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283084; rev:1;)
alert tcp $HOME_NET any -> [194.233.90.144] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283086; rev:1;)
# "payload delivery" url rules: GET, URI starting with the listed path
# (case-insensitive, no end anchor), Host exactly the listed lowercase name.
# Request-side only: an alert means the URL was requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"edu.ngoinhatienganh.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom-equity-plan-agreement/"; depth:31; nocase; http.host; content:"yorkbrooks.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"embracethewater.wondermeeting.se"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283096; rev:1;)
# NOTE(review): the next rule (sid:91282714) has the same match options as
# sid:91282715 at the top of this span - same "/reports.php" prefix, same Host
# "dressyrsnack.se" - and differs only in reference and sid. One request raises
# both alerts; de-duplicate downstream or suppress one sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dressyrsnack.se"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91282714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moderncssframeworks.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282630/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91282630; rev:1;)
# Run of url rules at confidence 80 that differ only in Host, reference and
# sid: GET, URI starting with "/ocvupwbr7dfirxmf/" (case-insensitive, no end
# anchor), Host exactly the listed lowercase name. msg names no malware family.
# NOTE(review): presumably one campaign rotating hostnames - confirm via the
# reference URLs. Because Host must match exactly, a hostname that is not
# listed raises nothing; the shared URI prefix is the common element to search
# for in HTTP or proxy logs when looking for hosts missing from the feed.
# These rules see cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hediyesepetcidepoz.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"cocuklukankarakoc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"evsizlikmerkezvaz.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sagliklidayanikliq.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282375; rev:1;)
# The one ".xyz" host in this run; every other listed host is under ".top".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"huzursuzoyundunqa.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sevgiliaskcekilis.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hatirlaunutmauyan.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"guzelresimlerqazan.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sogukkanlifirtina.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kelimelermekaniq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"cikaracolukcagiz.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kahvehanekeyfian.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"baslayalimcalism.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kelebekortulerqoq.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sorunludavranisvu.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"nehirkenariyozca.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"mutlusunakyollar.top"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282388/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282388; rev:1;)
# url rules at confidence 80 that differ only in Host, reference and sid:
# GET, URI starting with "/ocvupwbr7dfirxmf/" (case-insensitive, no end
# anchor), Host exactly the listed lowercase ".top" name. msg names no family.
# NOTE(review): Host is an exact match (depth plus isdataat:!1,relative), so
# only the hostnames listed here alert; presumably a rotating set for one
# campaign - confirm via the reference URLs. Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"buyuluaynalarqizq.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282389/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hafizadondurucuq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282390/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"gizlimucizelervar.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282391/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"inandiricibakisvu.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282392/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kelebekleroyunuq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282394/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"vazgecilmezlikvur.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282393/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hayattansikayetim.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282395/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"nefeskesenfirtina.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282396/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"keskecokdileyipto.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"guzelliklervarqac.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282397/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"isteklergelirgiz.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"saskinalacagimiz.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282400/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sabirsizlaniyorum.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"rahatlikbuyukuyar.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kalptenbagnazimi.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"gucunuzetkilerqo.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282404; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 15023 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; 
classtype:trojan-activity; sid:91282405; rev:1;)
# domain rules (alert dns): fire on a DNS query from $HOME_NET whose name equals
# the listed value exactly and case-insensitively (depth equals the pattern
# length, isdataat:!1,relative forbids trailing bytes, nocase). A query for a
# subdomain of a listed name, or for any other name in the same zone, does not
# match. dns_query is the older spelling of the dns.query buffer.
# NOTE(review): an alert shows that a host asked for the name, not that it
# connected to the answer. If clients resolve through an internal resolver, the
# src_ip marked as target may be the resolver - confirm sensor placement.
# The rules below are confidence 75, first_seen 2024_06_07.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"profilepimpz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"versaillesinfo.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ankokunews.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bkller.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"calgarycarfinancing.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"epsross.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jorzineonline.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283091; rev:1;)
# From here on: confidence 100, first_seen 2024_06_06. Many of these names sit
# under shared hosting or dynamic-DNS style parent zones (duckdns.org, ddns.net,
# ddnsfree.com, warzonedns.com, ply.gg, home-webserver.de); the exact match
# covers only the single listed hostname, never the parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad.jabils.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gentradings007.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrzn.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"43030warzone.warzonedns.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bossnew.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itself-lf.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad.unicornsupplychains.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securenetwindows.ddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kolaw.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"innomac.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrat2021.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrrichie.ddnsfree.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warzonlogs.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitehvd2.home-webserver.de"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283070; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projex0192.rapiddns.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avira-antivirus.ydns.eu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khan041.freeddns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wz-lk.giftsbybierd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoldwold.zanity.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"eurolord.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"website-racing.at.playit.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dultrasolutions.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akwz.mypets.ws"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comblinez.ignorelist.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"princeofperkia.ddns.net"; depth:23; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glotreobmoenry.sytes.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win64pooldrv.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akcay.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recieviblrggg.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spectrami12.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283051/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love.pure-luck.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"halal.home-webserver.de"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23543254365-58443.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypterfile.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newbroobi.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91283048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsupdate2024.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srvzone.gleeze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benzkartel.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oxb2021.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linelink-linesn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"newone1.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sgh2024.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonnersturma-31352.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakriexports.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpraz.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"burger042.ddnsfree.com"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingbecld.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"su8z3r0.myvnc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabillo.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apostlejob2.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccduckdonald.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283030/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makatti.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtuallogoprepaidmax.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dansjueis.3utilities.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subal7.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chenchecnnn.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91283027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcwillis.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mangomanga.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thebeast415.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sept06.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebelxxd2.publicvm.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"boldwold.home.kg"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobibaobobo.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wz-patient001.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l34d3r.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283017; rev:1;) alert tcp $HOME_NET any -> [109.248.151.69] 42255 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283015; rev:1;) alert tcp $HOME_NET any -> [103.199.17.61] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1283016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283016; rev:1;) alert tcp $HOME_NET any -> [191.101.193.159] 3800 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283012; rev:1;) alert tcp $HOME_NET any -> [194.49.68.246] 8912 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283013; rev:1;) alert tcp $HOME_NET any -> [173.212.199.134] 6611 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283014; rev:1;) alert tcp $HOME_NET any -> [178.124.140.145] 28199 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283010; rev:1;) alert tcp $HOME_NET any -> [194.5.97.8] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283011; rev:1;) alert tcp $HOME_NET any -> [23.106.121.172] 3200 (msg:"ThreatFox Ave 
Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283009; rev:1;) alert tcp $HOME_NET any -> [185.140.53.185] 2844 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283006; rev:1;) alert tcp $HOME_NET any -> [185.19.85.183] 5208 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283007; rev:1;) alert tcp $HOME_NET any -> [172.93.222.206] 61134 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283008; rev:1;) alert tcp $HOME_NET any -> [172.98.71.154] 59226 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283003; rev:1;) alert tcp $HOME_NET any -> [108.62.118.131] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283004/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91283004; rev:1;) alert tcp $HOME_NET any -> [192.236.249.173] 2709 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283005; rev:1;) alert tcp $HOME_NET any -> [84.38.130.205] 40209 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283000; rev:1;) alert tcp $HOME_NET any -> [79.134.225.11] 3839 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283001; rev:1;) alert tcp $HOME_NET any -> [5.253.84.218] 6500 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283002; rev:1;) alert tcp $HOME_NET any -> [167.94.7.143] 3456 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282998; rev:1;) alert tcp $HOME_NET any -> [64.188.13.46] 13372 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282999; rev:1;)
# Ave Maria C2 endpoints published as ip:port IOCs (confidence_level 100, first_seen 2024_06_06).
# Ave Maria is also tracked as Warzone RAT.
# The only match criteria are the destination address and port: there is no flow,
# app-layer or payload condition, so an alert shows traffic from $HOME_NET toward the
# endpoint, not a confirmed C2 session.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one alert
# per source host per 60 seconds; it does not narrow what matches.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
# NOTE(review): ip:port indicators go stale once an address is reassigned; check a hit
# against first_seen and the referenced ThreatFox entry before acting on it.
alert tcp $HOME_NET any -> [2.56.59.221] 5215 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282997; rev:1;)
alert tcp $HOME_NET any -> [161.129.36.61] 2312 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282995; rev:1;)
alert tcp $HOME_NET any -> [94.131.110.60] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282996; rev:1;)
alert tcp $HOME_NET any -> [38.255.43.179] 6789 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282994; rev:1;)
alert tcp $HOME_NET any -> [65.108.26.146] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282991; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.52] 11101 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282992; rev:1;)
alert tcp $HOME_NET any -> [3.137.210.150] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282993; rev:1;)
alert tcp $HOME_NET any -> [45.143.146.112] 7865 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282988; rev:1;)
alert tcp $HOME_NET any -> [103.212.81.155] 1916 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282989; rev:1;)
alert tcp $HOME_NET any -> [161.97.88.42] 45266 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282990; rev:1;)
alert tcp $HOME_NET any -> [193.142.58.28] 53698 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282985; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.91] 1866 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282986; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.45] 49173 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282987; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.213] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282983; rev:1;)
alert tcp $HOME_NET any -> [147.124.214.249] 65210 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282984; rev:1;)
alert tcp $HOME_NET any -> [45.74.4.244] 5205 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282980; rev:1;)
alert tcp $HOME_NET any -> [45.124.54.94] 5590 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282981; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.138] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282982; rev:1;)
alert tcp $HOME_NET any -> [96.9.225.105] 61861 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282977; rev:1;)
alert tcp $HOME_NET any -> [172.94.14.49] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282978; rev:1;)
alert tcp $HOME_NET any -> [23.106.121.172] 1964 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282979; rev:1;)
alert tcp $HOME_NET any -> [37.120.159.243] 11904 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282975; rev:1;)
alert tcp $HOME_NET any -> [51.143.13.25] 4400 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282976; rev:1;) alert tcp $HOME_NET any -> [84.38.132.126] 59937 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282973; rev:1;) alert tcp $HOME_NET any -> [192.3.152.217] 48974 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282974; rev:1;) alert tcp $HOME_NET any -> [194.5.97.10] 3638 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282971; rev:1;) alert tcp $HOME_NET any -> [109.248.144.183] 60567 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282972; rev:1;) alert tcp $HOME_NET any -> [172.245.244.106] 7889 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282968; rev:1;) alert tcp $HOME_NET any -> [185.140.53.188] 4020 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282969; rev:1;) alert tcp $HOME_NET any -> [140.82.17.48] 5100 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282970; rev:1;) alert tcp $HOME_NET any -> [45.137.22.105] 4821 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282967; rev:1;) alert tcp $HOME_NET any -> [38.153.157.23] 2202 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282964; rev:1;) alert tcp $HOME_NET any -> [185.223.28.102] 5252 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282965; rev:1;) alert tcp $HOME_NET any -> [144.172.72.234] 2221 (msg:"ThreatFox Ave Maria 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282966; rev:1;) alert tcp $HOME_NET any -> [194.147.140.135] 8247 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282961; rev:1;) alert tcp $HOME_NET any -> [185.140.53.13] 3431 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282962; rev:1;) alert tcp $HOME_NET any -> [217.151.98.163] 6093 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282963; rev:1;) alert tcp $HOME_NET any -> [107.173.4.16] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282958; rev:1;) alert tcp $HOME_NET any -> [193.22.99.92] 5599 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282959/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91282959; rev:1;) alert tcp $HOME_NET any -> [185.45.193.18] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282960; rev:1;) alert tcp $HOME_NET any -> [173.212.199.134] 2121 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282956; rev:1;) alert tcp $HOME_NET any -> [46.183.222.92] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fontdrvhost.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prepepe.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"jimmy.axfree.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equipemaverick.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.oteqprojects.co.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veronikaa.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morasergiov.ac.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erolbasa.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marktravel.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evans1990.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gconnect.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carecureco.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secureredirectinfo.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91282942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solarhomesflorida.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazooyaar.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collegesboard.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtqt.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcee1990.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"gimermarkett.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vu.zzux.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tel4s6.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndy.cloudbot.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibroot.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggtyyu.pw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282931/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkcoder.com.tr.ht"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgibin.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yungfang.co.vu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pretorian.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fair.le-pearl.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282926; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hanxlas.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"courtneysdv.ac.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spamcxcs.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaonyisi.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zvv.asia"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kapsengineers.cf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malcacnba.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morasegio.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almed-trading.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bradaltman.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsefsfeg.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282914/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fieldhockeygoalies.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielmax.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kckark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malarcvgs.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"st4q2p.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282909; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singsing.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mark02.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zubroxmack.cf"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrisupdated.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projecty.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sl9xa73g7u3eo07wt42n7f4vin5fzh.biz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282905; rev:1;)
# ThreatFox domain IOCs: each rule alerts when a $HOME_NET host sends a DNS query for exactly the listed name.
# How the match is anchored: depth equals the content length and isdataat:!1,relative requires that nothing
# follows the match, so the whole query name must equal the domain (case-insensitive via nocase). A query for a
# subdomain of a listed name, or for a longer name that merely contains it, does not alert.
# The first and last lines of this run are halves of rules that the page wraps across line breaks; they are kept
# as found. NOTE(review): a rule has to sit on one line (or use backslash continuation) to load - compare with
# the upstream feed before deploying.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ademg.ug"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.m-fit.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"golfhomexpresx.ir"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virzx.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eesss.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamesrlon.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleaiasko.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reteroporino.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hp-tv.tk"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiq.club"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secureconnection.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"92g938uextmgvb7rllv8wcad.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5llion.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndy.derg.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glancehcs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"manguerassorna.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282894; rev:1;)
# ThreatFox domain IOCs: each rule alerts on a DNS query from $HOME_NET for exactly the listed name
# (depth equals the content length and isdataat:!1,relative forbids trailing bytes, so only that name matches).
# Several entries are hosts under a shared parent: destad.axfree.com and notedemo.axfree.com,
# raslack.axwebsite.com, clemody.duckdns.org (duckdns.org is a dynamic-DNS service) and ck7.mooo.com
# (presumably also a shared or free-DNS parent - verify). Only these exact hostnames alert; when an IOC is
# turned into a block, block the listed FQDN rather than the parent, which unrelated tenants share.
# The first and last lines of this run are halves of rules wrapped across line breaks; kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linm.thetxt.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hersheystyles.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"destad.axfree.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odminponel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lg-tvproducts.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"timecforgoodnes.ml"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notedemo.axfree.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clemody.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gemsbundle.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hikark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwipl.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raslack.axwebsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projectblackhat.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhd9999.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ck7.mooo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"colonna.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282878; rev:1;)
# ThreatFox domain IOCs: each rule alerts on a DNS query from $HOME_NET for exactly the listed name
# (depth equals the content length and isdataat:!1,relative forbids trailing bytes).
# target:src_ip marks the querying internal host as the target (victim) side in the alert record.
# The msg says "C2 traffic", but what is matched is a name lookup only: treat an alert as a lead and confirm
# with follow-on connections to the resolved address or with endpoint telemetry before declaring a compromise.
# The first and last lines of this run are halves of rules wrapped across line breaks; kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"centarcrkva.rs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"try.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgp.opcache.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuscan-travel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thekurva.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irk1990.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjggvbc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agencybro.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8.crabdance.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ssq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nedu1994.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmorbertomo.ac.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dllion.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4llion.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmdevelopment.tech"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"maurizio.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282862; rev:1;)
# ThreatFox domain IOCs: each rule alerts on a DNS query from $HOME_NET for exactly the listed name
# (depth equals the content length and isdataat:!1,relative forbids trailing bytes).
# None of these rules carries a threshold, so every matching query raises an alert; a host that keeps retrying
# a lookup produces a stream of identical events (rate-limit per sid in threshold.config if that gets noisy).
# The header is $HOME_NET -> $EXTERNAL_NET: where clients ask an internal recursive resolver, the alert's
# src_ip is likely the resolver, not the client that asked - use resolver query logs to find the real host.
# The first and last lines of this run are halves of rules wrapped across line breaks; kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0575754.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gisfvui.bankfab.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samkoproducts.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cabvui.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alazlfa.cf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gordonhk.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gervenez.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfbrice.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samsungprod.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cubicatransport.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spetralnet2.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaegchigruigb.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"archosk.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaragoza.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stanelectronics.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"irkark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282845; rev:1;)
# ThreatFox domain IOCs: each rule alerts on a DNS query from $HOME_NET for exactly the listed name
# (depth equals the content length and isdataat:!1,relative forbids trailing bytes).
# Every rule here carries metadata confidence_level 100 and first_seen 2024_06_06. first_seen is presumably the
# date ThreatFox first recorded the IOC; it does not show that the domain is still attacker-controlled (domains
# expire, get sinkholed or are re-registered). Check the entry at the reference URL when triaging an alert.
# The first and last lines of this run are halves of rules wrapped across line breaks; kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.blsasco.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fine.le-pearl.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chikkark.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebeksarayi.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterwork.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mast3r.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fredarlessonmark.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e4v5sa.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kullasa.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tecnomedica.com.py"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duiy.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2tril.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ra.adriansbruce.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yrhealth.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpsthree.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"tomasisa.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282828; rev:1;)
# ThreatFox domain IOCs: each rule alerts on a DNS query from $HOME_NET for exactly the listed name
# (depth equals the content length and isdataat:!1,relative forbids trailing bytes).
# Each sid is the ThreatFox IOC id from the reference URL with a leading 9 (ioc/1282829 -> sid:91282829), so
# the sid on an alert leads straight to the ThreatFox entry for context.
# support121.ddns.net and msdd.x24hr.com look like dynamic-DNS hostnames (verify); exact matching keeps these
# rules from firing on other hosts under the same parent domains.
# The first and last lines of this run are halves of rules wrapped across line breaks; kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagaggahehehqwe.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostisgerhg.tk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkangel.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giuseppex.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hzq.club"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pabloq.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support121.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tikwish.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orisinlog.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fragly.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestbundledealer.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzz.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msdd.x24hr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ivchenkosvetlana.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21slg.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"madamongo.gq"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282812; rev:1;)
# ThreatFox domain IOCs: each rule alerts on a DNS query from $HOME_NET for exactly the listed name
# (depth equals the content length and isdataat:!1,relative forbids trailing bytes).
# dns_query is the older spelling of the dns.query sticky buffer: the content match that follows it is applied
# to the query name only. These rules inspect DNS the sensor can parse; lookups carried over DoH or DoT are not
# visible to them, so the absence of alerts is not evidence that a host never resolved these names.
# The first and last lines of this run are halves of rules wrapped across line breaks; kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edkark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brakiporodica.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spacelogsapp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oilproduce.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"any.anycarservice.ae"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quisha.axwebsite.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worthknowing.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friktomb.cf"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterwork2.co.vu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taenaiaa.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.oteqprojects.co.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamyviolet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"letitburns.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buck-mhe.cf"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serhuwadwtr.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"evakark.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"str1str2.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luckydaddy.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zdd.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastercard.ru.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodcircus.ro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282786/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282786; rev:1;)
# Direction of the rules below: DNS queries from $HOME_NET to $EXTERNAL_NET only.
# Where clients resolve through a recursive resolver inside $HOME_NET (and
# $EXTERNAL_NET excludes $HOME_NET), the client-to-resolver query is not
# matched. The alert is then raised on the resolver's upstream lookup, and
# target:src_ip marks the resolver rather than the host that asked, so triage
# needs the resolver's query log to identify the client.
# NOTE(review): lookups carried over DoH/DoT are presumably not visible to the
# dns_query buffer; confirm against sensor placement and TLS handling.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raymond.ug"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shivabhaiji.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chika1995.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybersd.axfree.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5azc.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a343345.me"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiq.icu"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hzq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"levitt.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"floorsatregency.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notedrives.tr.ht"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vegas2e.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"internetstores.co.vu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"regay.ac.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtgtradings.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvscreen.co.vu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dellproductz.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accdemo.axwebsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robbmaterials.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboliki.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxze.co.nu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12345678987654321.link"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"master101work.co"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notedemo.com.tr.ht"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzworx.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5azc.club"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onenote.com.tr.ht"; depth:17;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282761; rev:1;)
# Keyword notes for the DNS rules below:
# - dns_query is the legacy spelling of the dns.query sticky buffer; the
#   content, depth and isdataat keywords after it are evaluated against the
#   queried name.
# - nocase is written after isdataat but is a modifier of the preceding
#   content keyword, not of isdataat.
# - fast_pattern marks the domain string as the pattern handed to the
#   multi-pattern prefilter; it is the only content in each rule.
# - depth plus isdataat:!1,relative make each rule an exact-name match, so a
#   longer name that merely contains the string does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modexdeals.ir"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebatsosatpizdec.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chika1992.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsagoi.ac.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lettingos.co.vu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mantis.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vegas1e.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k6vq28tbjbz5rhjsgtm3gmsy.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wellsfargocs.ddns.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratienoinino.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"califood.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takpo.biz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eurob.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scarsa.ac.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sailent.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.emailonlinechase.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"payddes.axfree.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bakas1e.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jessecoltd.ir"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postalresolve.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corinthiano.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paulahensingor.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domazy.ga"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novget.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tycoonelite.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikramonayparibuda.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282737; rev:1;)
alert dns $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milsom.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282738; rev:1;)
# Operational notes for the DNS rules below:
# - Every rule carries confidence_level 100 and first_seen 2024_06_06 in its
#   metadata; those keys can be used downstream to filter or age out entries.
# - None of these rules has a threshold keyword, so each matching query
#   produces its own alert; a host that retries a lookup will repeat the alert.
# - The msg text names no malware family; the reference URL is the only
#   pointer to the ThreatFox entry behind each domain.
# - Domain indicators go stale as names are abandoned or re-registered, so a
#   hit should be checked against the linked entry during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"augmentinprod.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jehovah-reigns.co.za"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbd.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twinsoul.co.za"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datafishers.club"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratinonanuere.pw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadia.ac.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kelbro.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bin1101oski.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazon3.serveuser.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"777.ultihost.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unitech.co.vu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carding.axfree.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marianne.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lizzard.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ourfirm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malscxa.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunwindz.in.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunqyuindia.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipc-nena.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9enternecera.ru.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9entrevera.sa.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soitaab.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no1geekfun.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aegismd.ca"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de4mon-p4nel.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgjeweller.mu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmcjo.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trafficbadassery.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dimensionluz.cl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b1xz.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web24host.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zenginler.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marbellacabs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adwa2tv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elsantos.co"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282701; rev:1;)
# DNS query indicators: depth equal to the content length plus isdataat:!1,relative
# makes each of these an exact, case-insensitive match on the whole query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcharglaw.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smarteyecare.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pplonline.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282704; rev:1;)
# --- HTTP URL indicators (ThreatFox "url" IOCs) ---
# These rules inspect established client-to-server HTTP traffic whose method
# buffer contains "GET".
# NOTE(review): in the rules that carry only an http.uri condition, the content is
# a hostname or IP address (e.g. "dantsechs.net", "45.85.90.220") anchored by depth
# at the start of the URI buffer, and there is no http.host condition. A request
# URI normally begins with "/", so these signatures are unlikely to fire on
# ordinary requests -- check the IOC entry behind each reference URL and validate
# with test traffic before counting them as coverage. The fully specified form in
# this same group keeps the path in http.uri and the exact host in http.host
# (sid:91282683, sid:91282678, sid:91282676).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dantsechs.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1282691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tel9e.xyz"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1282688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lomidut.tk"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.85.90.220"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1282690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"xpensive.xyz"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1282685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"boeinq.co"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1282686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bsig99.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bctpump.us"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282682; rev:1;)
# Host-anchored form: the URI only has to start with "/", so any GET to this exact
# host value matches; the host comparison is exact (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.206.214.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"sbrenind.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1282684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tel1e4.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"basig5.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282681; rev:1;)
# ip:port indicator: the rule has no payload or flow keywords, so any TCP packet
# from $HOME_NET to this address and port matches; threshold limits output to one
# alert per source address per 60 seconds. On its own a hit shows traffic towards
# the endpoint, not an established or confirmed C2 session.
alert tcp $HOME_NET any -> [52.70.77.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282679; rev:1;)
# URL indicators with both a path prefix (http.uri, anchored by depth) and an exact
# host (http.host). The URI has no end anchor, so longer paths and query strings
# that begin with the listed prefix also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btn_bg.html"; depth:12; nocase; http.host; content:"bimnall.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282678; rev:1;)
# NOTE(review): the hostname in the next two rules is under cloudfront.net,
# presumably a CDN distribution name; both rules match that one hostname exactly
# and never the CDN domain as a whole.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d18j3cpsvifpk9.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btn_bg.html"; depth:12; nocase; http.host; content:"d18j3cpsvifpk9.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"158.247.222.223"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282675; rev:1;)
# --- DNS query indicators (ThreatFox "domain" IOCs) ---
# Each rule alerts on a DNS query from $HOME_NET towards $EXTERNAL_NET for one
# specific name. depth:N equals the content length and isdataat:!1,relative
# requires that nothing follows the match, so with nocase the comparison is an
# exact, case-insensitive match on the whole query name.
# NOTE(review): many names in this group sit under what appear to be dynamic-DNS
# or port-forwarding/tunnel provider domains (ddns.net, duckdns.org, hopto.org,
# zapto.org, portmap.host, ply.gg, ...). The rules match only the listed hostname,
# never the provider domain, so other customers of the same provider do not
# trigger them. Records of this kind can presumably be re-pointed or abandoned
# quickly; weigh first_seen 2024_06_06 when deciding how long to keep these enabled.
# NOTE(review): where clients resolve through an internal resolver, the alerting
# source is presumably that resolver; queries over DoH/DoT are not visible here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binaryassassins2.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conflicker-35081.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7vety-47274.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"independent-cartoons.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigtitties.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"user5698921.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vam0vsem0pizda.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kissmyasshole.myddns.me"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sulumantest.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anime.ddnsking.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loocarpoint.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mvncentral.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owo-whats-this.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laraloveu-49133.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dontreachme2.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"increased-religious.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"try-belly.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"title-connectors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"general5555-46584.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanonana24.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alternative-residents.gl.at.ply.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bambuvn.webhop.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solution-fiscal.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ligeon.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graphics-absorption.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd1ad2.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"live-promotions.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malwaretest.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"femboy.serveminecraft.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonamedc.mcv.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riskama.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"following-s.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"story-towers.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"centre-shaped.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrgrayhat.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"search-mrs.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"period-disabilities.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"growtopiagame1.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmoukoun.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uhhusk.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galrov2.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"medicine-pushing.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282634; rev:1;)
# DNS query indicators: depth equal to the content length plus isdataat:!1,relative
# makes each of these an exact, case-insensitive match on the whole query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obfuscated.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-dux-53.pointtoserver.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282631; rev:1;)
# --- ip:port indicators labelled "Orcus RAT" by the feed ---
# These rules have no payload, app-layer or flow keywords: any TCP packet from
# $HOME_NET to the listed address and port matches. threshold (type limit, track
# by_src, 60 s, count 1) caps output at one alert per source address per minute
# for each sid. On its own a hit shows traffic towards the endpoint, not an
# established or protocol-confirmed C2 session.
# 31.44.184.52 is listed with several different ports, one sid per port.
# NOTE(review): address-based indicators age quickly and an address may be shared
# or reassigned; first_seen here is 2024_06_06. Confirm the IOC is still current
# via its reference URL, and corroborate with host or flow data, before using a
# hit to block or to declare a compromise.
alert tcp $HOME_NET any -> [37.115.42.57] 12332 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282618; rev:1;)
alert tcp $HOME_NET any -> [94.103.83.231] 1379 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282619; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 56938 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282620; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 19705 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282621; rev:1;)
alert tcp $HOME_NET any -> [185.154.14.217] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282622; rev:1;)
alert tcp $HOME_NET any -> [172.94.54.88] 1756 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282623; rev:1;)
alert tcp $HOME_NET any -> [36.68.21.159] 1134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282624; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 34332 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282625; rev:1;)
alert tcp $HOME_NET any -> [77.105.161.143] 1268 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282626; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.16] 46469 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282627; rev:1;)
alert tcp $HOME_NET any -> [188.119.113.64] 1604 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282628; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 58576 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282629; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 4747 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282603; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 13642 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282604; 
rev:1;) alert tcp $HOME_NET any -> [194.33.87.67] 7707 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282605; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 58029 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282606; rev:1;) alert tcp $HOME_NET any -> [26.65.233.242] 10135 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282607; rev:1;) alert tcp $HOME_NET any -> [92.240.245.161] 8010 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282608; rev:1;) alert tcp $HOME_NET any -> [107.175.178.6] 30030 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282609; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 54431 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282610; rev:1;) alert tcp $HOME_NET any -> [58.172.73.190] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282611; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 29613 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282612; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 43660 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282613; rev:1;) alert tcp $HOME_NET any -> [80.85.140.103] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282614; rev:1;) alert tcp $HOME_NET any -> [94.156.8.26] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282615; rev:1;) alert tcp $HOME_NET any -> [26.98.233.13] 4433 (msg:"ThreatFox Orcus RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282616; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 65246 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282617; rev:1;) alert tcp $HOME_NET any -> [31.220.90.137] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282592; rev:1;) alert tcp $HOME_NET any -> [91.109.186.2] 1194 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282593; rev:1;) alert tcp $HOME_NET any -> [100.114.145.122] 7777 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282594; rev:1;) alert tcp $HOME_NET any -> [178.200.180.146] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282595/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91282595; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 36598 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282596; rev:1;) alert tcp $HOME_NET any -> [39.114.81.81] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282597; rev:1;) alert tcp $HOME_NET any -> [191.101.34.192] 58038 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282598; rev:1;) alert tcp $HOME_NET any -> [84.145.55.225] 5061 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282599; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 35081 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282600; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 63367 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282601; rev:1;) alert tcp $HOME_NET any -> [79.139.133.118] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282602; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 61815 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282587; rev:1;) alert tcp $HOME_NET any -> [78.101.85.87] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282588; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 10996 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282589; rev:1;) alert tcp $HOME_NET any -> [74.118.139.67] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282590; rev:1;) alert tcp $HOME_NET any -> 
[31.44.184.52] 40772 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282591; rev:1;) alert tcp $HOME_NET any -> [109.195.6.203] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282573; rev:1;) alert tcp $HOME_NET any -> [84.32.231.109] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282574; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 54772 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282575; rev:1;) alert tcp $HOME_NET any -> [158.247.250.127] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282576; rev:1;) alert tcp $HOME_NET any -> [193.124.65.108] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282577/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282577; rev:1;) alert tcp $HOME_NET any -> [104.250.175.179] 1756 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282578; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 23303 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282579; rev:1;) alert tcp $HOME_NET any -> [5.180.106.95] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282580; rev:1;) alert tcp $HOME_NET any -> [74.208.235.52] 27016 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282581; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 32154 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282582; rev:1;) alert tcp $HOME_NET any -> [93.157.168.72] 27667 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282583; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 64770 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282584; rev:1;) alert tcp $HOME_NET any -> [194.33.87.67] 50010 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282585; rev:1;) alert tcp $HOME_NET any -> [26.122.164.110] 10110 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282586; rev:1;) alert tcp $HOME_NET any -> [91.151.89.167] 1208 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282567; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 43279 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282568; rev:1;) alert tcp $HOME_NET any -> [47.37.131.144] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282569; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 64220 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282570; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 52251 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282571; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 59285 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siv/index.php"; depth:14; nocase; http.host; content:"piontx.ga"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"loqiworou7213.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"abnmz.akrn12.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"207.154.254.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"185.202.175.53"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; 
content:"rakaka.om-nom-nom.li"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"hellokitty.services"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ya/index.php"; depth:13; nocase; http.host; content:"egonla.futbol"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"lizard.pw"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"u-ri.icu"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282558/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91282558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"invalid666.zzz.com.ua"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/panel/index.php"; depth:20; nocase; http.host; content:"aquavictus.hr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"45.88.78.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"46.17.46.109"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~ygnwgnrp/gate.php"; depth:19; nocase; http.host; content:"mike.rivalserver.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petit/index.php"; depth:16; nocase; http.host; content:"petitbox.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"clusterpro.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/disk/index.php"; depth:15; nocase; http.host; content:"vitani.tk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; 
content:"pyttyu.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sdf41.club"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andromache/index.php"; depth:21; nocase; http.host; content:"mahnatkin.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"noforcingcarttf.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azo/gate.php"; depth:13; nocase; http.host; content:"siteverification.site"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282544/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"51.15.76.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"hostname.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sti/gate.php"; depth:13; nocase; http.host; content:"b-cointrade.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cashouts.tk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/547d5c/index.php"; depth:17; nocase; http.host; content:"baran.live"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/index.php"; depth:12; nocase; http.host; content:"bronze2.hk"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"au.tanto.pro"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"kinotoday.ug"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"gebbatrip.club"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282536; rev:1;)
# Where http.host holds an IP literal (e.g. sid 91282533), the match is on the
# Host header text, not on the destination address. A request to the same
# address carrying a different Host value does not alert, so cover the address
# itself with flow logs or an ip-based rule if that matters.
# ciuj.ir is matched here with /gray/index.php; each rule covers one
# host-and-path pair only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"2019-new.tk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1gw3/index.php"; depth:15; nocase; http.host; content:"185.195.236.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gray/index.php"; depth:15; nocase; http.host; content:"ciuj.ir"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kc/panel/index.php"; depth:19; nocase; http.host; content:"172.245.142.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282531; rev:1;)
# "alert http" rules fire only where Suricata's HTTP parser sees the request,
# i.e. cleartext HTTP or traffic decrypted upstream of the sensor.
# sid 91282530 anchors a 47-byte path with a UUID-style segment, which is far
# more specific than the bare /index.php rules beside it; for those, the exact
# host match carries the detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"84.38.132.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a6b3831-a96d-4936-815a-6f7c904ef9c0/index.php"; depth:47; nocase; http.host; content:"163.172.175.132"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/au/gate.php"; depth:12; nocase; http.host; content:"mcgua.com.ua"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"185.70.107.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"178.128.120.2"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282526; rev:1;)
# None of these http rules carries a threshold keyword, so every matching
# request raises its own alert; rate-limit per source in threshold.config if a
# beaconing host floods the alert stream.
# docusign.bit (sid 91282524) uses a non-ICANN TLD. NOTE(review): presumably it
# resolves only through alternative DNS; verify before relying on resolver logs
# to corroborate a hit.
# ciuj.ir is matched here with /showmoney/index.php only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"docusign.bit"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/showmoney/index.php"; depth:20; nocase; http.host; content:"ciuj.ir"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obinna/index.php"; depth:17; nocase; http.host; content:"jahblessus.gq"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekon/index.php"; depth:16; nocase; http.host; 
content:"141.105.64.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282523; rev:1;)
# target:src_ip marks the source address (the $HOME_NET client, given the rule
# direction) as the target in alert output, so triage starts at the internal
# endpoint that sent the request rather than at the remote server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"5.101.78.169"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8a16f818-e5a3-49ae-bf99-250e1f00b04e/index.php"; depth:47; nocase; http.host; content:"217.8.117.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x/index.php"; depth:12; nocase; http.host; content:"185.195.236.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~zadmin/amark/xplora/index.php"; depth:31; nocase; http.host; content:"physdigitech.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282519/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282519; rev:1;)
# metadata carries the feed's own scoring: confidence_level 100 and
# first_seen 2024_06_06. NOTE(review): first_seen is presumably the date the
# IOC was first reported, not a validity window; review or expire aged entries
# so that reassigned addresses and re-registered domains do not keep alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modez/3.2/index.php"; depth:20; nocase; http.host; content:"t1t2.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"bulbukito.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8205729e-d49f-49c3-831f-b7f116560634/index.php"; depth:47; nocase; http.host; content:"51.15.199.75"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"fyreplittgothin.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282514; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/045ba308-0877-4f9a-935d-9f1a174f7d38/index.php"; depth:47; nocase; http.host; content:"51.15.235.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282513; rev:1;)
# From sid 91282509 the listing moves to rules of one shape: GET, a URI that
# starts with /api, and an exact host match. "/api" with depth:4 is a prefix
# match only, so /api, /api/v1 and /apiary all satisfy the URI condition; the
# host equality is what identifies the traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goml/panel3/index.php"; depth:22; nocase; http.host; content:"193.56.28.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mag/index.php"; depth:14; nocase; http.host; content:"stastports.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"purefinishonerbrothsjke.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"economelogainyjusk.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282510; rev:1;)
# One rule per host keeps every IOC individually addressable by sid, at the
# cost of many near-identical signatures. Where that granularity is not needed,
# a single rule backed by a dataset of host names is an alternative.
# NOTE(review): if rules are consolidated, keep the per-IOC reference URLs
# somewhere searchable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"alcojoldwograpciw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"patternapplauderw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disagreemenywyws.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pearcyworkeronej.shop"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282505; rev:1;)
# Only GET is inspected here (http.method; content:"GET").
# NOTE(review): if the malware behind these /api endpoints checks in with POST,
# these rules stay silent; confirm the method against the ThreatFox IOC entry
# or a packet capture before counting on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"messtimetabledkolvk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preachbusstyoiwo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"poledoverglazedkilio.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"handbreeadretwaiw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282501; rev:1;)
# http.host is the normalised (lowercased) Host header, so the lowercase
# content strings match whatever case the client sent. The nocase keyword in
# these rules follows, and applies to, the http.uri content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"biographyfirmtrisie.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wastwfulldashiwnjs.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"horsedwollfedrwos.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tigerrfunerlariro.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"corruptioncrackywosp.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282496; rev:1;)
# surpriserangeloggypo.fun (sid 91282495) sits outside .shop while the rule is
# otherwise identical to its neighbours. Filtering or sinkholing by TLD would
# miss it, so keep matching on the full host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"surpriserangeloggypo.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rightchampionieo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"counterrailcrwu.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"survivalpersisttww.shop"; depth:23; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282492; rev:1;)
# flow:established,from_client limits evaluation to client-to-server data on
# flows Suricata tracks as established (from_client is the same direction as
# to_server). NOTE(review): sessions picked up midstream may be handled
# differently depending on the sensor's stream settings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roleprofittypleasw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"churchemipircasowl.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"portaircoveragejsuk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tubewelfaredopw.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282488; rev:1;)
# "$HOME_NET any -> $EXTERNAL_NET any" depends on the sensor's address
# variables. NOTE(review): behind an explicit forward proxy inside $HOME_NET,
# the client-to-proxy leg has an internal destination and would not match this
# header; confirm which leg the sensor taps.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"glossydecentjuskwos.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chunkylopsidedwos.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rankrandomotherwjsui.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"allowbloodythinkews.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stingmisplacedelivrrw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282483; rev:1;)
# The msg text is generic ("botnet C2 traffic") and names no malware family.
# For triage, follow reference:url (threatfox.abuse.ch/ioc/<id>/), which is the
# only per-rule pointer to what was reported for that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"declineforntyuekw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"geneticsockkdwlsaw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"surprisemakedjukenw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"refundemobxyyeols.shop"; 
depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282479; rev:1;)
# classtype:trojan-activity assigns the alert priority through
# classification.config. Every rule in this stretch shares that classtype and
# confidence_level 100, so neither field helps rank one hit against another.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rejectbettysmartws.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"warmstrawcounwyhj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"questionconservawuts.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pollutiofactwoijk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282475; rev:1;)
# Host strings are the IOCs exactly as listed, odd spellings included (e.g.
# understanndtytonyguw.shop); do not normalise them. depth on http.host equals
# the string length (25 for that host) and, with isdataat:!1,relative, makes
# the match exact, so any hand edit of a host must update depth as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"understanndtytonyguw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"comedyhorizonbedwus.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"catlackjellyodwps.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"conceptionextortyosw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"burnfamesoilratewo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282470; rev:1;)
# Every rule is rev:1 and follows one template. NOTE(review): the file looks
# machine-generated, so local edits are likely to be overwritten by the next
# feed pull; disable or modify individual sids through the rule manager's
# per-sid configuration instead of editing lines here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"kitchenreviewbewrwsa.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jobbyshysinduksowp.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pilothardwarreodsi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cassetteprodueiwo.shop"; 
depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282466; rev:1;)
# Both port fields are "any": the rules rely on Suricata recognising the flow
# as HTTP rather than on port 80, so the same request sent to a non-standard
# port is still inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cinemaclinicttanwk.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"deprivedrinkyfaiir.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ensureclackexcatwi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rocketmusclesksj.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fantasticabnormally.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"adoptionalbumgesw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"quitdigitalplatforwi.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hushedsombkereos.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tropicalironexpressiw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"templecharteredowis.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"routinecontoradwjsk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"declarationlastyj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"greetclassifytalk.shop"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vehicledropliberwls.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"methodgreenglassdatw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"museumtespaceorsp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pumpkindribblewo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282448; rev:1;)
# Host-plus-path C2 URL rules generated from ThreatFox IOCs: established HTTP GET
# from $HOME_NET, URI beginning with "/api", Host equal to the quoted .shop name.
# All carry confidence_level 100 and first_seen 2024_06_06; first_seen is the date
# recorded in the rule metadata, not evidence that the host is still active.
# NOTE(review): the match is pinned to GET. A request that uses another method to
# the same host and path does not alert; confirm the expected method against the
# IOC page in the reference URL before counting these rules as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"considerrycurrentyws.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"recognizestainsw.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"despairphtsograpgp.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"valuablestraigwhi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"relaxtionflouwerwi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bettynoticecovej.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nimkishraddedrew.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"libertyliebindywv.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"arrangementyforumekw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"voicelighterrrepso.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"souptapedentisttactiwe.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"seasonaldemonstradojs.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"uncertaintyrestsju.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stripmarrystresew.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fireplacecheckwi.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preocucupationssk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"footflexibleacts.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"explocommisiowsa.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"simplicitynegotiatiw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"grazeinnocenttyyek.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"colorprioritytubbew.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fixturewordbakewos.shop"; depth:23; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282427; rev:1;)
# url-type ThreatFox indicators: established HTTP GET from $HOME_NET whose URI
# starts with "/api" and whose Host is exactly the quoted .shop name
# (confidence_level 100, first_seen 2024_06_06).
# These rules carry no threshold keyword, so every matching request raises its own
# alert; a host that keeps retrying will produce one event per request.
# Each sid is the IOC id from its reference URL prefixed with 9, which makes it
# straightforward to pivot from an alert to the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"varianntyfeecterd.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"detailbaconroollyws.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"palacetilecomplew.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fragmentyperspowp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"distributopsuoprs.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"accountasifkwosov.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"abuselinenaidwjuew.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"negotitatiojdsuktoos.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"descriptionappleoj.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"evokeoutlooklits.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"penetratedworrsyw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ticketgradiencomfj.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"textureshallodsjk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bowelunitrydoorsko.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"phobicgiddyfivverr.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paininsrertymarshwke.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slamcopynammeks.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"demonstratedesighw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"joblkessprosgeow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"listenmoutioncow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"exceptionwillapews.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282406; rev:1;)
alert tcp $HOME_NET any -> [13.54.165.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282371; rev:1;)
# ip:port indicators. These rules look only at addresses: any TCP packet from
# $HOME_NET to the listed IP and port matches, with no flow or payload keyword.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds for each rule.
# NOTE(review): the entries directly below carry confidence_level 50 and several
# are tagged "Unknown malware". An address-only hit cannot tell C2 traffic from any
# other use of the same IP and port (22, 53, 80, 443 and 445 appear here), so
# corroborate with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [52.242.23.54] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282370; rev:1;)
alert tcp $HOME_NET any -> [91.103.252.124] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282369; rev:1;)
alert tcp $HOME_NET any -> [34.146.210.28] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282368; rev:1;)
alert tcp $HOME_NET any -> [217.165.78.126] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282367; rev:1;)
alert tcp $HOME_NET any -> [167.71.92.12] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282366; rev:1;)
alert tcp $HOME_NET any -> [158.140.133.56] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282365; rev:1;)
alert tcp $HOME_NET any -> [35.90.91.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282364; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20064 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282362; rev:1;)
alert tcp $HOME_NET any -> [194.163.160.254] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282363; rev:1;)
alert tcp $HOME_NET any -> [97.74.94.45] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282361; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.56] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282360; rev:1;)
# Payload-delivery URL: established HTTP GET whose URI starts with "/reports.php"
# and whose Host is exactly "dmboxing.co". The msg text labels it payload delivery
# rather than C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dmboxing.co"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282359; rev:1;)
# NjRAT ip:port entries (confidence_level 75) on ports 31089, 11520 and 10680;
# same address-only logic and per-source rate limit as the entries above.
alert tcp $HOME_NET any -> [80.253.239.170] 31089 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282351; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 11520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282354; rev:1;)
alert tcp $HOME_NET any -> [3.6.122.107] 10680 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282355; rev:1;)
alert tcp $HOME_NET any -> [165.154.58.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282358; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"www.163microsoft.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.163microsoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282357; rev:1;) alert tcp $HOME_NET any -> [165.154.58.22] 3332 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"165.154.33.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buyinginfo.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comparetextbook.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282335/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dmfarmnews.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282336/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flaworkcomp.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282337/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282337; rev:1;)
# Domain indicators, confidence_level 75. Each rule inspects the DNS query name
# (dns_query) and requires it to equal the listed domain: depth is the pattern length and
# isdataat:!1,relative rejects anything after it, so a query for a subdomain of a listed
# name does not match. nocase makes the comparison case-insensitive.
# target:src_ip marks the querying $HOME_NET host as the target in the alert record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glassdoog.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282338/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goodrapp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282339/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gulfesolutions.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"indiinfo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iplanforamerica.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"londonisthereason.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282343/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mongolianshipregistrar.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"onmnews.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shreyaninfotech.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"starlightstar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unixhonpo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7gzi.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bramjtop.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282333; rev:1;)
# ip:port indicator: there are no payload keywords, so any TCP packet from $HOME_NET to
# this address and port matches; threshold emits at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [3.125.102.39] 17739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282331; rev:1;)
# url indicator: GET whose URI starts with the listed path and whose Host header equals
# the listed name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"denisburns.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"estankaralar.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282316; rev:1;)
# A run of url indicators at confidence_level 80 that share one URI path and differ only
# in the Host value. Each matches a GET whose URI starts with the path (depth equals the
# pattern length, nocase) and whose Host header is exactly the listed .shop name
# (depth plus isdataat:!1,relative). The rules key on the Host header; the destination in
# the rule header is $EXTERNAL_NET any.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"mahalleestankaralar.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"mahallekaradakal.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karayakder2.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"laleneredeler.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"larnakdalar3.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karekeldeds.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"hasretkalmanav.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"kamelyanat5.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karedekalan.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282325; rev:1;)
# sid:91282327 lists the path without the trailing slash (depth:17), unlike its
# neighbours; as a prefix match it also covers the slash-terminated form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl"; depth:17; nocase; http.host; content:"hasretkalmanavdas3.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karekeldeds4.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282326; rev:1;)
# ip:port indicator: no payload keywords, so any TCP packet from $HOME_NET to this address
# and port matches; threshold emits at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [18.192.31.165] 17739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/reports.php"; depth:12; nocase; http.host; content:"libet-kielce.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282310; rev:1;)
# url rules below match a GET whose URI starts with the listed path and whose Host header
# equals the listed value exactly. Several URI patterns are short prefixes ("/fwlink",
# "/match", "/__utm.gif"); the exact Host match is what narrows each rule. Where the Host
# pattern is an IP literal, the rule matches on the header text rather than on the
# destination address.
# ip:port rules carry no payload keywords: any TCP packet from $HOME_NET to the listed
# address and port matches, limited to one alert per source per 60 s by threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"licorice.uz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282315; rev:1;)
alert tcp $HOME_NET any -> [103.35.191.158] 46231 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282314; rev:1;)
alert tcp $HOME_NET any -> [118.70.125.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282313; rev:1;)
# iheartredteams.com has both a domain rule and a url rule; the domain rule is an exact
# match on the query name, so subdomains are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iheartredteams.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"iheartredteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"levaho.fr"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282308; rev:1;)
# This domain rule carries confidence_level 50 in the feed metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"getcloudsolutions.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"172.81.211.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"62.234.19.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282303; rev:1;)
alert tcp $HOME_NET any -> [31.128.39.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282298; rev:1;)
# Several addresses below appear both as an ip:port rule and as the Host value of a url
# rule (31.128.39.137, 8.222.250.105), so one HTTP request to such an address can raise
# two alerts with different sids: the ip:port rule fires on any TCP packet to the address
# and port, the url rule on a GET whose URI starts with the listed path and whose Host
# header equals the listed value exactly.
# ip:port alerts are limited to one per source per 60 s by threshold; url rules have no
# threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"31.128.39.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282296; rev:1;)
alert tcp $HOME_NET any -> [8.222.250.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.222.250.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282294; rev:1;)
alert tcp $HOME_NET any -> [31.128.39.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"31.128.39.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.175.107.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"106.75.75.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282289; rev:1;)
alert tcp $HOME_NET any -> [8.130.175.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282288; rev:1;)
# qq.jjxy.link has a url rule and a domain rule; the domain rule matches the query name
# exactly (depth plus isdataat:!1,relative), case-insensitively.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"qq.jjxy.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.jjxy.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.92.96.35"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282284; rev:1;)
alert tcp $HOME_NET any -> [101.42.4.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282283; rev:1;)
# The url and domain rules for the tencentapigw.com.cn name match that one fully
# qualified host exactly (depth:50 plus isdataat:!1,relative); other names under the same
# parent domain do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-l24muftx-1251354025.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-l24muftx-1251354025.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282282; rev:1;)
alert tcp $HOME_NET any -> [120.46.208.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.46.208.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282278; rev:1;)
alert tcp $HOME_NET any -> [106.54.42.56] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getdata"; depth:15; nocase; http.host; content:"damousese.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282276; rev:1;)
# From here on the ip:port rules carry confidence_level 50. They contain no payload or
# TLS keywords, so every TCP packet from $HOME_NET to the listed address and port matches,
# including on common ports such as 80, 443 and 995; threshold limits this to one alert
# per source per 60 s.
# NOTE(review): confidence_level is feed metadata only and does not alter matching; how
# these alerts are prioritised relative to the 100% entries is left to the consumer.
alert tcp $HOME_NET any -> [147.45.41.171] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282275/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282275; rev:1;)
alert tcp $HOME_NET any -> [172.214.254.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282274/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282274; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.171] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282273; rev:1;)
alert tcp $HOME_NET any -> [47.120.40.27] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282272; rev:1;)
alert tcp $HOME_NET any -> [75.161.225.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282271; rev:1;)
alert tcp $HOME_NET any -> [75.161.228.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282270; rev:1;)
alert tcp $HOME_NET any -> [160.176.132.123] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282269; rev:1;)
alert tcp $HOME_NET any -> [217.164.83.209] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282268; rev:1;)
alert tcp 
$HOME_NET any -> [192.53.174.141] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282267; rev:1;)
# ip:port rules at confidence_level 50: no payload keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; threshold emits at most one alert per
# source per 60 s. target:src_ip marks the $HOME_NET host as the target in the alert.
alert tcp $HOME_NET any -> [103.245.39.231] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282266; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282265; rev:1;)
alert tcp $HOME_NET any -> [52.194.213.46] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282264; rev:1;)
alert tcp $HOME_NET any -> [163.181.128.95] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282263; rev:1;)
alert tcp $HOME_NET any -> [176.32.68.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282262; rev:1;)
# sid:91282261 has the URI pattern "/" with depth:1, which every absolute-path request
# satisfies; in effect the rule fires on any GET whose Host header is exactly
# 49.13.214.194. The same address also has an ip:port rule for port 443 (sid:91282260).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.214.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282261; rev:1;)
alert tcp $HOME_NET any -> [49.13.214.194] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmcw4fd/index.php"; depth:18; nocase; http.host; content:"getcloudsolutions.dev"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282259; rev:1;)
# Payload-delivery indicators for 24f1989.com: three url rules (one per path) and one
# domain rule. The url rules match a GET whose URI starts with the listed path and whose
# Host header equals the name exactly; the domain rule matches the query name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"24f1989.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"24f1989.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"24f1989.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"24f1989.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"les-dessous-de-karen.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282221; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.185] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282222; rev:1;)
alert tcp $HOME_NET any -> [164.92.254.4] 1111 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282254; rev:1;) alert tcp $HOME_NET any -> [45.131.111.48] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91279165; rev:1;) alert tcp $HOME_NET any -> [209.141.60.86] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91279166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"js.ddcc.bf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91279167; rev:1;) alert tcp $HOME_NET any -> [185.49.70.98] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282257; rev:1;) alert tcp $HOME_NET any -> [87.251.67.92] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282258/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_06; classtype:trojan-activity; sid:91282258; rev:1;) alert tcp $HOME_NET any -> [80.66.88.146] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282255; rev:1;) alert tcp $HOME_NET any -> [185.49.69.41] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282256; rev:1;) alert tcp $HOME_NET any -> [91.204.163.19] 8090 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282252; rev:1;) alert tcp $HOME_NET any -> [94.177.183.28] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282253; rev:1;) alert tcp $HOME_NET any -> [79.127.57.43] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282251; rev:1;) alert tcp $HOME_NET any -> [69.163.33.84] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1282250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282250; rev:1;) alert tcp $HOME_NET any -> [60.52.64.122] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282249; rev:1;) alert tcp $HOME_NET any -> [45.56.79.249] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282247; rev:1;) alert tcp $HOME_NET any -> [42.190.4.92] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282246; rev:1;) alert tcp $HOME_NET any -> [220.241.38.226] 50000 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282244; rev:1;) alert tcp $HOME_NET any -> [41.75.135.93] 7080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282245; rev:1;) alert tcp $HOME_NET any -> [207.154.204.40] 8080 (msg:"ThreatFox Emotet botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282243/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282243; rev:1;) alert tcp $HOME_NET any -> [201.190.133.235] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282241; rev:1;) alert tcp $HOME_NET any -> [201.213.32.59] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282242/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282242; rev:1;) alert tcp $HOME_NET any -> [200.113.106.18] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282239; rev:1;) alert tcp $HOME_NET any -> [200.58.83.179] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282240/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282240; rev:1;) alert tcp $HOME_NET any -> [190.96.118.15] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282238/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282238; 
rev:1;) alert tcp $HOME_NET any -> [190.79.228.89] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282237; rev:1;) alert tcp $HOME_NET any -> [190.217.1.149] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282236/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282236; rev:1;) alert tcp $HOME_NET any -> [190.182.161.7] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282234; rev:1;) alert tcp $HOME_NET any -> [190.210.184.138] 995 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282235/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282235; rev:1;) alert tcp $HOME_NET any -> [190.146.131.105] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282233/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282233; rev:1;) alert tcp $HOME_NET any -> [190.120.104.21] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282232/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282232; rev:1;) alert tcp $HOME_NET any -> [187.131.128.238] 50000 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282231; rev:1;) alert tcp $HOME_NET any -> [186.23.132.93] 990 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282230/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282230; rev:1;) alert tcp $HOME_NET any -> [181.16.17.210] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282229; rev:1;) alert tcp $HOME_NET any -> [181.135.153.203] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282228; rev:1;) alert tcp $HOME_NET any -> [170.130.31.177] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282227; rev:1;) alert tcp $HOME_NET any -> [163.172.40.218] 7080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282226; rev:1;) alert tcp $HOME_NET any -> [144.139.158.155] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282225; rev:1;) alert tcp $HOME_NET any -> [142.93.114.137] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282224; rev:1;) alert tcp $HOME_NET any -> [111.119.233.65] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282223/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282223; rev:1;) alert tcp $HOME_NET any -> [103.114.107.28] 80 (msg:"ThreatFox Oski Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponychin/gate.php"; depth:18; nocase; http.host; content:"174.140.171.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282216/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91282216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"198.74.51.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"216.119.142.158"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbb/foolishtrump/paneltwotwo/gate.php"; depth:38; nocase; http.host; content:"accsandalye.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trip/gate.php"; depth:14; nocase; http.host; content:"rhombus-rolen.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"5.39.15.199"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"213.155.112.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"biledroben.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"usviktory.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ponychin/gate.php"; depth:18; nocase; http.host; content:"200.72.183.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exuss14rwww.php"; depth:16; nocase; http.host; content:"shiftcontrol.biz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"syracuseporsche.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mayor/gate.php"; depth:15; nocase; http.host; content:"accexx.space"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"216.52.143.36"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fav/gate.php"; depth:13; nocase; http.host; content:"co58724.tmweb.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abukh/cpanels/panel/gate.php"; depth:29; nocase; http.host; content:"www.stritaschools.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ero.php"; depth:8; nocase; http.host; content:"flexyin.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"174.140.163.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91282200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wish/panel/gate.php"; depth:20; nocase; http.host; content:"banizeusz.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"184.154.70.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponychin/gate.php"; depth:18; nocase; http.host; content:"69.194.196.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db/p/gate.php"; depth:14; nocase; http.host; content:"hivamusic.ir"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/wergwrg3gwer"; depth:23; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"spna.ca"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"kpresident.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/css/panel/gate.php"; depth:31; nocase; http.host; content:"tcoolonline.mobi"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buky/gate.php"; depth:14; nocase; http.host; 
content:"engrseltevs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/coreserver/gate.php"; depth:23; nocase; http.host; content:"handtmann-de.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"semtly.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"sofharrefen.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"salesxpert.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282187/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91282187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"64.85.169.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/office/gate.php"; depth:16; nocase; http.host; content:"webgozar.win"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"sp-co.cf"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghhg/mypage/gate.php"; depth:21; nocase; http.host; content:"faradaxa.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
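(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"95.154.250.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282184; rev:1;)
# Rules below are restored to one rule per line. Each alerts on an HTTP GET from $HOME_NET whose
# http.uri begins with the listed path (content + depth, nocase) and whose http.host equals the
# listed value exactly (depth equal to the content length, then isdataat:!1,relative).
# NOTE(review): every rule pins the method to GET; gate.php-style panels are commonly contacted with
# POST as well - confirm against captured traffic before relying on these for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"192.241.130.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp_nows/gate.php"; depth:20; nocase; http.host; content:"vs-t.eu.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"whitesnowpussy.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282179; rev:1;)
# sid 91282180 as published carried http.host "htttp" (depth:5) and http.uri
# "//easybrands.ml/lorenz/web/gate.php" (depth:35): presumably a mistyped URL scheme in the IOC was
# parsed as the host name. In that form the rule only fires on a literal Host of "htttp", so traffic
# to easybrands.ml goes undetected. Host and path are split correctly below and rev is bumped for
# the local change. A feed refresh will overwrite this edit; report the IOC through the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lorenz/web/gate.php"; depth:20; nocase; http.host; content:"easybrands.ml"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282180; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"topprofessionalphotographer.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"50.56.223.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dome/mega/gate.php"; depth:19; nocase; http.host; content:"overider.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mw/p/gate.php"; depth:14; nocase; http.host; content:"dapurslkm.co.id"; depth:15; isdataat:!1,relative; reference:url, 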
threatfox.abuse.ch/ioc/1282175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"74.91.112.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo/panelnew/gate.php"; depth:21; nocase; http.host; content:"mci-consultant.id"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"fouseevenghedt.ru"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kz/panel/gate.php"; depth:18; nocase; http.host; content:"seganag.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282171; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"uksonlinedating.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/light/admin/gate.php"; depth:21; nocase; http.host; content:"cm02584.tmweb.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sweed/gate.php"; depth:15; nocase; http.host; content:"sweed-viki.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chuksgoogle/gate.php"; depth:21; nocase; http.host; content:"acgfinancial.gq"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/gate.php"; depth:13; nocase; http.host; content:"genic-enterprises.website"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ero.php"; depth:8; nocase; http.host; content:"ctasyus.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sy/test/gate.php"; depth:17; nocase; http.host; content:"inmrvogurin.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/insane/head.php"; depth:16; nocase; http.host; content:"184.82.133.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghhg/mypage/gate.php"; depth:21; nocase; http.host; 
content:"www.faradaxa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"174.140.171.147"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eze/panelnew/gate.php"; depth:22; nocase; http.host; content:"209.222.110.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"21.harnessingsystems.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"21.multiplexvehiclesystems.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282160/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k/panelnew/gate.php"; depth:20; nocase; http.host; content:"clubdemadrespompiglos.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fend/bolt/gate.php"; depth:19; nocase; http.host; content:"sandstrucks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web-content/log/log/file/gate.php"; depth:34; nocase; http.host; content:"www.janabaalicheck.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dee/gate.php"; depth:13; nocase; http.host; content:"grnthost.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
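sid:91282156; rev:1;)
# Rules below are restored to one rule per line. Each alerts on an HTTP GET from $HOME_NET whose
# http.uri begins with the listed path (content + depth, nocase) and whose http.host equals the
# listed value exactly (depth equal to the content length, then isdataat:!1,relative).
# NOTE(review): every rule pins the method to GET; gate.php-style panels are commonly contacted with
# POST as well - confirm against captured traffic before relying on these for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"212.58.15.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"zelia.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xc/panel/gate.php"; depth:18; nocase; http.host; content:"xdrppped.com.ng"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nedum/gate.php"; depth:15; nocase; http.host; content:"hawkresultbox.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282152; rev:1;)
# sid 91282145 as published carried http.host "rhttp" (depth:5) and http.uri
# "//zjgcdab5.beget.tech/panel/path/gate.php" (depth:41): presumably a mistyped URL scheme in the IOC
# was parsed as the host name. In that form the rule only fires on a literal Host of "rhttp", so
# traffic to zjgcdab5.beget.tech goes undetected. Host and path are split correctly below and rev is
# bumped for the local change. A feed refresh will overwrite this edit; report the IOC through the
# reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/path/gate.php"; depth:20; nocase; http.host; content:"zjgcdab5.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282145; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/img/png/panelx/gate.php"; depth:31; nocase; http.host; content:"grupoalfra.cl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awumen/panel/gate.php"; depth:22; nocase; http.host; content:"sp-co.cf"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"seosuccess.net16.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; 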
http.host; content:"212.58.15.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"mocnid.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"heshedhowpa.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"213.155.112.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setupslyp/setupslyp/gate.php"; depth:29; nocase; http.host; content:"gamestoredownload.download"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282136/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apple/server/gate.php"; depth:22; nocase; http.host; content:"successoryzones.biz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z/pony/panel/gate.php"; depth:22; nocase; http.host; content:"guata.com.br"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/jnt/panel/gate.php"; depth:24; nocase; http.host; content:"empireacoustical.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubu/gate.php"; depth:14; nocase; http.host; content:"kosii.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282140; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/panel/gate.php"; depth:28; nocase; http.host; content:"krungonline.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setupcrossp/setupcrossp/gate.php"; depth:33; nocase; http.host; content:"gamestoredownload.download"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bit/panel/gate.php"; depth:19; nocase; http.host; content:"leatherbulletin.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"bullonthewall.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/paul-20june-20july/gate.php"; depth:33; nocase; http.host; content:"libertize.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pond/gate.php"; depth:14; nocase; http.host; content:"whitey.comlu.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"212.58.15.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"siteseoguide.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/id3/panel/gate.php"; depth:31; 
nocase; http.host; content:"www.tcoolonline.mobi"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"monkey.5bello.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"e3pos.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lovenow/eng/gate.php"; depth:21; nocase; http.host; content:"microsoftoutlook.ga"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tola/gate.php"; depth:14; nocase; http.host; content:"tolain.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282121/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonso/gate.php"; depth:15; nocase; http.host; content:"mitsumidistrlbution.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"199.59.56.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server/gate.php"; depth:16; nocase; http.host; content:"ukaytrades.tk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/by/back/gate.php"; depth:17; nocase; http.host; content:"4maat.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marlon/wossy.php"; depth:17; nocase; http.host; content:"185.11.146.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fanta/panel/gate.php"; depth:21; nocase; http.host; content:"updateguru.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rector/gate.php"; depth:16; nocase; http.host; content:"tekinkgroup.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"dlhrecording.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gate.php"; depth:9; nocase; http.host; content:"tertpertoru.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/uploads/tony/panel/gate.php"; depth:42; nocase; http.host; content:"mammerzo.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony2/gate.php"; depth:15; nocase; http.host; content:"iwillmakeitbigtime.cf"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/nef9ihsvidvghdikn.php"; depth:27; nocase; http.host; content:"ns8iafosjnfuihkcnidkl.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"tradelinkengineering.com"; depth:24; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~admin/maindomainkid009_net/ajuk/fire/gate.php"; depth:47; nocase; http.host; content:"45.58.116.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"83.174.131.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/sima/eng/gate.php"; depth:35; nocase; http.host; content:"s67884.smrtp.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/gate.php"; depth:11; nocase; http.host; content:"zpanel123.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282109/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.cab"; depth:8; nocase; http.host; content:"palitosdepan.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blininfo/temp/gate.php"; depth:24; nocase; http.host; content:"139.99.8.218"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~catchusnot/panel/gate.php"; depth:27; nocase; http.host; content:"199.192.25.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/way/like.php"; depth:13; nocase; http.host; content:"bdhkmts.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5101fcf84/vsdfb45wret"; depth:22; nocase; http.host; content:"5.135.8.71"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/rebhg542"; depth:19; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/pony/mac.php"; depth:16; nocase; http.host; content:"ponyls.in"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pn1/gate.php"; depth:13; nocase; http.host; content:"productmetro.club"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
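content:"/dp/adm/adm1/gate.php"; depth:21; nocase; http.host; content:"whizzpackage.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282101; rev:1;)
# URL IOC rules: each fires on an established client-to-server HTTP request whose method
# buffer contains "GET", whose normalized URI starts with the listed path (depth equals the
# path length, nocase) and whose Host value equals the listed host exactly (depth equals the
# host length, and isdataat:!1,relative rejects any trailing bytes). A request to the same
# path with another method (for example POST) does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"christojati.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282093; rev:1;)
# NOTE(review): sid 91282094 was emitted with http.host content "http" and the hostname
# inside http.uri ("//zjgcdab5.beget.tech/panel/gate.php"). That looks like a URL IOC whose
# scheme separator was mis-split by the rule generator. In that form the rule matches only
# a request whose Host value is literally "http", so the indicator goes undetected.
# Host and path are separated below and rev is bumped. Confirm against ThreatFox IOC 1282094
# and report it upstream, because a feed refresh will overwrite a local edit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"zjgcdab5.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282094; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"199.71.212.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/panel/gate.php"; depth:20; nocase; http.host; content:"www.funfreecasinogames.com"; depth:26; 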
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/css/site-logo/gate.php"; depth:30; nocase; http.host; content:"clinique-sainte-marie.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5101fcf84/43ggewvefbwerg"; depth:25; nocase; http.host; content:"5.135.8.71"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/panel/gate.php"; depth:19; nocase; http.host; content:"szevargrows.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiny/lele/gate.php"; depth:19; nocase; http.host; content:"minddosentshe.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282092/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/pony/mac.php"; depth:16; nocase; http.host; content:"fipony.in"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/werghw45gwe"; depth:22; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"rohironrof.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/way/like.php"; depth:13; nocase; http.host; content:"bdujyr.pw"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"64.85.169.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buch-a2/gate.php"; depth:17; nocase; http.host; content:"untablesix.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/network/anyipanelnew/gate.php"; depth:39; nocase; http.host; content:"detailingpro.co.in"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/brgn424t235"; depth:22; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/8bd7d5194/wert34g45ht"; depth:22; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/panel/gate.php"; depth:20; nocase; http.host; content:"spokengezraee.idv.am"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/valopsy/gate.php"; depth:17; nocase; http.host; content:"kenthalls.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"62.112.130.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moneylong/benzes/gate.php"; depth:26; nocase; http.host; content:"cb94336.tmweb.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1282073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.cab"; depth:8; nocase; http.host; content:"ethostraining.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"119.110.72.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cms/old2/gate.php"; depth:18; nocase; http.host; content:"topratesforextoyou.biz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"198.74.59.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91282070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"donsnookie.club"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifamandiebyaccident/gate.php"; depth:29; nocase; http.host; content:"gregorian.club"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fif/gate.php"; depth:13; nocase; http.host; content:"theonlygoodman.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/water/panelnew/gate.php"; depth:24; nocase; http.host; content:"balsamar.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.cab"; depth:8; nocase; http.host; content:"www.van-der-leest.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"108.178.59.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lorenz/gate.php"; depth:16; nocase; http.host; content:"easybrands.ml"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-includes/images/media/office/microsoft/gate.php"; depth:61; nocase; http.host; content:"simdisposable.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marlon/gate.php"; 
depth:16; nocase; http.host; content:"185.11.146.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/gate.php"; depth:13; nocase; http.host; content:"mdi-pk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"cryodiffusion.cf"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beef/sult/gate.php"; depth:19; nocase; http.host; content:"anixtier.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282061; rev:1;) alert tcp $HOME_NET any -> [185.132.53.236] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282059; rev:1;) alert 
tcp $HOME_NET any -> [104.248.151.229] 16164 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282056; rev:1;) alert tcp $HOME_NET any -> [173.82.168.101] 8031 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282057; rev:1;) alert tcp $HOME_NET any -> [185.62.188.19] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282058; rev:1;) alert tcp $HOME_NET any -> [54.39.126.228] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282053; rev:1;) alert tcp $HOME_NET any -> [198.98.58.235] 53800 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282054; rev:1;) alert tcp $HOME_NET any -> [51.68.65.174] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282055/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282055; rev:1;) alert tcp $HOME_NET any -> [178.62.21.111] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282051; rev:1;) alert tcp $HOME_NET any -> [185.101.105.185] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282052; rev:1;) alert tcp $HOME_NET any -> [205.185.118.175] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282048; rev:1;) alert tcp $HOME_NET any -> [104.168.171.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282049; rev:1;) alert tcp $HOME_NET any -> [139.59.11.206] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282050; rev:1;) alert tcp $HOME_NET any -> [204.48.16.27] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282044; rev:1;) alert tcp $HOME_NET any -> [104.244.77.163] 311 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282045; rev:1;) alert tcp $HOME_NET any -> [159.65.91.172] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282046; rev:1;) alert tcp $HOME_NET any -> [139.59.41.236] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282047; rev:1;) alert tcp $HOME_NET any -> [45.95.168.127] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282041; rev:1;) alert tcp $HOME_NET any -> [107.172.196.160] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282042; rev:1;) 
# ip:port IOC rules (Bashlite C2): each rule alerts on any TCP packet from $HOME_NET to the
# single listed address and port. No flow-state or payload keyword is present, so a hit shows
# that an internal host contacted the endpoint, not that C2 protocol content was observed.
# The threshold (type limit, track by_src) caps output at one alert per source every 60 seconds.
# NOTE(review): the address may have been reassigned since first_seen; check the reference URL
# for the IOC's current status before escalating on an ip:port hit alone.
alert tcp $HOME_NET any -> [45.95.147.69] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282043; rev:1;) alert tcp $HOME_NET any -> [159.203.160.13] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282039; rev:1;) alert tcp $HOME_NET any -> [102.165.50.10] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282040; rev:1;) alert tcp $HOME_NET any -> [149.56.228.32] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282036; rev:1;) alert tcp $HOME_NET any -> [185.244.25.154] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282037; rev:1;) alert tcp $HOME_NET any -> [104.244.77.52] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282038/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282038; rev:1;) alert tcp $HOME_NET any -> [185.132.53.64] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282033; rev:1;) alert tcp $HOME_NET any -> [185.244.25.133] 45 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282034; rev:1;) alert tcp $HOME_NET any -> [50.115.174.106] 61234 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282035; rev:1;) alert tcp $HOME_NET any -> [185.11.146.237] 3301 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282030; rev:1;) alert tcp $HOME_NET any -> [80.211.184.72] 500 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282031; rev:1;) alert tcp $HOME_NET any -> [185.244.25.248] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282032; rev:1;) alert tcp $HOME_NET any -> [66.172.33.195] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282027; rev:1;) alert tcp $HOME_NET any -> [188.166.58.42] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282028; rev:1;) alert tcp $HOME_NET any -> [94.242.58.245] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282029; rev:1;) alert tcp $HOME_NET any -> [155.138.221.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282024; rev:1;) alert tcp $HOME_NET any -> [158.69.57.188] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282025; 
rev:1;) alert tcp $HOME_NET any -> [104.168.141.144] 656 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282026; rev:1;) alert tcp $HOME_NET any -> [178.62.243.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282021; rev:1;) alert tcp $HOME_NET any -> [185.222.202.68] 22922 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282022; rev:1;) alert tcp $HOME_NET any -> [209.141.40.185] 794 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282023; rev:1;) alert tcp $HOME_NET any -> [193.35.18.187] 64599 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282018; rev:1;) alert tcp $HOME_NET any -> [176.32.33.134] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282019; rev:1;) alert tcp $HOME_NET any -> [142.93.119.170] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282020; rev:1;) alert tcp $HOME_NET any -> [198.23.137.142] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282016; rev:1;) alert tcp $HOME_NET any -> [23.95.225.127] 6967 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282017; rev:1;) alert tcp $HOME_NET any -> [192.3.131.30] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282013; rev:1;) alert tcp $HOME_NET any -> [31.192.106.250] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282014; rev:1;) alert tcp $HOME_NET any -> [194.156.120.5] 879 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282015; rev:1;) alert tcp $HOME_NET any -> [185.101.105.173] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282011; rev:1;) alert tcp $HOME_NET any -> [185.112.248.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282012; rev:1;) alert tcp $HOME_NET any -> [167.71.184.8] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282008; rev:1;) alert tcp $HOME_NET any -> [164.68.115.166] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282009; rev:1;) alert tcp $HOME_NET any -> [95.123.85.55] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91282010; rev:1;) alert tcp $HOME_NET any -> [185.101.107.127] 645 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282005; rev:1;) alert tcp $HOME_NET any -> [80.87.206.123] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282006; rev:1;) alert tcp $HOME_NET any -> [206.189.69.103] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282007; rev:1;) alert tcp $HOME_NET any -> [185.244.25.73] 81 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282003; rev:1;) alert tcp $HOME_NET any -> [198.12.97.71] 8899 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282004; rev:1;) alert tcp $HOME_NET any -> [46.29.164.240] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1282000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282000; rev:1;) alert tcp $HOME_NET any -> [91.196.149.73] 766 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282001; rev:1;) alert tcp $HOME_NET any -> [185.112.249.102] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282002; rev:1;) alert tcp $HOME_NET any -> [134.122.113.143] 6982 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281997; rev:1;) alert tcp $HOME_NET any -> [107.173.114.24] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281998; rev:1;) alert tcp $HOME_NET any -> [192.119.66.148] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281999; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 6543 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281993; rev:1;) alert tcp $HOME_NET any -> [89.34.26.152] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281994; rev:1;) alert tcp $HOME_NET any -> [93.123.85.78] 55 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281995; rev:1;) alert tcp $HOME_NET any -> [87.120.254.160] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281996; rev:1;) alert tcp $HOME_NET any -> [198.27.127.44] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281991; rev:1;) alert tcp $HOME_NET any -> [46.17.45.226] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91281992; rev:1;) alert tcp $HOME_NET any -> [93.123.85.88] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281988; rev:1;) alert tcp $HOME_NET any -> [167.99.231.107] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281989; rev:1;) alert tcp $HOME_NET any -> [185.101.105.129] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281990; rev:1;) alert tcp $HOME_NET any -> [198.199.84.119] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281986; rev:1;) alert tcp $HOME_NET any -> [185.244.25.165] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281987; rev:1;) alert tcp $HOME_NET any -> [45.76.83.37] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1281983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281983; rev:1;) alert tcp $HOME_NET any -> [159.65.227.17] 54 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281984; rev:1;) alert tcp $HOME_NET any -> [45.92.108.35] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281985; rev:1;) alert tcp $HOME_NET any -> [165.22.85.252] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281980; rev:1;) alert tcp $HOME_NET any -> [103.109.37.185] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281981; rev:1;) alert tcp $HOME_NET any -> [46.29.167.240] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281982; rev:1;) alert tcp $HOME_NET any -> [46.17.45.73] 23 (msg:"ThreatFox Bashlite 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281977; rev:1;) alert tcp $HOME_NET any -> [185.158.248.87] 58380 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281978; rev:1;) alert tcp $HOME_NET any -> [108.174.197.102] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281979; rev:1;) alert tcp $HOME_NET any -> [185.172.110.206] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281974; rev:1;) alert tcp $HOME_NET any -> [162.144.64.110] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281975; rev:1;) alert tcp $HOME_NET any -> [46.29.163.124] 51029 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281976/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281976; rev:1;) alert tcp $HOME_NET any -> [94.103.124.162] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281971; rev:1;) alert tcp $HOME_NET any -> [176.123.26.89] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281972; rev:1;) alert tcp $HOME_NET any -> [142.93.130.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281973; rev:1;) alert tcp $HOME_NET any -> [80.211.70.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281968; rev:1;) alert tcp $HOME_NET any -> [68.183.75.210] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281969; rev:1;) alert tcp $HOME_NET any -> [209.141.48.138] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1281970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281970; rev:1;) alert tcp $HOME_NET any -> [138.68.40.36] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281965; rev:1;) alert tcp $HOME_NET any -> [46.29.164.240] 6577 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281966; rev:1;) alert tcp $HOME_NET any -> [142.93.178.226] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281967; rev:1;) alert tcp $HOME_NET any -> [192.227.131.125] 31392 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281962; rev:1;) alert tcp $HOME_NET any -> [198.167.140.148] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281963; rev:1;) alert tcp $HOME_NET any -> [192.241.128.165] 23 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281964; rev:1;) alert tcp $HOME_NET any -> [46.166.185.161] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281959; rev:1;) alert tcp $HOME_NET any -> [159.203.108.157] 920 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281960; rev:1;) alert tcp $HOME_NET any -> [209.141.55.254] 28713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281961; rev:1;) alert tcp $HOME_NET any -> [159.69.156.219] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281956; rev:1;) alert tcp $HOME_NET any -> [51.81.0.241] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281957/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281957; rev:1;) alert tcp $HOME_NET any -> [185.212.47.32] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281958; rev:1;) alert tcp $HOME_NET any -> [77.73.69.13] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281954; rev:1;) alert tcp $HOME_NET any -> [185.244.25.110] 1098 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281955; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 17737 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281951; rev:1;) alert tcp $HOME_NET any -> [93.123.85.79] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281952; rev:1;) alert tcp $HOME_NET any -> [37.49.230.53] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281953; rev:1;) alert tcp $HOME_NET any -> [212.237.58.51] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281948; rev:1;) alert tcp $HOME_NET any -> [46.17.43.203] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281949; rev:1;) alert tcp $HOME_NET any -> [45.145.42.90] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281950; rev:1;) alert tcp $HOME_NET any -> [158.69.217.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281945; rev:1;) alert tcp $HOME_NET any -> [142.11.215.254] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281946; rev:1;) alert tcp $HOME_NET any -> [94.156.144.79] 4258 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281947; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "Bashlite" ip:port rules (metadata first_seen 2024_06_05).
#
# What a hit means: each rule fires on TCP traffic from $HOME_NET to one fixed
# destination address and port. No flow, flags or content keyword is present,
# so an alert shows only that a host sent a packet towards that endpoint. It
# does not show that a session was established or that C2 data was exchanged.
#
# Alert volume: "threshold: type limit, track by_src, seconds 60, count 1"
# allows at most one alert per source address per 60 seconds for each sid.
#
# Triage: "target:src_ip" marks the sending $HOME_NET host as the target in
# the event record, so investigation starts at that host.
#
# NOTE(review): address-only indicators go stale once an address is
# reassigned; check the rule's reference URL for the current state of the IOC
# before acting on a hit.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [209.141.59.55] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281942; rev:1;)
alert tcp $HOME_NET any -> [51.79.55.3] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281943; rev:1;)
alert tcp $HOME_NET any -> [157.230.173.29] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281944; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.53] 27 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281939; rev:1;)
alert tcp $HOME_NET any -> [192.99.167.213] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281940; rev:1;)
alert tcp $HOME_NET any -> [107.172.195.181] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281941; rev:1;)
alert tcp $HOME_NET any -> [199.38.243.9] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281936; rev:1;)
alert tcp $HOME_NET any -> [107.175.240.121] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281937; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.216] 8052 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281938; rev:1;)
alert tcp $HOME_NET any -> [185.35.138.173] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281933; rev:1;)
alert tcp $HOME_NET any -> [68.183.126.172] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281934; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.92] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281935; rev:1;)
alert tcp $HOME_NET any -> [174.138.53.91] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281931; rev:1;)
alert tcp $HOME_NET any -> [51.254.176.77] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281932; rev:1;)
alert tcp $HOME_NET any -> [94.177.187.66] 38883 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281928; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.48] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281929; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.145] 840 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281930; rev:1;)
alert tcp $HOME_NET any -> [68.183.156.139] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281925; rev:1;)
alert tcp $HOME_NET any -> [45.95.147.24] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281926; rev:1;)
alert tcp $HOME_NET any -> [71.19.148.92] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281927; rev:1;)
alert tcp $HOME_NET any -> [157.230.62.160] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281922; rev:1;)
alert tcp $HOME_NET any -> [134.209.13.51] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281923; rev:1;)
alert tcp $HOME_NET any -> [146.71.76.136] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281924; rev:1;)
alert tcp $HOME_NET any -> [178.128.43.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281919; rev:1;)
alert tcp $HOME_NET any -> [107.182.225.125] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281920; rev:1;)
# Same destination address as sid:91281943 (port 23); a host that contacts both ports raises two separate sids.
alert tcp $HOME_NET any -> [51.79.55.3] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281921; rev:1;)
alert tcp $HOME_NET any -> [142.11.212.47] 808 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281916; rev:1;)
alert tcp $HOME_NET any -> [205.185.121.51] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281917; rev:1;)
alert tcp $HOME_NET any -> [172.98.199.121] 64 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281918; rev:1;)
alert tcp $HOME_NET any -> [46.29.166.33] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281913; rev:1;)
alert tcp $HOME_NET any -> [87.236.212.240] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281914; rev:1;)
alert tcp $HOME_NET any -> [217.61.16.74] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281915; rev:1;)
alert tcp $HOME_NET any -> [194.147.32.206] 505 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281910; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.205] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281911; rev:1;)
alert tcp $HOME_NET any -> [178.128.109.190] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281912; rev:1;)
alert tcp $HOME_NET any -> [107.172.141.115] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281906; rev:1;)
alert tcp $HOME_NET any -> [107.175.17.147] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281907; rev:1;)
alert tcp $HOME_NET any -> [178.62.109.206] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281908; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.215] 3074 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281909; rev:1;)
alert tcp $HOME_NET any -> [172.245.52.170] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281903; rev:1;)
alert tcp $HOME_NET any -> [194.37.82.252] 281 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281904; rev:1;)
alert tcp $HOME_NET any -> [138.197.215.81] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281905; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.109] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281900; rev:1;)
alert tcp $HOME_NET any -> [209.141.50.57] 3312 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281901; rev:1;)
alert tcp $HOME_NET any -> [206.189.131.31] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281902; rev:1;)
alert tcp $HOME_NET any -> [209.141.56.13] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281897; rev:1;)
alert tcp $HOME_NET any -> [142.93.102.204] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281898; rev:1;)
alert tcp $HOME_NET any -> [107.174.13.128] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281899; rev:1;)
alert tcp $HOME_NET any -> [165.227.68.28] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281895; rev:1;)
alert tcp $HOME_NET any -> [112.213.32.109] 46216 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281896; rev:1;)
alert tcp $HOME_NET any -> [195.231.4.214] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281892; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.229] 8013 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281893; rev:1;)
alert tcp $HOME_NET any -> [178.33.181.19] 850 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281894; rev:1;)
alert tcp $HOME_NET any -> [104.207.130.67] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281889; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.112] 917 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281890; rev:1;)
alert tcp $HOME_NET any -> [68.183.147.224] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281891; rev:1;)
alert tcp $HOME_NET any -> [178.62.67.250] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281887; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281888; rev:1;)
alert tcp $HOME_NET any -> [178.128.7.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281884; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.111] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281885; rev:1;)
alert tcp $HOME_NET any -> [207.154.220.45] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281886; rev:1;)
alert tcp $HOME_NET any -> [142.11.212.167] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281881; rev:1;)
alert tcp $HOME_NET any -> [103.214.6.199] 36363 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281882; rev:1;)
alert tcp $HOME_NET any -> [185.17.27.112] 57162 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281883; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.56] 29 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281879; rev:1;)
# NOTE(review): destination port 80 with no payload match, so any TCP traffic from $HOME_NET to this address on the
# HTTP port alerts. Correlate with HTTP or proxy logs for the same flow before treating a hit as C2.
alert tcp $HOME_NET any -> [23.254.215.52] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281880; rev:1;)
alert tcp $HOME_NET any -> [85.239.34.70] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281876; rev:1;)
alert tcp $HOME_NET any -> [80.211.6.4] 53883 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281877; rev:1;)
alert tcp $HOME_NET any -> [5.196.159.52] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281878; rev:1;)
alert tcp $HOME_NET any -> [103.60.13.195] 7070 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281873; rev:1;)
alert tcp $HOME_NET any -> [206.189.167.81] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281874; rev:1;)
alert tcp $HOME_NET any -> [157.230.152.211] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281875; rev:1;)
alert tcp $HOME_NET any -> [2.57.122.214] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281870; rev:1;)
alert tcp $HOME_NET any -> [134.209.125.4] 1352 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281871; rev:1;)
alert tcp $HOME_NET any -> [23.160.193.184] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281872; rev:1;)
alert tcp $HOME_NET any -> [51.91.111.198] 920 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281867; rev:1;)
alert tcp $HOME_NET any -> [107.172.248.172] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281868; rev:1;)
# Same destination address as sid:91281938 (port 8052); a host that contacts both ports raises two separate sids.
alert tcp $HOME_NET any -> [185.244.25.216] 1946 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281869; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.232] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281864; rev:1;)
alert tcp $HOME_NET any -> [167.99.154.195] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281865; rev:1;)
alert tcp $HOME_NET any -> [188.138.100.8] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281866; rev:1;)
# NOTE(review): destination port 443 with no payload or TLS match, so any TCP traffic from $HOME_NET to this address
# on the HTTPS port alerts. Correlate with TLS or proxy logs for the same flow before treating a hit as C2.
alert tcp $HOME_NET any -> [185.244.25.189] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281861; rev:1;)
alert tcp $HOME_NET any -> [198.46.160.136] 99 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281862; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.149] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281863; rev:1;)
alert tcp $HOME_NET any -> [168.235.103.65] 691 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281858; rev:1;)
alert tcp $HOME_NET any -> [138.197.1.64] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281859; rev:1;)
alert tcp $HOME_NET any -> [80.211.82.185] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281860; rev:1;)
alert tcp $HOME_NET any -> [78.128.114.66] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281855; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.129] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281856; rev:1;)
alert tcp $HOME_NET any -> [80.211.59.125] 424 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281857; rev:1;)
alert tcp $HOME_NET any -> [104.244.76.190] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281851; rev:1;)
alert tcp $HOME_NET any -> [185.83.215.73] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281852; rev:1;)
alert tcp $HOME_NET any -> [173.82.168.101] 88 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281853; rev:1;)
alert tcp $HOME_NET any -> [54.39.151.1] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281854; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.213] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281849; rev:1;)
alert tcp $HOME_NET any -> [161.97.162.103] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281850; rev:1;)
alert tcp $HOME_NET any -> [80.211.172.24] 818 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281846; rev:1;)
alert tcp $HOME_NET any -> [80.211.48.128] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281847; rev:1;)
alert tcp $HOME_NET any -> [172.105.36.168] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281848; rev:1;)
alert tcp $HOME_NET any -> [104.168.102.194] 787 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281843; rev:1;)
alert tcp $HOME_NET any -> [46.166.151.88] 432 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281844; rev:1;)
alert tcp $HOME_NET any -> [142.93.188.49] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281845; rev:1;)
alert tcp $HOME_NET any -> [205.185.124.211] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281840; rev:1;)
alert tcp $HOME_NET any -> [23.94.70.112] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281841; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.130] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281842; rev:1;)
alert tcp $HOME_NET any -> [149.91.89.105] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281838; rev:1;)
alert tcp $HOME_NET any -> [91.209.70.120] 115 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281839; rev:1;)
alert tcp $HOME_NET any -> [84.54.49.50] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281834; rev:1;)
alert tcp $HOME_NET any -> [66.172.11.120] 45645 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281835; rev:1;)
alert tcp $HOME_NET any -> [45.129.3.105] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281836; rev:1;)
alert tcp $HOME_NET any -> [68.183.28.70] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281831; rev:1;)
alert tcp $HOME_NET any -> [31.210.20.69] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281832; rev:1;)
alert tcp $HOME_NET any -> [139.59.215.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281833; rev:1;)
alert tcp $HOME_NET any -> [104.168.57.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281828; rev:1;)
alert tcp $HOME_NET any -> [68.183.26.74] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281829; rev:1;)
alert tcp $HOME_NET any -> [68.183.47.77] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281830; rev:1;)
alert tcp $HOME_NET any -> [89.34.26.123] 576 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281825; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.165] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91281826; rev:1;) alert tcp $HOME_NET any -> [185.244.25.189] 10293 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281827; rev:1;) alert tcp $HOME_NET any -> [94.177.238.164] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281822; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 6700 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281823; rev:1;) alert tcp $HOME_NET any -> [62.171.138.253] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281824; rev:1;) alert tcp $HOME_NET any -> [104.248.32.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281819; rev:1;) alert tcp $HOME_NET any -> [167.99.202.160] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1281820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281820; rev:1;) alert tcp $HOME_NET any -> [157.230.50.242] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281821; rev:1;) alert tcp $HOME_NET any -> [54.38.213.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281816; rev:1;) alert tcp $HOME_NET any -> [192.241.144.221] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281817; rev:1;) alert tcp $HOME_NET any -> [107.172.89.15] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281818; rev:1;) alert tcp $HOME_NET any -> [78.142.19.81] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281813; rev:1;) alert tcp $HOME_NET any -> [45.128.232.2] 999 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281814; rev:1;) alert tcp $HOME_NET any -> [51.75.74.22] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281815; rev:1;) alert tcp $HOME_NET any -> [198.98.58.235] 42630 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281810; rev:1;) alert tcp $HOME_NET any -> [178.128.177.162] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281811; rev:1;) alert tcp $HOME_NET any -> [80.211.172.24] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281812; rev:1;) alert tcp $HOME_NET any -> [178.33.181.23] 3731 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281806/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281806; rev:1;) alert tcp $HOME_NET any -> [185.132.53.128] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281807; rev:1;) alert tcp $HOME_NET any -> [54.37.44.67] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281808; rev:1;) alert tcp $HOME_NET any -> [91.134.252.221] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281809; rev:1;) alert tcp $HOME_NET any -> [107.172.153.90] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281803; rev:1;) alert tcp $HOME_NET any -> [104.168.102.14] 58380 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281804; rev:1;) alert tcp $HOME_NET any -> [139.99.133.226] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281805; rev:1;) alert tcp $HOME_NET any -> [195.58.39.232] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281801; rev:1;) alert tcp $HOME_NET any -> [93.123.85.170] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281802; rev:1;) alert tcp $HOME_NET any -> [46.101.74.107] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281798; rev:1;) alert tcp $HOME_NET any -> [185.244.25.150] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281799; rev:1;) alert tcp $HOME_NET any -> [185.239.242.136] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281800; rev:1;) alert tcp $HOME_NET any -> [37.49.230.137] 
60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281795; rev:1;) alert tcp $HOME_NET any -> [104.248.35.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281796; rev:1;) alert tcp $HOME_NET any -> [54.38.213.78] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281797; rev:1;) alert tcp $HOME_NET any -> [80.211.235.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281792; rev:1;) alert tcp $HOME_NET any -> [185.244.25.228] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281793; rev:1;) alert tcp $HOME_NET any -> [45.76.4.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281794/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281794; rev:1;) alert tcp $HOME_NET any -> [51.75.160.175] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281788; rev:1;) alert tcp $HOME_NET any -> [142.93.193.198] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281789; rev:1;) alert tcp $HOME_NET any -> [104.248.113.246] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281790; rev:1;) alert tcp $HOME_NET any -> [142.11.241.222] 1859 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281791; rev:1;) alert tcp $HOME_NET any -> [205.185.113.210] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281786; rev:1;) alert tcp $HOME_NET any -> [185.244.25.75] 5873 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281787; rev:1;) alert tcp $HOME_NET any -> [142.11.217.88] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281783; rev:1;) alert tcp $HOME_NET any -> [103.3.246.123] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281784; rev:1;) alert tcp $HOME_NET any -> [81.17.30.198] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281785; rev:1;) alert tcp $HOME_NET any -> [78.128.114.66] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281780; rev:1;) alert tcp $HOME_NET any -> [46.29.165.143] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281781; rev:1;) alert tcp $HOME_NET any -> 
[199.231.185.10] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281782; rev:1;) alert tcp $HOME_NET any -> [185.101.105.180] 4554 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281778; rev:1;) alert tcp $HOME_NET any -> [185.244.25.253] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281779; rev:1;) alert tcp $HOME_NET any -> [80.66.88.49] 7777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281776; rev:1;) alert tcp $HOME_NET any -> [185.244.25.206] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281777; rev:1;) alert tcp $HOME_NET any -> [173.249.51.121] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281773/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281773; rev:1;) alert tcp $HOME_NET any -> [107.173.251.132] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281774; rev:1;) alert tcp $HOME_NET any -> [68.183.99.201] 31337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281775; rev:1;) alert tcp $HOME_NET any -> [167.114.98.153] 62434 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281771; rev:1;) alert tcp $HOME_NET any -> [185.244.25.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281772; rev:1;) alert tcp $HOME_NET any -> [209.38.228.110] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281769; rev:1;) alert tcp $HOME_NET any -> [139.59.139.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281770; rev:1;) alert tcp $HOME_NET any -> [137.74.237.194] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281767; rev:1;) alert tcp $HOME_NET any -> [107.172.168.143] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281768; rev:1;) alert tcp $HOME_NET any -> [104.237.255.248] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281766; rev:1;) alert tcp $HOME_NET any -> [23.94.190.101] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281764; rev:1;) alert tcp $HOME_NET any -> [103.153.69.151] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281765; rev:1;) alert 
tcp $HOME_NET any -> [51.250.72.163] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281763; rev:1;) alert tcp $HOME_NET any -> [67.205.128.131] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281762; rev:1;) alert tcp $HOME_NET any -> [45.95.169.147] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281761; rev:1;) alert tcp $HOME_NET any -> [164.90.138.15] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281759; rev:1;) alert tcp $HOME_NET any -> [165.227.72.10] 55 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281760; rev:1;) alert tcp $HOME_NET any -> [51.38.244.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281758/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281758; rev:1;) alert tcp $HOME_NET any -> [46.17.43.75] 602 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281757; rev:1;) alert tcp $HOME_NET any -> [192.3.155.10] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281756; rev:1;) alert tcp $HOME_NET any -> [192.3.155.14] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281755; rev:1;) alert tcp $HOME_NET any -> [104.248.234.122] 40 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281753; rev:1;) alert tcp $HOME_NET any -> [185.164.72.111] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281754; rev:1;) alert tcp $HOME_NET any -> [185.244.25.222] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281752; rev:1;)
# ---------------------------------------------------------------------------
# Bashlite C2 destination rules (ip:port indicators, first_seen 2024_06_05)
#
# Match condition: each rule below fires on a TCP packet from $HOME_NET to
# one listed destination IP and port. No content, flow or flags keyword is
# present, so the match is on the address/port pair alone. A bare connection
# attempt that is later dropped or refused matches as well; an alert does
# not show that a session was established or what was sent.
#
# threshold: type limit, track by_src, seconds 60, count 1
#   At most one alert per rule per source address in a 60-second window.
#   Alert counts therefore do not reflect traffic volume; use flow records
#   or firewall logs to size the activity.
#
# target:src_ip
#   The source address of the event (the $HOME_NET host) is reported as the
#   target, so the host to investigate is the internal one that sent the
#   traffic. $HOME_NET has to cover the monitored address space for these
#   rules to fire at all.
#
# metadata: confidence_level / first_seen
#   Values supplied by the feed. IP:port indicators age as addresses are
#   reassigned; check the reference URL for the current state of the IOC
#   and corroborate with host telemetry before containment.
#
# sid layout: the sid is the ThreatFox IOC id from the reference URL with a
#   leading 9 (ioc/1281751 -> sid:91281751), which allows pivoting from an
#   alert to the IOC record.
#
# Triage notes:
#   - Bashlite (also tracked as Gafgyt) is usually reported on Linux-based
#     embedded/IoT devices; the alerting source is presumably such a device,
#     confirm against the asset inventory.
#   - Some destinations are listed on more than one port under separate sids
#     (51.79.71.170 on 62434 and 23; 45.67.14.165 on 1446 and 4414), so one
#     infected host may raise several of these rules.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [195.58.38.73] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281751; rev:1;)
alert tcp $HOME_NET any -> [209.141.49.76] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281750; rev:1;)
alert tcp $HOME_NET any -> [46.101.213.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281749; rev:1;)
alert tcp $HOME_NET any -> [206.189.230.110] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281747; rev:1;)
alert tcp $HOME_NET any -> [185.233.186.130] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281748; rev:1;)
alert tcp $HOME_NET any -> [157.230.54.252] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281744; rev:1;)
alert tcp $HOME_NET any -> [167.99.78.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281745; rev:1;)
alert tcp $HOME_NET any -> [205.185.113.127] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281746; rev:1;)
alert tcp $HOME_NET any -> [206.189.21.255] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281741; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281742; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.112] 4789 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281743; rev:1;)
alert tcp $HOME_NET any -> [51.79.71.170] 62434 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281737; rev:1;)
alert tcp $HOME_NET any -> [194.182.66.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281738; rev:1;)
alert tcp $HOME_NET any -> [217.147.169.56] 545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281739; rev:1;)
alert tcp $HOME_NET any -> [142.93.234.128] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281740; rev:1;)
alert tcp $HOME_NET any -> [51.178.225.200] 8560 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281734; rev:1;)
alert tcp $HOME_NET any -> [198.98.62.146] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281735; rev:1;)
alert tcp $HOME_NET any -> [107.173.114.12] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281736; rev:1;)
alert tcp $HOME_NET any -> [89.34.26.149] 6963 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281731; rev:1;)
alert tcp $HOME_NET any -> [142.93.134.253] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281732; rev:1;)
alert tcp $HOME_NET any -> [78.40.117.227] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281733; rev:1;)
alert tcp $HOME_NET any -> [37.44.238.66] 2342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281728; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.213] 51029 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281729; rev:1;)
alert tcp $HOME_NET any -> [138.197.206.217] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281730; rev:1;)
alert tcp $HOME_NET any -> [51.255.16.202] 421 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281725; rev:1;)
alert tcp $HOME_NET any -> [38.39.192.14] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281726; rev:1;)
alert tcp $HOME_NET any -> [91.121.226.122] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281727; rev:1;)
alert tcp $HOME_NET any -> [146.71.76.19] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281722; rev:1;)
alert tcp $HOME_NET any -> [45.67.14.165] 1446 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281723; rev:1;)
alert tcp $HOME_NET any -> [174.138.1.149] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281724; rev:1;)
alert tcp $HOME_NET any -> [198.50.236.92] 212 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281719; rev:1;)
alert tcp $HOME_NET any -> [45.8.159.7] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281720; rev:1;)
alert tcp $HOME_NET any -> [142.11.217.230] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281721; rev:1;)
alert tcp $HOME_NET any -> [99.106.146.200] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281716; rev:1;)
alert tcp $HOME_NET any -> [51.79.71.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281717; rev:1;)
alert tcp $HOME_NET any -> [104.248.173.96] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281718; rev:1;)
alert tcp $HOME_NET any -> [45.77.207.51] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281714; rev:1;)
alert tcp $HOME_NET any -> [46.101.128.74] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281715; rev:1;)
alert tcp $HOME_NET any -> [171.22.25.97] 7894 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281711; rev:1;)
alert tcp $HOME_NET any -> [159.65.65.255] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281712; rev:1;)
alert tcp $HOME_NET any -> [93.104.209.253] 3543 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281713; rev:1;)
alert tcp $HOME_NET any -> [178.128.161.0] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281709; rev:1;)
alert tcp $HOME_NET any -> [23.254.224.213] 544 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281710; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.148] 111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281706; rev:1;)
alert tcp $HOME_NET any -> [159.203.163.171] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281707; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.118] 333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281708; rev:1;)
alert tcp $HOME_NET any -> [68.183.208.195] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281702; rev:1;)
alert tcp $HOME_NET any -> [68.183.108.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281703; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.242] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281704; rev:1;)
alert tcp $HOME_NET any -> [198.211.109.4] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281705; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.212] 594 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281699; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.153] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281700; rev:1;)
alert tcp $HOME_NET any -> [103.109.37.155] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281701; rev:1;)
alert tcp $HOME_NET any -> [64.227.188.134] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281696; rev:1;)
alert tcp $HOME_NET any -> [31.192.106.240] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281697; rev:1;)
alert tcp $HOME_NET any -> [80.211.5.210] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281698; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.155] 40345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281694; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.129] 174 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281695; rev:1;)
alert tcp $HOME_NET any -> [147.135.99.147] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281691; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.233] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281692; rev:1;)
alert tcp $HOME_NET any -> [192.3.41.116] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281693; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 30455 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281688; rev:1;)
alert tcp $HOME_NET any -> [71.19.150.93] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281689; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.213] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281690; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.147] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281685; rev:1;)
alert tcp $HOME_NET any -> [157.230.30.10] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281686; rev:1;)
alert tcp $HOME_NET any -> [109.201.143.182] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281687; rev:1;)
alert tcp $HOME_NET any -> [74.91.125.176] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281682; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.75] 1148 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281683; rev:1;)
alert tcp $HOME_NET any -> [206.189.167.201] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281684; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.143] 2737 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281679; rev:1;)
alert tcp $HOME_NET any -> [185.22.152.182] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281680; rev:1;)
alert tcp $HOME_NET any -> [142.93.67.223] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281681; rev:1;)
alert tcp $HOME_NET any -> [157.230.165.111] 2930 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281676; rev:1;)
alert tcp $HOME_NET any -> [51.79.66.236] 87 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281677; rev:1;)
alert tcp $HOME_NET any -> [142.93.184.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281678; rev:1;)
alert tcp $HOME_NET any -> [78.142.19.171] 1738 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281673; rev:1;)
alert tcp $HOME_NET any -> [66.70.225.220] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281674; rev:1;)
alert tcp $HOME_NET any -> [192.3.12.113] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281675; rev:1;)
alert tcp $HOME_NET any -> [168.235.67.246] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281669; rev:1;)
alert tcp $HOME_NET any -> [134.209.156.65] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281670; rev:1;)
alert tcp $HOME_NET any -> [45.67.14.165] 4414 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281671; rev:1;)
alert tcp $HOME_NET any -> [68.183.97.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281672; rev:1;)
alert tcp $HOME_NET any -> [176.223.132.161] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281667; rev:1;)
alert tcp $HOME_NET any -> [205.185.123.217] 998 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281668; rev:1;)
alert tcp $HOME_NET any -> [185.165.29.47] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281666; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.253] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281664; rev:1;)
alert tcp $HOME_NET any -> [91.121.226.126] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281665; rev:1;)
alert tcp $HOME_NET any -> [157.90.231.69] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281660; rev:1;)
alert tcp $HOME_NET any -> [134.19.188.108] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281661; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.123] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281662; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.152] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281663; rev:1;)
alert tcp $HOME_NET any -> [209.141.50.55] 984 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281658; rev:1;)
alert tcp $HOME_NET any -> [91.188.223.158] 717 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281659; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.188] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281655; rev:1;)
alert tcp $HOME_NET any -> [176.32.33.25] 818 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281656; rev:1;)
alert tcp $HOME_NET any -> [192.3.182.220] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281657; rev:1;)
alert tcp $HOME_NET any -> [68.183.166.199] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281652; rev:1;)
alert tcp $HOME_NET any -> [89.34.26.155] 879 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281653; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.253] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281654; rev:1;)
alert tcp $HOME_NET any -> [185.165.29.41] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281649; rev:1;)
alert tcp $HOME_NET any -> [80.211.103.184] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281650; rev:1;)
alert tcp $HOME_NET any -> [167.99.107.136] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281651; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.143] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281646; rev:1;)
alert tcp $HOME_NET any -> [45.9.148.35] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281647; rev:1;)
alert tcp $HOME_NET any -> [142.93.46.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281648; rev:1;)
alert tcp $HOME_NET any -> [157.230.91.126] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281642; rev:1;)
alert tcp $HOME_NET any -> [209.97.187.164] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281643; rev:1;)
alert tcp $HOME_NET any -> [80.211.91.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281644; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.5] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281645; rev:1;)
alert tcp $HOME_NET any -> [192.236.161.84] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281639; rev:1;)
alert tcp $HOME_NET any -> [51.77.213.109] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281640; rev:1;)
alert tcp $HOME_NET any -> [46.101.159.88] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281641; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.7] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281636; rev:1;)
alert tcp $HOME_NET any -> [217.182.177.96] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281637; rev:1;)
alert tcp $HOME_NET any -> [46.36.40.66] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281638; rev:1;)
alert tcp $HOME_NET any -> [185.244.39.147] 9005 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281633; rev:1;)
alert tcp $HOME_NET any -> [142.11.214.46] 62434 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281634; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.211] 
51029 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281635; rev:1;) alert tcp $HOME_NET any -> [46.101.63.5] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281630; rev:1;) alert tcp $HOME_NET any -> [5.2.76.197] 10476 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281631; rev:1;) alert tcp $HOME_NET any -> [120.55.76.1] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281632; rev:1;) alert tcp $HOME_NET any -> [185.101.105.227] 20159 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281627; rev:1;) alert tcp $HOME_NET any -> [205.185.113.44] 6636 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281628/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281628; rev:1;) alert tcp $HOME_NET any -> [167.99.7.113] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281629; rev:1;) alert tcp $HOME_NET any -> [194.87.138.103] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281624; rev:1;) alert tcp $HOME_NET any -> [164.68.116.122] 65535 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281625; rev:1;) alert tcp $HOME_NET any -> [185.62.190.159] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281626; rev:1;) alert tcp $HOME_NET any -> [107.174.14.12] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281621; rev:1;) alert tcp $HOME_NET any -> [142.93.205.254] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281622; rev:1;) alert tcp $HOME_NET any -> [142.11.210.100] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281623; rev:1;) alert tcp $HOME_NET any -> [205.185.120.241] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281618; rev:1;) alert tcp $HOME_NET any -> [206.189.196.216] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281619; rev:1;) alert tcp $HOME_NET any -> [46.17.47.73] 935 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281620; rev:1;) alert tcp $HOME_NET any -> [185.244.25.135] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281615; rev:1;) alert tcp $HOME_NET any -> 
[54.38.220.94] 50 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281616; rev:1;) alert tcp $HOME_NET any -> [134.209.172.118] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281617; rev:1;) alert tcp $HOME_NET any -> [134.209.107.87] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281612; rev:1;) alert tcp $HOME_NET any -> [46.17.40.224] 139 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281613; rev:1;) alert tcp $HOME_NET any -> [167.71.75.37] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281614; rev:1;) alert tcp $HOME_NET any -> [185.165.29.39] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281609/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281609; rev:1;) alert tcp $HOME_NET any -> [78.135.81.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281610; rev:1;) alert tcp $HOME_NET any -> [80.211.34.102] 41179 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281611; rev:1;) alert tcp $HOME_NET any -> [107.174.14.12] 1995 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281605; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 747 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281606; rev:1;) alert tcp $HOME_NET any -> [194.15.36.31] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281607; rev:1;) alert tcp $HOME_NET any -> [157.230.175.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281608; rev:1;) alert tcp $HOME_NET any -> [185.172.110.230] 191 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281602; rev:1;) alert tcp $HOME_NET any -> [104.206.252.66] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281603; rev:1;) alert tcp $HOME_NET any -> [185.132.53.229] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281604; rev:1;) alert tcp $HOME_NET any -> [46.36.40.171] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281599; rev:1;) alert tcp $HOME_NET any -> [185.233.186.144] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281600; rev:1;) alert tcp 
$HOME_NET any -> [54.38.213.78] 231 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281601; rev:1;) alert tcp $HOME_NET any -> [209.141.42.145] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281596; rev:1;) alert tcp $HOME_NET any -> [79.56.208.137] 5062 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281597; rev:1;) alert tcp $HOME_NET any -> [206.189.183.53] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281598; rev:1;) alert tcp $HOME_NET any -> [81.4.103.152] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281593; rev:1;) alert tcp $HOME_NET any -> [147.135.76.202] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281594/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281594; rev:1;) alert tcp $HOME_NET any -> [185.101.105.164] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281595; rev:1;) alert tcp $HOME_NET any -> [67.205.154.43] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281590; rev:1;) alert tcp $HOME_NET any -> [45.32.214.246] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281591; rev:1;) alert tcp $HOME_NET any -> [185.244.25.242] 660 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281592; rev:1;) alert tcp $HOME_NET any -> [185.244.25.166] 341 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281586; rev:1;) alert tcp $HOME_NET any -> [188.166.62.237] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281587; rev:1;) alert tcp $HOME_NET any -> [207.154.200.125] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281588; rev:1;) alert tcp $HOME_NET any -> [93.123.85.101] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281589; rev:1;) alert tcp $HOME_NET any -> [167.88.161.145] 28713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281583; rev:1;) alert tcp $HOME_NET any -> [50.115.166.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281584; rev:1;) alert tcp $HOME_NET any -> [23.254.211.250] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281585; rev:1;) alert 
tcp $HOME_NET any -> [185.244.30.151] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281580; rev:1;) alert tcp $HOME_NET any -> [51.68.197.215] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281581; rev:1;) alert tcp $HOME_NET any -> [165.22.69.255] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281582; rev:1;) alert tcp $HOME_NET any -> [185.101.105.192] 873 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281577; rev:1;) alert tcp $HOME_NET any -> [157.230.15.90] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281578; rev:1;) alert tcp $HOME_NET any -> [185.22.154.234] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281579/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281579; rev:1;) alert tcp $HOME_NET any -> [45.76.127.2] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281574; rev:1;) alert tcp $HOME_NET any -> [46.29.165.131] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281575; rev:1;) alert tcp $HOME_NET any -> [198.167.140.181] 232 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281576; rev:1;) alert tcp $HOME_NET any -> [206.189.181.143] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281571; rev:1;) alert tcp $HOME_NET any -> [14.1.29.67] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281572; rev:1;) alert tcp $HOME_NET any -> [51.68.213.103] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281573; rev:1;) alert tcp $HOME_NET any -> [194.15.36.43] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281569; rev:1;) alert tcp $HOME_NET any -> [104.248.165.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281570; rev:1;) alert tcp $HOME_NET any -> [65.21.186.30] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281566; rev:1;) alert tcp $HOME_NET any -> [199.19.224.245] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281567; rev:1;) alert tcp $HOME_NET any -> [45.95.168.156] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281568; rev:1;) 
alert tcp $HOME_NET any -> [185.132.53.159] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281562; rev:1;) alert tcp $HOME_NET any -> [185.101.105.233] 667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281563; rev:1;) alert tcp $HOME_NET any -> [185.172.110.214] 20 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281564; rev:1;) alert tcp $HOME_NET any -> [94.156.8.9] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281565; rev:1;) alert tcp $HOME_NET any -> [206.189.180.152] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281559; rev:1;) alert tcp $HOME_NET any -> [89.46.223.213] 213 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281560/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281560; rev:1;) alert tcp $HOME_NET any -> [104.168.99.220] 1341 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281561; rev:1;) alert tcp $HOME_NET any -> [142.93.243.117] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281557; rev:1;) alert tcp $HOME_NET any -> [137.74.55.6] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281558; rev:1;) alert tcp $HOME_NET any -> [167.71.107.219] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281554; rev:1;) alert tcp $HOME_NET any -> [185.52.1.235] 4599 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281555; rev:1;) alert tcp $HOME_NET any -> [165.227.221.72] 674 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281556; rev:1;)
# ThreatFox ip:port indicators labelled Bashlite, first_seen 2024_06_05, one rule per line.
# Each rule matches TCP traffic from $HOME_NET to one listed address and port. The rules
# carry no flow or content keyword, so an alert shows only that a host sent a packet toward
# the listed endpoint; it does not show that a session was established or what was sent.
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at one alert per
# source address per 60 seconds. target:src_ip reports the $HOME_NET sender as the affected side.
# NOTE(review): address-based indicators can go stale when an address is reassigned; check
# the reference URL for the indicator's current status before acting on a hit.
alert tcp $HOME_NET any -> [185.244.25.216] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281551; rev:1;)
alert tcp $HOME_NET any -> [80.211.75.35] 1324 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281552; rev:1;)
alert tcp $HOME_NET any -> [89.32.41.227] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281553; rev:1;)
alert tcp $HOME_NET any -> [194.147.32.11] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281549; rev:1;)
alert tcp $HOME_NET any -> [203.159.80.40] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281550; rev:1;)
alert tcp $HOME_NET any -> [46.101.185.54] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281545; rev:1;)
alert tcp $HOME_NET any -> [207.180.237.101] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281546; rev:1;)
alert tcp $HOME_NET any -> [185.195.236.165] 7415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281547; rev:1;)
alert tcp $HOME_NET any -> [68.183.79.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281548; rev:1;)
alert tcp $HOME_NET any -> [185.22.152.239] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281542; rev:1;)
alert tcp $HOME_NET any -> [142.93.119.243] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281543; rev:1;)
alert tcp $HOME_NET any -> [46.101.15.84] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281544; rev:1;)
alert tcp $HOME_NET any -> [139.59.165.167] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281539; rev:1;)
alert tcp $HOME_NET any -> [216.218.192.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281540; rev:1;)
alert tcp $HOME_NET any -> [185.52.1.232] 920 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281541; rev:1;)
alert tcp $HOME_NET any -> [209.141.35.230] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281537; rev:1;)
alert tcp $HOME_NET any -> [185.239.242.247] 33333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281538; rev:1;)
alert tcp $HOME_NET any -> [107.174.144.155] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281534; rev:1;)
alert tcp $HOME_NET any -> [205.185.114.87] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281535; rev:1;)
alert tcp $HOME_NET any -> [91.209.70.120] 20 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281536; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.224] 993 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281531; rev:1;)
alert tcp $HOME_NET any -> [209.141.49.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281532; rev:1;)
alert tcp $HOME_NET any -> [142.93.251.82] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281533; rev:1;)
alert tcp $HOME_NET any -> [198.211.116.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281527; rev:1;)
alert tcp $HOME_NET any -> [68.183.106.233] 54 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281528; rev:1;)
alert tcp $HOME_NET any -> [104.244.77.36] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281529; rev:1;)
alert tcp $HOME_NET any -> [159.65.80.188] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281530; rev:1;)
alert tcp $HOME_NET any -> [51.75.81.238] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281524; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.147] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281525; rev:1;)
alert tcp $HOME_NET any -> [176.32.33.134] 523 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281526; rev:1;)
alert tcp $HOME_NET any -> [188.165.58.128] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281521; rev:1;)
alert tcp $HOME_NET any -> [91.209.70.108] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281522; rev:1;)
alert tcp $HOME_NET any -> [193.228.91.105] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281523; rev:1;)
alert tcp $HOME_NET any -> [68.183.71.182] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281518; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281519; rev:1;)
alert tcp $HOME_NET any -> [68.183.71.128] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281520; rev:1;)
alert tcp $HOME_NET any -> [178.128.185.89] 739 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281515; rev:1;)
alert tcp $HOME_NET any -> [5.252.177.70] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281516; rev:1;)
alert tcp $HOME_NET any -> [144.217.12.66] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281517; rev:1;)
alert tcp $HOME_NET any -> [5.2.70.50] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281512; rev:1;)
alert tcp $HOME_NET any -> [183.81.33.153] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281513; rev:1;)
alert tcp $HOME_NET any -> [42.192.172.230] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281514; rev:1;)
alert tcp $HOME_NET any -> [198.98.56.196] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281509; rev:1;)
alert tcp $HOME_NET any -> [198.199.81.90] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281510; rev:1;)
alert tcp $HOME_NET any -> [198.98.58.97] 476 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281511; rev:1;)
alert tcp $HOME_NET any -> [107.189.10.171] 38221 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281506; rev:1;)
alert tcp $HOME_NET any -> [209.141.62.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281507; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.227] 101 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281508; rev:1;)
alert tcp $HOME_NET any -> [206.189.229.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281504; rev:1;)
alert tcp $HOME_NET any -> [65.181.124.222] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281505; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.147] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281501; rev:1;)
alert tcp $HOME_NET any -> [104.168.215.223] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281502; rev:1;)
alert tcp $HOME_NET any -> [107.175.217.226] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281503; rev:1;)
alert tcp $HOME_NET any -> [143.198.218.116] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281498; rev:1;)
alert tcp $HOME_NET any -> [142.93.219.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281499; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.244] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281500; rev:1;)
# ThreatFox ip:port indicators labelled Bashlite, first_seen 2024_06_05, one rule per line.
# Match condition: TCP from $HOME_NET to the single destination address and port named in
# the rule header. No flow or content keyword is present, so a hit means a host sent a
# packet toward a listed endpoint, not that a session completed or that the payload was
# inspected. Confirm with flow records or host telemetry before treating it as compromise.
# threshold (type limit, track by_src, seconds 60, count 1): one alert per source address
# per rule per 60 seconds. target:src_ip: the $HOME_NET sender is reported as the affected side.
# sid is 9 followed by the ThreatFox IOC id shown in the reference URL.
# NOTE(review): address-based indicators can go stale when an address is reassigned; check
# the reference URL for the indicator's current status before acting on a hit.
alert tcp $HOME_NET any -> [161.35.49.47] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281495; rev:1;)
alert tcp $HOME_NET any -> [134.19.188.108] 1212 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281496; rev:1;)
alert tcp $HOME_NET any -> [81.4.106.148] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281497; rev:1;)
alert tcp $HOME_NET any -> [209.97.155.76] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281491; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.125] 310 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281492; rev:1;)
alert tcp $HOME_NET any -> [50.115.165.107] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281493; rev:1;)
alert tcp $HOME_NET any -> [46.101.243.231] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281494; rev:1;)
alert tcp $HOME_NET any -> [206.189.167.201] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281488; rev:1;)
alert tcp $HOME_NET any -> [104.236.224.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281489; rev:1;)
alert tcp $HOME_NET any -> [51.255.16.202] 413 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281490; rev:1;)
alert tcp $HOME_NET any -> [15.204.245.61] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281485; rev:1;)
alert tcp $HOME_NET any -> [185.81.154.208] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281486; rev:1;)
alert tcp $HOME_NET any -> [185.126.179.154] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281487; rev:1;)
alert tcp $HOME_NET any -> [104.248.25.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281482; rev:1;)
alert tcp $HOME_NET any -> [142.93.218.157] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281483; rev:1;)
alert tcp $HOME_NET any -> [188.166.55.213] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281484; rev:1;)
alert tcp $HOME_NET any -> [159.65.217.254] 5445 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281479; rev:1;)
alert tcp $HOME_NET any -> [173.0.52.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281481; rev:1;)
alert tcp $HOME_NET any -> [80.211.66.35] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281476; rev:1;)
alert tcp $HOME_NET any -> [195.231.4.166] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281477; rev:1;)
alert tcp $HOME_NET any -> [185.52.1.235] 3951 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281478; rev:1;)
alert tcp $HOME_NET any -> [147.135.99.137] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281472; rev:1;)
alert tcp $HOME_NET any -> [37.221.65.177] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281473; rev:1;)
alert tcp $HOME_NET any -> [185.186.244.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281474; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.148] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281475; rev:1;)
alert tcp $HOME_NET any -> [62.210.144.185] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281470; rev:1;)
alert tcp $HOME_NET any -> [142.93.202.209] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281471; rev:1;)
alert tcp $HOME_NET any -> [46.29.166.74] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281468; rev:1;)
alert tcp $HOME_NET any -> [172.245.211.58] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281469; rev:1;)
alert tcp $HOME_NET any -> [45.32.245.156] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281465; rev:1;)
alert tcp $HOME_NET any -> [198.98.61.169] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281466; rev:1;)
alert tcp $HOME_NET any -> [198.167.140.166] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281467; rev:1;)
alert tcp $HOME_NET any -> [167.99.198.11] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281464; rev:1;)
alert tcp $HOME_NET any -> [209.141.39.153] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281460; rev:1;)
alert tcp $HOME_NET any -> [89.46.223.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281461; rev:1;)
alert tcp $HOME_NET any -> [82.64.183.22] 8080 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281462; rev:1;)
alert tcp $HOME_NET any -> [144.217.34.147] 60002 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281463; rev:1;)
alert tcp $HOME_NET any -> [104.244.75.25] 813 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281457; rev:1;)
alert tcp $HOME_NET any -> [68.183.79.93] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281458; rev:1;)
alert tcp $HOME_NET any -> [87.236.212.240] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281459; rev:1;)
alert tcp $HOME_NET any -> [205.185.116.94] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281454; rev:1;)
alert tcp $HOME_NET any -> [142.93.18.16] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281455; rev:1;)
alert tcp $HOME_NET any -> [51.15.228.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281456; rev:1;)
alert tcp $HOME_NET any -> [206.189.118.223] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281451; rev:1;)
alert tcp $HOME_NET any -> [149.56.122.12] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281452; rev:1;)
alert tcp $HOME_NET any -> [45.144.165.227] 22 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281453; rev:1;)
alert tcp $HOME_NET any -> [107.174.14.79] 1098 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281448; rev:1;)
alert tcp $HOME_NET any -> [178.128.204.249] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281449; rev:1;)
alert tcp $HOME_NET any -> [104.248.54.3] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281450; rev:1;)
alert tcp $HOME_NET any -> [80.211.28.172] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281445; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.138] 998 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281446; rev:1;)
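# ThreatFox ip:port indicators labelled "Bashlite botnet C2" (confidence_level 100,
# first_seen 2024_06_05). Rules are kept one per physical line: Suricata does not
# join a rule that wraps onto the next line unless the wrapped line ends in a backslash.
#
# What each rule matches: TCP from $HOME_NET, any source port, to one listed address
# and destination port. No flow, flags or content keyword narrows the match, so the
# alert is raised on address and port alone. The in-rule threshold (type limit,
# track by_src, seconds 60, count 1) caps it at one alert per source address per
# 60 seconds, which keeps a chatty host from flooding the event log.
# target:src_ip records the source address (the $HOME_NET host) as the target in the event.
# sid is the ThreatFox IOC id from the reference URL with a leading 9, so an alert
# can be traced back to its IOC page directly.
#
# Triage note: an ip:port match carries no payload evidence. Addresses get reassigned
# and some destination ports here are ordinary service ports (23, 6667), so confirm a
# hit against flow/pcap data and host telemetry, and weigh first_seen against the
# alert date before treating the source host as infected.
alert tcp $HOME_NET any -> [142.93.89.55] 979 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281447; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.254] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281442; rev:1;)
alert tcp $HOME_NET any -> [176.56.237.44] 660 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281443; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.144] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281444; rev:1;)
alert tcp $HOME_NET any -> [163.172.233.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281439; rev:1;)
alert tcp $HOME_NET any -> [46.29.166.40] 534 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281440; rev:1;)
alert tcp $HOME_NET any -> [139.162.183.77] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281441; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.154] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281436; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.10] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281437; rev:1;)
alert tcp $HOME_NET any -> [207.148.19.82] 1558 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281438; rev:1;)
alert tcp $HOME_NET any -> [103.82.20.50] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281433; rev:1;)
alert tcp $HOME_NET any -> [138.197.153.211] 9235 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281434; rev:1;)
alert tcp $HOME_NET any -> [51.178.225.200] 3224 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281435; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.64] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281432; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.86] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281429; rev:1;)
alert tcp $HOME_NET any -> [104.168.102.145] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281430; rev:1;)
alert tcp $HOME_NET any -> [14.1.29.67] 1234 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281431; rev:1;)
alert tcp $HOME_NET any -> [205.185.119.101] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281427; rev:1;)
alert tcp $HOME_NET any -> [68.183.22.42] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281428; rev:1;)
alert tcp $HOME_NET any -> [80.211.61.21] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281424; rev:1;)
alert tcp $HOME_NET any -> [104.248.214.131] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281425; rev:1;)
alert tcp $HOME_NET any -> [167.114.13.156] 765 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281426; rev:1;)
alert tcp $HOME_NET any -> [159.89.185.209] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281422; rev:1;)
alert tcp $HOME_NET any -> [198.98.59.57] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281423; rev:1;)
alert tcp $HOME_NET any -> [103.60.13.195] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281420; rev:1;)
alert tcp $HOME_NET any -> [198.98.55.87] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281421; rev:1;)
alert tcp $HOME_NET any -> [139.99.113.2] 800 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281417; rev:1;)
alert tcp $HOME_NET any -> [178.128.207.74] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281418; rev:1;)
alert tcp $HOME_NET any -> [185.231.68.60] 1024 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281419; rev:1;)
alert tcp $HOME_NET any -> [37.46.150.72] 42 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281415; rev:1;)
alert tcp $HOME_NET any -> [178.33.14.208] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281416; rev:1;)
alert tcp $HOME_NET any -> [89.46.223.213] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281413; rev:1;)
alert tcp $HOME_NET any -> [104.168.163.95] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281414; rev:1;)
alert tcp $HOME_NET any -> [142.93.126.147] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281412; rev:1;)
alert tcp $HOME_NET any -> [104.238.235.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281409; rev:1;)
alert tcp $HOME_NET any -> [188.166.1.47] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281410; rev:1;)
alert tcp $HOME_NET any -> [45.156.185.182] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281411; rev:1;)
alert tcp $HOME_NET any -> [178.33.181.23] 964 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281406; rev:1;)
alert tcp $HOME_NET any -> [151.80.209.229] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281407; rev:1;)
alert tcp $HOME_NET any -> [194.147.34.63] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281408; rev:1;)
alert tcp $HOME_NET any -> [167.99.206.96] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281405; rev:1;)
alert tcp $HOME_NET any -> [68.183.111.11] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281402; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.153] 33 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281403; rev:1;)
alert tcp $HOME_NET any -> [51.89.115.83] 6744 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281404; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.137] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281399; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.233] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281400; rev:1;)
alert tcp $HOME_NET any -> [31.7.62.115] 65000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281401; rev:1;)
alert tcp $HOME_NET any -> [198.199.68.142] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281397; rev:1;)
alert tcp $HOME_NET any -> [193.239.147.90] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281398; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.230] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281395; rev:1;)
alert tcp $HOME_NET any -> [178.62.27.198] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281396; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.154] 2006 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281392; rev:1;)
alert tcp $HOME_NET any -> [46.29.163.204] 323 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281393; rev:1;)
alert tcp $HOME_NET any -> [104.248.229.149] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281394; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.31] 67 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281389; rev:1;)
alert tcp $HOME_NET any -> [89.34.237.211] 982 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281390; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.43] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281391; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.168] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281386; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.229] 8015 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281387; rev:1;)
alert tcp $HOME_NET any -> [194.48.152.122] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281388; rev:1;)
alert tcp $HOME_NET any -> [199.19.226.178] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281382; rev:1;)
alert tcp $HOME_NET any -> [185.52.1.235] 1026 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281383; rev:1;)
alert tcp $HOME_NET any -> [45.61.185.83] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281384; rev:1;)
alert tcp $HOME_NET any -> [168.235.91.153] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281385; rev:1;)
alert tcp $HOME_NET any -> [104.248.63.86] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281379; rev:1;)
alert tcp $HOME_NET any -> [167.114.124.76] 112 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281380; rev:1;)
alert tcp $HOME_NET any -> [51.255.16.207] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281381; rev:1;)
alert tcp $HOME_NET any -> [198.98.53.130] 83 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281376; rev:1;)
alert tcp $HOME_NET any -> [51.75.156.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281377; rev:1;)
alert tcp $HOME_NET any -> [205.185.125.213] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281378; rev:1;)
alert tcp $HOME_NET any -> [157.230.23.235] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281374; rev:1;)
alert tcp $HOME_NET any -> [46.101.226.118] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281375; rev:1;)
alert tcp $HOME_NET any -> [147.135.23.231] 1722 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281371; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.233] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281372; rev:1;)
alert tcp $HOME_NET any -> [185.22.153.71] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281373; rev:1;)
alert tcp $HOME_NET any -> [185.10.68.191] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281368; rev:1;)
alert tcp $HOME_NET any -> [185.164.72.135] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281369; rev:1;)
alert tcp $HOME_NET any -> [94.103.124.162] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281370; rev:1;)
alert tcp $HOME_NET any -> [145.239.139.22] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281364; rev:1;)
alert tcp $HOME_NET any -> [192.3.131.25] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281365; rev:1;)
alert tcp $HOME_NET any -> [104.168.102.14] 360 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281366; rev:1;)
alert tcp $HOME_NET any -> [167.114.97.208] 38465 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281367; rev:1;)
alert tcp $HOME_NET any -> [62.210.189.131] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281361; rev:1;)
alert tcp $HOME_NET any -> [174.128.226.101] 411 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281362; rev:1;)
alert tcp $HOME_NET any -> [158.69.103.149] 3456 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281363; rev:1;)
alert tcp $HOME_NET any -> [107.173.2.141] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281359; rev:1;)
alert tcp $HOME_NET any -> [194.48.152.17] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281360; rev:1;)
alert tcp $HOME_NET any -> [5.34.179.99] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281356; rev:1;)
alert tcp $HOME_NET any -> [51.255.4.54] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281357; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.103] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281358; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.207] 3485 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281354; rev:1;)
alert tcp $HOME_NET any -> [23.254.211.227] 656 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281355; rev:1;)
alert tcp $HOME_NET any -> [89.34.237.191] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281351; rev:1;)
alert tcp $HOME_NET any -> [178.128.152.57] 6669 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281352; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.33] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281353; rev:1;)
alert tcp $HOME_NET any -> [89.190.159.181] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281348; rev:1;)
alert tcp $HOME_NET any -> [45.32.170.190] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281349; rev:1;)
alert tcp $HOME_NET any -> [46.166.133.165] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281350; rev:1;)
alert tcp $HOME_NET any -> [206.189.120.242] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281345; rev:1;)
alert tcp $HOME_NET any -> [192.210.239.10] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281346; rev:1;)
alert tcp $HOME_NET any -> [142.93.123.195] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281347; rev:1;)
alert tcp $HOME_NET any -> [23.254.226.31] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281343/; target:src_ip; metadata: confidence_level 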
100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281343; rev:1;) alert tcp $HOME_NET any -> [194.15.36.246] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281344; rev:1;) alert tcp $HOME_NET any -> [51.75.161.114] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281340; rev:1;) alert tcp $HOME_NET any -> [107.191.110.161] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281341; rev:1;) alert tcp $HOME_NET any -> [185.244.25.216] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281342; rev:1;) alert tcp $HOME_NET any -> [199.19.225.161] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281337; rev:1;) alert tcp $HOME_NET any -> [23.94.21.90] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281338; rev:1;) alert tcp $HOME_NET any -> [37.49.224.132] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281339; rev:1;) alert tcp $HOME_NET any -> [46.17.41.41] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281334; rev:1;) alert tcp $HOME_NET any -> [46.17.46.22] 983 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281335; rev:1;) alert tcp $HOME_NET any -> [142.11.212.47] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281336; rev:1;) alert tcp $HOME_NET any -> [157.230.94.197] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281331; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 
23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281332; rev:1;) alert tcp $HOME_NET any -> [147.182.181.206] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281333; rev:1;) alert tcp $HOME_NET any -> [185.232.64.168] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281327; rev:1;) alert tcp $HOME_NET any -> [157.230.165.111] 2698 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281328; rev:1;) alert tcp $HOME_NET any -> [80.211.139.209] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281329; rev:1;) alert tcp $HOME_NET any -> [5.2.64.99] 717 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281330/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281330; rev:1;) alert tcp $HOME_NET any -> [50.115.166.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281324; rev:1;) alert tcp $HOME_NET any -> [205.185.120.141] 3137 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281325; rev:1;) alert tcp $HOME_NET any -> [194.147.34.79] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281321; rev:1;) alert tcp $HOME_NET any -> [102.165.48.81] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281322; rev:1;) alert tcp $HOME_NET any -> [103.1.186.242] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281323; rev:1;) alert tcp $HOME_NET any -> [80.211.167.8] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281318; rev:1;) alert tcp $HOME_NET any -> [51.75.30.207] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281319; rev:1;) alert tcp $HOME_NET any -> [51.158.109.239] 379 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281320; rev:1;) alert tcp $HOME_NET any -> [185.224.131.155] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281315; rev:1;) alert tcp $HOME_NET any -> [54.38.210.102] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281316; rev:1;) alert tcp $HOME_NET any -> [135.125.27.200] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281317; rev:1;) alert tcp $HOME_NET any -> [45.84.196.248] 839 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281312; rev:1;) alert tcp $HOME_NET any -> [46.29.164.93] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281313; rev:1;) alert tcp $HOME_NET any -> [194.15.36.246] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281314; rev:1;) alert tcp $HOME_NET any -> [149.56.122.12] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281309; rev:1;) alert tcp $HOME_NET any -> [2.58.95.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281310; rev:1;) alert tcp $HOME_NET any -> [23.254.132.124] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281311/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281311; rev:1;) alert tcp $HOME_NET any -> [46.29.160.102] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281307; rev:1;) alert tcp $HOME_NET any -> [157.230.60.248] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281308; rev:1;) alert tcp $HOME_NET any -> [107.173.176.160] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281304; rev:1;) alert tcp $HOME_NET any -> [2.56.241.218] 8014 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281305; rev:1;) alert tcp $HOME_NET any -> [92.249.48.166] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281306; rev:1;) alert tcp $HOME_NET any -> [45.148.121.98] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1281301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281301; rev:1;) alert tcp $HOME_NET any -> [185.244.25.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281302; rev:1;) alert tcp $HOME_NET any -> [66.70.225.223] 47 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281303; rev:1;) alert tcp $HOME_NET any -> [185.22.154.181] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281298; rev:1;) alert tcp $HOME_NET any -> [46.29.167.55] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281299; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 54356 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281300; rev:1;) alert tcp $HOME_NET any -> [37.46.150.37] 7113 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281296; rev:1;) alert tcp $HOME_NET any -> [205.185.127.155] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281297; rev:1;) alert tcp $HOME_NET any -> [45.95.168.87] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281292; rev:1;) alert tcp $HOME_NET any -> [107.175.189.41] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281293; rev:1;) alert tcp $HOME_NET any -> [138.197.99.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281294; rev:1;) alert tcp $HOME_NET any -> [95.174.91.180] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281295/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281295; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 113 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281290; rev:1;) alert tcp $HOME_NET any -> [157.230.169.189] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281291; rev:1;) alert tcp $HOME_NET any -> [142.93.164.211] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281287; rev:1;) alert tcp $HOME_NET any -> [107.155.153.179] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281288; rev:1;) alert tcp $HOME_NET any -> [68.183.66.143] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281289; rev:1;) alert tcp $HOME_NET any -> [185.244.25.189] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281284; rev:1;) alert tcp $HOME_NET any -> [68.183.21.143] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281285; rev:1;) alert tcp $HOME_NET any -> [107.172.137.175] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281286; rev:1;) alert tcp $HOME_NET any -> [163.172.185.153] 322 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281282; rev:1;) alert tcp $HOME_NET any -> [165.227.161.65] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281283; rev:1;) alert tcp $HOME_NET any -> [92.249.48.38] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281279; rev:1;) alert tcp $HOME_NET any -> 
[138.68.103.230] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281280; rev:1;)
# --- ThreatFox ip:port indicators: Bashlite C2, all first_seen 2024_06_05 ---
# Each rule below alerts on TCP traffic from $HOME_NET (any source port) to one
# listed destination IP and port. There are no flow or content keywords, so the
# match is on the address pair alone: an alert shows that an internal host sent
# traffic toward the indicator, not that a session completed or that the
# payload was identified as Bashlite.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert
# per source address per 60 seconds for each sid.
# target:src_ip marks the internal (source) host as the target in alert output.
# metadata (confidence_level, first_seen) is informational and does not affect
# matching. In these rules the sid is the ThreatFox IOC id from the reference
# URL prefixed with 9.
# NOTE(review): IP:port indicators can go stale when an address is reassigned;
# confirm the referenced ThreatFox entry is still current before using a hit
# for blocking or as the sole evidence of compromise.
# Some destination IPs appear more than once with different ports
# (185.244.25.153, 185.172.110.224, 198.98.58.235); correlate by IP in triage.
alert tcp $HOME_NET any -> [142.93.68.129] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281281; rev:1;)
alert tcp $HOME_NET any -> [89.34.237.189] 75 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281276; rev:1;)
alert tcp $HOME_NET any -> [172.245.210.174] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281277; rev:1;)
alert tcp $HOME_NET any -> [205.185.124.211] 12 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281278; rev:1;)
alert tcp $HOME_NET any -> [142.11.205.100] 43 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281274; rev:1;)
alert tcp $HOME_NET any -> [209.141.61.187] 20 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281275; rev:1;)
alert tcp $HOME_NET any -> [145.239.41.199] 4501 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281271; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.227] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281272; rev:1;)
alert tcp $HOME_NET any -> [37.44.238.66] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281273; rev:1;)
alert tcp $HOME_NET any -> [185.110.190.125] 3333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281268; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.168] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281269; rev:1;)
alert tcp $HOME_NET any -> [68.183.172.32] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281270; rev:1;)
alert tcp $HOME_NET any -> [107.174.24.161] 248 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281266; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.153] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281267; rev:1;)
alert tcp $HOME_NET any -> [103.195.7.71] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281264; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.253] 44444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281265; rev:1;)
alert tcp $HOME_NET any -> [164.90.187.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281260; rev:1;)
alert tcp $HOME_NET any -> [195.154.77.155] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281261; rev:1;)
alert tcp $HOME_NET any -> [203.159.80.150] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281262; rev:1;)
alert tcp $HOME_NET any -> [51.89.115.83] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281263; rev:1;)
alert tcp $HOME_NET any -> [109.201.143.178] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281258; rev:1;)
alert tcp $HOME_NET any -> [205.185.120.140] 923 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281259; rev:1;)
alert tcp $HOME_NET any -> [159.89.85.81] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281255; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.141] 737 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281256; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.230] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281257; rev:1;)
alert tcp $HOME_NET any -> [206.189.138.82] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281252; rev:1;)
alert tcp $HOME_NET any -> [79.124.40.47] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281253; rev:1;)
alert tcp $HOME_NET any -> [46.36.37.121] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281254; rev:1;)
alert tcp $HOME_NET any -> [104.244.77.36] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281249; rev:1;)
alert tcp $HOME_NET any -> [31.13.195.251] 3453 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281250; rev:1;)
alert tcp $HOME_NET any -> [31.42.177.104] 10235 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281251; rev:1;)
alert tcp $HOME_NET any -> [173.212.234.54] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281246; rev:1;)
alert tcp $HOME_NET any -> [198.23.239.166] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281247; rev:1;)
alert tcp $HOME_NET any -> [198.211.113.55] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281248; rev:1;)
alert tcp $HOME_NET any -> [198.98.62.146] 922 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281243; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.229] 18 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281244; rev:1;)
alert tcp $HOME_NET any -> [91.209.70.120] 177 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281245; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281240; rev:1;)
alert tcp $HOME_NET any -> [185.244.39.107] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281241; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.153] 422 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281242; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.232] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281238; rev:1;)
alert tcp $HOME_NET any -> [167.114.115.119] 87 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281235; rev:1;)
alert tcp $HOME_NET any -> [69.55.54.213] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281236; rev:1;)
alert tcp $HOME_NET any -> [51.91.202.137] 8811 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281237; rev:1;)
alert tcp $HOME_NET any -> [142.93.63.144] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281234; rev:1;)
alert tcp $HOME_NET any -> [165.22.144.189] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281232; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.203] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281233; rev:1;)
alert tcp $HOME_NET any -> [5.2.77.227] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281229; rev:1;)
alert tcp $HOME_NET any -> [68.183.71.182] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281230; rev:1;)
alert tcp $HOME_NET any -> [193.239.147.75] 617 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281231; rev:1;)
alert tcp $HOME_NET any -> [45.151.68.222] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281225; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.84] 8010 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281226; rev:1;)
alert tcp $HOME_NET any -> [165.22.128.163] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281227; rev:1;)
alert tcp $HOME_NET any -> [198.98.53.194] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281228; rev:1;)
alert tcp $HOME_NET any -> [104.248.6.196] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281223; rev:1;)
alert tcp $HOME_NET any -> [107.174.39.102] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281224; rev:1;)
alert tcp $HOME_NET any -> [206.189.17.155] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281220; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.201] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281221; rev:1;)
alert tcp $HOME_NET any -> [209.141.54.253] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281222; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.211] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281217; rev:1;)
alert tcp $HOME_NET any -> [81.171.3.228] 982 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281218; rev:1;)
alert tcp $HOME_NET any -> [2.59.116.62] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281219; rev:1;)
alert tcp $HOME_NET any -> [151.80.209.229] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281214; rev:1;)
alert tcp $HOME_NET any -> [142.93.108.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281215; rev:1;)
alert tcp $HOME_NET any -> [165.22.80.158] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281216; rev:1;)
alert tcp $HOME_NET any -> [159.89.229.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281211; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.209] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281212; rev:1;)
alert tcp $HOME_NET any -> [45.80.37.125] 2245 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281213; rev:1;)
alert tcp $HOME_NET any -> [104.248.231.103] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281208; rev:1;)
alert tcp $HOME_NET any -> [68.183.140.225] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281209; rev:1;)
alert tcp $HOME_NET any -> [138.197.5.39] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281210; rev:1;)
alert tcp $HOME_NET any -> [185.246.116.179] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281205; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.224] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281206; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.117] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281207; rev:1;)
alert tcp $HOME_NET any -> [205.185.126.201] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281202; rev:1;)
alert tcp $HOME_NET any -> [157.230.92.196] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281203; rev:1;)
alert tcp $HOME_NET any -> [89.34.237.210] 922 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281204; rev:1;)
alert tcp $HOME_NET any -> [209.141.54.9] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281199; rev:1;)
alert tcp $HOME_NET any -> [69.172.229.174] 10000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281200; rev:1;)
alert tcp $HOME_NET any -> [198.98.58.235] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281201; rev:1;)
alert tcp $HOME_NET any -> [157.230.221.85] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281196; rev:1;)
alert tcp $HOME_NET any -> [192.99.167.75] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281197; rev:1;)
alert tcp $HOME_NET any -> [199.38.245.231] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281198; rev:1;)
alert tcp $HOME_NET any -> [183.81.33.153] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281193; rev:1;)
alert tcp $HOME_NET any -> [134.209.156.105] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281194; rev:1;)
alert tcp $HOME_NET any -> [198.12.76.151] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281195; rev:1;)
alert tcp $HOME_NET any -> [212.237.29.81] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281191; rev:1;)
alert tcp $HOME_NET any -> [185.239.242.208] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281192; rev:1;)
alert tcp $HOME_NET any -> [50.115.170.108] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281188; rev:1;)
alert tcp $HOME_NET any -> [104.248.223.216] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281189; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.224] 5515 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281190; rev:1;)
alert tcp $HOME_NET any -> [172.245.112.72] 1234 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281185; rev:1;)
alert tcp $HOME_NET any -> [194.87.138.44] 6780 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281186; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.191] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281187; rev:1;)
alert tcp $HOME_NET any -> [198.98.58.235] 53600 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281182; rev:1;)
alert tcp $HOME_NET any -> [51.77.213.109] 9004 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281183; rev:1;)
alert tcp $HOME_NET any -> [46.17.46.22] 8014 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281184; rev:1;)
alert tcp $HOME_NET any -> [23.95.226.153] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281179; rev:1;)
alert tcp $HOME_NET any -> [188.166.25.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281180; rev:1;)
alert tcp $HOME_NET any -> [209.141.41.58] 4532 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281181; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.140] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281176; rev:1;)
alert tcp $HOME_NET any -> [107.174.241.143] 311 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281177; rev:1;)
alert tcp $HOME_NET any -> [104.248.132.154] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281178; rev:1;)
alert tcp $HOME_NET any -> [137.74.237.195] 1330 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281173; rev:1;)
alert tcp $HOME_NET any -> [167.99.225.112] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281174; rev:1;)
alert tcp $HOME_NET any -> [87.107.146.227] 3391 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281175; rev:1;)
alert tcp $HOME_NET any -> [45.95.147.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281169; rev:1;)
alert tcp $HOME_NET any -> [45.156.22.230] 1881 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281170; rev:1;)
alert tcp $HOME_NET any -> [206.189.221.52] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281171; rev:1;)
alert tcp $HOME_NET any -> [185.165.29.111] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281172; rev:1;)
alert tcp $HOME_NET any -> [45.14.224.244] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281166; rev:1;)
alert tcp $HOME_NET any -> [198.98.52.167] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281167; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.41] 713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281168; rev:1;)
alert tcp $HOME_NET any -> [178.128.125.114] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281163; rev:1;)
alert tcp $HOME_NET any -> [108.39.19.20] 2829 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281164; rev:1;)
alert tcp $HOME_NET any -> [185.112.249.122] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281165; rev:1;)
alert tcp $HOME_NET any -> [107.173.213.43] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281160; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.56] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281161/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281161; rev:1;) alert tcp $HOME_NET any -> [173.232.146.170] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281162; rev:1;) alert tcp $HOME_NET any -> [217.61.125.227] 979 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281157; rev:1;) alert tcp $HOME_NET any -> [192.3.194.124] 717 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281158; rev:1;) alert tcp $HOME_NET any -> [108.61.215.176] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281159; rev:1;) alert tcp $HOME_NET any -> [104.248.231.250] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281154; rev:1;) alert tcp $HOME_NET any -> [198.46.160.136] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1281155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281155; rev:1;) alert tcp $HOME_NET any -> [185.10.68.191] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281156; rev:1;) alert tcp $HOME_NET any -> [93.123.85.140] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281151; rev:1;) alert tcp $HOME_NET any -> [185.244.25.93] 52160 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281152; rev:1;) alert tcp $HOME_NET any -> [209.141.34.113] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281153; rev:1;) alert tcp $HOME_NET any -> [103.153.69.150] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281148; rev:1;) alert tcp $HOME_NET any -> [46.17.44.44] 23 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281149; rev:1;) alert tcp $HOME_NET any -> [142.44.251.105] 65535 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281150; rev:1;) alert tcp $HOME_NET any -> [80.211.28.43] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281145; rev:1;) alert tcp $HOME_NET any -> [213.32.95.48] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281146; rev:1;) alert tcp $HOME_NET any -> [45.95.168.121] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281147; rev:1;) alert tcp $HOME_NET any -> [37.49.230.103] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281142/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281142; rev:1;) alert tcp $HOME_NET any -> [83.97.20.90] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281143; rev:1;) alert tcp $HOME_NET any -> [206.189.157.235] 1991 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281139; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 6536 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281140; rev:1;) alert tcp $HOME_NET any -> [80.211.184.72] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281141; rev:1;) alert tcp $HOME_NET any -> [178.128.121.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281136; rev:1;) alert tcp $HOME_NET any -> [142.93.153.19] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281137; rev:1;) alert tcp $HOME_NET any -> [185.165.29.25] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281138; rev:1;) alert tcp $HOME_NET any -> [185.244.25.126] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281133; rev:1;) alert tcp $HOME_NET any -> [94.177.224.200] 247 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281134; rev:1;) alert tcp $HOME_NET any -> [162.243.167.162] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281135; rev:1;) alert tcp $HOME_NET any -> [142.11.227.63] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281130; rev:1;) alert tcp $HOME_NET any -> [37.49.227.109] 60001 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281131; rev:1;) alert tcp $HOME_NET any -> [216.218.192.170] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281132; rev:1;) alert tcp $HOME_NET any -> [46.166.133.165] 456 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281127; rev:1;) alert tcp $HOME_NET any -> [185.112.248.29] 7777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281128; rev:1;) alert tcp $HOME_NET any -> [167.99.164.140] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281129; rev:1;) alert tcp $HOME_NET any -> [45.141.58.180] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281124/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281124; rev:1;) alert tcp $HOME_NET any -> [37.49.225.241] 58215 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281125; rev:1;) alert tcp $HOME_NET any -> [137.74.237.193] 151 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281126; rev:1;) alert tcp $HOME_NET any -> [45.95.168.119] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281121; rev:1;) alert tcp $HOME_NET any -> [143.198.50.169] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281122; rev:1;) alert tcp $HOME_NET any -> [103.159.188.34] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281123; rev:1;) alert tcp $HOME_NET any -> [37.49.230.45] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281118; rev:1;) alert tcp $HOME_NET any -> [93.123.85.139] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281119; rev:1;) alert tcp $HOME_NET any -> [5.2.65.150] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281120; rev:1;) alert tcp $HOME_NET any -> [159.89.239.212] 54 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281115; rev:1;) alert tcp $HOME_NET any -> [138.197.165.239] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281116; rev:1;) alert tcp $HOME_NET any -> [67.21.68.148] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281117; rev:1;) alert tcp $HOME_NET any -> [198.167.140.146] 
23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281112; rev:1;) alert tcp $HOME_NET any -> [51.77.245.82] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281113; rev:1;) alert tcp $HOME_NET any -> [78.135.81.84] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281114; rev:1;) alert tcp $HOME_NET any -> [209.97.136.123] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281109; rev:1;) alert tcp $HOME_NET any -> [195.88.208.161] 872 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281110; rev:1;) alert tcp $HOME_NET any -> [192.241.136.213] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281111/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281111; rev:1;) alert tcp $HOME_NET any -> [46.29.163.200] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281106; rev:1;) alert tcp $HOME_NET any -> [104.248.231.103] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281107; rev:1;) alert tcp $HOME_NET any -> [78.128.114.66] 353 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281108; rev:1;) alert tcp $HOME_NET any -> [93.123.85.43] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281102; rev:1;) alert tcp $HOME_NET any -> [178.62.240.123] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281103; rev:1;) alert tcp $HOME_NET any -> [192.129.175.148] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281104; rev:1;) alert tcp $HOME_NET any -> [206.189.140.181] 18184 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281105; rev:1;) alert tcp $HOME_NET any -> [178.128.195.57] 8346 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281099; rev:1;) alert tcp $HOME_NET any -> [142.93.5.233] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281100; rev:1;) alert tcp $HOME_NET any -> [87.251.64.208] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281101; rev:1;) alert tcp $HOME_NET any -> [68.183.30.66] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281096; rev:1;) alert tcp $HOME_NET any -> [80.211.184.72] 1337 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281097; rev:1;) alert tcp $HOME_NET any -> [107.172.141.115] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281098; rev:1;) alert tcp $HOME_NET any -> [192.241.151.14] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281093; rev:1;) alert tcp $HOME_NET any -> [45.84.196.166] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281094; rev:1;) alert tcp $HOME_NET any -> [188.166.41.194] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281095; rev:1;) alert tcp $HOME_NET any -> [80.211.40.217] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281090/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281090; rev:1;) alert tcp $HOME_NET any -> [23.254.226.242] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281091; rev:1;) alert tcp $HOME_NET any -> [46.166.151.88] 453 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281092; rev:1;) alert tcp $HOME_NET any -> [80.211.234.123] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281087; rev:1;) alert tcp $HOME_NET any -> [185.52.2.140] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281088; rev:1;) alert tcp $HOME_NET any -> [45.95.168.156] 8899 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281089; rev:1;) alert tcp $HOME_NET any -> [206.189.194.182] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281084; rev:1;)
# --- ThreatFox ip:port indicators (Bashlite, first_seen 2024_06_05) ---
# How these rules match: each one alerts on TCP traffic from $HOME_NET to a
# single destination address and port. No flow, flags or content keyword is
# present, so the first packet of a connection attempt can match; an alert
# shows that a host tried to reach the address, not that a C2 session was
# established or that any payload was exchanged.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per rule per 60 seconds, so alert counts do not
# reflect connection volume.
# target:src_ip marks the $HOME_NET side as the affected host in event output.
# sid appears to be "9" followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): address-only indicators lose value once an address changes
# hands; check the referenced ThreatFox entry and corroborate with host or flow
# data before treating a hit as confirmed. Expiry policy is not visible here.
alert tcp $HOME_NET any -> [185.244.25.242] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281085; rev:1;)
alert tcp $HOME_NET any -> [209.141.57.94] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281086; rev:1;)
alert tcp $HOME_NET any -> [178.128.178.70] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281081; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.161] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281082; rev:1;)
alert tcp $HOME_NET any -> [198.98.61.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281083; rev:1;)
alert tcp $HOME_NET any -> [209.141.39.153] 11000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281078; rev:1;)
alert tcp $HOME_NET any -> [159.65.159.83] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281079; rev:1;)
alert tcp $HOME_NET any -> [159.89.222.5] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281080; rev:1;)
alert tcp $HOME_NET any -> [178.128.161.154] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281075; rev:1;)
alert tcp $HOME_NET any -> [51.79.55.3] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281076; rev:1;)
alert tcp $HOME_NET any -> [50.115.174.102] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281077; rev:1;)
alert tcp $HOME_NET any -> [185.63.253.201] 801 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281072; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.167] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281073; rev:1;)
alert tcp $HOME_NET any -> [104.248.63.168] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281074; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.164] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281069; rev:1;)
alert tcp $HOME_NET any -> [68.183.99.35] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281070; rev:1;)
alert tcp $HOME_NET any -> [23.254.202.208] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281071; rev:1;)
alert tcp $HOME_NET any -> [70.185.41.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281067; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.101] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281068; rev:1;)
alert tcp $HOME_NET any -> [159.89.143.217] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281065; rev:1;)
alert tcp $HOME_NET any -> [205.185.126.14] 3074 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281066; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.189] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281063; rev:1;)
alert tcp $HOME_NET any -> [212.237.58.51] 979 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281064; rev:1;)
alert tcp $HOME_NET any -> [192.243.101.212] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281060; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.121] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281061; rev:1;)
alert tcp $HOME_NET any -> [134.209.115.74] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281062; rev:1;)
alert tcp $HOME_NET any -> [157.230.125.121] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281058; rev:1;)
alert tcp $HOME_NET any -> [192.3.131.23] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281059; rev:1;)
alert tcp $HOME_NET any -> [157.230.243.41] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281055; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.181] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281056; rev:1;)
alert tcp $HOME_NET any -> [92.156.79.152] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281057; rev:1;)
alert tcp $HOME_NET any -> [157.230.220.41] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281053; rev:1;)
alert tcp $HOME_NET any -> [46.36.41.247] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281054; rev:1;)
alert tcp $HOME_NET any -> [78.135.81.84] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281051; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.142] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281052; rev:1;)
alert tcp $HOME_NET any -> [45.143.223.42] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281048; rev:1;)
alert tcp $HOME_NET any -> [50.115.172.117] 423 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281049; rev:1;)
alert tcp $HOME_NET any -> [185.101.107.236] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281050; rev:1;)
alert tcp $HOME_NET any -> [185.244.219.116] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281045; rev:1;)
alert tcp $HOME_NET any -> [91.196.149.73] 211 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281046; rev:1;)
alert tcp $HOME_NET any -> [173.82.168.101] 98 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281047; rev:1;)
alert tcp $HOME_NET any -> [135.148.55.139] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281043; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.8] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281044; rev:1;)
alert tcp $HOME_NET any -> [51.254.176.79] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281041; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.199] 310 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281042; rev:1;)
alert tcp $HOME_NET any -> [172.245.153.123] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281039; rev:1;)
alert tcp $HOME_NET any -> [165.227.36.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281040; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.149] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281036; rev:1;)
alert tcp $HOME_NET any -> [185.150.26.223] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281037; rev:1;)
alert tcp $HOME_NET any -> [45.131.108.174] 44 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281038; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.173] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281034; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.145] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281035; rev:1;)
alert tcp $HOME_NET any -> [104.168.44.166] 3485 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281031; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.166] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281032; rev:1;)
alert tcp $HOME_NET any -> [23.254.224.66] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281033; rev:1;)
alert tcp $HOME_NET any -> [46.101.54.107] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281030; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.138] 879 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281028; rev:1;)
alert tcp $HOME_NET any -> [80.211.142.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281029; rev:1;)
alert tcp $HOME_NET any -> [178.62.63.52] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281027; rev:1;)
alert tcp $HOME_NET any -> [157.230.209.246] 66 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281025; rev:1;)
alert tcp $HOME_NET any -> [159.203.84.111] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281026; rev:1;)
alert tcp $HOME_NET any -> [165.22.185.127] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281024; rev:1;)
alert tcp $HOME_NET any -> [206.189.189.14] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281022; rev:1;)
alert tcp $HOME_NET any -> [107.173.91.168] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281023; rev:1;)
alert tcp $HOME_NET any -> [172.105.68.51] 345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281020; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.251] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281021; rev:1;)
alert tcp $HOME_NET any -> [142.11.212.47] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281018; rev:1;)
alert tcp $HOME_NET any -> [188.166.58.42] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281019; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.149] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281017; rev:1;)
alert tcp $HOME_NET any -> [46.29.164.93] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281016; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.179] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281015; rev:1;)
alert tcp $HOME_NET any -> [209.97.183.24] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281014; rev:1;)
alert tcp $HOME_NET any -> [198.98.56.156] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281012; rev:1;)
alert tcp $HOME_NET any -> [155.138.206.237] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281013; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281011; rev:1;)
alert tcp $HOME_NET any -> [138.197.215.81] 911 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281010; rev:1;)
alert tcp $HOME_NET any -> [104.168.102.194] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281009; rev:1;)
alert tcp $HOME_NET any -> [46.36.41.197] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281008; rev:1;)
alert tcp $HOME_NET any -> [51.79.65.49] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281007; rev:1;)
alert tcp $HOME_NET any -> [199.19.225.2] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281006; rev:1;)
alert tcp $HOME_NET any -> [185.22.152.249] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281005; rev:1;)
alert tcp $HOME_NET any -> [46.29.163.77] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281004; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.91] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281003; rev:1;)
alert tcp $HOME_NET any -> [185.172.111.199] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281002; rev:1;)
alert tcp $HOME_NET any -> [206.189.207.175] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281001; rev:1;)
alert tcp $HOME_NET any -> [207.246.123.143] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280999; rev:1;)
alert tcp $HOME_NET any -> [51.178.81.75] 9004 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281000; rev:1;)
alert tcp $HOME_NET any -> [194.147.32.226] 935 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280998; rev:1;)
alert tcp $HOME_NET any -> [194.87.138.10] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280997; rev:1;)
alert tcp $HOME_NET any -> [37.49.227.202] 35678 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280996; rev:1;)
alert tcp $HOME_NET any -> [193.70.81.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280995; rev:1;)
alert tcp $HOME_NET any -> [193.233.252.242] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280994; rev:1;)
alert tcp $HOME_NET any -> [178.33.181.23] 924 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280993; rev:1;)
alert tcp $HOME_NET any -> [159.65.227.17] 64 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280992; rev:1;)
alert tcp $HOME_NET any -> [76.74.170.204] 45645 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280991; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.106] 1722 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280990; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.170] 26586 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280989; rev:1;)
alert tcp $HOME_NET any -> [195.231.9.122] 5062 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280987; rev:1;)
alert tcp $HOME_NET any -> [139.59.95.206] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280988; rev:1;)
alert tcp $HOME_NET any -> [185.232.64.168] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280985; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.224] 65531 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280986; rev:1;)
alert tcp $HOME_NET any -> [46.101.144.161] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280984; rev:1;)
alert tcp $HOME_NET any -> [206.189.188.17] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280982; rev:1;)
alert tcp $HOME_NET any -> [45.153.203.204] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280983; rev:1;)
alert tcp $HOME_NET any -> [188.227.19.18] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280980; rev:1;)
alert tcp $HOME_NET any -> [159.89.34.227] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280981; rev:1;)
alert tcp $HOME_NET any -> [142.93.152.64] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280978; rev:1;)
alert tcp $HOME_NET any -> [157.230.219.6] 554 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280979; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.147] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280977; rev:1;)
alert tcp $HOME_NET any -> [206.189.167.201] 6665 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280974; rev:1;)
alert tcp $HOME_NET any -> [46.173.219.118] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280975; rev:1;)
alert tcp $HOME_NET any -> [151.236.38.234] 745 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280976; rev:1;)
alert tcp $HOME_NET any -> [167.88.124.204] 223 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280971/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280971; rev:1;) alert tcp $HOME_NET any -> [199.195.252.101] 28713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280972; rev:1;) alert tcp $HOME_NET any -> [198.12.97.72] 60001 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280973; rev:1;) alert tcp $HOME_NET any -> [51.38.83.30] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280969; rev:1;) alert tcp $HOME_NET any -> [194.147.32.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280970; rev:1;) alert tcp $HOME_NET any -> [194.15.36.4] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280968; rev:1;) alert tcp $HOME_NET any -> [80.211.44.61] 48884 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280965; rev:1;) alert tcp $HOME_NET any -> [46.29.161.247] 838 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280966; rev:1;) alert tcp $HOME_NET any -> [159.65.185.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280967; rev:1;) alert tcp $HOME_NET any -> [147.182.249.167] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280963; rev:1;) alert tcp $HOME_NET any -> [45.32.59.173] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280964; rev:1;) alert tcp $HOME_NET any -> [68.183.141.219] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280961; rev:1;) alert tcp $HOME_NET any -> [46.29.166.95] 
985 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280962; rev:1;) alert tcp $HOME_NET any -> [163.172.133.10] 544 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280958; rev:1;) alert tcp $HOME_NET any -> [46.29.163.68] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280959; rev:1;) alert tcp $HOME_NET any -> [178.128.7.177] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280960; rev:1;) alert tcp $HOME_NET any -> [205.185.114.87] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280955; rev:1;) alert tcp $HOME_NET any -> [91.208.127.128] 1024 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280956/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280956; rev:1;) alert tcp $HOME_NET any -> [68.183.98.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280957; rev:1;) alert tcp $HOME_NET any -> [157.230.48.173] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280953; rev:1;) alert tcp $HOME_NET any -> [198.46.249.213] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280954; rev:1;) alert tcp $HOME_NET any -> [185.244.25.123] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280950; rev:1;) alert tcp $HOME_NET any -> [77.83.117.225] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280951; rev:1;) alert tcp $HOME_NET any -> [185.244.25.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280952; rev:1;) alert tcp $HOME_NET any -> [120.89.61.187] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280947; rev:1;) alert tcp $HOME_NET any -> [185.239.242.119] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280948; rev:1;) alert tcp $HOME_NET any -> [89.34.26.123] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280949; rev:1;) alert tcp $HOME_NET any -> [51.75.74.22] 87 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280946; rev:1;) alert tcp $HOME_NET any -> [46.17.47.250] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280943; rev:1;) alert tcp $HOME_NET any -> [81.4.106.148] 374 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280944; rev:1;) alert tcp $HOME_NET any -> [165.227.63.145] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280945; rev:1;) alert tcp $HOME_NET any -> [23.94.136.122] 1738 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280941; rev:1;) alert tcp $HOME_NET any -> [149.28.116.14] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280942; rev:1;) alert tcp $HOME_NET any -> [103.82.20.7] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280938; rev:1;) alert tcp $HOME_NET any -> [198.144.190.22] 7777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280939/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280939; rev:1;) alert tcp $HOME_NET any -> [205.185.114.87] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280940; rev:1;) alert tcp $HOME_NET any -> [209.141.37.251] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280936; rev:1;) alert tcp $HOME_NET any -> [206.189.68.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280937; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280933; rev:1;) alert tcp $HOME_NET any -> [172.245.135.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280934; rev:1;) alert tcp $HOME_NET any -> [178.128.227.2] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280935; rev:1;) alert tcp $HOME_NET any -> [46.36.41.247] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280931; rev:1;) alert tcp $HOME_NET any -> [108.174.199.188] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280932; rev:1;) alert tcp $HOME_NET any -> [138.68.238.104] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280928; rev:1;) alert tcp $HOME_NET any -> [149.56.228.32] 1411 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280929; rev:1;) alert tcp $HOME_NET any -> [45.153.243.219] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280930; rev:1;) alert tcp $HOME_NET any -> 
[104.168.102.14] 38221 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280927; rev:1;) alert tcp $HOME_NET any -> [209.141.41.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280924; rev:1;) alert tcp $HOME_NET any -> [205.185.127.94] 6258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280925; rev:1;) alert tcp $HOME_NET any -> [174.138.13.156] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280926; rev:1;) alert tcp $HOME_NET any -> [195.123.245.205] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280922; rev:1;) alert tcp $HOME_NET any -> [185.232.64.140] 8010 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280923/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280923; rev:1;) alert tcp $HOME_NET any -> [37.49.227.120] 60001 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280920; rev:1;) alert tcp $HOME_NET any -> [142.93.13.73] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280921; rev:1;) alert tcp $HOME_NET any -> [168.235.66.17] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280918; rev:1;) alert tcp $HOME_NET any -> [185.172.110.224] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280919; rev:1;) alert tcp $HOME_NET any -> [178.62.9.232] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280915; rev:1;) alert tcp $HOME_NET any -> [178.62.215.86] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280916; rev:1;) alert tcp $HOME_NET any -> [136.144.200.209] 4599 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280917; rev:1;) alert tcp $HOME_NET any -> [164.90.191.187] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280913; rev:1;) alert tcp $HOME_NET any -> [223.252.60.83] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280914; rev:1;) alert tcp $HOME_NET any -> [198.167.140.121] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280911; rev:1;) alert tcp $HOME_NET any -> [207.154.249.73] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280912; rev:1;) alert tcp $HOME_NET 
any -> [68.183.222.39] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280908; rev:1;)
# Bashlite ip:port indicators (confidence_level 100, first_seen 2024_06_05).
# Each rule below matches on destination address and port only: any TCP
# packet from $HOME_NET to the listed endpoint raises the alert, and there is
# no flow or payload keyword. A hit therefore shows a connection attempt to an
# address ThreatFox listed as C2, not a confirmed C2 session.
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at
# one alert per source address per 60 seconds, so alert counts understate the
# number of connections; use flow records for volume.
# target:src_ip marks the $HOME_NET host as the target side of the event.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9.
# NOTE(review): ip:port indicators age; check that the referenced IOC entry is
# still current before escalating, and before reusing these rules in a
# blocking (drop) policy, where a reassigned address would affect legitimate
# traffic.
alert tcp $HOME_NET any -> [2.57.122.213] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280909; rev:1;)
alert tcp $HOME_NET any -> [66.23.201.227] 656 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280910; rev:1;)
alert tcp $HOME_NET any -> [43.224.29.49] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280906; rev:1;)
alert tcp $HOME_NET any -> [107.175.215.10] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280907; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.222] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280904; rev:1;)
alert tcp $HOME_NET any -> [142.11.219.202] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280905; rev:1;)
alert tcp $HOME_NET any -> [167.99.215.155] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280901; rev:1;)
alert tcp $HOME_NET any -> [185.172.110.214] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280902; rev:1;)
alert tcp $HOME_NET any -> [5.83.163.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280903; rev:1;)
alert tcp $HOME_NET any -> [142.93.237.185] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280899; rev:1;)
alert tcp $HOME_NET any -> [34.122.44.188] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280900; rev:1;)
alert tcp $HOME_NET any -> [128.199.197.79] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280897; rev:1;)
alert tcp $HOME_NET any -> [209.97.191.100] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280898; rev:1;)
alert tcp $HOME_NET any -> [107.152.35.182] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280894; rev:1;)
alert tcp $HOME_NET any -> [23.95.221.126] 480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280895; rev:1;)
alert tcp $HOME_NET any -> [199.180.134.125] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280896; rev:1;)
alert tcp $HOME_NET any -> [23.254.244.138] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280891; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.9] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280892; rev:1;)
alert tcp $HOME_NET any -> [199.195.248.68] 7113 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280893; rev:1;)
alert tcp $HOME_NET any -> [94.103.124.89] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280889; rev:1;)
alert tcp $HOME_NET any -> [80.211.223.70] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280890; rev:1;)
alert tcp $HOME_NET any -> [209.141.48.246] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280886; rev:1;)
alert tcp $HOME_NET any -> [51.195.236.169] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280887; rev:1;)
alert tcp $HOME_NET any -> [107.172.141.163] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280888; rev:1;)
alert tcp $HOME_NET any -> [83.166.249.119] 1263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280884; rev:1;)
alert tcp $HOME_NET any -> [89.190.159.181] 1192 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280885; rev:1;)
alert tcp $HOME_NET any -> [156.96.46.21] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280882; rev:1;)
alert tcp $HOME_NET any -> [45.95.147.28] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280883; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.130] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280880; rev:1;)
alert tcp $HOME_NET any -> [167.99.91.177] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280881; rev:1;)
alert tcp $HOME_NET any -> [104.248.162.109] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280877; rev:1;)
alert tcp $HOME_NET any -> [107.172.196.116] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280878; rev:1;)
alert tcp $HOME_NET any -> [80.211.51.24] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280879; rev:1;)
alert tcp $HOME_NET any -> [198.98.49.8] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280874; rev:1;)
alert tcp $HOME_NET any -> [159.65.170.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280875; rev:1;)
alert tcp $HOME_NET any -> [94.102.63.74] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280876; rev:1;)
alert tcp $HOME_NET any -> [85.255.1.93] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280872; rev:1;)
alert tcp $HOME_NET any -> [209.141.42.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280873; rev:1;)
alert tcp $HOME_NET any -> [23.95.94.228] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280869; rev:1;)
alert tcp $HOME_NET any -> [134.209.39.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280870; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.227] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280871; rev:1;)
alert tcp $HOME_NET any -> [23.95.55.45] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280867; rev:1;)
alert tcp $HOME_NET any -> [185.34.219.113] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280868; rev:1;)
alert tcp $HOME_NET any -> [142.93.185.187] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280865; rev:1;)
alert tcp $HOME_NET any -> [45.77.97.75] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280866; rev:1;)
alert tcp $HOME_NET any -> [51.79.74.171] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280862; rev:1;)
alert tcp $HOME_NET any -> [46.101.173.113] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280863; rev:1;)
alert tcp $HOME_NET any -> [193.37.212.20] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280864; rev:1;)
alert tcp $HOME_NET any -> [104.168.144.8] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280860; rev:1;)
alert tcp $HOME_NET any -> [104.168.149.180] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280861; rev:1;)
alert tcp $HOME_NET any -> [107.173.42.115] 140 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280858; rev:1;)
alert tcp $HOME_NET any -> [142.93.232.131] 52614 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280859; rev:1;)
alert tcp $HOME_NET any -> [198.199.88.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280856; rev:1;)
alert tcp $HOME_NET any -> [5.252.192.51] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280857; rev:1;)
alert tcp $HOME_NET any -> [103.54.153.94] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280855; rev:1;)
alert tcp $HOME_NET any -> [157.230.11.49] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280853; rev:1;)
alert tcp $HOME_NET any -> [178.128.225.101] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280854; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.161] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280850; rev:1;)
alert tcp $HOME_NET any -> [94.103.124.162] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280851; rev:1;)
alert tcp $HOME_NET any -> [95.214.52.33] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280852; rev:1;)
alert tcp $HOME_NET any -> [185.62.190.159] 1336 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280848; rev:1;)
alert tcp $HOME_NET any -> [103.163.214.145] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280849; rev:1;)
alert tcp $HOME_NET any -> [167.99.145.134] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280846; rev:1;)
alert tcp $HOME_NET any -> [159.65.170.120] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280847; rev:1;)
alert tcp $HOME_NET any -> [159.203.177.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280843; rev:1;)
alert tcp $HOME_NET any -> [206.72.202.212] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280844; rev:1;)
alert tcp $HOME_NET any -> [139.59.139.52] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280845; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.160] 9706 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280841; rev:1;)
alert tcp $HOME_NET any -> [142.93.156.161] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280842; rev:1;)
alert tcp $HOME_NET any -> [192.54.57.69] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280839; rev:1;)
alert tcp $HOME_NET any -> [159.89.154.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280840; rev:1;)
alert tcp $HOME_NET any -> [142.93.245.37] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280837; rev:1;)
alert tcp $HOME_NET any -> [194.180.224.118] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280838; rev:1;)
alert tcp $HOME_NET any -> [107.189.10.171] 2219 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280836; rev:1;)
alert tcp $HOME_NET any -> [68.183.104.27] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280834; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.4] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280835; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.73] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280832; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.206] 9706 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280833; rev:1;)
alert tcp $HOME_NET any -> [167.99.226.22] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280830; rev:1;)
alert tcp $HOME_NET any -> [209.141.37.193] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280831; rev:1;)
alert tcp $HOME_NET any -> [167.71.73.146] 321 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280828; rev:1;)
alert tcp $HOME_NET any -> [128.199.59.41] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280829; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.216] 59314 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280826; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.155] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280827; rev:1;)
alert tcp $HOME_NET any -> [45.85.90.203] 3478 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280824; rev:1;)
alert tcp $HOME_NET any -> [103.153.69.151] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280825; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.112] 925 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280823; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.130] 505 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280821; rev:1;)
alert tcp $HOME_NET any -> [103.214.111.121] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280822; rev:1;)
alert tcp $HOME_NET any -> [45.63.2.149] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280819; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.252] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280820; rev:1;)
alert tcp $HOME_NET any -> [159.89.114.171] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280816; rev:1;)
alert tcp $HOME_NET any -> [142.93.138.130] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280817; rev:1;)
alert tcp $HOME_NET any -> [178.62.109.153] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280818; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.11] 19302 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280814; rev:1;)
alert tcp $HOME_NET any -> [66.172.11.120] 13031 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280815; rev:1;)
alert tcp $HOME_NET any -> [167.172.233.67] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280812; rev:1;)
alert tcp $HOME_NET any -> [159.203.170.126] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280813; rev:1;)
alert tcp $HOME_NET any -> [178.128.63.99] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280810; rev:1;)
alert tcp $HOME_NET any -> [217.61.108.108] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280811; rev:1;)
alert tcp $HOME_NET any -> [51.77.95.121] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280807; rev:1;)
alert tcp $HOME_NET any -> [23.226.231.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280808; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.137] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280809; rev:1;)
alert tcp $HOME_NET any -> [80.211.48.128] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280805; rev:1;)
alert tcp $HOME_NET any -> [107.174.14.12] 6464 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280806; rev:1;)
alert tcp $HOME_NET any -> [80.211.37.146] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280803; rev:1;)
alert tcp $HOME_NET any -> [149.28.44.189] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280804; rev:1;)
alert tcp $HOME_NET any -> [192.227.121.140] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280800; rev:1;)
alert tcp $HOME_NET any -> [65.21.58.252] 809 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280801; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.161] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280802; rev:1;)
alert tcp $HOME_NET any -> [142.93.183.131] 28 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280797; rev:1;)
alert tcp $HOME_NET any -> [46.101.11.245] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280798; rev:1;)
alert tcp $HOME_NET any -> [138.68.94.252] 807 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280799; rev:1;)
alert tcp $HOME_NET any -> [107.173.213.43] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280795; rev:1;)
alert tcp $HOME_NET any -> [142.93.46.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280796; rev:1;)
alert tcp $HOME_NET any -> [146.19.213.188] 137 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280793; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.248] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280794; rev:1;)
alert tcp $HOME_NET any -> [209.141.43.226] 600 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280791/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280791; rev:1;) alert tcp $HOME_NET any -> [80.211.5.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280792; rev:1;) alert tcp $HOME_NET any -> [194.147.34.126] 20178 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280788; rev:1;) alert tcp $HOME_NET any -> [134.209.4.184] 53821 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280789; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 24358 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280790; rev:1;) alert tcp $HOME_NET any -> [198.199.74.43] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280785; rev:1;) alert tcp $HOME_NET any -> [54.38.220.94] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1280786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280786; rev:1;) alert tcp $HOME_NET any -> [167.86.113.89] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280787; rev:1;) alert tcp $HOME_NET any -> [185.244.25.145] 902 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280783; rev:1;) alert tcp $HOME_NET any -> [23.254.230.38] 27 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280784; rev:1;) alert tcp $HOME_NET any -> [78.142.29.118] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280781; rev:1;) alert tcp $HOME_NET any -> [170.130.172.42] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280782; rev:1;) alert tcp $HOME_NET any -> [51.75.77.226] 523 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280778; rev:1;) alert tcp $HOME_NET any -> [185.158.248.16] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280779; rev:1;) alert tcp $HOME_NET any -> [68.183.192.227] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280780; rev:1;) alert tcp $HOME_NET any -> [37.49.230.154] 2985 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280776; rev:1;) alert tcp $HOME_NET any -> [185.244.25.119] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280777; rev:1;) alert tcp $HOME_NET any -> [107.174.26.55] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280775/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280775; rev:1;) alert tcp $HOME_NET any -> [185.165.29.127] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280772; rev:1;) alert tcp $HOME_NET any -> [199.195.253.77] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280773; rev:1;) alert tcp $HOME_NET any -> [91.211.244.92] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280774; rev:1;) alert tcp $HOME_NET any -> [192.99.221.230] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280769; rev:1;) alert tcp $HOME_NET any -> [93.123.85.94] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280770; rev:1;) alert tcp $HOME_NET any -> [185.244.25.224] 935 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280771; rev:1;) alert tcp $HOME_NET any -> [23.95.221.197] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280767; rev:1;) alert tcp $HOME_NET any -> [185.244.25.234] 139 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280768; rev:1;) alert tcp $HOME_NET any -> [68.183.114.201] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280765; rev:1;) alert tcp $HOME_NET any -> [185.244.25.73] 25 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280766; rev:1;) alert tcp $HOME_NET any -> [104.168.149.180] 500 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280763; rev:1;) alert tcp $HOME_NET any -> 
[172.245.157.144] 6958 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280764; rev:1;) alert tcp $HOME_NET any -> [157.230.140.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280760; rev:1;) alert tcp $HOME_NET any -> [45.61.184.168] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280761; rev:1;) alert tcp $HOME_NET any -> [158.69.103.149] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280762; rev:1;) alert tcp $HOME_NET any -> [68.183.32.243] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280757; rev:1;) alert tcp $HOME_NET any -> [178.128.36.178] 876 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280758/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280758; rev:1;) alert tcp $HOME_NET any -> [209.141.43.226] 332 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280759; rev:1;) alert tcp $HOME_NET any -> [80.82.67.226] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280755; rev:1;) alert tcp $HOME_NET any -> [185.244.30.141] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280756; rev:1;) alert tcp $HOME_NET any -> [104.168.151.198] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280752; rev:1;) alert tcp $HOME_NET any -> [54.37.196.166] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280753; rev:1;) alert tcp $HOME_NET any -> [31.7.62.49] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280754; rev:1;) alert tcp $HOME_NET any -> [198.167.140.181] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280750; rev:1;) alert tcp $HOME_NET any -> [209.141.40.185] 641 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280751; rev:1;) alert tcp $HOME_NET any -> [203.248.197.10] 22 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280748; rev:1;) alert tcp $HOME_NET any -> [194.36.173.82] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280749; rev:1;) alert tcp $HOME_NET any -> [142.11.237.148] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280747; rev:1;) alert tcp $HOME_NET any 
-> [23.95.238.119] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280744; rev:1;) alert tcp $HOME_NET any -> [167.88.124.204] 132 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280745; rev:1;) alert tcp $HOME_NET any -> [178.33.83.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280746; rev:1;) alert tcp $HOME_NET any -> [51.38.125.88] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280742; rev:1;) alert tcp $HOME_NET any -> [198.167.140.31] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280743; rev:1;) alert tcp $HOME_NET any -> [107.175.184.4] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280739/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280739; rev:1;) alert tcp $HOME_NET any -> [212.147.209.211] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280740; rev:1;) alert tcp $HOME_NET any -> [165.232.98.36] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280741; rev:1;) alert tcp $HOME_NET any -> [188.166.168.170] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280737; rev:1;) alert tcp $HOME_NET any -> [51.178.166.165] 3333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280738; rev:1;) alert tcp $HOME_NET any -> [87.246.6.102] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280734; rev:1;) alert tcp $HOME_NET any -> [185.244.25.133] 46 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280735; rev:1;) alert tcp $HOME_NET any -> [2.57.122.213] 3074 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280736; rev:1;) alert tcp $HOME_NET any -> [178.33.83.74] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280732; rev:1;) alert tcp $HOME_NET any -> [167.99.87.204] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280733; rev:1;) alert tcp $HOME_NET any -> [95.217.49.251] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280729; rev:1;) alert tcp $HOME_NET any -> [107.175.197.135] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280730; rev:1;) alert tcp $HOME_NET any 
-> [46.29.165.135] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280731; rev:1;) alert tcp $HOME_NET any -> [103.153.69.114] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280726; rev:1;) alert tcp $HOME_NET any -> [87.120.254.160] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280727; rev:1;) alert tcp $HOME_NET any -> [80.211.223.70] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280728; rev:1;) alert tcp $HOME_NET any -> [165.227.125.239] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280724; rev:1;) alert tcp $HOME_NET any -> [80.211.8.182] 4554 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280725/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280725; rev:1;) alert tcp $HOME_NET any -> [64.227.2.138] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280722; rev:1;) alert tcp $HOME_NET any -> [165.227.107.90] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280723; rev:1;) alert tcp $HOME_NET any -> [46.29.165.182] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280720; rev:1;) alert tcp $HOME_NET any -> [165.22.70.48] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280721; rev:1;) alert tcp $HOME_NET any -> [159.89.5.152] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280718; rev:1;) alert tcp $HOME_NET any -> [134.209.33.197] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280719; rev:1;) alert tcp $HOME_NET any -> [193.111.248.44] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280715; rev:1;) alert tcp $HOME_NET any -> [23.94.166.83] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280716; rev:1;) alert tcp $HOME_NET any -> [80.211.6.4] 53884 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280717; rev:1;) alert tcp $HOME_NET any -> [137.74.148.234] 433 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280713; rev:1;) alert tcp $HOME_NET any -> [185.101.105.185] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280714; rev:1;) alert tcp $HOME_NET any 
-> [144.217.131.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280711; rev:1;)
# --- Reviewer notes: Bashlite ip:port indicators ------------------------------
# NOTE(review): this listing is wrapped mid-rule; the line above and the last
# line of this section are pieces of rules whose other half lies outside it.
# Suricata reads one rule per line (or backslash-continued), so restore the
# upstream line layout before loading.
#
# Each rule below matches on the address tuple only: TCP traffic from $HOME_NET
# to the single listed IP and port. There are no flow, flags or content
# keywords, so an unanswered SYN alerts the same as an established session;
# confirm with flow/conn logs whether the connection actually completed.
# threshold type limit / track by_src / seconds 60 / count 1 caps output at one
# alert per source address per 60 seconds for each sid.
# target:src_ip records the $HOME_NET side as the affected host in event output.
# sid = 90000000 + the ThreatFox IOC id shown in the reference URL.
# Caveat: an IP:port indicator describes the host as of first_seen (2024_06_05
# here); addresses get reassigned, so re-check the ThreatFox entry before
# treating a hit as confirmed compromise.
alert tcp $HOME_NET any -> [107.175.95.101] 2004 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280712; rev:1;)
alert tcp $HOME_NET any -> [178.128.198.202] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280709; rev:1;)
alert tcp $HOME_NET any -> [185.58.225.28] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280710; rev:1;)
alert tcp $HOME_NET any -> [206.189.114.159] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280707; rev:1;)
alert tcp $HOME_NET any -> [209.97.139.160] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280708; rev:1;)
alert tcp $HOME_NET any -> [37.49.227.176] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280705; rev:1;)
alert tcp $HOME_NET any -> [109.201.143.179] 925 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280706; rev:1;)
alert tcp $HOME_NET any -> [198.46.205.89] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280703; rev:1;)
alert tcp $HOME_NET any -> [23.254.165.208] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280704; rev:1;)
alert tcp $HOME_NET any -> [95.216.5.242] 1865 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280701; rev:1;)
alert tcp $HOME_NET any -> [134.209.206.162] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280702; rev:1;)
alert tcp $HOME_NET any -> [51.79.66.236] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280699; rev:1;)
alert tcp $HOME_NET any -> [68.66.233.69] 1847 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280700; rev:1;)
alert tcp $HOME_NET any -> [134.209.164.201] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280698; rev:1;)
alert tcp $HOME_NET any -> [209.141.39.50] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280697; rev:1;)
alert tcp $HOME_NET any -> [93.104.209.253] 1542 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280695; rev:1;)
alert tcp $HOME_NET any -> [68.183.123.80] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280696; rev:1;)
alert tcp $HOME_NET any -> [159.65.136.187] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280692; rev:1;)
alert tcp $HOME_NET any -> [87.246.6.100] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280693; rev:1;)
alert tcp $HOME_NET any -> [168.235.103.245] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280694; rev:1;)
alert tcp $HOME_NET any -> [68.183.208.152] 68 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280690; rev:1;)
alert tcp $HOME_NET any -> [165.22.130.136] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280691; rev:1;)
alert tcp $HOME_NET any -> [80.211.4.5] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280688; rev:1;)
alert tcp $HOME_NET any -> [194.37.80.141] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280689; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.30] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280685; rev:1;)
alert tcp $HOME_NET any -> [45.14.224.106] 45454 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280686; rev:1;)
alert tcp $HOME_NET any -> [84.54.49.50] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280687; rev:1;)
alert tcp $HOME_NET any -> [159.203.96.141] 28 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280683; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.75] 3185 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280684; rev:1;)
alert tcp $HOME_NET any -> [23.94.24.171] 9005 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280680; rev:1;)
alert tcp $HOME_NET any -> [185.101.107.127] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280681; rev:1;)
alert tcp $HOME_NET any -> [51.15.225.204] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280682; rev:1;)
alert tcp $HOME_NET any -> [80.211.134.83] 605 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280678; rev:1;)
alert tcp $HOME_NET any -> [198.144.181.11] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280679; rev:1;)
alert tcp $HOME_NET any -> [137.74.55.0] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280676; rev:1;)
alert tcp $HOME_NET any -> [192.227.209.32] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280677; rev:1;)
alert tcp $HOME_NET any -> [205.185.122.135] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280674; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280675; rev:1;)
alert tcp $HOME_NET any -> [149.3.170.197] 548 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280673; rev:1;)
alert tcp $HOME_NET any -> [185.42.223.99] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280672; rev:1;)
# --- Reviewer notes: domain indicators ----------------------------------------
# dns_query selects the DNS query-name buffer (newer Suricata releases spell it
# dns.query). depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so together with nocase
# each rule is a case-insensitive exact match on the whole query name;
# subdomains of a listed name do not match.
# The msg carries no malware family for these entries; follow the reference URL
# for context.
# NOTE(review): with $HOME_NET -> $EXTERNAL_NET, a sensor that only sees clients
# talking to a resolver inside $HOME_NET will not fire, and one that sees the
# resolver's upstream queries will report the resolver as the source - confirm
# sensor placement and pair hits with resolver query logs to find the client.
# Many of the names sit under dynamic-DNS provider zones shared by unrelated
# users; keep the match on the full hostname rather than widening to the zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ballsack.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"everything1lol.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayborg007.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdwirus.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280671; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crack.servemp3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280661; rev:1;)
# --- Reviewer notes: domain indicators ----------------------------------------
# NOTE(review): this listing is wrapped mid-rule; the line above and the last
# line of this section are pieces of rules whose other half lies outside it.
# Suricata reads one rule per line (or backslash-continued), so restore the
# upstream line layout before loading.
#
# dns_query selects the DNS query-name buffer (newer Suricata releases spell it
# dns.query). depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so together with nocase
# each rule is a case-insensitive exact match on the whole query name;
# subdomains of a listed name do not match.
# target:src_ip records the $HOME_NET side as the affected host in event output.
# sid = 90000000 + the ThreatFox IOC id shown in the reference URL.
# The msg carries no malware family for these entries; follow the reference URL
# for context.
# NOTE(review): with $HOME_NET -> $EXTERNAL_NET, a sensor that only sees clients
# talking to a resolver inside $HOME_NET will not fire, and one that sees the
# resolver's upstream queries will report the resolver as the source - confirm
# sensor placement and pair hits with resolver query logs to find the client.
# Many of the names sit under dynamic-DNS provider zones shared by unrelated
# users; keep the match on the full hostname rather than widening to the zone.
# There is no threshold keyword on these rules, so a host that retries a lookup
# can alert on every query - presumably worth rate-limiting downstream; verify
# against local threshold configuration.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisisreal.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aprendiz30.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkbou.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfcrewratsetup1337.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaloum.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratz.myftp.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shamoo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new3style.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlx255.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcometadam.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatecze.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lasthack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wickeddick.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masteryodax.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbnc.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meh123rawr.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuckmexicans.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paradoxsum.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abu-hssn.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"config-stats.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrelectrox.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kompis.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metaflz27.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergay1337.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masonthomascalvin.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ujozlesa.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jodg04.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lololol.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quintonmoney.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alivecard.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pt-bit.tk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daveinihost.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curtis50.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alashe07ksa.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habboflooder.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinkiwinki.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisismyhost.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sh1kari0.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l3asel.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invasor.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biztr-44844.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decrypted.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw7.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pozpoz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotsa.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhnh21.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tim0.dyndns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsoriginal.vpndns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acbstyler.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"begazx.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suna93.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t2011.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrawsec.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t3htazz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joyn.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freakfile.myftp.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m1ster.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lainter.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odnnrrhrh.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killerblademaster.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priiohack.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devlin.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auracraft.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no.no-ip1414.tk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xuladas1.myftp.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haxing.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsfser1337.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingzaib.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arenagods.servegame.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ajmosad.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mussolini1995.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slayerhost.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balek93.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m7mad.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invisiblehacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zehdi.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m11m.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trok2008.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facilmen.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackhackv4.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxilife.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tctwarlock.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzagy-mncy.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alimohor.zapto.org"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omg0nlyh3ks.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assasintroy.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbar3131.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pickstyle.serveblog.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angkung.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280583/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tirohacking.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjrub.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hirochimasdu45.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassimderbel.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogi.ip-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91280575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plaunsito.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacking500.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrex0-0hacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kafooooo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kita2011.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"bajbaj02.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zsecsqasd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lindi001.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skinnytrini.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jinidz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moresat.zapto.org"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makingdents.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refresher.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melody.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osamax55.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy991.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280553/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enculator.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naser1naser1.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allahouakbar.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dannyredfish.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razoredwrist.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280558; rev:1;) 
# ---------------------------------------------------------------------------
# ThreatFox domain IOCs (dns rules), continued - one rule per line.
#
# Match semantics: the dns_query buffer must equal the listed name (content at
# offset 0 with `depth` = name length, `isdataat:!1,relative` = nothing after
# it, `nocase` = case-insensitive). Subdomains of a listed name do not match,
# and a hit shows a lookup, not a completed connection.
#
# Triage notes:
#  - target:src_ip names the querying address. NOTE(review): this is presumably
#    the internal resolver when clients do not query external DNS directly -
#    confirm against resolver logs to find the originating host.
#  - These rules inspect DNS traffic the sensor can parse; lookups made over an
#    encrypted resolver channel would not reach the dns_query buffer.
#  - No `threshold` keyword is set on these rules, so repeated lookups of the
#    same name each raise an alert unless limited elsewhere.
#  - NOTE(review): many names are under dynamic-DNS provider zones; verify the
#    IOC is still current through the `reference` URL before escalating.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmtr.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t411.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bayci.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet-rat3.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zeke-peke.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notspposetobehur.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackmemate.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monkeyishere.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polohacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratiava.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myvictims2012.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacback.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swan.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infosfenix.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwx995.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sparrowmanique.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thementor3.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almsup2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasaki.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lreznovl.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bradwibbs.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratmenow.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connecting.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dplom2010.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pisliick.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciberhack.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autonomousigwe.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"195.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mihajlovo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crowzz.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zufuric.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manmystery.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luquita.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"someone78s.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havefun123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priyagoshi.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"op2.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iuy.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igotbots.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheats-brasil.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingzz.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ignorelist.dhis.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrtrojanm.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker13700.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rjpc1.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabch.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawizman.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoiswho100.no-ip.org"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"norman2011.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pssst.servemp3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zabagate.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notebookmen.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0x16host.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280494/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projectapril.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slashxxxx.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helbertvm.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingz.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noregret.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280499; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spybruxinho.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mslulz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imexhack.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thezero.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msninfo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"tieuphu91.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mylimy1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3b8-1415.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veremosqueago.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pmupdater.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280483; rev:1;)
# NOTE(review): the next name sits under no.ip.org, while the neighbouring
# indicators use the no-ip.org zone. The rule matches the literal name only
# (depth:17 plus isdataat:!1,relative), so a no-ip.org spelling of this host
# would not fire it. Possibly a typo in the submitted indicator; confirm
# against the ThreatFox entry this rule references before relying on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teriaki.no.ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loginsystem.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logao500.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"machines123.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolxlolsasasasa.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test123.dontexist.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280476/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tutodereaperdark.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meltemyaren.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"urinalmints.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itsfifa.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabihxp2.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280467; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a2b123.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a3tyhom.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jda1992.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dom.servemp3.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anas12.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"operspicaz.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brujot.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasansratting.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emma2882.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datacredito.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkojan440.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dasdasdas.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovetoto.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"henualdofus.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freedomtech.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mnnww.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laylaylom.no-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analista2014.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haso.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldofdecay.servegame.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigballinthemix.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bifrost.dyndns.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t9m.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hell0updat3.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srspynet.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bidness.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wookys.homeip.net"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x0xhackx0x.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tommaso.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280444; rev:1;)
# NOTE(review): "ip-org" does not look like a delegated top-level domain, so
# pgsb.no.ip-org should not resolve in public DNS; the indicator appears
# malformed (compare the no-ip.org names around it). TODO confirm against
# ThreatFox entry 1280445. The rule keys on the query name, not the answer, so
# it still fires if a host asks for this exact string, resolvable or not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgsb.no.ip-org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktrom.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pure4pro.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280447/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280447; rev:1;)
# ---------------------------------------------------------------------------
# Domain IOCs (confidence_level 100, first_seen 2024_06_05), one rule per line.
#
# What each rule matches: a DNS query from $HOME_NET to $EXTERNAL_NET whose
# query name (dns_query buffer) equals the listed hostname. content plus
# depth:<pattern length> anchors the pattern at offset 0, and
# isdataat:!1,relative requires that nothing follows it, so the whole name must
# match; subdomains and longer names do not alert. nocase makes the comparison
# case-insensitive.
#
# Triage notes:
#  - msg names no malware family; the reference URL points at the per-IOC
#    ThreatFox entry.
#  - No threshold keyword is set on these rules, so every matching query
#    produces an alert.
#  - target:src_ip marks the querying address as the affected side. Where
#    clients use a resolver inside $HOME_NET, that address is likely the
#    resolver; correlate with resolver logs to identify the client.
#  - Most names are under dynamic-DNS zones (no-ip.*, zapto.org, hopto.org,
#    duckdns.org, dyndns.*). Such hostnames can change hands, so a hit shows a
#    lookup of a reported name and still needs host-side confirmation.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amendobobo.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poky.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laforcedz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biztr.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratisgreat.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"240620111500.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hahababy.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrkira.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kliurkius.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p0rn.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uzmanwbh.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"you4you.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myli.mine.nu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devilhacker12.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsiraqaad.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7mode.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mi3a.hopto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbypass.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janio.servecounterstrike.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e.godforums.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yass123.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infosystem.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"143fadwa.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heyklenenheykir.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"james77.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bithacker.dyndns.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rsnrhys.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hurricane.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashraf1975.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kernel32.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spikeee32.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pumpkinz.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fallenpeace.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tugceee.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amadey88.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfvfmava.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lepirateur.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alinh0.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pandorum.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adixx.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rattest25.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adnanpk.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280397; rev:1;)
# ---------------------------------------------------------------------------
# DNS-name indicators recorded with first_seen 2024_06_05 at confidence_level
# 100, laid out one rule per line.
#
# Match logic shared by every rule in this group: the dns_query buffer of a
# query sent from $HOME_NET to $EXTERNAL_NET is compared, case-insensitively
# (nocase), against one hostname. depth is set to the pattern's length and
# isdataat:!1,relative rejects any trailing byte, so only the exact name
# alerts; a subdomain of a listed name is not covered.
#
# For analysts:
#  - The alert text is generic ("botnet C2 traffic"); use the reference URL to
#    look up the ThreatFox entry for the individual indicator.
#  - These rules carry no threshold keyword, so repeated lookups of one name
#    raise one alert per query.
#  - target:src_ip flags the query source as the affected host. If the sensor
#    only sees a resolver's upstream traffic, that source is presumably the
#    resolver, and the originating client has to come from resolver logs.
#  - Most names fall under dynamic-DNS zones (no-ip.*, zapto.org, hopto.org,
#    sytes.net, dyndns.org). Ownership of such names can change over time, so
#    treat a hit as a lead to verify on the endpoint.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gilegileremaja.hopto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4tnt.myftp.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noreply2014.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipnoip.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxdnsxx.serveftp.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fml.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hashemrnen.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dz-crypter.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tom69.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaareez.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livemesenger.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buscape.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyonepepsico.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rshc.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kongrem.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexionzone.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magicpro.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shs2011.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aidsvlek.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takymusic.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joj.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eminvergil.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolundu2.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bboycent.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieatpussy.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unflamedlogz3.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patriphone.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmad94.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antonio130.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lion007.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovehacking.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"selec-only.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peneloppe.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesuelchupachules.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darknessinthelight.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ver.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gozgoz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loucoservegame.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fabinhohk.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facebookappli.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axiaxi.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delinquente.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smokn.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decohex2010.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdarkcoder.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voltatronics.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpinfo.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ranoosh.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyk90.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isra-scape.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pepo201000.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fenerli1907.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undernet-hacker.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanderb12.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyzzz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raymond1992.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mayihacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slashxxx.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w122.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meziane10.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6networm.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soos.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pinoyhax.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"landdjoskull.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbp.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lionelle.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aph.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thorrat.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superxtremehacker.zapto.org"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzm.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hockid.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wakawaka.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udic.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ledodu.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280319/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hosting123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy-netester.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camaleao-h.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securytbr4455.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s8c.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280324; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moti.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wheredidyougo.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soo1oos.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koenig.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevobifrost.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gntdaniel.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badrnr1428.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackersgratis.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bno0.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habibaa.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prozess2.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hothifah.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypto234.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system32.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kod098.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sentidos.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benzys-server.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metus.redirectme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"steaven.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killy1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunisia4ever.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-ht.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackshades.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rosenbaum.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"julianveloso.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freestuffz.dyndns-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"hassank.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilyessdu69.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rotca.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackandbots.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdu.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vinkyman.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wdf.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zippo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jrcraft.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starman.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"truehack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whois-server.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axf.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quickupload1.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csshost.servecounterstrike.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssigs.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberexample.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johntravolta.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekenooblol.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vittimareturn11.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novrat2.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"apaixonado.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdarkcoder.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qa06.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcfaker-g.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayanora6.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-analytics.3utilities.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mensajes-facebook.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trollfacelol.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testet123.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"casus.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soufou1982.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280263/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280263; rev:1;)
# DNS-query IOC rules. Each rule below alerts on a lookup of one ThreatFox
# domain indicator. Match shape: the dns_query buffer is inspected, the
# content string must occur within depth bytes from the start of the buffer
# (depth equals the name's length, e.g. "codecub.no-ip.org" with depth:17),
# and isdataat:!1,relative requires that no byte follows the match.
# Together with nocase this is an exact, case-insensitive match on the whole
# query name. A lookup for a subdomain of a listed name, or for a longer name
# that merely starts with it, does not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codecub.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weedman.servegame.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smaz145.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thepanserver.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geheim.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazika.servemp3.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dodol.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate35700.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theboyz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yournameonyourhost.myftp.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basss.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sellitbuy.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kurubaglama.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"looloo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wellerson1.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microf.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4.no-ip.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hot-theme.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"creditoshabbo.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jodg.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ladyzman.bounceme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abcqwerty.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fatah.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freeforfree.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lun420.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfh54gdhfj5j122.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akuhostsdn.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280239; rev:1;)
# Direction and attribution. Every rule below has the header
# "$HOME_NET any -> $EXTERNAL_NET any" and sets target:src_ip, so the alert
# records the querying source address as the target side of the event.
# NOTE(review): assuming $EXTERNAL_NET excludes $HOME_NET, a client that asks
# a resolver located inside $HOME_NET does not match this header; only the
# resolver's own upstream query does, and the alert then names the resolver.
# In that layout, correlate the alert with resolver query logs to find the
# originating host - confirm against the local sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"watchyou.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok-ok.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrixxx35.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"44uu.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysdll.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mexico-city.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"princejide.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatecoldfire.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9999996.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neorix.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wherethehoodat.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capracammello.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wawouchette.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"videoaula.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wailfaraj.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hftw-crew.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niushiwen88.3322.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunon.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bruxinhospy.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sss2.podzone.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brotm.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kavalye2.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exploere24.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ganas.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqw123.myftp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackeradminsoftwar.no-ip.org"; depth:28; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280212; rev:1;)
# Alert volume. The DNS rules below carry no threshold keyword, unlike the
# ip:port rules near the top of this file, which use
# "threshold: type limit, track by_src, seconds 60, count 1". Each matching
# query therefore raises its own alert.
# NOTE(review): a host that keeps retrying a lookup can produce many alerts
# for one sid; if that is a problem locally, rate-limit per sid in
# threshold.config rather than editing these generated rules, so the next
# feed update does not discard the change.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samer77.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns2.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimkhan1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmw320ci.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midomido.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l00pb4ck.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guinaa.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franders37.dyndns.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discoeder.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singed.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epicloot.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test22.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xsstrema.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testhostir.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolazoz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoel123456.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"558.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m0ftares1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theshit.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooo.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigpimpinsjm09.hopto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acehax.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostname33.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyzer4.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamza22.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05;
classtype:trojan-activity; sid:91280185; rev:1;)
# Bookkeeping carried by each rule below. The sid is the ThreatFox IOC id
# from the reference URL with a leading 9 (ioc/1280186 -> sid:91280186), so
# an alert's sid maps directly back to its IOC page. metadata holds the
# feed's confidence_level and first_seen date; classtype is trojan-activity.
# The msg text names no malware family for these domain rules, so triage
# depends on the referenced IOC page for attribution and context.
# NOTE(review): the listed names appear to be hostnames under dynamic-DNS
# style zones, which can be re-registered by another party later; check
# first_seen and the IOC page before treating an old indicator as current.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxdnsxx.serveirc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bifrost-2011.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pablohacker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratts123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdjf.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evaltiere.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarahblogdns.bounceme.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexpepito13.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers3.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"summontank.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toritoguay.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interrupt.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conectorzero.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thiosulfate.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackcomethost.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rampy.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyt.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inor.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aline.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asylulz.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filopeti.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4dc.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okulto.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghaith.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheaterboy519.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morenita.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghraba.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bangalows.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker.gearup.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doubbleassxasx.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wownp.zapto.org"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3bood.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft11a.serveftp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jajejijoju.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guillemix.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esneyder21.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280144/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"by77.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malabata.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nohya6.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamodeh1993.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxl.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280136; rev:1;) 
# Review notes for the ThreatFox DNS-query rules that follow.
#
# Match semantics: in each rule, depth equals the length of the content string
# and isdataat:!1,relative requires that no byte follows the match, so the
# rule fires only when the queried name is exactly the listed hostname
# (nocase makes the comparison case-insensitive). A query for a subdomain of
# the listed name does not alert.
#
# Direction: the header is $HOME_NET -> $EXTERNAL_NET. Assuming $EXTERNAL_NET
# excludes $HOME_NET (confirm in suricata.yaml), a client query sent to a
# resolver inside $HOME_NET does not match; only the resolver's outbound lookup
# does, and target:src_ip then names the resolver. Use resolver query logs to
# find the client that asked.
#
# Volume: these rules carry no threshold keyword, so every matching query
# raises an alert; rate-limit per source outside the rule if repeated lookups
# are noisy.
#
# Triage: the listed names appear to be hostnames under dynamic-DNS provider
# zones. The indicator is the individual hostname, not the parent zone, and
# such a hostname can be released and registered again by someone else, so
# weigh the metadata first_seen date and the linked ThreatFox entry before
# treating a hit as a confirmed infection.
#
# Bookkeeping: each sid is the IOC id from the rule's reference URL prefixed
# with 9, which lets an alert be traced back to its ThreatFox record.
#
# NOTE(review): dns_query looks like the older spelling of the dns.query
# buffer keyword; the HTTP rules in this file use the dotted form (http.uri,
# http.host). Confirm against the deployed Suricata version before changing.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"longinos007.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absolut-spynet.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xneonkingx.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackstar001.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feardox.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"foryou1.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2179.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trok2008.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"first1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gotoel.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack-impact.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victimas2012.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cxpride.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plaugereborn.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"199.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p41n1337.dyndns-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280126/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torfc.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skateeah.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moon2009us.linkpc.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mecamaniaco.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moenmek.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foward.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iboothostz.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyrat.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"terer.servebeer.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahsencoder.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jomeka.no-ip.biz"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbam.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torsm.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhoo111.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybercrimearea51.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h4rrypott3r.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280104/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miyachung.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test17903.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spybruxinho.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alideretour.redirectme.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goal88.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91280109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcmisto.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagemfat.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getstonedat420.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"battlebudy.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megadaddy.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"projectredemption.servegame.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"780.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jomeka.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tej-hamdi.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abodeeg.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miste.no-ip.biz"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktifdns.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"56292.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synaptics.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intra.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biztr1.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280087/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyrajack.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninhgiangbs.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"besnik.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luchito00.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premiumtesting.redirectme.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280080; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parlakilic.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280081; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the DNS-domain rules below (laid out one rule per line;
# rule text unchanged).
#
# Match semantics: each rule inspects the DNS query name (dns_query buffer) for
# one literal hostname. depth equals the content length, which pins the match to
# the start of the buffer, and isdataat:!1,relative requires that no byte
# follows it. Together with nocase this is an exact, case-insensitive match on
# the full name; a subdomain or a longer name containing it does not match.
#
# Direction: $HOME_NET any -> $EXTERNAL_NET any only covers queries sent to an
# external address. NOTE(review): where clients use a resolver inside $HOME_NET,
# the flow that matches is presumably resolver -> upstream, so target:src_ip
# would mark the resolver rather than the host that asked. Confirm against
# sensor placement and correlate hits with resolver query logs.
#
# Volume: these rules carry no threshold option, so every matching query
# raises an alert. A host that keeps retrying a name will alert repeatedly.
#
# Context: msg names no malware family; the reference URL on each rule is the
# only pointer to the underlying ThreatFox entry.
#
# Age: every rule in this block has first_seen 2024_06_05. Most names sit under
# dynamic-DNS provider zones (no-ip.*, zapto.org, dyndns.org, duckdns.org, ...).
# NOTE(review): such hostnames can be released and re-registered, so re-check
# the referenced entry before treating a hit as current.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"floconvar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"underdos.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sajbergejt.myftp.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curtis123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samt.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsb52000.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzz.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blast3r.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hishamreda.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msharinono.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imthegod.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet2000.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eragondaboss.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsa7er123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipwnedx81.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p0w3rzz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack3751.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gueto.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdodo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azooz-hacker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlbhouse.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mathewrat.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soulkiller21.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feiz.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slashxxxxx.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rached171.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exex.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xrjr.vicp.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spider32.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g61.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eewr.dyndns-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pegxus.myftp.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"echelon.myftp.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"promagic.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harly.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test312.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet23.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackingrs.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280045; rev:1;)
# NOTE(review): unlike most names in this block, the next one is not under a
# dynamic-DNS provider zone; it may be an ordinary registered domain. Check the
# referenced ThreatFox entry before using it for blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.statscounter.com.ua"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojanshacker.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdsxx.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ironsoilder.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i8y.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msprotocolstsv.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"norky1337.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanalpusu.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binladen1337.dyndns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stinkbal.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dddddd.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"perfect-hacker.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mofkneaglez.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fimdomundo.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fairs.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serialmenace.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmetkara.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratikvh.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouadvilla.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackanerd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyriospro.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diecob.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erooio.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lol77.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arnold0515.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fox3li.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"insidetm.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxcarpion.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"provement.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amoli.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"null.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o5q.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toxicisleet.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theslam.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forum159.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m3toh.dyndns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manstar111.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razor1991.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benzwitich.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roxfox2.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279998; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hexrut.dlinkddns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279999; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y32.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280000; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adamsnipple.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboodybgd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yotshi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toxigon.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackedasm.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smellycatfish.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matz.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captainherp.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikrox.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mand0.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"only-security.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j49.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d34d60x.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovewest.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftdnsserver.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buseyorulmaz2.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gotyoucunty.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bt12345.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angkung.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279987; rev:1;)
# NOTE(review): the next name is not under a dynamic-DNS provider zone and looks
# like an ordinary registered site domain. Check the referenced ThreatFox entry
# before using it for blocking, since an exact-name alert would presumably also
# fire on any ordinary lookup of that site.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonevansphotography.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teks.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynx.ath.cx"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohmd444.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primaq.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zry0pwn.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hh3.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skyblog.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dangerlevel.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srsoor.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279970; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woaxpgm.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oommrr.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy-net-update.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0o0o.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mxintra.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"hakersbg.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazyspies.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyenz.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cr3dotw.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noteasy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrbassm.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonahjameson.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abovegodz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moustapha123.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smr2.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trae.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesilentassassin.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ax0.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddosingz.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b3nd.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyber1495.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastertester.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3x3rbot.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciz8jx.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crackers.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"versalife.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badmash.no-ip.org"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamhacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silenthkold1.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd22.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmc-jny.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"050420122037.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279938/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illmatic.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"desthorr123gate.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadw12345.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secretos505.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al7rby.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279929; rev:1;) 
# DNS rules for ThreatFox domain indicators, all first_seen 2024_06_05, rev 1.
# Match logic shared by every rule below: the query name must equal the
# content string exactly (depth = string length anchors the start,
# isdataat:!1,relative anchors the end, nocase ignores case). Subdomains of a
# listed name are therefore not covered.
# NOTE(review): the rules only see DNS the sensor can parse in clear text on
# the $HOME_NET -> $EXTERNAL_NET path. Lookups carried over DoH/DoT are not
# inspected, and where an internal resolver forwards the query the alert's
# src_ip is presumably the resolver rather than the client, so resolver logs
# are needed to attribute the hit - confirm against the sensor placement.
# NOTE(review): confidence_level 100 is the rating published with the
# indicator; it does not say whether the name is still in use. The reference
# URL in each rule links the ThreatFox entry to check before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xrsantoronlyforxr.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agoraestouaqui2.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"originaldotroll.dnns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faisl05531.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ineedwin.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svchost-net.serveblog.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoomnationserver.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kamikazgang.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dannygm11.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abode80.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobidik80.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdd.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"altagoor.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocox.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zipred.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverturko.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinycam.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"key1925hacks.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilelnet2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obaaa65.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agraw.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kc5.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"menorhak.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackwahid.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"six17.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkddoser.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marques444.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ali15.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sybreed.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"houssamreckless.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakimpower.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guinaa13.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otommyv.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"happysoap.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axo.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seesaw.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samuraix.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"areindigo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christian1995.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"breeman1.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freewaybong.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endlessilusions.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy2281.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrace.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fatomnan.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikele.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vardeath.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giftigeschlange.sytes.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"splash2010.bounceme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7ammo1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barulay1.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmere.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279888/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weww.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hellothere123234.zapto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mystersatan.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tijiuo.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhbros.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279880; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walid562.servebeer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdd.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b3480748.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obsec.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telsec.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"tj888.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrocha000.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eltahan.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liquidised.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mierda.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nikkel.changeip.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacktrust.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lol12345678.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homexbox.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spawn007.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noobs123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrix-hacker.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gareeh.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkdw1ll1ams.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spike16.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"systematiq313131.dyndns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smnn.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabala-532.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kanuks.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdarkcoder.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymousx.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h2ss.dyndns.biz"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downloadsite.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ksamapepito.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winsmith.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zipper.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myhost.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279841/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fish24.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobparkinson.myftp.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keygoal.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysticdream.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akon934.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279846; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3r9-hak.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curisco04.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihaxyocomputernga.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rustyshackleford.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albertiq4.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"estoesunaputanoip.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghostman1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxphantomxx.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corehacker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wintwint.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xddoser.no-ip.biz"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kooparat.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasn.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lordnikon2012.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoman22.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"limtred1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279824/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtfemail.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christinaginns.servepics.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bruxinhospy.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamxrat.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penisgrandegrosso.no-ip.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279815; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"majskolv.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abokkhaled.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teddypause.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volkancan.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modam3r.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"darkcomet33.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearrusty.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asil.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghostsquads.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykjfh.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balonmd.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1279813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279813; rev:1;)
# ThreatFox domain IOCs (DNS rules), restored to one rule per line.
# Each rule alerts when a host in $HOME_NET sends a DNS query for the listed
# hostname. `depth` is set to the hostname's length and `isdataat:!1,relative`
# requires that no byte follows the match, so together with `nocase` a rule
# matches that exact name case-insensitively; a longer name or a subdomain of
# it does not match.
# `target:src_ip` marks the querying host as the affected side of the alert.
# NOTE(review): where clients use an internal resolver, the source the sensor
# sees may be the resolver rather than the infected endpoint - correlate with
# resolver logs. Queries carried over DoH/DoT are not visible to these rules.
# Unlike the ip:port rules earlier in this file, these carry no `threshold`,
# so every matching query raises an alert; rate-limit via threshold.config if
# a beaconing host floods the queue.
# Most names here appear to sit under dynamic-DNS zones, so the address a name
# resolves to can change at any time; treat the name, not a resolved IP, as
# the indicator.
# In the rules below, `sid` is the ThreatFox IOC id from `reference` prefixed
# with 9. `dns_query` is the legacy spelling of the `dns.query` sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divineflame.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhy554.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewqeeqw.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilelstil.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackforumsjake.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karimsol.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestdesigns.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mursutaistelija.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yougotowned2333.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antivir.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nicolas69.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baloch123.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deubomberalbania.zapto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimissard.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b4p.dyndns.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"op9.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talalm.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juliobian.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayfforza.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noun1.wowip.kr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spoolsv.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topcompte.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stockholm.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silentdownloads.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paebac.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gunitx55.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realrat517012.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omarkam24.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuckedupdns.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shouky.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eren.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ossseeant-16.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rice-owl.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x1222.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yop111.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magicfuny12.publicvm.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testneptune.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybertest.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thephantom.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kettaval.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deneme05.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iveshack.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conhecimento2.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vamdos1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fluttershy.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zerut.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonnes.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"algeny0.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snofex.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testseyho.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beykozbelam.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rustyslaves.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolol.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingzaib.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipconfig3.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grilo123123.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldhacker20.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbofanz.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sandboxing.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-1.servebeer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7r0.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wouterafca.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"terimt.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getrolled.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chacha.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateepic.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunisie.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meri.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheesepuffmguff.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadece.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aw.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crsi88.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilelweb.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seondesk.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjadmin.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rappakhan.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymous101.serveblog.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bott.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xcxz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naturis1979.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftusers.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sambax.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.ematome.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouedzami2011.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azoz-arar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfrat.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otech.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantumcyber.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"country.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skyline1.serveftp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jrshacker.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solitario1.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rizkrisk.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moof1.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wxw-wxw.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"team-mediabox.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charfy.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragebo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerquito.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"damsjeli.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowslauncher.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testbomb.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bornwild321.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maom1.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bradleyftwlol.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279697; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abajoy.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackdarkcomet.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft11a.dyndns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sameerhacker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quexlo.servehttp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"pkurls.myftp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279703; rev:1;)
# DNS-query rules for ThreatFox domain IOCs, one hostname per rule.
# Direction is $HOME_NET -> $EXTERNAL_NET, and target:src_ip marks the
# querying side as the alert's target host.
# NOTE(review): where clients use a recursive resolver that sits inside
# $HOME_NET and $EXTERNAL_NET is defined as !$HOME_NET, the client->resolver
# query does not fit this direction. The alert then comes from the resolver's
# upstream query and src_ip is the resolver, so resolver query logs are needed
# to find the originating host. Confirm against the local sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"me2.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sky92130.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modikana.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabuntuhacker.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svchostt.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hookserver.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sofiamurcia1.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subertje.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoppal.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maom.dyndns.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers2.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"debacle.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sataredsliid.bounceme.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taayyaabb.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sickman.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgyvdf.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enterkinq2.dyndns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgseb.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martimtoni.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stx-team.no-ip.org";
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279671; rev:1;)
# DNS-query rules for ThreatFox domain IOCs, one hostname per rule.
# Most hostnames in this group sit under dynamic-DNS suffixes (no-ip.*,
# zapto.org, ddns.net) that are shared by many unrelated customers. The
# depth + isdataat:!1,relative pair keeps each match to the single listed
# hostname, so the parent zone itself is never flagged.
# The same exactness applies to b.statscounter.com.ua: only the "b." host
# matches, not other names under that domain.
# The msg text names no malware family; the reference URL on each rule is
# the place to look for that context during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1234host.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkingx.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faridbang.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freemembership.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pi-on.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boubou39.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.statscounter.com.ua"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rastafare9090.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morenita.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darbexteam.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tyfnanl.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erhabix.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"computertech.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foolhardy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rk-jose17-x4.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rattest.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1000keder.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chemdog.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mixlolz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drhzn.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"az3ar-sweet.no-ip.org"; depth:21; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279652; rev:1;)
# DNS-query rules for ThreatFox domain IOCs, one hostname per rule.
# dns_query is the older spelling of the dns.query sticky buffer.
# NOTE(review): confirm the deployed Suricata version still accepts the
# legacy keyword before loading the feed unchanged.
# fast_pattern hands the hostname to the multi-pattern prefilter; it is the
# only content in each rule.
# These rules only see DNS that the sensor can parse in clear text. Lookups
# carried over DNS-over-HTTPS or DNS-over-TLS never reach the dns_query
# buffer, so coverage depends on how endpoints are allowed to resolve names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mitarbeiter.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abbreviate.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manga123.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magic09.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"algamde.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lawliet.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxpn12345.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwillkillyou.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat321.dyndns.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pepebotella.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zazohoster.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sp6.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate333.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d4ffs.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsi.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxf6x6qx.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bjzacjb123.3322.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrtrojann.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mhacks.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p2p4me.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r70.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1279633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279633; rev:1;)
# DNS-query rules for ThreatFox domain IOCs, one hostname per rule.
# metadata carries the feed's own fields: confidence_level (100 on every
# rule in this group) and first_seen (2024_06_05 throughout).
# NOTE(review): first_seen is presumably the date ThreatFox recorded the IOC,
# not necessarily when the hostname became active. Check the entry behind the
# reference URL before treating a hit as current C2.
# Hostnames under shared dynamic-DNS suffixes can change hands, so a hit is
# best triaged with the resolved address and the host's other traffic, not
# the name alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"byatmaca.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devious.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abbc.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"030420112218.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msconfig.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fahad-vip.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servercheck.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shadowsun.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trollton.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spuelmittel.kicks-ass.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irune.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bikini.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsv.sytes.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnwz.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woodstock1969.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratsystem32.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pendexxx.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dizniggahavok.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muffin.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexyina.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279617; rev:1;)
alert tcp $HOME_NET any -> [99.172.6.198] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279606/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279606; rev:1;)
#
# ip:port IOCs labelled CyberGate.
# These rules carry no content match and no flow keyword: the only criteria
# are a TCP packet from $HOME_NET to the listed address and port, so a
# connection attempt that is never answered can still alert.
# threshold "type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds; the number of alerts therefore
# says nothing about how much traffic was exchanged.
# Triage: confirm a completed handshake and payload bytes in flow records
# before treating a hit as an active C2 session.
# There is one sid per address/port pair. 109.95.210.166 (ports 81, 5253),
# 109.236.61.60 (120, 80) and 82.242.250.193 (83, 82) each appear under more
# than one sid in this group, so a per-host suppression or escalation has to
# list every sid for that address.
# NOTE(review): where the port is one that ordinary services also use (80,
# 587 and 3128 occur below), the destination address is the only
# discriminator; verify the ThreatFox entry is still current before blocking.
#
alert tcp $HOME_NET any -> [109.95.210.166] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279607; rev:1;)
alert tcp $HOME_NET any -> [92.241.164.86] 1732 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279608; rev:1;)
alert tcp $HOME_NET any -> [5.112.170.98] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279609; rev:1;)
alert tcp $HOME_NET any -> [109.110.98.3] 1704 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279610; rev:1;)
alert tcp $HOME_NET any -> [5.187.78.241] 1600 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279611; rev:1;)
alert tcp $HOME_NET any -> [173.0.0.107] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279612; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.102] 1000 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279613; rev:1;)
alert tcp $HOME_NET any -> [189.81.208.153] 2000 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279593; rev:1;)
alert tcp $HOME_NET any -> [109.236.61.60] 120 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279594; rev:1;)
alert tcp $HOME_NET any -> [173.0.5.104] 998 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279595; rev:1;)
alert tcp $HOME_NET any -> [83.202.245.223] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279596; rev:1;)
alert tcp $HOME_NET any -> [178.162.47.28] 59065 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279597; rev:1;)
alert tcp $HOME_NET any -> [82.242.250.193] 83 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279598; rev:1;)
alert tcp $HOME_NET any -> [82.242.250.193] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279599; rev:1;)
alert tcp $HOME_NET any -> [92.54.209.12] 3085 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279600; rev:1;)
alert tcp $HOME_NET any -> [109.236.61.60] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279601; rev:1;)
alert tcp $HOME_NET any -> [109.169.17.194] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279602; rev:1;)
alert tcp $HOME_NET any -> [5.2.166.137] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279603; rev:1;)
alert tcp $HOME_NET any -> [77.64.84.132] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279604; rev:1;)
alert tcp $HOME_NET any -> [91.200.201.108] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279605; rev:1;)
alert tcp $HOME_NET any -> [5.245.29.177] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279577; rev:1;)
alert tcp $HOME_NET any -> [122.3.6.9] 9667 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279578; rev:1;)
alert tcp $HOME_NET any -> [109.95.210.166] 5253 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279579; rev:1;)
alert tcp $HOME_NET any -> [192.162.100.209] 3128 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279580; rev:1;)
alert tcp $HOME_NET any -> [64.27.3.109] 6666 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279581; rev:1;)
alert tcp $HOME_NET any -> [189.5.87.27] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279582; rev:1;)
alert tcp $HOME_NET any -> [85.104.6.37] 587 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279583; rev:1;)
alert tcp $HOME_NET any -> [79.132.181.169] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279584; rev:1;)
#
# CyberGate ip:port IOCs.
# Each rule below matches on nothing but protocol (tcp), direction
# ($HOME_NET to a single literal destination address) and destination port.
# There is no flow or content condition, so an alert records that a packet
# was sent towards the address, not that a session was established.
# The threshold (type limit, track by_src, seconds 60, count 1) emits at
# most one alert per source address per minute for each sid.
# target:src_ip tags the $HOME_NET host as the target of the event.
# The same address can appear under several sids with different ports; in
# this group that is the case for 50.41.149.212 (75, 85), 5.135.69.89 (82,
# 81) and 188.162.83.119 (82, 8080).
# NOTE(review): the destination is a literal address, not $EXTERNAL_NET, so
# these rules fire regardless of how $EXTERNAL_NET is defined locally.
#
alert tcp $HOME_NET any -> [88.181.34.80] 1776 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279585; rev:1;)
alert tcp $HOME_NET any -> [5.98.48.197] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279586; rev:1;)
alert tcp $HOME_NET any -> [88.191.93.39] 16590 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279587; rev:1;)
alert tcp $HOME_NET any -> [109.236.61.60] 800 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279588; rev:1;)
alert tcp $HOME_NET any -> [50.41.149.212] 75 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279589; rev:1;)
alert tcp $HOME_NET any -> [188.86.123.141] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279590; rev:1;)
alert tcp $HOME_NET any -> [46.118.186.231] 1600 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279591; rev:1;)
alert tcp $HOME_NET any -> [98.242.110.116] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279592; rev:1;)
alert tcp $HOME_NET any -> [94.43.161.71] 900 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279560; rev:1;)
alert tcp $HOME_NET any -> [79.87.14.23] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279561; rev:1;)
alert tcp $HOME_NET any -> [62.176.21.49] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279562; rev:1;)
alert tcp $HOME_NET any -> [71.128.69.86] 1337 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279563; rev:1;)
alert tcp $HOME_NET any -> [94.170.208.173] 5151 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279564; rev:1;)
alert tcp $HOME_NET any -> [69.143.17.87] 5050 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279565; rev:1;)
alert tcp $HOME_NET any -> [5.9.255.80] 1604 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279566; rev:1;)
alert tcp $HOME_NET any -> [5.2.151.76] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279567; rev:1;)
alert tcp $HOME_NET any -> [187.67.209.111] 2000 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279568; rev:1;)
alert tcp $HOME_NET any -> [81.221.161.147] 83 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279569; rev:1;)
alert tcp $HOME_NET any -> [196.202.69.234] 11772 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279570; rev:1;)
alert tcp $HOME_NET any -> [5.135.69.89] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279571; rev:1;)
alert tcp $HOME_NET any -> [5.2.164.19] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279572; rev:1;)
alert tcp $HOME_NET any -> [186.107.8.198] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279573; rev:1;)
alert tcp $HOME_NET any -> [200.77.77.235] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279574; rev:1;)
alert tcp $HOME_NET any -> [122.6.3.5] 9800 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279575; rev:1;)
alert tcp $HOME_NET any -> [94.25.205.106] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279576; rev:1;)
alert tcp $HOME_NET any -> [74.141.121.202] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279547; rev:1;)
# NOTE(review): 198.168.1.25 is a publicly routable address that differs from
# the RFC 1918 address 192.168.1.25 in one digit. Possibly a mistyped private
# address in the analysed sample's configuration -- confirm against the
# ThreatFox entry before acting on hits for sid 91279548.
alert tcp $HOME_NET any -> [198.168.1.25] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279548; rev:1;)
alert tcp $HOME_NET any -> [109.95.210.166] 8188 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279549; rev:1;)
alert tcp $HOME_NET any -> [78.90.25.193] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279550; rev:1;)
alert tcp $HOME_NET any -> [188.162.83.119] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279551; rev:1;)
alert tcp $HOME_NET any -> [184.91.113.121] 187 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279552; rev:1;)
alert tcp $HOME_NET any -> [5.135.69.89] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279553; rev:1;)
alert tcp $HOME_NET any -> [217.23.3.45] 741 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279554; rev:1;)
alert tcp $HOME_NET any -> [50.41.149.212] 85 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279555; rev:1;)
alert tcp $HOME_NET any -> [82.242.250.193] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279556; rev:1;)
# NOTE(review): 25.0.0.0/8 is also used as overlay address space by some VPN
# products and internal networks. If such addressing is in use locally, hits
# on sid 91279557 may be overlay traffic -- verify before escalating.
alert tcp $HOME_NET any -> [25.81.16.132] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279557; rev:1;)
alert tcp $HOME_NET any -> [81.56.84.181] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279558; rev:1;)
alert tcp $HOME_NET any -> [188.162.83.119] 8080 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279559; rev:1;)
alert tcp $HOME_NET any -> [83.254.238.175] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279542; rev:1;)
alert tcp $HOME_NET any -> [109.95.210.166] 3128 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1279543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279543; rev:1;) alert tcp $HOME_NET any -> [77.78.83.203] 206 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279544; rev:1;) alert tcp $HOME_NET any -> [74.55.40.227] 433 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279545; rev:1;) alert tcp $HOME_NET any -> [46.37.180.197] 2300 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279546; rev:1;) alert tcp $HOME_NET any -> [165.154.220.237] 8808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offices365.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"offices365.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"45.144.30.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279537; rev:1;) alert tcp $HOME_NET any -> [45.144.30.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madehamozza.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mybtrpub.dynuddns.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccqm6p3b2uqka6elyimvq7hiancgmhymprzgrxd6i6u3ovwentsolqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackid-51579.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal-23.ioomoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279536; rev:1;) alert tcp $HOME_NET any -> [194.5.98.113] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279527; rev:1;) alert tcp $HOME_NET any -> 
[158.58.168.61] 1337 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279528; rev:1;) alert tcp $HOME_NET any -> [93.115.35.146] 9887 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279529; rev:1;) alert tcp $HOME_NET any -> [23.105.131.193] 100 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279530; rev:1;) alert tcp $HOME_NET any -> [136.144.41.26] 4444 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279524; rev:1;) alert tcp $HOME_NET any -> [106.69.2.59] 6637 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279525; rev:1;) alert tcp $HOME_NET any -> [193.233.132.136] 4404 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279526/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279526; rev:1;)
# IP:port IOCs. These rules have no flow, flag or payload condition: any TCP
# packet from $HOME_NET to the listed address and port matches, and the
# threshold option limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [185.250.148.54] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279522; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.220] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279523; rev:1;)
# URL IOC. http.uri is matched as a case-insensitive prefix: "/pixel" must
# sit in the first 6 bytes and nothing constrains what follows, so longer
# URIs beginning with it also match. http.host must equal the listed address
# exactly (depth plus isdataat:!1,relative). The rule only sees requests that
# Suricata parses as HTTP; the same request inside TLS is not visible to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279521; rev:1;)
alert tcp $HOME_NET any -> [3.133.149.211] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279520; rev:1;)
# Port 53 over TCP only: the rule header is "alert tcp", so traffic to the
# same address over UDP/53 is not matched by this rule.
alert tcp $HOME_NET any -> [52.70.77.94] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279519; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.bimnall.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279518; rev:1;)
# URL IOCs whose path is "/". content:"/"; depth:1 only requires the URI to
# begin with "/", so the path adds almost no selectivity: these three rules
# effectively alert on any GET whose http.host buffer is exactly the listed
# address. Read them as host indicators rather than path signatures.
# NOTE(review): if the underlying IOC was an https:// URL, an "alert http"
# rule will not see it without TLS decryption — confirm against the
# referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.127.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.18"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279515; rev:1;)
# IP:port IOC: matches any TCP packet to the address and port, with alerts
# limited to one per source per 60 seconds.
alert tcp $HOME_NET any -> [95.217.28.33] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279513; rev:1;) alert tcp $HOME_NET any -> [88.99.127.107] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279514; rev:1;) alert tcp $HOME_NET any -> [116.202.190.18] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279512; rev:1;) alert tcp $HOME_NET any -> [95.216.24.238] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279511; rev:1;) alert tcp $HOME_NET any -> [147.45.47.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279510; rev:1;) alert tcp $HOME_NET any -> [147.78.103.233] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279509; rev:1;) alert tcp $HOME_NET any -> [47.120.19.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1279508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279508; rev:1;) alert tcp $HOME_NET any -> [101.42.4.160] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279507; rev:1;) alert tcp $HOME_NET any -> [46.17.44.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279506; rev:1;) alert tcp $HOME_NET any -> [81.70.93.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279505; rev:1;) alert tcp $HOME_NET any -> [129.211.221.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279504; rev:1;) alert tcp $HOME_NET any -> [38.147.171.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279503; rev:1;) alert tcp $HOME_NET any -> 
[23.224.89.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279502; rev:1;) alert tcp $HOME_NET any -> [67.71.30.199] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279501; rev:1;) alert tcp $HOME_NET any -> [85.99.31.113] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279500; rev:1;) alert tcp $HOME_NET any -> [71.79.177.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279499; rev:1;) alert tcp $HOME_NET any -> [92.99.50.242] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279498; rev:1;) alert tcp $HOME_NET any -> [172.206.49.104] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279497/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91279497; rev:1;) alert tcp $HOME_NET any -> [74.235.204.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279496; rev:1;) alert tcp $HOME_NET any -> [63.250.56.156] 8088 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279495; rev:1;) alert tcp $HOME_NET any -> [91.245.255.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279494; rev:1;) alert tcp $HOME_NET any -> [86.104.72.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279493; rev:1;) alert tcp $HOME_NET any -> [43.134.38.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279492; rev:1;) alert tcp $HOME_NET any -> [172.104.157.108] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1279491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279491; rev:1;)
# IP:port IOCs at confidence_level 50. The rules carry no flow, flag or
# payload condition, so the family named in msg comes from the feed's
# attribution of the address, not from anything inspected on the wire. Any
# TCP packet from $HOME_NET to the address and port raises the alert, at
# most once per source per 60 seconds.
alert tcp $HOME_NET any -> [94.198.216.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279490; rev:1;)
# NOTE(review): Brute Ratel C4 and Sliver are frameworks that are also used
# in authorised red-team work — check hits against known engagement
# infrastructure before escalating.
alert tcp $HOME_NET any -> [31.27.187.236] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279489; rev:1;)
alert tcp $HOME_NET any -> [136.144.162.237] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279488; rev:1;)
alert tcp $HOME_NET any -> [136.144.162.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279487; rev:1;)
alert tcp $HOME_NET any -> [192.121.87.111] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrpolka.casa"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrstar.casa"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sipmptomsledy.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279471; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrspace.casa"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrphound.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrpeso.casa"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrshekel.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allpikoloserdzwe.cyou"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"americansoldat.link"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrruble.casa"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loadwe4.casa"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiac.f3322.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnmz.e3.luyouxia.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhangkedong.u1.luyouxia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newyk5.e3.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"post.f2pool.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinh.xmcxmr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12123das.f3322.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjjj7371.e1.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"honchengkeji.f3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerinvasion.f3322.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q596110.3322.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fwq.kuai-go.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12512.e3.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xisafjasfjip.u1.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf1549064127.f3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24365426.e3.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxww.e3.luyouxia.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.twrata.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dgz.se1f.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u22.zgwl.eu.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bj.caobibibi.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sy12311.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279449; rev:1;) alert tcp $HOME_NET any -> [123.57.51.44] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279445/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279445; rev:1;)
# IP:port IOCs published with confidence_level 50. Each rule matches any TCP
# packet from $HOME_NET to the address on port 443. There is no flow, TLS
# or payload condition, so an alert shows contact with the address, not
# DoomedLoader traffic as such. The threshold option keeps output to one
# alert per source per 60 seconds.
# The confidence_level metadata key is the only machine-readable fidelity
# signal in the rule; routing on it lets these be triaged separately from
# the 100%-confidence rules.
# NOTE(review): first_seen is the only age signal here, and IP indicators go
# stale when addresses are reassigned — check the referenced ThreatFox entry
# before acting on a hit.
alert tcp $HOME_NET any -> [8.147.114.220] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279442; rev:1;)
alert tcp $HOME_NET any -> [124.71.8.94] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279443; rev:1;)
alert tcp $HOME_NET any -> [101.200.228.27] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279444; rev:1;)
alert tcp $HOME_NET any -> [123.57.184.42] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279439; rev:1;)
alert tcp $HOME_NET any -> [39.106.155.56] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279440; rev:1;)
alert tcp $HOME_NET any -> [182.92.123.99] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279441; rev:1;) alert tcp $HOME_NET any -> [47.108.142.100] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279436; rev:1;) alert tcp $HOME_NET any -> [139.196.200.80] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279437; rev:1;) alert tcp $HOME_NET any -> [47.106.165.142] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279438; rev:1;) alert tcp $HOME_NET any -> [8.147.107.117] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279433; rev:1;) alert tcp $HOME_NET any -> [123.57.154.171] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279434; 
rev:1;) alert tcp $HOME_NET any -> [39.106.47.128] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279435; rev:1;) alert tcp $HOME_NET any -> [121.40.79.201] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279430; rev:1;) alert tcp $HOME_NET any -> [39.96.177.84] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279431; rev:1;) alert tcp $HOME_NET any -> [8.138.149.110] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279432; rev:1;) alert tcp $HOME_NET any -> [39.106.50.206] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279427; rev:1;) alert tcp $HOME_NET any -> [8.141.9.64] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1279428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279428; rev:1;) alert tcp $HOME_NET any -> [60.205.176.230] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279429; rev:1;) alert tcp $HOME_NET any -> [8.138.111.32] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279423; rev:1;) alert tcp $HOME_NET any -> [39.104.60.160] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279424; rev:1;) alert tcp $HOME_NET any -> [60.205.124.33] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279425; rev:1;) alert tcp $HOME_NET any -> [39.105.204.46] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279426; rev:1;) alert tcp $HOME_NET any -> [107.173.248.41] 443 (msg:"ThreatFox DoomedLoader 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279420; rev:1;)
# DoomedLoader ip:port rules: destination IPv4 address plus port 443 is the
# only condition, so any TCP packet from $HOME_NET to the address matches,
# whatever the session carries. The per-rule threshold (type limit, track
# by_src, seconds 60, count 1) keeps it to one alert per source per 60 seconds.
# NOTE(review): confidence_level is 50 on every rule in this run. Presumably
# these belong in a lower-severity queue than the confidence 100 rules of the
# same feed, and should expire by first_seen once the indicator is stale -
# confirm against local tuning policy.
alert tcp $HOME_NET any -> [182.92.21.95] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279421; rev:1;)
alert tcp $HOME_NET any -> [8.138.0.214] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279422; rev:1;)
alert tcp $HOME_NET any -> [123.56.110.20] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279417; rev:1;)
alert tcp $HOME_NET any -> [123.57.90.198] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279418; rev:1;)
alert tcp $HOME_NET any -> [101.200.78.167] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279419; rev:1;)
alert tcp $HOME_NET any -> [8.147.108.206] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279413; rev:1;)
alert tcp $HOME_NET any -> [139.9.48.177] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279414; rev:1;)
alert tcp $HOME_NET any -> [101.201.72.126] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279415; rev:1;)
alert tcp $HOME_NET any -> [82.156.184.108] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279416; rev:1;)
alert tcp $HOME_NET any -> [123.56.226.32] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279410; rev:1;)
alert tcp $HOME_NET any -> [8.147.119.99] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279411; rev:1;)
alert tcp $HOME_NET any -> [182.92.189.66] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279412; rev:1;)
alert tcp $HOME_NET any -> [47.94.234.19] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279407; rev:1;)
alert tcp $HOME_NET any -> [8.147.113.111] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279408; rev:1;)
alert tcp $HOME_NET any -> [112.126.85.225] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279409; rev:1;)
alert tcp $HOME_NET any -> [47.94.104.161] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279405; rev:1;)
alert tcp $HOME_NET any -> [47.94.227.173] 443
(msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279406; rev:1;)
# Domain indicators (confidence_level 100). The match is on the DNS query
# name: content:"<domain>" with depth equal to the domain's length forces the
# pattern to start at byte 0, and isdataat:!1,relative requires that nothing
# follows it. Together that is an exact, case-insensitive (nocase) match on
# the whole name; a query for a subdomain of the indicator does not match.
# No threshold is set, so every matching query produces an alert.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky
# buffer - check it still loads cleanly on the deployed Suricata version.
# NOTE(review): the rules are $HOME_NET -> $EXTERNAL_NET. If clients resolve
# through an internal resolver, the alert source will presumably be the
# resolver; its query logs are then needed to find the originating host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cede04.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vvz01.pro"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biss01.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veotyc21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiusm13.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veorfg11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oct5m.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bube01.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verf02.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cemnek45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity;
sid:91279389; rev:1;)
# Exact-name DNS matches. depth:N equals the length of the quoted domain and
# isdataat:!1,relative rejects any trailing bytes, so only a query for the
# name itself alerts; nocase makes the comparison case-insensitive, and
# fast_pattern nominates the domain as the rule's prefilter pattern.
# The msg text names no malware family; the reference URL on each rule is the
# place to look up what the indicator belongs to.
# NOTE(review): none of these rules has a threshold, so a host that retries a
# lookup alerts on every query - presumably aggregate by src_ip and sid
# downstream rather than paging per event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rifat05.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cemujq44.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nife04.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaqly46.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacdpo22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haijys18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oct5e.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verf01.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyspoh51.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cede01.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moreil02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279400/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279400; rev:1;)
# Exact match on the DNS query name hbv01.info (depth 10 plus
# isdataat:!1,relative), case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbv01.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279383; rev:1;)
# NOTE(review): the url rules below put a bare hostname or IPv4 address in
# http.uri, with depth equal to its length, so the pattern has to start at
# byte 0 of the request URI. The URI of an ordinary request starts with "/",
# so these look unlikely to fire as written, and none of them has an
# http.host condition. Presumably the indicator was submitted without a
# scheme and the host ended up in the path slot - confirm against the
# ThreatFox entry. Until then do not count these sids as coverage for the
# listed hosts; matching the same value in http.host (or a dns rule for the
# duckdns.org names) is what would see a normal client request.
# http.method content:"GET" also limits every rule here to GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masterokrwh.duckdns.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1279382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"46.183.223.73"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"wwsh427.duckdns.org"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1279380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"paulrdp02.duckdns.org"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1279379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.79.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.62"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.150"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.23.103.159"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.170"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity;
sid:91279196; rev:1;)
# NOTE(review): every rule in this run matches an IPv4 address at the very
# start of http.uri (depth equals the address length) and has no http.host
# condition. A request URI normally begins with "/", so as written these
# probably never match direct client requests - verify with a replayed
# request before relying on them. The indicator would be visible in the Host
# header or as the connection's destination address instead.
# flow:established,from_client restricts matching to client-to-server data on
# an established session; content:"GET" in http.method excludes other methods.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.161.191.146"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.88.79.153"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.76"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.59"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.161.203.102"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.79.32"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.150"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.212.166.50"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.253"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.23"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.111"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.79.164"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.11.92.124"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.39"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.88"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level:
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"80.66.84.6"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1279182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279182; rev:1;)
# url rules whose indicator (an IPv4 address, or a domain such as okkolus.com
# and haveastory.info) is anchored at offset 0 of http.uri by a depth equal
# to its length. No rule here has an http.host keyword.
# NOTE(review): a request URI normally begins with "/", so a host value at
# offset 0 of http.uri is unlikely to occur in direct client requests. These
# rules carry confidence_level 100 but presumably give no real coverage until
# the indicator is matched where it actually appears (Host header, DNS query
# or destination address) - confirm the intended URL on the ThreatFox page
# given in each reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"192.121.87.173"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.116"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"okkolus.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1279177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.88.106.134"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.151"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"haveastory.info"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"49.13.229.86"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.134"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.82"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"62.133.60.205"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279171; rev:1;)
# NOTE(review): the next three rules match a bare domain or IPv4 address at
# offset 0 of http.uri and have no http.host condition. A request URI normally
# starts with "/", so they look unlikely to fire on direct client requests -
# verify before counting them as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"top-adobe.site"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.23.103.129"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.164.2.59"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1279168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279168; rev:1;)
# Path-and-host form: http.uri must begin with "/index.php/" (depth 11,
# nocase) and http.host must be exactly www.saveinfoval.com (depth 19 plus
# isdataat:!1,relative). Only GET requests from the client side of an
# established flow are considered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.saveinfoval.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279164; rev:1;)
# NOTE(review): sids 91279161 and 91279162 have identical match conditions
# (GET, http.uri starting with "/reports.php", http.host lab.damianobeducci.com)
# and differ only in sid and reference, so one matching request raises two
# alerts. Presumably the two ThreatFox entries differ in a part of the URL the
# rule does not encode - confirm, and suppress one if they are true duplicates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lab.damianobeducci.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lab.damianobeducci.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279162; rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the DNS query
# name (depth equals the domain length, isdataat:!1,relative forbids trailing
# bytes), so subdomains of these names are not covered. No threshold is set.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modernwebframework.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webapidevelopment.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-hcwhjzdb-1316933071.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity;
sid:91279163; rev:1;) alert tcp $HOME_NET any -> [176.56.237.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"176.56.237.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279157; rev:1;) alert tcp $HOME_NET any -> [185.52.1.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.52.1.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279155; rev:1;) alert tcp $HOME_NET any -> [84.46.22.158] 7000 (msg:"ThreatFox Monero Miner botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279150/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_05; classtype:trojan-activity; sid:91279150; rev:1;) alert 
tcp $HOME_NET any -> [46.59.214.14] 7000 (msg:"ThreatFox Monero Miner botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279151/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_05; classtype:trojan-activity; sid:91279151; rev:1;) alert tcp $HOME_NET any -> [46.59.210.69] 7000 (msg:"ThreatFox Monero Miner botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279152/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_05; classtype:trojan-activity; sid:91279152; rev:1;) alert tcp $HOME_NET any -> [94.156.67.67] 46629 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279154; rev:1;) alert tcp $HOME_NET any -> [45.138.16.219] 61995 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read-agreement-of-being-gay-for-30-days/"; depth:41; nocase; http.host; content:"exotours.in"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kfzsoeder.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hcwhjzdb-1316933071.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-hcwhjzdb-1316933071.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.48.124.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"23.94.202.223"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279143; rev:1;) alert tcp $HOME_NET any -> [23.94.202.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279142; rev:1;) alert tcp $HOME_NET any -> [118.195.216.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.195.216.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279140; rev:1;) alert tcp $HOME_NET any -> [106.54.42.56] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1279139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getdata"; depth:15; nocase; http.host; content:"damousese.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"damousese.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279138; rev:1;) alert tcp $HOME_NET any -> [43.155.31.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.155.31.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cm"; depth:3; nocase; http.host; content:"18.219.156.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.94.202.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279131; rev:1;) alert tcp $HOME_NET any -> [23.94.202.223] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279132; rev:1;) alert tcp $HOME_NET any -> [106.54.42.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getdata"; depth:15; nocase; http.host; content:"106.54.42.56"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"119.45.251.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279128; rev:1;) alert tcp $HOME_NET any -> [182.92.154.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"182.92.154.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"47.120.65.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279125/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279125; rev:1;)
# NOTE(review): the next two rules (sids 91279104 and 91279105) sit next to each
# other at 75% confidence; the dns rule matches a name under ply.gg. That name
# looks like an endpoint handed out by a tunnelling/relay service, so the address
# in the ip:port rule is presumably relay infrastructure shared with unrelated
# users. Verify on the ThreatFox entries before using the ip:port match for
# blocking rather than alerting. The ip:port rule has no payload match: any TCP
# packet to that address and port alerts, at most once per source per 60 seconds.
alert tcp $HOME_NET any -> [147.185.221.19] 43028 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279104/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279104; rev:1;)
# Exact-name match only (depth equals the name length, isdataat:!1,relative):
# other names under ply.gg do not trigger this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"an-taxi.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279105; rev:1;)
# url rules: GET only, http.uri must start with the path (prefix match via
# depth, case-insensitive) and http.host must equal the listed host exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kampermazury.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; 
content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.33.198.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llxl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llpl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llml.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llnl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279114; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"zakat.dompetdhuaafa.biz.id"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakat.dompetdhuaafa.biz.id"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"zakat.dompetdhuaafa.biz.id"; depth:26; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"baznas.dompetdhuaafa.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryupdate1.housereynoldsfaust.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"jqueryupdate1.housereynoldsfaust.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"progressivewebappsdev.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 50%)"; dns_query; content:"alphadex.io"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"labs.plutonians.tech"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"justinpgrier.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remcoss2024feb.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279101; rev:1;) alert tcp $HOME_NET any -> [190.123.44.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279095; rev:1;) alert tcp $HOME_NET any -> [89.23.107.39] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279094; rev:1;) alert tcp $HOME_NET any -> [94.156.8.11] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279093; rev:1;) alert tcp $HOME_NET any -> [110.41.17.183] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279092; rev:1;) alert tcp $HOME_NET any -> [111.229.128.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279091; rev:1;) alert tcp $HOME_NET any -> [117.72.74.197] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279090; rev:1;) alert tcp $HOME_NET any -> [8.130.175.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91279089; rev:1;)
# Every rule on the following lines is an ip:port match at confidence_level 50
# with no payload or flow keywords: any TCP packet from $HOME_NET to the listed
# address and port alerts, limited to one alert per source per 60 seconds.
# first_seen 2024_06_05 is the only age information in the rule. Several use
# ports 443 and 8443, where the address alone does not separate C2 from other
# services on the same host. Treat a hit as a lead to corroborate, not a verdict.
alert tcp $HOME_NET any -> [46.246.86.19] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279088; rev:1;)
# NOTE(review): destination port 445 is SMB. An internal host opening SMB to an
# Internet address is worth investigating on its own, independent of this IOC's
# 50% confidence, and is commonly denied at the perimeter. The "botnet C2" wording
# is the same msg text used for every ip:port rule here; presumably "Responder"
# refers to the credential-capture tool, so confirm on the ThreatFox entry.
alert tcp $HOME_NET any -> [135.148.144.97] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279087; rev:1;)
alert tcp $HOME_NET any -> [35.87.11.232] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279086; rev:1;)
alert tcp $HOME_NET any -> [62.234.162.181] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279085; rev:1;)
alert tcp $HOME_NET any -> [79.137.117.24] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279084; rev:1;)
alert tcp $HOME_NET any -> [158.160.64.178] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1279083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279083; rev:1;) alert tcp $HOME_NET any -> [97.64.33.33] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279082; rev:1;) alert tcp $HOME_NET any -> [74.207.229.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~eric/wp/masterddl/2023/03/05/agreement-sayings/"; depth:49; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ictnieuws.nl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/breach-contract-law/"; depth:21; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"goodferry.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"mamajekisrecording.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mamajekisrecording.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"mamajekisrecording.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278808/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"mamajekisrecording.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278809; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 15212 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278811/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91278811; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 15212 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278810/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91278810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"iantucker.ca"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; http.host; content:"fufug.enterprisedownloads.ltd"; depth:29; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1279045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fufug.enterprisedownloads.ltd"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"intellectualpirates.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"giampaolidolciaria.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"izj.unsa.ba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279074; rev:1;) alert tcp $HOME_NET any -> [31.192.235.208] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279077/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mtuogioanis.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"jensenauto.no"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279080; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 54989 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278802; rev:1;) alert tcp $HOME_NET any -> [84.38.182.217] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mad/fre.php"; depth:12; nocase; http.host; 
content:"mtuogioanis.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"41.143.84.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dv2/pws/fre.php"; depth:16; nocase; http.host; content:"giampaolidolciaria.cfd"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279068; rev:1;) alert tcp $HOME_NET any -> [42.194.249.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"42.194.249.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279066; rev:1;) alert tcp $HOME_NET any -> [45.144.137.45] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-62fercq6-1314780031.nj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"service-62fercq6-1314780031.nj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279063; rev:1;) alert tcp $HOME_NET any -> [23.94.203.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-owedaeao-1304783326.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279061; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-owedaeao-1304783326.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.166.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"65.109.241.185"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279055; rev:1;)
# url indicator rules. How the match is built:
#   http.method; content:"GET"            -> client GET requests only.
#   http.uri; content:"<path>"; depth:N   -> N equals the pattern length, so the URI must
#                                            START with the path. Nothing limits what
#                                            follows, which makes this a prefix match.
#   http.host; content:"<host>"; depth:N; isdataat:!1,relative
#                                         -> the host must equal the value exactly, with
#                                            no data after it.
# With a path of "/" the URI test is satisfied by every request, so the rule ending
# above and the next rule are in effect host-only matches: any plaintext HTTP GET to
# that Host value alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.2.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279054; rev:1;)
# The next two rules name widely used public services as the host. The indicator is the
# specific path on that service, not the service itself. A DNS or host-only alert for
# these names would fire on ordinary user traffic.
# Coverage caveat: `alert http` works on parsed HTTP. Such services are normally reached
# over HTTPS, so these rules only see the request where the sensor is given decrypted
# traffic. Elsewhere, rely on proxy logs or endpoint telemetry for the same path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r8z0l"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199698764354"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279052; rev:1;)
# ip:port rule: destination-only match, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [116.203.166.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279051; rev:1;)
alert tcp 
$HOME_NET any -> [116.203.2.129] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279047; rev:1;) alert tcp $HOME_NET any -> [65.109.241.185] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279048; rev:1;) alert tcp $HOME_NET any -> [5.75.212.114] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279049; rev:1;) alert tcp $HOME_NET any -> [116.203.167.34] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279050; rev:1;) alert tcp $HOME_NET any -> [165.22.122.24] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279044; rev:1;) alert tcp $HOME_NET any -> [107.172.157.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279043/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279043; rev:1;) alert tcp $HOME_NET any -> [49.113.75.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279042; rev:1;) alert tcp $HOME_NET any -> [107.172.191.253] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279041; rev:1;) alert tcp $HOME_NET any -> [2.88.147.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279040; rev:1;) alert tcp $HOME_NET any -> [23.177.56.78] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279039; rev:1;) alert tcp $HOME_NET any -> [111.123.53.96] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279038; rev:1;) alert tcp $HOME_NET any -> [185.241.124.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279037; rev:1;) alert tcp $HOME_NET any -> [144.208.127.241] 1717 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278823; rev:1;) alert tcp $HOME_NET any -> [5.42.65.63] 14707 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.37.32.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278820; rev:1;) alert tcp $HOME_NET any -> [154.83.13.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278819; rev:1;)
# NOTE(review): sid:91278818 (below) and sid:91278815 (last complete rule in this group)
# have identical match conditions: same method, same "/watch" URI prefix, same Host.
# They differ only in the reference URL and the sid. One matching request therefore
# raises two alerts. De-duplicate downstream on source, destination and host, or disable
# one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278818; rev:1;)
# domain indicator rule: dns_query with depth equal to the name length plus
# isdataat:!1,relative requires the queried name to equal the value exactly (nocase).
# A query for a subdomain of this name does not match. The name is one specific
# service-<id> label, so the alert identifies that one endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278816; rev:1;)
# ip:port rule: destination-only match, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [154.83.13.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278815; rev:1;)
alert tcp $HOME_NET any -> 
[152.32.135.165] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"dns.163microsoft.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.163microsoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278813; rev:1;) alert tcp $HOME_NET any -> [95.179.228.20] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"41.140.220.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278804; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 49%)"; dns_query; content:"goudieelectric.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278769/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278769; rev:1;)
# The rule ending above and the two url rules below carry confidence_level 49, lower
# than the other indicators in this part of the feed. Treat a hit as a lead to
# corroborate with other telemetry, not as a confirmed detection. The confidence value
# is in both msg and metadata, so alerts can be filtered or re-prioritised by it
# downstream.
# Both url rules share one Host and differ only in the URI prefix. The URI is
# prefix-matched (depth equals pattern length, no end anchor). The Host must match
# exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/the-zero-residual-concept/products"; depth:35; nocase; http.host; content:"simonandschuster.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278771/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/the-zero-residual-concept/sjj-solutions"; depth:40; nocase; http.host; content:"simonandschuster.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278772/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278772; rev:1;)
# Payload-delivery url rule at confidence 100. No domain rule for this host sits next
# to it, so the indicator is the URL, not the whole site.
# NOTE(review): presumably a page on an otherwise ordinary site; confirm on the
# reference page before blocking the domain outright.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold-harmless-agreement-car-accident"; depth:37; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278799; rev:1;)
# domain indicator rule: dns_query content with depth equal to the name length matches
# only a query that starts with this name; its remaining options continue on the next
# line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"simonandschuster.shop"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278770/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278770; rev:1;) alert tcp $HOME_NET any -> [93.123.39.160] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ulysse-cazabonne.cam"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278801; rev:1;) alert tcp $HOME_NET any -> [185.43.220.45] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278798; rev:1;) alert tcp $HOME_NET any -> [47.96.141.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-nshpe3hn-1303962289.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278796/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_04; classtype:trojan-activity; sid:91278796; rev:1;)
# URL indicators, first_seen 2024_06_04, confidence_level 100. Each rule needs
# an established client-to-server flow, "GET" in http.method, a request URI
# that starts with the listed path (depth equals the pattern length and there
# is no end anchor, so a longer URI or a query string still matches; nocase),
# and an http.host value equal to the listed host (depth plus
# isdataat:!1,relative leaves no room for extra bytes). target:src_ip marks the
# $HOME_NET client as the affected side of the alert.
# NOTE(review): the msg of these rules names no malware family; the family, if
# known, has to be looked up through the reference URL.
# NOTE(review): most paths below are short or resemble ordinary web resources
# (/load, /update, /ga.js, /pixel.gif, /ie9compatviewlist.xml), so the host
# match is what makes a hit meaningful. IP-literal hosts are a point-in-time
# observation (see first_seen); re-check the reference before acting on an
# alert long after that date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy/v4.7/gxd7023e"; depth:22; nocase; http.host; content:"service-nshpe3hn-1303962289.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"82.157.78.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"221.227.232.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.78.217.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.57.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"150.109.103.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"106.52.130.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"175.178.99.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; nocase; http.host; content:"150.109.103.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278774; rev:1;)
# URL indicator: GET, URI starting with the listed path (nocase), http.host
# equal to the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278773; rev:1;)
# DanaBot ip:port indicators (confidence_level 100). These rules have no flow
# or content keyword: the only conditions are protocol tcp, source $HOME_NET,
# and the listed destination address and port. threshold (type limit, track
# by_src, seconds 60, count 1) caps output at one alert per source per minute.
# NOTE(review): nine destinations in this batch -- 115.0.0.5:108, 80.0.65.0:75,
# 70.0.71.0:67, 187.1.0.0:443, 89.0.101.0:2304, 72.0.74.0:66, 110.0.0.7:768,
# 83.0.68.0:90 and 111.0.119.0:78 -- contain zero octets and atypical ports,
# unlike 198.211.116.98, 135.181.106.42 and 45.146.164.24 on port 443 in the
# same batch. They look like possible by-products of automated configuration
# extraction rather than reachable C2 endpoints; TODO confirm against the
# ThreatFox references before using them for blocking or escalation.
alert tcp $HOME_NET any -> [198.211.116.98] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278757; rev:1;)
alert tcp $HOME_NET any -> [115.0.0.5] 108 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278758; rev:1;)
alert tcp $HOME_NET any -> [80.0.65.0] 75 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278759; rev:1;)
alert tcp $HOME_NET any -> [70.0.71.0] 67 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278760; rev:1;)
alert tcp $HOME_NET any -> [187.1.0.0] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278761; rev:1;)
alert tcp $HOME_NET any -> [135.181.106.42] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278762; rev:1;)
alert tcp $HOME_NET any -> [89.0.101.0] 2304 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278763; rev:1;)
alert tcp $HOME_NET any -> [72.0.74.0] 66 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278764; rev:1;)
alert tcp $HOME_NET any -> [110.0.0.7] 768 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278765; rev:1;)
alert tcp $HOME_NET any -> [83.0.68.0] 90 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278766; rev:1;)
alert tcp $HOME_NET any -> [45.146.164.24] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278767; rev:1;)
alert tcp $HOME_NET any -> [111.0.119.0] 78 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278768; rev:1;)
# Cobalt Strike ip:port indicator followed by a URL indicator whose http.host
# is the same address (175.178.109.66). The URL rule's msg does not name a
# family; presumably both come from one observation -- verify via the
# references.
alert tcp $HOME_NET any -> [175.178.109.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"175.178.109.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; 
content:"keydian.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278725; rev:1;)
# Mixed batch, first_seen 2024_06_04, confidence_level 100: URL indicators,
# Cobalt Strike ip:port indicators and one DNS indicator.
# URL rules: established client-to-server flow, "GET" in http.method, URI
# starting with the listed path (nocase, no end anchor), http.host equal to the
# listed host. ip:port rules: no flow or content keyword, so address and port
# are the only conditions; threshold limits them to one alert per source per
# 60 seconds.
# NOTE(review): several addresses appear both in an ip:port rule and as the
# http.host of a URL rule (124.70.99.224, 47.93.53.140, 101.37.32.248,
# 64.226.98.234, 106.53.207.158, 45.43.37.219). One HTTP request to such an
# address can raise both alerts; correlate by destination instead of counting
# them as separate events.
# NOTE(review): paths such as /jquery-3.3.1.min.js, /updates.rss, /__utm.gif
# and /wp-content resemble ordinary web resources; the host match, not the
# path, is what ties a hit to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"149.28.222.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"206.238.115.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.249.33.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278752; rev:1;)
alert tcp $HOME_NET any -> [182.148.187.185] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278751; rev:1;)
alert tcp $HOME_NET any -> [124.70.99.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278749; rev:1;)
alert tcp $HOME_NET any -> [101.37.32.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278748; rev:1;)
alert tcp $HOME_NET any -> [47.93.53.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.93.53.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.106.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278744; rev:1;)
alert tcp $HOME_NET any -> [185.235.242.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278743; rev:1;)
# DNS indicator: dns_query content with depth equal to the name length plus
# isdataat:!1,relative matches only a query for exactly this name (nocase);
# other names under the same domain do not match. dns_query is the legacy
# spelling of the dns.query buffer, whereas the http rules in this file use the
# dotted http.* names. The URL rule that follows uses the same name as its
# http.host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bc.hipool.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content"; depth:11; nocase; http.host; content:"bc.hipool.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.37.32.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"34.92.137.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"64.226.98.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278737; rev:1;)
alert tcp $HOME_NET any -> [64.226.98.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.92.156.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.136.177.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.33.198.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278734; rev:1;)
alert tcp $HOME_NET any -> [106.53.207.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.53.207.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"106.53.193.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.43.37.219"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278729; rev:1;)
alert tcp $HOME_NET any -> [45.43.37.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278730; rev:1;)
alert tcp $HOME_NET any -> [150.158.36.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278728; rev:1;)
# NOTE(review): the host below is a single tenant-style hostname under
# tencentapigw.com, presumably a shared API-gateway domain. The rule matches
# the full hostname only, so other names under that parent do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-47u9brah-1326578525.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278726/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_04; classtype:trojan-activity; sid:91278726; rev:1;)
# DNS indicator for a tenant-style hostname under tencentapigw.com (presumably
# a shared API-gateway domain). depth equal to the name length plus
# isdataat:!1,relative means only a query for exactly this name matches
# (nocase); the parent domain and other names under it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-47u9brah-1326578525.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278727; rev:1;)
# ip:port indicators at confidence_level 50 (Meduza Stealer, "Unknown malware",
# QakBot, Havoc, BianLian, Deimos). There is no flow or content keyword:
# protocol tcp, source $HOME_NET and the listed destination address and port
# are the only conditions, and threshold limits output to one alert per source
# per 60 seconds.
# NOTE(review): the confidence value is also present in metadata
# (confidence_level 50), so it can be used to triage these below the 100%
# rules. A hit shows a connection attempt to the address and port and nothing
# about the payload exchanged.
alert tcp $HOME_NET any -> [89.169.52.127] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278723; rev:1;)
alert tcp $HOME_NET any -> [43.139.163.17] 10088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278722; rev:1;)
alert tcp $HOME_NET any -> [101.201.118.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278721; rev:1;)
alert tcp $HOME_NET any -> [101.35.235.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278720; rev:1;)
alert tcp $HOME_NET any -> [67.0.241.90] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278719; rev:1;)
alert tcp $HOME_NET any -> [67.0.229.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278718; rev:1;)
alert tcp $HOME_NET any -> [67.71.30.199] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278717; rev:1;)
alert tcp $HOME_NET any -> [107.175.115.91] 18189 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278716; rev:1;)
alert tcp $HOME_NET any -> [18.188.159.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278715; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278714; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.3] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278713; rev:1;)
alert tcp $HOME_NET any -> [116.204.167.161] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278712; rev:1;)
# DNS, payload-delivery URL and ip:port indicators at confidence_level 100 and
# 75. DNS rules match the exact query name only (depth equal to the name length
# plus isdataat:!1,relative, nocase). "payload delivery" rules have the same
# structure and classtype as the "botnet C2 traffic" URL rules; only the msg
# text differs.
# NOTE(review): the payload-delivery host "jenn.jj" does not look like a
# registrable public domain name -- TODO confirm the value against its
# reference (ioc/1278672) before relying on this rule.
# NOTE(review): win32.duckdns.org and so-taxi.gl.at.ply.gg sit under parent
# domains that presumably serve many unrelated users; the rules match the full
# listed name, so other names under those parents are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"languangjob.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voip.analytics-edges.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"jenn.jj"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278672; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.40] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wear626.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kancelariakaluza.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"win32.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278707; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.20] 9426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"so-taxi.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1278709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.116.125.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278710; rev:1;) alert tcp $HOME_NET any -> [47.116.125.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278711; rev:1;) alert tcp $HOME_NET any -> [94.232.249.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home.js"; depth:12; nocase; http.host; content:"94.232.249.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278697; rev:1;) alert tcp $HOME_NET any -> [47.245.42.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1278696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"47.245.42.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278695; rev:1;) alert tcp $HOME_NET any -> [47.99.194.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278693; rev:1;) alert tcp $HOME_NET any -> [94.156.68.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278692; rev:1;) alert tcp $HOME_NET any -> [35.184.180.199] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1278691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278691; rev:1;)
# ip:port IOC rules at confidence_level 50. Each matches only on destination
# address and port (no flow:, flags: or payload condition) and is limited by
# threshold to one alert per source address per 60 seconds.
# The msg labels the family as "Unknown malware", so the reference URL is the
# only context an analyst has for these four sids.
# NOTE(review): at this confidence level, treat a hit as a lead to corroborate
# (process, DNS and proxy telemetry for the source host), not as a verdict.
alert tcp $HOME_NET any -> [8.138.119.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278690; rev:1;)
alert tcp $HOME_NET any -> [47.113.192.177] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278689; rev:1;)
alert tcp $HOME_NET any -> [106.75.75.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278688; rev:1;)
alert tcp $HOME_NET any -> [35.202.169.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278687; rev:1;)
# Destination port 22 with no payload condition: any TCP traffic from $HOME_NET
# to this address on that port satisfies the rule, whatever the session carries.
# NOTE(review): confirm there is no legitimate administrative use of this
# address before escalating on this sid alone.
alert tcp $HOME_NET any -> [217.165.157.202] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278686; rev:1;)
alert tcp $HOME_NET any -> [149.109.241.64] 443 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278685; rev:1;) alert tcp $HOME_NET any -> [39.40.161.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278684; rev:1;) alert tcp $HOME_NET any -> [184.63.156.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278683; rev:1;) alert tcp $HOME_NET any -> [45.92.9.110] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278682; rev:1;) alert tcp $HOME_NET any -> [103.245.39.231] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278681; rev:1;) alert tcp $HOME_NET any -> [43.143.170.206] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; 
classtype:trojan-activity; sid:91278680; rev:1;) alert tcp $HOME_NET any -> [121.37.252.50] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278679; rev:1;) alert tcp $HOME_NET any -> [140.249.32.175] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278678; rev:1;) alert tcp $HOME_NET any -> [52.68.210.54] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278677; rev:1;) alert tcp $HOME_NET any -> [86.104.72.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278676; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278675; rev:1;) alert tcp $HOME_NET any -> [101.35.42.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1278674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mirrorss.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upgrade.mirrorss.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278670; rev:1;) alert tcp $HOME_NET any -> [103.179.189.111] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; 
content:"theonelartist.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"theonelartist.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"theonelartist.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"theonelartist.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278466; rev:1;) alert tcp $HOME_NET any -> [96.47.235.152] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.108.55.55"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1278458/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278458; rev:1;)
# NOTE(review): sid 91278458 (ending on the line above) and sid 91278459 (next
# rule) anchor an IPv4 literal at offset 0 of http.uri and carry no http.host
# condition. The other url rules in this file put the host in http.host and a
# path beginning with "/" in http.uri. A request URI normally starts with "/",
# so these two probably do not fire on ordinary requests to those addresses; it
# looks as if the feed entry had no path component. Confirm against the
# referenced IOC before counting on them for coverage. If the address is the
# indicator, a local rule under its own sid that matches it in http.host with
# depth plus isdataat:!1,relative would follow the form used elsewhere here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.107.221.88"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1278459/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278459; rev:1;)
# Exact-name DNS rules: depth equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so each rule covers one name only. That is why the
# subdomain and the apex below are separate sids; any other name under
# memoryloader.com is not covered.
# NOTE(review): if the whole zone is considered hostile, a local suffix match
# (dotprefix transform with endswith) would close that gap.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"load.memoryloader.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"memoryloader.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278461; rev:1;)
# confidence_level 49 domain entries: same exact-name matching as above, but the
# feed itself rates them below even odds. Route on the metadata value so they do
# not share a queue with the confidence_level 100 detections.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"baqebei1.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278450/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"d1x9q8w2e4.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1278452/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278452; rev:1;)
# ThreatFox IOC rules for outbound traffic from $HOME_NET; target:src_ip marks
# the internal host as the affected side.
#
# Exact-name DNS match (depth equals pattern length, isdataat:!1,relative forbids
# trailing bytes) at confidence_level 49.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdnforfiles.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278451/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278451; rev:1;)
# Payload-delivery URLs are scoped to host AND path: only requests whose URI
# begins with the listed path alert, not every request to the site.
# The Host comparison is exact (depth:6 plus isdataat:!1,relative), so the same
# path requested under a different host label, e.g. with a www. prefix, would
# not match this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold-harmless-agreement-car-accident/"; depth:38; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278456; rev:1;)
# URI prefix /reports.php on an exact host. These http.* rules inspect parsed
# HTTP only.
# NOTE(review): if the delivery URL is served over TLS, the sensor needs
# decrypted traffic for this sid to fire — confirm the scheme in the IOC entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"intermissionhostel.no"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278457; rev:1;)
# ip:port IOC: address and port are the only match conditions; threshold limits
# the sid to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [147.45.47.36] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.229.142.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"81.68.253.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278453; rev:1;) alert tcp $HOME_NET any -> [114.132.87.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"114.132.87.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.196.191.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278447; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"106.53.207.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278446; rev:1;) alert tcp $HOME_NET any -> [8.222.230.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.222.230.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/transfer-agreement-concept"; depth:27; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; 
content:"inpersonakbh.dk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278443; rev:1;) alert tcp $HOME_NET any -> [45.147.99.158] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278438; rev:1;) alert tcp $HOME_NET any -> [173.212.209.190] 4001 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278437; rev:1;) alert tcp $HOME_NET any -> [149.88.44.159] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lldl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llcl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; 
classtype:trojan-activity; sid:91278434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llal.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278435; rev:1;) alert tcp $HOME_NET any -> [50.114.37.52] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278432; rev:1;) alert tcp $HOME_NET any -> [91.151.89.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278431; rev:1;) alert tcp $HOME_NET any -> [147.78.103.131] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278430; rev:1;) alert tcp $HOME_NET any -> [13.54.165.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278429; rev:1;) alert tcp $HOME_NET any -> [46.246.86.8] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278428; rev:1;) alert tcp $HOME_NET any -> [222.239.101.244] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278427; rev:1;) alert tcp $HOME_NET any -> [105.154.220.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278426; rev:1;) alert tcp $HOME_NET any -> [75.173.34.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278425; rev:1;) alert tcp $HOME_NET any -> [77.126.87.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278424; rev:1;) alert tcp $HOME_NET any -> [70.27.138.67] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278423; rev:1;) alert tcp $HOME_NET any -> [159.100.29.70] 80 (msg:"ThreatFox Havoc 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278422; rev:1;) alert tcp $HOME_NET any -> [49.119.120.21] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278421; rev:1;) alert tcp $HOME_NET any -> [117.139.140.7] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278420; rev:1;) alert tcp $HOME_NET any -> [18.207.197.162] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ieshua.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278384; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18801 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1278396/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278396; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18801 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278397/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278397; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18801 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278398/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278398; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16276 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ingahanka.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278405; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278407; 
rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 44070 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278409; rev:1;) alert tcp $HOME_NET any -> [147.78.103.81] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pendarcc.ir"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278412/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278412; rev:1;) alert tcp $HOME_NET any -> [212.114.52.163] 4044 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278416; rev:1;) alert tcp $HOME_NET any -> [185.43.220.45] 4383 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278417; rev:1;) alert tcp $HOME_NET any -> [110.42.248.7] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1278418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278418; rev:1;)
# ThreatFox IOC rules for outbound traffic from $HOME_NET; target:src_ip marks
# the internal host as the affected side.
#
# URL IOC on an IPv4 host: URI prefix /8zef (depth:5) and exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8zef"; depth:5; nocase; http.host; content:"124.71.81.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278415; rev:1;)
# The next two rules cover the same hostname at two layers. The DNS rule fires
# on the lookup itself; the HTTP rule needs a parsed request with that Host
# value. When only the DNS sid fires, the follow-on session may simply not have
# been visible to the HTTP parser (for example because it was encrypted).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b35977a00ebd8086.safe1.lat"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278414; rev:1;)
# The URI pattern is the file name of a widely deployed JavaScript library, so
# on its own it is not an indicator. The exact http.host condition is what makes
# this rule specific; do not lift the path into hunts without the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"b35977a00ebd8086.safe1.lat"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278413; rev:1;)
# Payload-delivery URL at confidence_level 50: URI prefix /mozi.m on an exact
# IPv4 Host value. A hit means an internal host requested the file, so follow up
# on what the source device is and whether the download completed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"221.15.22.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278406; rev:1;)
alert tcp $HOME_NET any -> [47.94.143.32] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278401; rev:1;)
# NOTE(review): sid:91278400 and sid:91278399 have identical match conditions (GET, same
# http.uri prefix, same http.host); only the ThreatFox reference and the sid differ. One
# matching request therefore raises two alerts. The feed header carries a "Last updated"
# stamp, so this file is presumably regenerated; suppress or disable one sid in your
# rule-management configuration rather than editing it here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"47.94.143.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"47.94.143.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278399; rev:1;)
# IP:port rule: there is no flow or content keyword, so the match is on the packet header
# only (any TCP packet from $HOME_NET to this address and port, which can include a
# connection attempt that never completes). The threshold keeps it to one alert per source
# address per 60 seconds. Treat a hit as "host tried to reach the indicator" and confirm
# with flow or TLS logs before concluding that a session was established.
alert tcp $HOME_NET any -> [45.13.199.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278395; rev:1;)
# URL rule for the same address as the ip:port rule just above (which lists port 443). The
# http.* buffers are only filled for HTTP the sensor can parse; if the traffic on 443 is
# TLS and is not decrypted upstream, this rule cannot fire and the ip:port rule is the only
# coverage. The msg here omits the malware family that the ip:port rule names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.13.199.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278394/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_02; classtype:trojan-activity; sid:91278394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dasy.68chat11.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dasy.68chat11.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colet.capsmono.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"colet.capsmono.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sera.capsmono.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1278389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278389; rev:1;)
# http.host is anchored at both ends (depth equals the pattern length, then
# isdataat:!1,relative), so only this exact host name matches. http.uri has depth but no
# end anchor, so it is a case-insensitive prefix match on the request path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sera.capsmono.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278388; rev:1;)
alert tcp $HOME_NET any -> [45.92.158.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278387; rev:1;)
# NOTE(review): the next two rules cover the same host name with different confidence
# values: 100 for the URL indicator, 75 for the domain indicator. A local policy that
# filters on metadata confidence_level (for example keeping only 100) would keep the HTTP
# rule and drop the DNS rule, although the DNS lookup is the signal that is still visible
# when the HTTP request itself is inside TLS. Decide the cut-off with that in mind.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"static.nvidiadrives.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278386; rev:1;)
# The DNS pattern is anchored at both ends as well, so sub-domains and the parent domain of
# this name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"static.nvidiadrives.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_02; classtype:trojan-activity; sid:91278385; rev:1;)
alert tcp $HOME_NET any -> [194.26.141.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278383; rev:1;) alert tcp $HOME_NET any -> [2.58.56.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278382; rev:1;) alert tcp $HOME_NET any -> [37.27.47.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278380; rev:1;) alert tcp $HOME_NET any -> [5.188.86.231] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278379; rev:1;) alert tcp $HOME_NET any -> [51.38.113.200] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278378; rev:1;) alert tcp $HOME_NET any -> [160.176.174.24] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_02; classtype:trojan-activity; sid:91278218; rev:1;) alert tcp $HOME_NET any -> [95.179.228.20] 5050 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_02; classtype:trojan-activity; sid:91278219; rev:1;)
# URL rules in this feed all pin http.method to GET. A request to the same host and path
# with any other method does not match, so absence of alerts from a url rule is not
# evidence that the host never contacted the indicator; the companion dns or ip:port rule
# (where one exists) is method-independent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videotoprocesslinuxflowergeneratorlocalcentral.php"; depth:51; nocase; http.host; content:"333376cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278221; rev:1;)
# NOTE(review): this domain is listed at confidence 50 here, while the url rule for the
# same host further down (sid:91278216) is at confidence 100. The two values come from
# separate ThreatFox entries; check both references before tuning by confidence_level.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"namex-na.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278220; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.204] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278217/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_02; classtype:trojan-activity; sid:91278217; rev:1;)
# NOTE(review): GET-only match on this path. If the family behind this indicator sends its
# check-ins with another method, this rule stays silent; confirm the observed method
# against the ThreatFox entry or captured traffic. The msg does not name the family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"namex-na.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278216; rev:1;)
alert tcp 
$HOME_NET any -> [185.216.70.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278215; rev:1;) alert tcp $HOME_NET any -> [47.113.107.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.113.107.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.223.26.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278211; rev:1;) alert tcp $HOME_NET any -> [111.231.140.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.040.red"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278209; rev:1;) alert tcp $HOME_NET any -> [206.119.171.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"www.040.red"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278208; rev:1;) alert tcp $HOME_NET any -> [158.160.169.50] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278207; rev:1;) alert tcp $HOME_NET any -> [185.216.70.126] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0988419.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0e36490e.php"; depth:13; nocase; http.host; content:"a0988327.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278204; rev:1;) alert tcp $HOME_NET any -> [105.155.167.141] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.210.9.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.15.235.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; 
sid:91278201; rev:1;)
# The four url rules below pair a short, generic path with a bare IP address as Host.
# http.uri is matched as a case-insensitive prefix (depth equals the pattern length and
# there is no end anchor), so "/ca" also matches any longer path that starts with those
# three characters, with or without a query string. The specificity comes almost entirely
# from the exact http.host match. Once the address is reassigned to another tenant the
# rule can alert on unrelated content, and the only age marker in the rule is
# metadata first_seen; weigh hits against that date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.112.127.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.120.67.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lamayokohama.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/hyra2dh-3blkdyr7nwtfasg"; depth:41; nocase; http.host; content:"lamayokohama.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"119.91.209.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278173; rev:1;) alert tcp $HOME_NET any -> [119.91.208.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278172; rev:1;) alert tcp $HOME_NET any -> 
[104.194.133.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v8.6/z1hbha1y1"; depth:22; nocase; http.host; content:"104.194.133.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/how-to-sue-landlord-for-breach-of-contract-legal-guide/"; depth:61; nocase; http.host; content:"www.quantumsoftech.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hotelfonfreda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; 
http.host; content:"drinkresources.rest"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278151; rev:1;)
# DNS counterpart for the host name used by the url rule that ends on the line above.
# Both are "payload delivery" indicators, yet they use classtype:trojan-activity like the
# C2 rules; only the msg text separates the delivery stage from C2, so triage queues that
# group by classtype will mix the two.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drinkresources.rest"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278152; rev:1;)
# target:src_ip marks the internal client ($HOME_NET side) as the affected host in the
# alert record, which is the address to hand to endpoint response.
alert tcp $HOME_NET any -> [192.169.69.25] 7019 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278153; rev:1;)
# Exact-name match on a label under a dynamic-DNS zone: other names under duckdns.org are
# not matched, so this does not alert on the provider as a whole.
# NOTE(review): the adjacent ThreatFox ids suggest this name and the ip:port rule above
# belong to the same submission; confirm via the references. A dynamic-DNS record can be
# repointed, so the name is likely the longer-lived indicator of the two.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haul.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"homedevice.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/reports.php"; depth:12; nocase; http.host; content:"hopgermany.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278160; rev:1;) alert tcp $HOME_NET any -> [94.156.79.248] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278167; rev:1;) alert tcp $HOME_NET any -> [91.92.249.70] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278166; rev:1;) alert tcp $HOME_NET any -> [20.199.91.184] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278165; rev:1;) alert tcp $HOME_NET any -> [185.23.253.150] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278164; rev:1;) alert tcp $HOME_NET any -> [165.227.187.77] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; 
classtype:trojan-activity; sid:91278163; rev:1;)
# Two ip:port rules for the same address on different ports, both at confidence 50. Each
# rule carries its own threshold, so a client that touches both ports can produce two
# alerts inside the same 60-second window. With header-only matching and a 50% confidence
# value, corroborate with another signal (DNS, TLS fingerprint, endpoint telemetry)
# before escalating.
alert tcp $HOME_NET any -> [185.130.44.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278162; rev:1;)
alert tcp $HOME_NET any -> [185.130.44.166] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278161/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278161; rev:1;)
# Payload-delivery url rule: GET, path prefix "/reports.php", exact host. It has no
# threshold keyword, unlike the ip:port rules, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"h-port-s.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91278148; rev:1;)
# "/login" is a path that many unrelated sites serve; the exact http.host match is what
# scopes this rule to the indicator. The confidence value is 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"android.manx7.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277953; rev:1;)
alert tcp $HOME_NET any -> [31.220.1.98] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278147/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; 
classtype:trojan-activity; sid:91278147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"162.120.71.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277951; rev:1;) alert tcp $HOME_NET any -> [114.130.36.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278146; rev:1;) alert tcp $HOME_NET any -> [5.104.83.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278145; rev:1;) alert tcp $HOME_NET any -> [84.32.44.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278144; rev:1;) alert tcp $HOME_NET any -> [105.154.220.125] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278143; rev:1;) alert tcp $HOME_NET any -> [83.110.222.242] 443 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278142; rev:1;) alert tcp $HOME_NET any -> [39.40.129.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278141; rev:1;) alert tcp $HOME_NET any -> [172.207.80.170] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278140; rev:1;) alert tcp $HOME_NET any -> [54.215.94.76] 57580 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278139; rev:1;) alert tcp $HOME_NET any -> [187.156.103.32] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_01; classtype:trojan-activity; sid:91278138; rev:1;) alert tcp $HOME_NET any -> [5.42.67.10] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; 
sid:91278137; rev:1;) alert tcp $HOME_NET any -> [194.67.193.203] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277950/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_01; classtype:trojan-activity; sid:91277950; rev:1;) alert tcp $HOME_NET any -> [94.232.249.90] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277949; rev:1;) alert tcp $HOME_NET any -> [13.60.40.107] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277948; rev:1;) alert tcp $HOME_NET any -> [158.160.171.112] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"gps-football.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"47.109.69.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.106.153.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.120.61.134"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1277940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277940; rev:1;)
# url rules: the http.uri content carries a depth equal to its own length, which
# anchors only the start of the URI, so any request path beginning with that string
# matches (here "/ca"). The http.host content followed by isdataat:!1,relative is
# what ties the rule to one exact Host value. These rules carry no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"206.233.133.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.221.76.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277938; rev:1;)
# NOTE(review): same method, URI prefix and host as sid:91277943 (ThreatFox ioc
# 1277943). One matching request raises both alerts, so de-duplicate on host + URI
# when counting detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"47.109.69.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277936; rev:1;)
# ip:port rule: no flow or payload keyword, so it matches on destination address and
# port alone, with no requirement that a session was established. The threshold
# limits it to one alert per source address per 60 seconds. In this part of the file
# only this rule names a malware family for 47.109.69.135; the url rules for the
# same address do not.
alert tcp $HOME_NET any -> [47.109.69.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"ghs.lidajun.lol"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"117.50.184.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.50.184.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.184.22"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277927; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"107.148.37.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277925; rev:1;) alert tcp $HOME_NET any -> [124.71.81.174] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277918; rev:1;) alert tcp $HOME_NET any -> [124.71.81.174] 9898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ld6w"; depth:5; nocase; http.host; content:"124.71.81.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; 
classtype:trojan-activity; sid:91277920; rev:1;) alert tcp $HOME_NET any -> [85.192.20.120] 9999 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"120.77.150.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277924; rev:1;) alert tcp $HOME_NET any -> [172.245.240.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"172.245.240.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5-comma-rules-a-guide-to-proper-punctuation-in-legal-writing/"; depth:62; nocase; http.host; content:"labonczfa.hu"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"glasstheatre.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277894; rev:1;) alert tcp $HOME_NET any -> [194.59.30.121] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/682e702a.php"; depth:13; nocase; http.host; content:"a0988934.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277916; rev:1;) alert tcp $HOME_NET any -> [143.244.129.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277915; rev:1;) alert tcp $HOME_NET any -> [45.88.79.152] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277914; rev:1;) alert tcp $HOME_NET any -> [185.216.70.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277913; rev:1;) alert tcp $HOME_NET any -> [47.99.66.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277912; rev:1;) alert tcp $HOME_NET any -> [146.190.20.6] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277911; rev:1;) alert tcp $HOME_NET any -> [194.87.148.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277910; rev:1;) alert tcp $HOME_NET any -> [165.227.187.77] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277909; rev:1;) alert tcp $HOME_NET any -> 
[165.227.187.77] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277908; rev:1;) alert tcp $HOME_NET any -> [51.91.209.109] 32455 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277907; rev:1;) alert tcp $HOME_NET any -> [51.91.209.109] 31962 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277906; rev:1;) alert tcp $HOME_NET any -> [51.91.209.109] 30674 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277905; rev:1;) alert tcp $HOME_NET any -> [51.91.209.154] 32455 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277904; rev:1;) alert tcp $HOME_NET any -> [51.91.209.154] 31962 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277903/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277903; rev:1;) alert tcp $HOME_NET any -> [51.91.209.154] 30674 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277902; rev:1;) alert tcp $HOME_NET any -> [51.91.208.69] 32455 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277901; rev:1;) alert tcp $HOME_NET any -> [51.91.208.69] 31962 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277900; rev:1;) alert tcp $HOME_NET any -> [51.91.208.69] 30674 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277899; rev:1;) alert tcp $HOME_NET any -> [116.136.135.93] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277898; rev:1;) alert tcp $HOME_NET any -> [101.226.27.179] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1277897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277897; rev:1;)
# confidence_level 50, family "Unknown malware", destination port 443: the match is
# on address and port alone, so treat an alert as a lead to corroborate with other
# telemetry rather than as a confirmed infection. The same address is also listed
# on port 7443 under sid:91277850.
alert tcp $HOME_NET any -> [94.156.144.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277896; rev:1;)
alert tcp $HOME_NET any -> [143.244.162.77] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277895; rev:1;)
alert tcp $HOME_NET any -> [209.25.140.211] 23521 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277846; rev:1;)
# First of three url rules for ranconimports.com under /cdn-vs/ (the others are
# sid:91277873 and sid:91277874). The URI content is anchored at the start only;
# the Host content is matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"ranconimports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277871; rev:1;)
# domain rule: depth:17 together with isdataat:!1,relative makes this an exact match
# on the queried name, so a lookup for a subdomain of the same zone does not match.
# A client that resolves the name and then requests one of the /cdn-vs/ paths can
# raise this alert as well as the url alert.
# NOTE(review): dns_query looks like the older spelling of the dns.query buffer,
# while the http rules in this file use the dotted form - confirm against the
# Suricata version in use.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ranconimports.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277872/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ranconimports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"ranconimports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allbou.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"gantegh.agbubulgaria.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277886; rev:1;) alert tcp $HOME_NET any -> [2.59.135.134] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/04/20/will-dispute-lawyers-brisbane/"; depth:42; nocase; http.host; content:"www.casagaribaldi.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"gimnazjum6.zgo.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"58.178.116.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277887; rev:1;) alert tcp $HOME_NET any -> [65.21.79.150] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277881; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277880; rev:1;)
# The same name is matched twice: as a DNS query here and as the Host header in
# sid:91277878. A client that resolves the name and then requests a path starting
# with /wp-admin raises both alerts. The DNS match is exact (depth:19 plus
# isdataat:!1,relative), so subdomains of the name are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sangfor.sanfor.club"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"sangfor.sanfor.club"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277878; rev:1;)
# The next two rules share one destination address and family; only the port and the
# confidence_level (50 vs 100) differ. Rank alerts on the metadata confidence_level
# of the rule that fired, not on the family name in msg.
alert tcp $HOME_NET any -> [77.91.77.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277877; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277876; rev:1;)
alert tcp $HOME_NET any -> 
[195.10.205.90] 4608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277870; rev:1;) alert tcp $HOME_NET any -> [13.92.183.218] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277869; rev:1;) alert tcp $HOME_NET any -> [34.146.16.228] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277868; rev:1;) alert tcp $HOME_NET any -> [116.62.125.203] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277867; rev:1;) alert tcp $HOME_NET any -> [8.213.217.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277866; rev:1;) alert tcp $HOME_NET any -> [106.54.197.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277865/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277865; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277864; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277863; rev:1;) alert tcp $HOME_NET any -> [2.50.54.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277862; rev:1;) alert tcp $HOME_NET any -> [142.247.168.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277861; rev:1;) alert tcp $HOME_NET any -> [1.161.68.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277860; rev:1;) alert tcp $HOME_NET any -> [88.251.35.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277859; rev:1;) alert tcp $HOME_NET any -> [178.87.97.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277858; rev:1;) alert tcp $HOME_NET any -> [96.9.213.175] 80 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277857; rev:1;) alert tcp $HOME_NET any -> [172.173.169.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277856; rev:1;) alert tcp $HOME_NET any -> [13.60.83.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277855; rev:1;) alert tcp $HOME_NET any -> [155.94.204.217] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277854; rev:1;) alert tcp $HOME_NET any -> [38.165.104.28] 443 
(msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277853; rev:1;) alert tcp $HOME_NET any -> [89.23.118.175] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277852; rev:1;) alert tcp $HOME_NET any -> [47.237.20.201] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277851; rev:1;) alert tcp $HOME_NET any -> [94.156.144.46] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moore/five/fre.php"; depth:19; nocase; http.host; content:"tampabayllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277849; rev:1;) alert tcp $HOME_NET any -> [91.207.183.111] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"91.207.183.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277847; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17169 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"francesco.tarricone.it"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277845; rev:1;) alert tcp $HOME_NET any -> [91.92.243.101] 1081 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"forum.altoadigeinnovazione.it"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277609; rev:1;) alert tcp $HOME_NET any -> [47.120.59.37] 6161 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c05b44c6.php"; depth:13; nocase; http.host; content:"a0986754.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277610; rev:1;) alert tcp $HOME_NET any -> [77.91.73.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277570/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277570; rev:1;) alert tcp $HOME_NET any -> [74.119.193.200] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277571/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cavedesponts/what-is-a-contract-seal/"; depth:38; nocase; http.host; content:"laurenti.ch"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-gratuitous-contract/"; depth:29; nocase; http.host; content:"fluechtlinge-malen.ch"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-a-safe-equity-agreement/"; depth:33; nocase; http.host; content:"hirschen-rorschach.ch"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"flavirama.be"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277577; rev:1;) alert tcp $HOME_NET any -> [195.114.193.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"195.114.193.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"164.92.237.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277605; rev:1;) alert tcp $HOME_NET any -> [164.92.237.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"62.234.55.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277603; rev:1;) alert tcp $HOME_NET any -> [62.234.55.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.supportsmicrosoft.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"141.98.212.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277601; rev:1;) alert tcp $HOME_NET any -> [82.156.167.60] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277600; rev:1;) alert tcp $HOME_NET any -> [106.53.207.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-mpstp742-1252578700.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mpstp742-1252578700.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/jquery-v3-31/jquery-3.3.1.min.js"; depth:37; nocase; http.host; content:"36.89.252.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277596; rev:1;) alert tcp $HOME_NET any -> [82.156.167.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"34.92.137.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277594/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277594; rev:1;) alert tcp $HOME_NET any -> [106.75.237.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.75.237.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.3.179.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277590; rev:1;) alert tcp $HOME_NET any -> [119.3.179.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1277589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-g0t0y6tj-1324325324.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277587; rev:1;) alert tcp $HOME_NET any -> [101.43.32.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod/api/debug"; depth:15; nocase; http.host; content:"service-g0t0y6tj-1324325324.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277586; rev:1;) alert tcp $HOME_NET any -> [43.143.245.43] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; 
depth:17; nocase; http.host; content:"1.12.45.242"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"1.12.239.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.221.76.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277582; rev:1;) alert tcp $HOME_NET any -> [129.211.173.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"129.211.173.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277580; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"129.211.173.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"186.4.217.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"hjkdnd.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277568/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"markjohnhvncpure.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277569/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"yavasyavaslo261.com"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277558/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"selammudur24.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277557/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"adbennaberortak.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277556/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"festivalrykten.se"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"adile56tasarim.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277555/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; 
sid:91277555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"festivalrykten.se"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/us-social-security-agreements/"; depth:31; nocase; http.host; content:"www.platypus-verlag.ch"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/transfer-agreement-concept/"; depth:28; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277541; rev:1;) alert tcp $HOME_NET any -> [77.91.77.88] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; 
http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"113.200.137.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277563/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_31; classtype:trojan-activity; sid:91277563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.49.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"38.60.217.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/fetch"; depth:13; nocase; http.host; content:"47.106.154.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search//uyc06653ba892e.css"; depth:27; nocase; http.host; content:"www.loginmicrosoftadmin.shop"; 
depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"82.157.78.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.63.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; 
sid:91277546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277545; rev:1;) alert tcp $HOME_NET any -> [216.245.184.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/define/balance/cckrhyf90gm"; depth:27; nocase; http.host; content:"ecomexplosion.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecomexplosion.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277539; rev:1;) alert tcp $HOME_NET any -> [114.115.174.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; 
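classtype:trojan-activity; sid:91277537; rev:1;)
# URL IOCs with a path: prefix match on the URI (content + depth, no end anchor)
# plus an exact match on the Host header (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sq"; depth:3; nocase; http.host; content:"185.234.216.143"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"etnikk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277533; rev:1;)
# ip:port IOC: no payload inspection; the threshold limits it to one alert per source per 60 s.
alert tcp $HOME_NET any -> [137.220.137.85] 24818 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277530; rev:1;)
# NOTE(review): the next six IOCs are bare hosts with no path. As published, the
# host string was anchored at offset 0 of http.uri (content + depth), and a request
# URI normally begins with "/", so those rules are not expected to fire. The match
# is moved to http.host with the same exact-match anchoring the other URL rules in
# this file use. "nocase" is dropped because this file never applies it to
# http.host. rev is raised to 2 to mark the local change; confirm the intended
# form against the referenced IOC entries and fix the generator upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"139.59.45.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277524; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"3.110.90.191"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277525; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"104.248.144.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277526; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"212.193.51.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277527; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"213.136.70.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277529; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"47.98.103.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277528; rev:2;)
alert tcp $HOME_NET any -> [117.50.187.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"117.50.187.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277522; rev:1;)
# The URI part of the next two rules is content:"/" with depth:1, so it constrains
# nothing beyond the leading slash: in effect they alert on any GET to the listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.2.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277520; rev:1;)
alert tcp $HOME_NET any -> [5.75.212.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 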
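60, count 1; reference:url, threatfox.abuse.ch/ioc/1277519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277519; rev:1;)
# ip:port IOC: no payload inspection; the threshold limits it to one alert per source per 60 s.
alert tcp $HOME_NET any -> [116.202.2.84] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277518; rev:1;)
# NOTE(review): the next three IOCs are bare hosts with no path. As published, the
# host string was anchored at offset 0 of http.uri (content + depth), and a request
# URI normally begins with "/", so those rules are not expected to fire. The match
# is moved to http.host with the exact-match anchoring (depth + isdataat:!1,relative)
# that the other URL rules in this file use, and "nocase" is dropped because this
# file never applies it to http.host. rev is raised to 2 to mark the local change;
# confirm the intended form against the referenced IOC entries. Confidence here is
# only 50-75%, so treat hits as leads rather than confirmed C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"192.52.167.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277497; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"167.99.76.75"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277514; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"smlivin.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277515; rev:2;)
alert tcp $HOME_NET any -> [45.95.169.128] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; 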
classtype:trojan-activity; sid:91277516; rev:1;) alert tcp $HOME_NET any -> [94.156.69.232] 65024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277517; rev:1;) alert tcp $HOME_NET any -> [91.214.78.238] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277513; rev:1;) alert tcp $HOME_NET any -> [149.104.24.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277512; rev:1;) alert tcp $HOME_NET any -> [47.120.22.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277511; rev:1;) alert tcp $HOME_NET any -> [47.108.238.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277510; rev:1;) alert tcp $HOME_NET any -> [107.172.234.139] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277509; rev:1;) alert tcp $HOME_NET any -> [106.54.4.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277508; rev:1;) alert tcp $HOME_NET any -> [49.235.147.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277507; rev:1;) alert tcp $HOME_NET any -> [46.246.6.4] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277506; rev:1;) alert tcp $HOME_NET any -> [159.235.45.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277505; rev:1;) alert tcp $HOME_NET any -> [182.30.4.130] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277504; rev:1;) alert tcp $HOME_NET any -> [202.169.39.4] 
443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277503; rev:1;) alert tcp $HOME_NET any -> [54.203.168.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277502; rev:1;) alert tcp $HOME_NET any -> [81.43.243.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277501; rev:1;) alert tcp $HOME_NET any -> [89.23.118.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277500; rev:1;) alert tcp $HOME_NET any -> [206.119.72.125] 47000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277498; rev:1;) alert tcp $HOME_NET any -> [206.119.72.125] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277499/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_31; classtype:trojan-activity; sid:91277499; rev:1;) alert tcp $HOME_NET any -> [34.125.100.30] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorodpro-42772.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277485; rev:1;) alert tcp $HOME_NET any -> [43.155.163.53] 24543 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"akmedia.in"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"bethesdaserukam.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 80%)"; dns_query; content:"galandskiyher5.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"humman.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"host-file-host6.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"nuljjjnuli.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"trybobry.com.ua"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"vacantion18ffeu.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1277496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277496; rev:1;)
# ip:port IOC: alerts on traffic from $HOME_NET to the listed address and port,
# limited to one alert per source per 60 s. No payload is inspected.
alert tcp $HOME_NET any -> [193.161.193.99] 42772 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277484; rev:1;)
# NOTE(review): depth:12 together with isdataat:!1,relative makes this an exact
# match on the query name "tcp.ngrok.io"; a longer name under that domain will not
# match. The name belongs to a general-purpose tunnelling service rather than to one
# operator, so a hit shows use of the service, not a specific C2 endpoint. Correlate
# with the endpoint's other alerts before acting, and consider a local
# suppress/threshold entry where the service is in sanctioned use.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tcp.ngrok.io"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277482/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277482; rev:1;)
# Port-80 ip:port IOCs match any TCP traffic to the address, whatever the HTTP
# host or path. Expect noise if the address also serves unrelated sites.
alert tcp $HOME_NET any -> [216.137.178.203] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277459; rev:1;)
# Domain IOC: exact, case-insensitive match on the DNS query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.matantalbenna.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277460; rev:1;)
alert tcp $HOME_NET any -> [51.68.167.104] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277461; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"geckoplumbing.com.au"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277463; rev:1;) alert tcp $HOME_NET any -> [93.123.39.66] 6318 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277464; rev:1;) alert tcp $HOME_NET any -> [46.246.86.11] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anti2020.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277466; rev:1;) alert tcp $HOME_NET any -> [209.25.141.211] 23521 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tips-prairie.at.ply.gg"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277468; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 45758 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277469; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 49671 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277470; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277471; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277472; rev:1;) alert tcp $HOME_NET any -> [3.14.182.203] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l790rt2bv0htr.php"; depth:18; nocase; http.host; content:"dfcgbllaafenfkh.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277474; rev:1;) alert tcp $HOME_NET any -> [46.148.39.131] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeurolanddelicim.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeurolandbabis.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 75%)"; dns_query; content:"amazon-analytic.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277437/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_05_31; classtype:bad-unknown; sid:91277437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"entertainmenttechnologies.co.uk"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277441; rev:1;) alert tcp $HOME_NET any -> [93.123.39.98] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3c6cx5iguhtr.php"; depth:18; nocase; http.host; content:"dfcgbllaafenfkh.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dfcgbllaafenfkh.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uiavk0u7uzhtr.php"; depth:18; nocase; 
http.host; content:"dfcgbllaafenfkh.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"estforestry.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tolowgamesqlpublicdownloads.php"; depth:32; nocase; http.host; content:"501046cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58256ec0.php"; depth:13; nocase; http.host; content:"optimal-expert.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njrs"; depth:5; nocase; http.host; content:"47.120.35.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277480/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277480; rev:1;) alert tcp $HOME_NET any -> [49.13.194.118] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277476; rev:1;) alert tcp $HOME_NET any -> [8.210.206.52] 1725 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/59f76ddc.php"; depth:13; nocase; http.host; content:"a0985805.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277453; rev:1;) alert tcp $HOME_NET any -> [162.252.175.98] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277448/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277448; rev:1;)
# ip:port rules (sids 91277447 down to 91277442, the last of which continues
# on the next line). Each one matches on protocol, destination address and
# destination port only: there is no flow, flags or payload keyword, so any
# TCP packet from $HOME_NET to the listed address:port is a candidate.
# "threshold: type limit, track by_src, seconds 60, count 1" caps the output
# at one alert per source address per 60 seconds.
# NOTE(review): every rule in this group carries confidence_level 50 and
# inspects no payload; treat a hit as a lead to corroborate with host, proxy
# or DNS telemetry rather than as a confirmed infection.
alert tcp $HOME_NET any -> [142.202.240.61] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277447; rev:1;)
alert tcp $HOME_NET any -> [207.148.0.16] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277446; rev:1;)
# NOTE(review): destination port 445 towards an external address. If outbound
# SMB is expected to be denied at the perimeter, a hit on this rule also
# points at a gap in that egress policy - confirm against the firewall config.
alert tcp $HOME_NET any -> [3.222.53.37] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277445; rev:1;)
alert tcp $HOME_NET any -> [44.211.3.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277444; rev:1;)
alert tcp $HOME_NET any -> [63.250.56.164] 8008 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277443; rev:1;)
alert tcp $HOME_NET any -> [94.20.154.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277442; rev:1;) alert tcp $HOME_NET any -> [154.40.57.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277438; rev:1;) alert tcp $HOME_NET any -> [134.209.106.197] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277432; rev:1;) alert tcp $HOME_NET any -> [89.169.53.116] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277431; rev:1;) alert tcp $HOME_NET any -> [89.169.52.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277430; rev:1;) alert tcp $HOME_NET any -> [116.196.120.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277429; rev:1;) alert tcp 
$HOME_NET any -> [49.235.166.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277428; rev:1;) alert tcp $HOME_NET any -> [46.246.86.18] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277427; rev:1;) alert tcp $HOME_NET any -> [2.50.7.121] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277426; rev:1;) alert tcp $HOME_NET any -> [86.98.8.132] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277425; rev:1;) alert tcp $HOME_NET any -> [84.213.214.124] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277424; rev:1;) alert tcp $HOME_NET any -> [91.237.124.162] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277423/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277423; rev:1;) alert tcp $HOME_NET any -> [52.40.136.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277422; rev:1;) alert tcp $HOME_NET any -> [54.169.75.222] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277421; rev:1;) alert tcp $HOME_NET any -> [167.172.150.173] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277420; rev:1;) alert tcp $HOME_NET any -> [65.21.63.6] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277419; rev:1;) alert tcp $HOME_NET any -> [194.67.193.201] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277417/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_30; classtype:trojan-activity; sid:91277417; rev:1;) alert tcp $HOME_NET any -> [194.67.193.202] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277418/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_30; classtype:trojan-activity; sid:91277418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.146.158.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1c-viewer.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277414; rev:1;) alert tcp $HOME_NET any -> [185.196.8.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/handler"; depth:8; nocase; http.host; content:"1c-viewer.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.supportsmicrosoft.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.supportsmicrosoft.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277411; rev:1;) alert tcp $HOME_NET any -> [64.176.178.205] 1988 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmknqt3s"; depth:9; nocase; http.host; content:"1july.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kz5hd3dkenwged02vbat_kwgfdmwq1"; depth:31; nocase; http.host; content:"download2361.mediafire.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277408; 
rev:1;)
# Domain rules (dns_query): "depth" equals the pattern length, which pins the
# pattern to the start of the query name, and "isdataat:!1,relative" requires
# that no byte follows it. Together with "nocase" this is a case-insensitive
# exact match on the listed name; queries for other labels under the same
# domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"sustac.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277409; rev:1;)
# URL rules (http): client-to-server traffic on an established flow, method
# buffer containing "GET". The http.uri pattern is pinned to the start of the
# URI by "depth" but has no end anchor, so it is a prefix match; the http.host
# pattern is anchored at both ends (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"s9l0w7n3y5.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9l0w7n3y5.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"s9l0w7n3y5.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277405; rev:1;)
# NOTE(review): the next rule is "alert tcp" with destination port 53, so only
# TCP traffic to this address is matched. Whether the ThreatFox entry also
# covers UDP/53 cannot be told from the rule - confirm against the referenced
# entry before relying on this sid for DNS-transported C2.
alert tcp $HOME_NET any -> [117.72.33.87] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277178; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.ylzinfo.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.ylzinfo.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d10/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"bestcdnforfree.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"bestcdnforfree.site"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poivyzeaa.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.php"; depth:6; nocase; http.host; content:"poivyzeaa.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"27.25.151.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277172; rev:1;) alert tcp $HOME_NET any -> [111.230.207.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"122.51.194.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277170; rev:1;)
# NOTE(review): sid 91277169 below has the same flow, method, http.uri and
# http.host conditions as sid 91277170 (the rule that closes on the line
# above); only the reference and sid differ. One matching request therefore
# raises two alerts. The two ThreatFox entries presumably differ in a field
# the generated rule does not encode - confirm, and suppress one sid locally
# if the duplicate alert is noise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"122.51.194.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277169; rev:1;)
# The http.uri pattern here is a prefix match (depth only, no end anchor):
# any GET whose URI starts with "/image/" on this exact Host value matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277168; rev:1;)
# ip:port rules: destination address and port only, no flow or payload
# keyword; the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [101.33.194.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277167; rev:1;)
alert tcp $HOME_NET any -> [83.97.73.157] 4482 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277165; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"109.196.166.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"107.148.37.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277161; rev:1;) alert tcp $HOME_NET any -> [107.148.37.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277162; rev:1;) alert tcp $HOME_NET any -> [124.221.113.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.221.113.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277159/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_30; classtype:trojan-activity; sid:91277159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.220.192.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277157; rev:1;) alert tcp $HOME_NET any -> [8.220.192.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277158; rev:1;) alert tcp $HOME_NET any -> [192.3.16.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"192.3.16.18"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277155; rev:1;) alert tcp $HOME_NET any -> [140.83.83.58] 9988 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"free.iwaf.cn"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free.iwaf.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"129.211.26.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277151; rev:1;) alert tcp $HOME_NET any -> [111.67.195.152] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"42.51.38.108"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277149; rev:1;) alert tcp $HOME_NET any -> [45.152.86.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.152.86.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bestcdnforfree.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277146; rev:1;) alert tcp $HOME_NET any -> [94.156.67.124] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"p4wq3e5r6t.xyz"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gotthebestoffer.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gotthebestoffer.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/nanofolder/img-files/nacati.res"; depth:43; nocase; http.host; content:"groundbreakingsstyle.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/nanofolder/img-files/a95c346e-bd42-406b-a6a4-ed808e98bf67.res"; depth:73; nocase; http.host; content:"groundbreakingsstyle.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; 
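sid:91277140; rev:1;)
# NOTE(review): as published (rev:1) this rule looked for the hostname
# "diditaxi.kro.kr" at the start of http.uri and had no http.host condition,
# unlike the other url rules visible in this file, which match a path in
# http.uri and the hostname in http.host. A request URI normally begins with
# "/", so the published form would not fire on ordinary requests to that
# host. The hostname is now matched exactly against http.host (anchored by
# depth plus isdataat:!1,relative; no nocase, because the engine lowercases
# this buffer). Presumably the ThreatFox entry is a URL without a path -
# confirm against the reference. This is a local edit, so rev is bumped to 2;
# a regenerated feed file would presumably replace it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"diditaxi.kro.kr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277141; rev:2;)
# Domain rules (dns_query): depth equal to the pattern length plus
# isdataat:!1,relative makes these case-insensitive exact matches on the
# query name; other labels under the same domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"accountasifkwosov.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p4wq3e5r6t.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277137; rev:1;)
# ip:port rule: destination address and port only, no flow or payload
# keyword; the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [77.91.77.87] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277117; rev:1;)
# url rule: URI prefix match on http.uri, exact match on http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0987339.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277136; rev:1;)
alert tcp $HOME_NET any -> 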
[54.180.3.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/students/l9ut5v9e"; depth:22; nocase; http.host; content:"54.180.3.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.130.134.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.40.161.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.121.133.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.40.19.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277122; rev:1;) alert tcp $HOME_NET any -> [185.241.208.229] 51997 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.254.149.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"129.226.201.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277116; rev:1;) alert tcp $HOME_NET any -> [204.137.14.135] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277111; rev:1;) alert tcp $HOME_NET any -> [45.135.180.6] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277112; rev:1;) alert tcp $HOME_NET any -> [94.232.46.202] 80 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277113; rev:1;) alert tcp $HOME_NET any -> [5.161.81.32] 80 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277114/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277114; rev:1;) alert tcp $HOME_NET any -> [180.131.145.92] 80 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1277115/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277115; rev:1;) alert tcp $HOME_NET any -> [104.168.107.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277110; rev:1;) alert tcp $HOME_NET any -> [15.228.248.19] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277109; rev:1;) alert tcp $HOME_NET any -> [45.59.120.155] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277108; rev:1;) alert tcp $HOME_NET any -> [207.148.17.169] 9000 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277107; rev:1;) alert tcp $HOME_NET any -> [212.47.244.109] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277106; rev:1;) alert tcp $HOME_NET any -> [109.123.234.20] 443 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277105; rev:1;) alert tcp $HOME_NET any -> [34.242.178.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277104; rev:1;) alert tcp $HOME_NET any -> [43.134.47.80] 2096 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277103; rev:1;) alert tcp $HOME_NET any -> [45.33.97.250] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277102; rev:1;) alert tcp $HOME_NET any -> [174.138.24.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277101; rev:1;) alert tcp $HOME_NET any -> [104.200.72.177] 47513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277100; rev:1;) alert tcp $HOME_NET any -> [23.225.146.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277099; rev:1;) alert tcp $HOME_NET any -> [23.225.146.83] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277098; rev:1;) alert tcp $HOME_NET any -> [23.225.146.85] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277097; rev:1;) alert tcp $HOME_NET any -> [23.225.146.86] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277096; rev:1;) alert tcp $HOME_NET any -> [23.225.146.84] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277095; rev:1;) alert tcp $HOME_NET any -> [188.166.116.129] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277094; rev:1;)
# confidence_level 50 on a bare ip:port with no malware family named in msg: treat an
# alert from this rule as a lead to corroborate rather than a confirmed detection. The
# metadata carries first_seen but no expiry, so the age of the indicator has to be
# checked by whoever consumes the rule.
alert tcp $HOME_NET any -> [164.90.230.22] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277093; rev:1;)
# "payload delivery" rules: msg distinguishes them from the "botnet C2 traffic" rules, but
# classtype is trojan-activity for both, so triage that needs to tell a download location
# from a C2 endpoint has to key on the msg text or the sid.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dovuzu3rz.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276833; rev:1;)
# septicfl.com is covered twice: by a cleartext HTTP GET of /h/get.php (sid 91276834) and
# by the DNS lookup of the exact name (sid 91276835). The DNS rule does not depend on how
# the following download is transported, but it needs the lookup itself to be visible to
# the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h/get.php"; depth:10; nocase; http.host; content:"septicfl.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"septicfl.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kimtams.dk"; depth:10; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1276854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lifeunworthyoflife.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"davidjhindlemann.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muse.krazzykriss.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276856; rev:1;) alert tcp $HOME_NET any -> [103.40.161.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.40.161.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277091; rev:1;) alert tcp $HOME_NET any -> [192.227.234.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"test.info-twpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.info-twpower.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"test.info-twpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"chernobyl-cheat.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/41286969787314313"; depth:28; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277085; rev:1;) alert tcp $HOME_NET any -> [5.42.65.129] 2353 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processgamebigloaddbflower.php"; depth:31; nocase; http.host; content:"434778cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"171.120.225.117"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83a18cdb.php"; depth:13; nocase; http.host; content:"a0987361.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0987707.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9qod"; depth:5; nocase; http.host; content:"120.46.36.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276872; rev:1;) alert tcp $HOME_NET any -> [120.46.36.83] 32569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w99t"; depth:5; nocase; http.host; content:"120.26.223.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276869; rev:1;)
# 120.26.223.78 appears both as the Host value of the url rule above (sid 91276869, any
# destination port) and as the destination of this ip:port rule (port 33128), so a single
# HTTP request to that port can raise both alerts.
alert tcp $HOME_NET any -> [120.26.223.78] 33128 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276868; rev:1;)
# NOTE(review): the next two rules name one profile/channel path on widely used public
# services (steamcommunity.com, t.me); the host alone is not an indicator, only the
# host-plus-path pair is. Both rules inspect cleartext HTTP only. If clients reach these
# hosts over TLS, the URI is not visible to the rule without decryption, so a lack of
# alerts says little about exposure; proxy or endpoint logs are the likelier place to see
# these requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199695752269"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ta904ek"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276866; rev:1;)
# NOTE(review): the path ends in "fre.ph", which looks like a truncated file name
# (possibly "fre.php" - confirm against ThreatFox entry 1276865). The http.uri test is a
# prefix match (depth, no isdataat), so a longer path beginning with this string still
# matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~escolodo/alive/five/fre.ph"; depth:28; nocase; http.host; content:"31.220.2.120"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1276865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276865; rev:1;) alert tcp $HOME_NET any -> [101.52.247.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276863; rev:1;) alert tcp $HOME_NET any -> [43.247.135.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5en1bjq8aauym2zgoy3k/ll_9354efa.js"; depth:35; nocase; http.host; content:"43.247.135.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/283479bd.php"; depth:13; nocase; http.host; content:"a0986534.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276860; rev:1;) alert tcp $HOME_NET any -> [104.36.229.16] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276858; rev:1;) alert tcp $HOME_NET any -> [193.168.141.64] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276859/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276859; rev:1;) alert tcp $HOME_NET any -> [45.84.0.48] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276853; rev:1;) alert tcp $HOME_NET any -> [172.104.183.19] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276852; rev:1;) alert tcp $HOME_NET any -> [74.50.84.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276851/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276851; rev:1;) alert tcp $HOME_NET any -> [154.204.56.185] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276850; rev:1;) alert tcp $HOME_NET any -> [82.157.149.243] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276849; rev:1;) alert tcp $HOME_NET any -> [101.43.104.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276848; rev:1;) alert tcp $HOME_NET any -> [154.246.228.229] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276847; rev:1;) alert tcp $HOME_NET any -> [94.49.26.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276846/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276846; rev:1;) alert tcp $HOME_NET any -> [85.107.186.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276845; rev:1;) alert tcp $HOME_NET any -> [37.107.5.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276844; rev:1;) alert tcp $HOME_NET any -> [39.40.159.20] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276843; rev:1;) alert tcp $HOME_NET any -> [202.169.39.4] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276842; rev:1;) alert tcp $HOME_NET any -> [54.174.87.114] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276841; rev:1;) alert tcp $HOME_NET any -> [54.174.87.114] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276840; rev:1;) alert tcp 
$HOME_NET any -> [66.85.173.32] 25532 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276839; rev:1;)
# BianLian ip:port indicators (confidence_level 50): address-and-port match only,
# limited to one alert per source address every 60 seconds.
alert tcp $HOME_NET any -> [206.237.4.54] 7443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276838; rev:1;)
alert tcp $HOME_NET any -> [185.7.219.103] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276837; rev:1;)
# URL indicator: a client GET whose URI starts with the given path (depth anchors the
# start; nothing anchors the end, so a longer URI or a query string still matches) and
# whose http.host equals the given name exactly (depth plus isdataat:!1,relative).
# The rule has no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0913612.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276836; rev:1;)
# Cobalt Strike on port 53: the rule protocol is tcp, so UDP traffic to port 53 at
# this address is not covered by this rule.
alert tcp $HOME_NET any -> [180.131.145.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query;
content:"owa.lieamwalls.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276831; rev:1;)
# Domain indicators on the dns_query buffer. depth (equal to the name's length)
# together with isdataat:!1,relative makes each rule an exact, case-insensitive match
# on the whole query name, which is why every lieamwalls.com host label has its own
# rule. A query for any other label under that domain, or for the bare domain, is not
# matched by the rules in this run.
# NOTE(review): the alert identifies the host that sent the query; behind an internal
# resolver that is presumably the resolver, not the workstation - check sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"profile.lieamwalls.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"email.lieamwalls.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.lieamwalls.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.lieamwalls.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lieamwalls.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1276826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276826; rev:1;)
# Payload-delivery URL indicator: client GET, URI starting with the given path, and an
# exact http.host match. These alert http rules only see requests Suricata can parse
# as HTTP; a download over TLS is not inspected unless it is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.php"; depth:6; nocase; http.host; content:"dovuzu3rz.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276825; rev:1;)
# SystemBC ip:port indicator: any TCP packet to the address and port matches, limited
# to one alert per source address every 60 seconds.
alert tcp $HOME_NET any -> [5.161.81.32] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276824; rev:1;)
# Payloads hosted on raw.githubusercontent.com. The host alone is a shared, widely used
# service; the rule is specific only because the full repository path is part of the
# URI match.
# NOTE(review): this host is normally reached over HTTPS, so these two rules presumably
# fire only where TLS is decrypted before the sensor - confirm coverage, and consider
# proxy or endpoint logs as the primary source for these two IOCs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marinabarros320168/new/main/execute_dll.exe"; depth:44; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_29; classtype:trojan-activity; sid:91276821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alexiadarocha195267/rp/raw/main/execute_dll.zip"; depth:48; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_29; classtype:trojan-activity; sid:91276822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mir/index.php"; depth:14; nocase; http.host; content:"216.189.159.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_29; classtype:trojan-activity; sid:91276823; rev:1;)
# Cobalt Strike ip:port indicator: address-and-port match on any TCP packet, one alert
# per source address every 60 seconds.
alert tcp $HOME_NET any -> [18.252.159.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276820; rev:1;)
# C2 URL indicators. The msg of url rules does not name a malware family; use the
# reference URL for attribution. The URI content is anchored at the start only, so
# "/avatars" also matches longer paths that begin with it, while http.host must equal
# the listed value exactly. Where http.host is an IP literal, the rule matches requests
# that address the server by that IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avatars"; depth:8; nocase; http.host; content:"hr-helpdesk.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.97.100.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.43.228.249"; depth:14; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1276817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276817; rev:1;)
# Cobalt Strike ip:port indicator: address-and-port match on any TCP packet, one alert
# per source address every 60 seconds.
alert tcp $HOME_NET any -> [94.156.69.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276816; rev:1;)
# The same host name is covered twice: an HTTP rule (URI prefix plus exact http.host)
# and a DNS rule (exact query name). The DNS rule still fires when the HTTP request
# itself is not visible to the sensor, for example inside TLS. The name embeds two
# vendor brand strings under a .xyz domain; the match is on the full string only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"microsoft.kaspersky.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.kaspersky.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276815; rev:1;)
# URL indicator with a generic path: "/search" is anchored at the start of the URI
# only, so the exact http.host value carries the specificity of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search"; depth:7; nocase; http.host; content:"64.23.177.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/en_us/all.js"; depth:13; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276812; rev:1;)
# Cobalt Strike ip:port indicator: address-and-port match on any TCP packet, one alert
# per source address every 60 seconds.
alert tcp $HOME_NET any -> [162.33.177.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276811; rev:1;)
# asterchildrenshoes.com is covered by an HTTP rule (URI prefix plus exact http.host)
# and by a DNS rule (exact query name); one cleartext request can raise both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/show/miscellaneous/yg435fs33kc"; depth:31; nocase; http.host; content:"asterchildrenshoes.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asterchildrenshoes.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276810; rev:1;)
# This name is spelled "kasperzky"; the "kaspersky" spelling is a separate IOC with its
# own rules (sid 91276814 and 91276815). Because the dns_query match is exact, neither
# rule covers the other spelling.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.kasperzky.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276807; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276808; rev:1;)
# C2 URL indicators: client GET on an established flow, URI starting with the listed
# path (start-anchored by depth, no end anchor), and http.host equal to the listed
# value (depth plus isdataat:!1,relative). The URI content carries nocase; the
# http.host content does not.
# These rules have no threshold keyword, so a beaconing host raises one alert per
# matching request.
# NOTE(review): plan rate limiting in threshold.config if alert volume is a concern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"microsoft.kasperzky.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.121.133.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.54/ysl053kc7qd"; depth:25; nocase; http.host; content:"124.223.41.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276801/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276801; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the address and
# port matches; one alert per source address every 60 seconds.
alert tcp $HOME_NET any -> [124.223.41.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276802; rev:1;)
alert tcp $HOME_NET any -> [15.206.69.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276800; rev:1;)
# 15.206.69.211 is also the http.host of the next rule, so a cleartext request for
# "/j.ad" on port 80 can raise both sid 91276800 and sid 91276799; treat the pair as
# one event when counting detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"15.206.69.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276799; rev:1;)
# "/owa/" is anchored at the start of the URI only; the exact http.host value is what
# ties the rule to this server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"192.121.162.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"responsiveuikit.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276797/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276797; rev:1;)
# Payload-delivery URL indicator at confidence_level 50: GET for a URI starting with
# "/mozi.m" on a host addressed by IP literal.
# NOTE(review): a payload-delivery hit shows that a download was requested, not that
# the payload ran; check the response and the endpoint before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.194.219.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276796; rev:1;)
# burdurpastane.com: separate URL rules for paths under /cdn-vs/ plus one DNS rule for
# the exact domain name. The URL rules need the request to be visible as HTTP; the DNS
# rule fires on the lookup regardless of how the content is fetched afterwards.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"burdurpastane.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"burdurpastane.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"burdurpastane.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"burdurpastane.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276792; rev:1;)
# Payload-delivery URL indicators: client GET, URI starting with the listed path, and
# an exact http.host match. The paths are short and generic ("/data.php",
# "/reports.php"), so the host value is what makes each rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"lilygovert91.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276793; rev:1;)
# NetSupportManager RAT ip:port indicator: address-and-port match on any TCP packet,
# one alert per source address every 60 seconds.
alert tcp $HOME_NET any -> [94.158.245.103] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"genevafarm.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.200.86.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276788/; target:src_ip; metadata: confidence_level 100, first_seen
2024_05_29; classtype:trojan-activity; sid:91276788; rev:1;)
# C2 URL indicator on an API-gateway style host name. The URI part is only "/cm"
# (three bytes, start-anchored), so the 50-byte exact http.host match is what ties the
# rule to this endpoint.
# NOTE(review): if this endpoint is reached over HTTPS, an alert http rule will not see
# the request without TLS decryption - confirm how it is served before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"service-hvcrn7y8-1257783886.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276787; rev:1;)
# 8.210.9.201 is listed as a Cobalt Strike ip:port indicator (port 443) and as the
# http.host of a URL indicator. The ip:port rule matches any TCP packet to that address
# and port; the URL rule needs a parsed HTTP GET whose URI starts with "/activity".
alert tcp $HOME_NET any -> [8.210.9.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.210.9.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"194.59.30.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad";
depth:5; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276783; rev:1;)
# C2 URL indicators whose http.host is an IP literal. Each rule needs a client GET on
# an established flow, a URI that starts with the listed path, and a host value equal
# to the listed address. The same path can appear under several addresses ("/j.ad",
# "/dpixel"); every path and address pair is its own IOC and sid.
# The msg does not name a malware family for url indicators; use the reference URL
# for attribution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.173.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"159.138.131.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276779/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_05_29; classtype:trojan-activity; sid:91276779; rev:1;)
# C2 URL indicators: client GET, URI starting with the listed path, exact http.host.
# 43.138.179.199 appears in more than one rule of this file with different paths
# ("/dpixel" here), so several sids can point at the same server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"113.200.137.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276776; rev:1;)
# The host below starts with "content.microsoft.com" but ends in ".w.kunlunca.com".
# The http.host match is exact on the full 36-byte string, so a request to a host that
# merely begins with the same labels is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url -
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276774; rev:1;)
# C2 URL indicators with very short or common-looking paths ("/cx", "/updates.rss",
# "/dot.gif"). The URI content is a start-anchored prefix, so the rule is only as
# specific as the exact http.host value that follows it.
# NOTE(review): all hosts here are IP literals; if an address is later reassigned, the
# rule keeps matching - review the IOC's first_seen date when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.130.30.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.150.10.45"; depth:13;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276770; rev:1;)
# Payload-delivery URL indicator: client GET, URI starting with "/reports.php", exact
# http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dutchdreamhorses.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276769; rev:1;)
# Payload-delivery domain indicator: exact, case-insensitive match on the full DNS
# query name; the parent domain and other labels under it are not matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scada.paradizeconstruction.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276767; rev:1;)
# ip:port indicators (FAKEUPDATES payload delivery, STRRAT C2): any TCP packet from
# $HOME_NET to the address and port matches; one alert per source address every 60
# seconds. No payload is inspected, so the alert says a connection was attempted, not
# what was transferred.
alert tcp $HOME_NET any -> [173.44.141.51] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276768; rev:1;)
alert tcp $HOME_NET any -> [79.110.62.25] 3608 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.34.253";
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276765; rev:1;)
# URL indicators whose URI content is just "/" with depth:1. That is the first byte of
# an origin-form request URI, so in practice these rules alert on any cleartext GET
# whose http.host equals the listed address; the path adds no specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.18"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276762; rev:1;)
# Vidar ip:port indicator for 116.202.190.18 on port 443, an address that is also the
# http.host of a URL rule above. The URL rule needs parsed cleartext HTTP; this rule
# matches any TCP packet to port 443 and is limited to one alert per source per 60 s.
alert tcp $HOME_NET any -> [116.202.190.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276760; rev:1;)
alert tcp $HOME_NET any -> [128.140.34.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276761; rev:1;)
# Vidar ip:port indicator: address-and-port match on any TCP packet, one alert per
# source address every 60 seconds.
alert tcp $HOME_NET any -> [95.217.241.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276759; rev:1;)
# Payload-delivery URL indicators for archive downloads named after well-known tools
# ("/products/putty.zip", "/products/reader.zip") on the same hosts. The confidence
# differs by path: the putty.zip entries carry confidence_level 100, the reader.zip
# entries 50, so weigh alerts by sid rather than by host.
# The URI match is a start-anchored prefix and the http.host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/putty.zip"; depth:19; nocase; http.host; content:"ccwaterfall.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/reader.zip"; depth:20; nocase; http.host; content:"i.wanblibang.com.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/reader.zip"; depth:20; nocase; http.host; content:"ccwaterfall.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276731; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/putty.zip"; depth:19; nocase; http.host; content:"i.wanblibang.com.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276732; rev:1;) alert tcp $HOME_NET any -> [188.130.251.44] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276713; rev:1;) alert tcp $HOME_NET any -> [158.160.14.246] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/reader.zip"; depth:20; nocase; http.host; content:"192.177.51.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jupyterlab.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276714; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ciston.nut.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/putty.zip"; depth:19; nocase; http.host; content:"192.177.51.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"blockworks.one"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"tokenworks.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dontcrydesignlab.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; 
classtype:trojan-activity; sid:91276744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"doublertrailers.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276746; rev:1;) alert tcp $HOME_NET any -> [91.107.126.182] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276758; rev:1;) alert tcp $HOME_NET any -> [20.201.118.111] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276757; rev:1;) alert tcp $HOME_NET any -> [92.63.103.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276756; rev:1;) alert tcp $HOME_NET any -> [124.223.217.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276755; rev:1;) alert tcp $HOME_NET any -> [149.104.24.124] 1088 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276754; rev:1;) alert tcp $HOME_NET any -> [46.246.12.11] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276753; rev:1;) alert tcp $HOME_NET any -> [70.31.125.90] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276752; rev:1;) alert tcp $HOME_NET any -> [122.51.194.153] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276751; rev:1;) alert tcp $HOME_NET any -> [165.227.79.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276750; rev:1;) alert tcp $HOME_NET any -> [195.54.160.90] 54320 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276749/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_29; classtype:trojan-activity; sid:91276749; rev:1;) alert tcp $HOME_NET any -> [91.92.246.183] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276748; rev:1;) alert tcp $HOME_NET any -> [113.207.40.22] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d9/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"175.178.227.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276736; rev:1;) alert tcp $HOME_NET any -> [23.227.196.84] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; 
classtype:trojan-activity; sid:91276735; rev:1;) alert tcp $HOME_NET any -> [185.234.216.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sq"; depth:3; nocase; http.host; content:"94.232.249.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.200.86.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276726; rev:1;) alert tcp $HOME_NET any -> [101.43.112.155] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.207.46.13"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1276724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276724; rev:1;) alert tcp $HOME_NET any -> [51.79.134.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"51.79.134.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.238.240.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276721; rev:1;) alert tcp $HOME_NET any -> [5.230.54.39] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"selltix.org"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1276719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum2/index.php"; depth:17; nocase; http.host; content:"otyt.ru"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"selltix.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"176.58.121.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276716; rev:1;) alert tcp $HOME_NET any -> [174.138.184.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276712; rev:1;) alert tcp $HOME_NET any -> [106.54.61.66] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276711; rev:1;) alert tcp $HOME_NET any -> [81.69.248.205] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276710; rev:1;) alert tcp $HOME_NET any -> [172.111.174.67] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276709; rev:1;) alert tcp $HOME_NET any -> [8.147.119.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276708; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276706; rev:1;) alert tcp $HOME_NET any -> [209.38.50.170] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; 
classtype:trojan-activity; sid:91276707; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276705; rev:1;) alert tcp $HOME_NET any -> [185.140.12.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276704; rev:1;) alert tcp $HOME_NET any -> [195.123.225.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276703; rev:1;) alert tcp $HOME_NET any -> [195.123.225.88] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276702; rev:1;) alert tcp $HOME_NET any -> [185.22.64.121] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276701; rev:1;) alert tcp $HOME_NET any -> [46.183.25.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276700; rev:1;) alert tcp $HOME_NET any -> [101.75.251.49] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276699; rev:1;) alert tcp $HOME_NET any -> [163.181.100.75] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276698; rev:1;) alert tcp $HOME_NET any -> [37.27.92.9] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276697; rev:1;) alert tcp $HOME_NET any -> [79.154.35.27] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276696; rev:1;) alert tcp $HOME_NET any -> [89.116.110.27] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276695; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 443 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276694; rev:1;) alert tcp $HOME_NET any -> [23.95.60.82] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p/land.php"; depth:11; nocase; http.host; content:"ashleypuerner.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ashleypuerner.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/update.php"; depth:30; nocase; http.host; content:"sustaincharlotte.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jumbie.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276687/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"digitalfreight.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-bear-spray-legal-in-ca-california-bear-spray-laws-explained/"; depth:64; nocase; http.host; content:"solar-audio.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276688; rev:1;) alert tcp $HOME_NET any -> [45.141.215.89] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276454; rev:1;) alert tcp $HOME_NET any -> [51.195.53.197] 13914 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276453; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9e2cad7d.php"; depth:13; nocase; http.host; content:"a0982426.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276452; rev:1;) alert tcp $HOME_NET any -> [47.106.154.91] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276451; rev:1;) alert tcp $HOME_NET any -> [109.107.182.39] 7771 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"iskorpion.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"159.100.30.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276445/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"66.42.55.224"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"170.64.204.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"88.99.33.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"37.27.110.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"13.201.8.106"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276443; rev:1;)
# ThreatFox "domain" rules -- how the rule below matches:
#   dns_query content with depth equal to the name length anchors the pattern at the start of
#   the queried name, and isdataat:!1,relative requires that nothing follows it, so the query
#   must be exactly the listed domain (nocase makes the comparison case-insensitive).
# NOTE(review): a query for a subdomain of the listed name does not match this rule; hunt for
# those separately in DNS logs if the indicator is a registered domain rather than a full host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metallc.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276439; rev:1;)
# The two url rules below pair the URI prefix "/login" (depth:6, no end anchor, so longer paths
# beginning with /login also match) with an exact http.host value; both carry confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"128.199.82.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"hack.umbrel.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"telnet.8b8n.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276437; rev:1;)
# NOTE(review): 172.67.175.19 lies inside 172.64.0.0/13, a range Cloudflare publishes for its
# reverse-proxy edge (verify against the current published list). An address of that kind
# typically fronts many unrelated sites, and this rule tests address and port only, so alerts
# from ordinary browsing are to be expected; confidence_level here is 75, not 100. Corroborate
# with the HTTP Host value or the DNS answer behind the flow before treating the source host
# as infected.
alert tcp $HOME_NET any -> [172.67.175.19] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276438; rev:1;)
# Address-and-port match only; threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [91.92.249.80] 4090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276436/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276436; rev:1;)
# The url rules below share the "/login" URI prefix and differ only in the exact http.host value
# and in confidence_level (50, 100 and 75 respectively) -- use that value to rank triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"52.66.138.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"47.245.94.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"165.232.156.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; 
classtype:trojan-activity; sid:91276407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"82.115.17.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"192.52.167.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"128.199.156.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"78.47.219.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276411/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"140.246.157.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"123.57.192.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/communicate/v7.55/oub6r9bd5p"; depth:29; nocase; http.host; content:"121.36.105.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276431; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276432/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276432; rev:1;) alert tcp $HOME_NET any -> [47.76.44.105] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276430; rev:1;) alert tcp $HOME_NET any -> [47.117.156.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.117.156.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"119.45.224.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276426; rev:1;) alert tcp $HOME_NET any -> [119.45.224.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276427/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_28; classtype:trojan-activity; sid:91276427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.45.224.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276425; rev:1;) alert tcp $HOME_NET any -> [119.45.224.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.254.149.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"122.51.2.91"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.196.202.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276420; rev:1;) alert tcp $HOME_NET any -> [121.196.202.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.115.216.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"175.178.227.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.254.149.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; 
classtype:trojan-activity; sid:91276417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.134.122.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"w.sanfor.club"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w.sanfor.club"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/zh-cn/lang.js"; depth:26; nocase; http.host; content:"1.92.81.30"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276412; rev:1;) alert tcp $HOME_NET any -> [1.92.81.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276413; rev:1;) alert tcp $HOME_NET any -> [85.209.133.248] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276406; rev:1;) alert tcp $HOME_NET any -> [80.76.49.162] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"super.shoppro.fun"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276400; rev:1;) alert tcp $HOME_NET any -> [159.89.247.83] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276401; rev:1;) alert tcp $HOME_NET any -> [162.120.71.116] 53421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276402; rev:1;) alert tcp $HOME_NET any -> [162.120.71.117] 
53421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276403; rev:1;) alert tcp $HOME_NET any -> [80.253.246.4] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276371; rev:1;) alert tcp $HOME_NET any -> [3.94.10.34] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"erxst.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276373; rev:1;) alert tcp $HOME_NET any -> [192.3.209.101] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276374; rev:1;) alert tcp $HOME_NET any -> [156.238.240.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"156.238.240.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo.css"; depth:7; nocase; http.host; content:"43.138.173.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276396; rev:1;) alert tcp $HOME_NET any -> [43.138.173.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276397; rev:1;) alert tcp $HOME_NET any -> [157.230.250.250] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; 
nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276394; rev:1;)
# URL IOCs with very short URI prefixes: depth:3 only anchors "/ca" or "/cx" at
# the start of the URI, so any path beginning with those characters matches
# (for example "/cart" or "/cache"). All of the specificity in these rules
# comes from the exact Host match (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.222.15.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276391; rev:1;)
# NOTE(review): the Host value in the next rule, 192.168.3.187, is an RFC 1918
# private address, so the indicator has no globally unique meaning despite the
# feed's confidence_level 100. The rule only inspects $HOME_NET -> $EXTERNAL_NET
# traffic, so it will normally never see requests to a local 192.168.3.187; where
# it does fire (a proxy or NAT path, or a $HOME_NET that excludes 192.168.0.0/16)
# it would flag any unrelated device at that address serving a path that starts
# with "/cx". Consider disabling or suppressing sid 91276390 locally and
# reporting the entry upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"192.168.3.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276388; rev:1;)
# The Host below looks like a tenant-specific endpoint under a shared cloud
# API-gateway domain (inferred from the name; confirm). depth:50 equals the
# length of the full hostname and isdataat:!1,relative forbids trailing bytes,
# so only this exact endpoint matches, not the parent domain or other tenants.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"service-ltwr9lk5-1319740527.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.180.146.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.99.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b8dmmmy2-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1276381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"service-b8dmmmy2-1318428097.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.100.180.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coinbasenftapp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"test.fynndows.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myra.re"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"91.215.85.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juranfile"; depth:10; nocase; http.host; content:"becorist.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86.apk"; depth:7; nocase; http.host; content:"menusand.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; 
sid:91276363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hanihani"; depth:9; nocase; http.host; content:"menusand.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"185.215.113.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.bobungbu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdffile"; depth:8; nocase; http.host; content:"menusand.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276361; rev:1;) alert tcp $HOME_NET any -> [103.177.35.32] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276359/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276359; rev:1;)
# URL IOCs. http.uri is anchored only at the start (depth equals the pattern
# length and there is no end-of-buffer check), so longer paths and query
# strings that begin with the listed path also match. http.host is an exact
# match (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trani"; depth:6; nocase; http.host; content:"becorist.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mp/cd/ddh.php"; depth:14; nocase; http.host; content:"readmemag.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276369; rev:1;)
# Domain IOCs. Each dns_query pattern is an exact, case-insensitive match on
# the whole query name: depth equals the pattern length and
# isdataat:!1,relative rejects any trailing bytes.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"readmemag.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276370; rev:1;)
# ip:port IOCs. No flow or payload condition is set, so any TCP packet from
# $HOME_NET to the listed address and port matches. The threshold caps output
# at one alert per source address per 60 seconds. target:src_ip marks the
# $HOME_NET host as the affected side of the event.
alert tcp $HOME_NET any -> [103.151.239.121] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276368; rev:1;)
# identitynetwork.top: because every pattern is an exact match, the apex rule
# (sid:91276357) does not cover subdomains. Only the five subdomains that have
# their own rule here are detected; other names under the zone raise no alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.identitynetwork.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupnet.identitynetwork.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv.identitynetwork.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tor-exit1.identitynetwork.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"identitynetwork.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxies.identitynetwork.top"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276358; rev:1;)
# NOTE(review): the rules below are confidence_level 50 with the family given
# only as "Unknown malware", and three of them are on port 80. Treat a hit as
# a lead to corroborate (host telemetry, the referenced ThreatFox entry)
# rather than as a confirmed infection; the address may serve other content.
alert tcp $HOME_NET any -> [92.63.193.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276352; rev:1;)
alert tcp $HOME_NET any -> [5.78.105.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276351; rev:1;)
alert tcp $HOME_NET any -> [86.38.247.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276350; rev:1;)
alert tcp $HOME_NET any -> [114.115.220.199] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276349; rev:1;)
alert tcp $HOME_NET any -> [8.218.239.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276348; rev:1;)
alert tcp $HOME_NET any -> [49.113.77.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276347; rev:1;)
# ip:port IOCs, all confidence_level 50. Each rule matches any TCP packet from
# $HOME_NET to the listed address and port (no flow or payload condition) and
# is limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [1.13.195.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276346; rev:1;)
alert tcp $HOME_NET any -> [106.14.22.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276345; rev:1;)
alert tcp $HOME_NET any -> [103.114.163.246] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276344; rev:1;)
alert tcp $HOME_NET any -> [122.51.1.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276343; rev:1;)
# NOTE(review): the confidence_level 50 rules from here to sid:91276335 include
# common service ports (22, 80, 443). The rule text gives no reason to expect
# that the address hosts nothing else, so corroborate a hit before acting.
alert tcp $HOME_NET any -> [2.50.38.57] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276342; rev:1;)
alert tcp $HOME_NET any -> [77.124.100.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276341; rev:1;)
alert tcp $HOME_NET any -> [4.236.60.242] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276340; rev:1;)
alert tcp $HOME_NET any -> [20.55.194.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276339; rev:1;)
alert tcp $HOME_NET any -> [193.149.189.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276338; rev:1;)
alert tcp $HOME_NET any -> [199.19.106.171] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276337; rev:1;)
alert tcp $HOME_NET any -> [119.96.67.97] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276336; rev:1;)
alert tcp $HOME_NET any -> [45.135.232.38] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276335; rev:1;)
# URL IOCs with the root path. content:"/" with depth:1 is satisfied by any
# URI that begins with "/", so these rules are in effect keyed on the exact
# Host value alone. They have no threshold, so every matching request alerts.
# NOTE(review): sid:91276333, sid:91276332 and sid:91276331 have identical
# match conditions (GET, Host 95.217.242.38) and differ only in reference and
# sid, so one request raises three alerts. Collapse them in alert handling if
# the per-IOC references need to be kept.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host;
content:"95.217.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276331; rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches, limited to one alert per source address per 60 seconds.
# The port-80 rules for 95.217.242.38 and 116.203.7.199 overlap with the url
# rules for the same hosts (sid:91276331 to sid:91276334), which carry no port
# condition. An HTTP request to either host on port 80 raises both kinds.
alert tcp $HOME_NET any -> [95.217.242.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276328; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.38] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276329; rev:1;)
alert tcp $HOME_NET any -> [116.203.7.199] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276330; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.38] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276327; rev:1;)
# NOTE(review): sid:91276325 and sid:91276326 match the same address and port
# (148.113.165.11:81). They differ only in confidence_level (100 vs 75),
# reference and sid, so the same traffic is reported under both confidences.
alert tcp $HOME_NET any -> [148.113.165.11] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276325; rev:1;)
alert tcp $HOME_NET any -> [148.113.165.11] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276326/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276326; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.7] 14563 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276324; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.69] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276320/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276320; rev:1;)
# Domain IOCs: exact, case-insensitive match on the whole query name (depth
# equals the pattern length, isdataat:!1,relative rejects trailing bytes).
# Subdomains of a listed name do not match unless they have their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lolibes.nut.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fiseriy.nut.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276315; rev:1;)
alert tcp $HOME_NET any -> [54.244.188.177] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276314; rev:1;)
alert tcp $HOME_NET any -> [149.28.222.15] 44506 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276309; rev:1;)
alert tcp $HOME_NET any -> [105.154.226.162] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276308; rev:1;)
# The domain rules below name no malware family in msg; the referenced
# ThreatFox entry is the only pointer to context for triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"x555hd.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276289/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unikorea.go.ci"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kakaoaccouts.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276283; rev:1;)
alert dns
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mofamail.homes"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276282; rev:1;)
# Domain IOCs: exact, case-insensitive match on the whole query name (depth
# equals the pattern length, isdataat:!1,relative rejects trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mofamail.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276281; rev:1;)
# 10xshares.com is covered by three url rules (sid:91276279, sid:91276278,
# sid:91276276) and one domain rule (sid:91276277). "payload delivery" entries
# use the same classtype (trojan-activity) as the C2 entries, so the msg text
# is the only field that separates a download attempt from C2 traffic.
# The URI patterns are prefix matches; the Host value is matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"10xshares.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apcorp.homes"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"10xshares.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"10xshares.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"10xshares.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276276; rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [147.78.103.240] 1974 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276323; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.250] 6609 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276322; rev:1;)
# 45.159.211.110 has both an ip:port rule (sid:91276319, port 80) and a url
# rule (sid:91276318). Only the ip:port rule names the family in msg; the url
# rule adds the request path. Entries from here on carry first_seen 2024_05_27.
alert tcp $HOME_NET any -> [45.159.211.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.159.211.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/v3.44/z2u5lk0c"; depth:19; nocase; http.host; content:"193.233.75.241"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276317; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.107] 85 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276316; rev:1;)
alert tcp $HOME_NET any -> [94.232.46.11] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276313; rev:1;)
alert tcp $HOME_NET any -> [185.164.163.79] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276310/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276310; rev:1;)
alert tcp $HOME_NET any ->
[104.36.229.104] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276311; rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches (no flow or payload condition), limited to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [193.168.141.62] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276312; rev:1;)
# NOTE(review): every rule from here to the end of this group is
# confidence_level 50, several on common service ports (22, 80, 443, 445, 995).
# A hit is a lead to corroborate, not a confirmed infection.
alert tcp $HOME_NET any -> [194.59.30.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276307; rev:1;)
alert tcp $HOME_NET any -> [172.232.185.9] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276306; rev:1;)
alert tcp $HOME_NET any -> [172.232.188.170] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276305; rev:1;)
alert tcp $HOME_NET any -> [121.41.62.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276304; rev:1;)
alert tcp $HOME_NET any -> [47.116.208.65] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276303; rev:1;)
alert tcp $HOME_NET any -> [122.51.166.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276302; rev:1;)
alert tcp $HOME_NET any -> [103.1.40.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276301; rev:1;)
alert tcp $HOME_NET any -> [2.50.7.137] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276300; rev:1;)
alert tcp $HOME_NET any -> [39.40.177.113] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276299; rev:1;)
alert tcp $HOME_NET any -> [78.168.80.155] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276298; rev:1;)
# NOTE(review): the next three rules watch TCP/445 towards external addresses.
# Whether a hit means the connection actually left the network depends on
# where the sensor sits relative to egress filtering - confirm before triage.
alert tcp $HOME_NET any -> [31.44.88.175] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276297; rev:1;)
alert tcp $HOME_NET any -> [138.68.185.106] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276296; rev:1;)
alert tcp $HOME_NET any -> [142.93.101.65] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276295; rev:1;)
alert tcp $HOME_NET any -> [185.22.64.121] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276294; rev:1;)
alert tcp $HOME_NET any -> [3.26.243.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276293;
rev:1;)
# ip:port IOCs: any TCP packet from $HOME_NET to the listed address and port
# matches (no flow or payload condition), limited to one alert per source
# address per 60 seconds. The first three rules are confidence_level 50.
alert tcp $HOME_NET any -> [58.215.159.80] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276292; rev:1;)
alert tcp $HOME_NET any -> [39.145.65.90] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276291; rev:1;)
alert tcp $HOME_NET any -> [20.160.204.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276290; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.118] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276288; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.74] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276287; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.246] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276286; rev:1;)
alert tcp $HOME_NET any -> [197.202.219.104] 555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276285; rev:1;)
# URL IOCs. "/index.php" and "/1.zip" are generic paths and are matched as
# prefixes (depth equals the pattern length, no end check), so the exact
# http.host match is what ties each rule to its IOC. No threshold is set,
# so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vilendar.ga"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"prolinice.ga"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276274/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.zip"; depth:6; nocase; http.host; content:"kostumn1.ilabserver.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276273; rev:1;)
# Vidar ip:port IOCs. Several of these addresses also appear as the Host value
# of a url rule later in the file (for example 49.12.115.112 in sid:91276259
# and 91.107.221.88 in sid:91276257); the url rules name no family in msg.
alert tcp $HOME_NET any -> [116.203.15.103] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276269; rev:1;)
alert tcp $HOME_NET any -> [91.107.221.88] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276270; rev:1;)
alert tcp $HOME_NET any -> [116.202.6.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276271; rev:1;)
alert tcp $HOME_NET any -> [49.12.115.112] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276272; rev:1;)
alert tcp $HOME_NET any -> [159.69.102.132] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276266; rev:1;)
alert tcp $HOME_NET any -> [94.130.190.88] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276267; rev:1;)
alert tcp $HOME_NET any ->
[195.201.253.107] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276268; rev:1;)
# Vidar ip:port IOCs: any TCP packet from $HOME_NET to the listed address and
# port matches (no flow or payload condition), limited to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [65.109.242.59] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276262; rev:1;)
alert tcp $HOME_NET any -> [78.46.237.77] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276263; rev:1;)
alert tcp $HOME_NET any -> [78.47.123.174] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276264; rev:1;)
alert tcp $HOME_NET any -> [49.13.227.86] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276265; rev:1;)
alert tcp $HOME_NET any -> [65.108.55.55] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276260; rev:1;)
alert tcp $HOME_NET any -> [37.27.34.12] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276261; rev:1;)
# URL IOCs with the root path. content:"/" with depth:1 is satisfied by any
# URI that begins with "/", so each rule is in effect keyed on the exact Host
# value alone, on any destination port, and alerts on every matching request
# (no threshold). Earlier ip:port rules list the same addresses on 443 or 9000.
# NOTE(review): these rules need parsed HTTP; if the sessions on 443 are TLS,
# presumably only the ip:port rules can fire - confirm against what the sensor
# can see. 88.198.124.82 (sid:91276256) has no ip:port rule in this part of
# the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.115.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.6.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.107.221.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.253.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.190.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity;
sid:91276252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.227.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.123.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.237.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"37.27.34.12"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199689717899"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/copterwin"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.55.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"bookmycooks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275992/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275992; rev:1;)
# Payload-delivery IOCs (confidence 100). The dns rule matches the exact query name
# bookmycooks.com (depth equals the name length, isdataat:!1,relative rejects anything longer),
# so subdomains are not covered. dns_query is the legacy spelling of the dns.query buffer.
# The http rules pin the Host exactly but treat the URI as a prefix, and match GET only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bookmycooks.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bookmycooks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"bookmycooks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"ycva887.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275996; rev:1;)
# NOTE(review): sid:91275991 looks mis-generated. Unlike every other url rule here it has no
# http.host match; it looks for the IP literal at the start of http.uri instead. A request URI
# normally begins with "/", so this rule is unlikely to fire on ordinary traffic.
# Presumably the source IOC was a URL with no path - check threatfox.abuse.ch/ioc/1275991/.
# If coverage for this address matters, add a separate local rule on http.host or on the
# destination address; edits to this generated file are lost on the next feed update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.83.114.131"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1275991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275991; rev:1;)
# Cluster of hosts sharing the URI prefix /zdqyn2nmogezotlk/ (confidence 80). The path is the
# element common to all of them; sid:91275990 lists it without the trailing slash (depth:17).
# Each rule still requires its exact Host, so a new host on the same path is not detected.
# A local hunt on the path across all hosts may surface infrastructure not yet in the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekenmarabatayfabanane.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk"; depth:17; nocase; http.host; content:"kemerdekaradarderler32.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"karalarlanasa.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275987/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"hakandakal2.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"manavhakanlar.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kiremithanedekiler.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kemerdekaradara123.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275986; rev:1;)
# Lookalike name: cloudfronts.net resembles a well-known CDN brand but is a different
# registrable domain. The rule matches the full query name exactly, so it cannot fire on
# lookups for the genuine service.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"main.cloudfronts.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275981; rev:1;)
# Two more hosts on the /zdqyn2nmogezotlk/ path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kemerdekaradar.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"massakarada.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275983; rev:1;)
# Lookalike name under the .ovh TLD; exact-name match as above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"dash.cloudflare.ovh"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275980; rev:1;)
# NjRAT endpoint (ip:port, confidence 75) followed by a ply.gg hostname with the adjacent IOC id.
# NOTE(review): ply.gg names look like a public tunnelling service; if so, the address may be
# shared with unrelated users. Treat hits on the ip:port rule as leads to corroborate, and
# verify before blocking the address outright.
alert tcp $HOME_NET any -> [147.185.221.19] 32384 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"control-road.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.dnacharting.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275977; rev:1;)
# AMOS endpoint (ip:port, confidence 100). Matches on destination address and port only; the
# threshold limits output to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [77.221.151.54] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275960; rev:1;)
# Cobalt Strike IOCs. The ip:port rules name the family in msg; the url rules for the same
# addresses do not, so correlate the two by address or by ThreatFox IOC id when triaging.
# The URI values (/ga.js, /pixel.gif, /cx, /push, /__utm.gif, ...) are generic-looking paths and
# are matched as prefixes (depth, no end anchor); the discriminating condition is the exact
# http.host match. All url rules match GET only.
# NOTE(review): paths of this kind are usually configurable on the C2 side, so expect these
# url IOCs to age quickly - verify against current telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"116.114.20.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275975; rev:1;)
alert tcp $HOME_NET any -> [112.124.5.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275973; rev:1;)
# sid:91275972 and sid:91275971 are identical apart from sid and reference (same Host, same
# URI), so a single matching request raises two alerts. Deduplicate downstream or suppress one
# of them locally rather than editing this generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275971; rev:1;)
alert tcp $HOME_NET any -> [38.180.146.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"38.180.146.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275968; rev:1;)
alert tcp $HOME_NET any -> [45.138.157.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"45.138.157.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.51.85.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"123.60.99.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275963; rev:1;)
# MooBot endpoint (ip:port, confidence 75): lower confidence than its neighbours, so weight
# alerts from this rule accordingly.
alert tcp $HOME_NET any -> [45.128.232.15] 13322 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275962; rev:1;)
# Domain IOCs match the exact query name only; a lookup fires the rule even if no connection
# to the resolved address follows.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzjs.ceshi.ink"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.99.75.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275958; rev:1;)
alert tcp $HOME_NET any -> [101.99.75.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcade.shinjiku.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"arcade.shinjiku.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275956; rev:1;)
alert tcp $HOME_NET any -> [116.114.20.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"116.114.20.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275954; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.72] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"156.232.186.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275950; rev:1;)
# The Host here is a long service-specific name under tencentapigw.com; the rule pins that
# exact name (depth:47 plus isdataat:!1,relative), so other names under the same parent domain
# do not match.
# NOTE(review): presumably a per-tenant endpoint on a shared gateway platform - keep any
# blocking scoped to this name, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod/api/debug"; depth:15; nocase; http.host; content:"service-hjsbgio3-1324325235.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hjsbgio3-1324325235.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1275949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275949; rev:1;)
# URL and domain IOCs (confidence 100, first_seen 2024_05_27).
# url rules: client GET requests only; http.host must equal the listed value exactly, while the
# http.uri content is anchored at the start but not at the end, so it is a prefix match
# (the "/cx" rule also matches "/cxyz"). Short paths therefore rely entirely on the Host match.
# domain rules: exact query-name match; a lookup alone raises the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"shellmanaggggger.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shellmanaggggger.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/font-awesome.css"; depth:28; nocase; http.host; content:"124.70.99.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"119.45.21.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.26.46.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"103.97.58.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"192.252.182.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/en-us/lang.js"; depth:26; nocase; http.host; content:"162.14.102.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.26.46.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275936; rev:1;)
# Domain IOC followed by an AsyncRAT ip:port IOC with the adjacent id.
# NOTE(review): the feed does not state that the two belong together - confirm on ThreatFox.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unio.bumbleshrimp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275931; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.147] 7244 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.89.225.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbl841/index.php"; depth:17; nocase; http.host; content:"hqt3.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275930; rev:1;)
# Hostname under ydns.eu, followed by a RedLine Stealer ip:port IOC with the adjacent id.
# NOTE(review): ydns.eu looks like a dynamic-DNS zone; if so, the name can be repointed at any
# time and the address IOC may go stale independently - re-validate both before acting on them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jnmanymen.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275929; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.173] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275928; rev:1;)
# Two endpoints on one host (/gateway/register, /gateway/report). Both rules require GET.
# NOTE(review): if clients submit data to these endpoints with another method (for example
# POST), these rules will not fire - check observed traffic and add a local rule if needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/register"; depth:17; nocase; http.host; content:"45.120.177.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/report"; depth:15; nocase; http.host; content:"45.120.177.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275925; rev:1;)
alert tcp $HOME_NET any -> [176.123.4.187] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1275926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275926; rev:1;)
alert tcp $HOME_NET any -> [8.217.223.172] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275927; rev:1;)
# NOTE(review): the ip:port rules that follow carry no flow, content or
# app-layer keywords. Each one alerts on any TCP packet from $HOME_NET to the
# listed address and port; the threshold limits output to one alert per source
# IP per 60 seconds. All of them are tagged confidence_level 50, and several
# target ports 80/443, so treat a hit as a lead to corroborate (host telemetry,
# the referenced ThreatFox entry) rather than as confirmation of compromise.
# The metadata confidence_level key can be used to tier or filter these sids.
alert tcp $HOME_NET any -> [45.132.181.5] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275923; rev:1;)
alert tcp $HOME_NET any -> [172.234.244.189] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275922; rev:1;)
alert tcp $HOME_NET any -> [194.36.191.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275921; rev:1;)
alert tcp $HOME_NET any -> [103.110.152.8] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275920; rev:1;)
alert tcp $HOME_NET any -> [34.146.109.26] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275919; rev:1;)
alert tcp $HOME_NET any -> [86.98.22.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275918; rev:1;)
alert tcp $HOME_NET any -> [123.60.181.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275917; rev:1;)
alert tcp $HOME_NET any -> [95.144.6.229] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275916; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20025 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275915; rev:1;)
alert tcp $HOME_NET any -> [146.70.80.94] 20004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275914/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_27; classtype:trojan-activity; sid:91275914; rev:1;) alert tcp $HOME_NET any -> [152.42.245.111] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"fozkiv.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"wemdap.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"zupqel.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"rizyat.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"gikmuv.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"xotpin.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"werboq.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"nevdiz.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275863/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"hudxap.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kovjep.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"tupfij.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"yiqvux.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"qowzef.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"leoyuz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"xepmeq.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"qidvob.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; 
depth:18; nocase; http.host; content:"gufwap.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"xulqir.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"lupzod.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edgewell.cam"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaragoza.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275910; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 10092 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275902/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275902; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275900/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275900; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275901; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275898/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275898; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275899/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275899; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275894; 
rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275897/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275897; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275891; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275892; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"elbied.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275878; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15881 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"elbied.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elbied.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"elbied.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"juxleq.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275854; rev:1;) alert tcp $HOME_NET any -> [178.215.236.209] 
1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-japanese-weapon-laws-regulations-and-restrictions/"; depth:65; nocase; http.host; content:"signcitysa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"africa.thesmalladventureguide.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275853/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jscodecss.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; 
classtype:trojan-activity; sid:91275911; rev:1;)
alert tcp $HOME_NET any -> [45.76.129.156] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275909; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.147] 6318 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275908; rev:1;)
# NOTE(review): the next two rules (sid 91275905 and sid 91275904) have
# identical match conditions: GET, http.uri "/dv2/pws/fre.php", http.host
# "edgewell.cam". They differ only in the stated confidence (75 vs 100), the
# reference and the sid, so a single matching request raises both alerts.
# Deduplicate downstream or suppress one of the two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dv2/pws/fre.php"; depth:16; nocase; http.host; content:"edgewell.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dv2/pws/fre.php"; depth:16; nocase; http.host; content:"edgewell.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275904; rev:1;)
alert tcp $HOME_NET any -> [111.173.106.171] 53779 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tophpsecureprocessprocessorwordpressdletemporary.php"; depth:53; nocase; http.host; content:"a0986030.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0986642.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275895; rev:1;)
# NOTE(review): the http.host value in the next rule (sid 91275889) is
# 192.168.50.128, an RFC 1918 private address, so it does not identify an
# Internet-reachable host. With the $HOME_NET -> $EXTERNAL_NET direction the
# rule is unlikely to match where private ranges belong to $HOME_NET, and a
# match elsewhere (any request whose Host header carries that address) points
# at no specific external C2. Presumably the IOC comes from a lab or sandbox
# capture; verify against the referenced ThreatFox entry before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"192.168.50.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275889; rev:1;)
alert tcp $HOME_NET any -> [112.126.71.52] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.112.127.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275887; rev:1;) alert tcp $HOME_NET any -> [147.45.159.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalimagephppollsecurepacketcpuprocessdbtrack.php"; depth:54; nocase; http.host; content:"expectum.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.196.10.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; 
classtype:trojan-activity; sid:91275883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.223.7.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275882; rev:1;) alert tcp $HOME_NET any -> [124.71.4.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipv6test/test"; depth:14; nocase; http.host; content:"124.71.4.216"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275880; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275879; rev:1;) alert tcp $HOME_NET any -> [176.124.32.55] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275874/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; 
classtype:trojan-activity; sid:91275874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.227.154.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"152.32.202.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.133.149.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275849; rev:1;) alert tcp $HOME_NET any -> [81.200.148.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"81.200.148.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275847; rev:1;)
# URL rule: fires on a GET whose URI starts with the listed path (depth equals the
# pattern length, so the match is anchored at offset 0 but anything may follow) and
# whose Host value is exactly the listed string (isdataat:!1,relative rejects any
# trailing byte). http.host is a lower-cased buffer, which is why only the URI
# content carries nocase. Requests using a method other than GET are not reported.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"209.38.242.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275846; rev:1;)
# ip:port rules (the rest of this span): there is no flow, payload or app-layer
# keyword, so any TCP packet from $HOME_NET to the listed address and port matches,
# including a SYN that is never answered. An alert therefore shows an attempted
# connection, not a completed C2 session.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at one
# alert per source address per 60 seconds.
# confidence_level 50 is the feed's own rating; corroborate a hit with endpoint or
# proxy telemetry before acting on it. Every entry here carries first_seen
# 2024_05_26, and an address can change hands after it was listed, so check the
# indicator's current status at the reference URL.
alert tcp $HOME_NET any -> [109.107.181.140] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275845; rev:1;)
alert tcp $HOME_NET any -> [94.154.172.154] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275844; rev:1;)
alert tcp $HOME_NET any -> [124.220.28.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275843; rev:1;)
alert tcp $HOME_NET any -> [103.40.161.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275842; rev:1;)
# QakBot / Havoc / BianLian entries on 443 and 995: these are also the standard
# HTTPS and POP3S ports, so the destination address is the only discriminator.
alert tcp $HOME_NET any -> [101.184.153.168] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275841; rev:1;)
alert tcp $HOME_NET any -> [194.219.215.105] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275840; rev:1;)
alert tcp $HOME_NET any -> [5.163.250.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275839; rev:1;)
alert tcp $HOME_NET any -> [118.161.16.91] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275838; rev:1;)
alert tcp $HOME_NET any -> [51.20.124.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275837; rev:1;)
alert tcp $HOME_NET any -> [193.239.86.162] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275836; rev:1;)
# The next nine BianLian rules share destination 185.234.216.209 and differ only in
# port (20024-20052) and sid. The threshold is kept per rule, so a host that tries
# several of these ports raises one alert per port; group by destination address
# when triaging instead of treating each sid as a separate incident.
alert tcp $HOME_NET any -> [185.234.216.209] 20042 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275835; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20024 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275834; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20033 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275833; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20041 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275832; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20052 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275831; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20051 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275830; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20044 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275829; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20043 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275828; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20050 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275827; rev:1;)
alert tcp $HOME_NET any -> [223.111.199.81] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275826; rev:1;)
alert tcp $HOME_NET any -> [45.77.136.43] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275825/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275825; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 17680 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275823; rev:1;) alert tcp $HOME_NET any -> [89.110.74.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"host-89-110-74-77.hosted-by-vdsina.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host-89-110-74-77.hosted-by-vdsina.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275722; rev:1;) alert tcp $HOME_NET any -> [43.139.248.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; 
classtype:trojan-activity; sid:91275720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ir8o1y75-1324325235.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod/api/debug"; depth:15; nocase; http.host; content:"service-ir8o1y75-1324325235.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275718; rev:1;) alert tcp $HOME_NET any -> [107.173.101.131] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search//uyc06653ba892e.js"; depth:26; nocase; http.host; content:"www.loginmicrosoftadmin.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275716; rev:1;) alert tcp $HOME_NET any -> [120.46.202.105] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1275715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.116.125.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275714; rev:1;) alert tcp $HOME_NET any -> [111.230.117.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"111.230.117.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275712; rev:1;) alert tcp $HOME_NET any -> [152.69.199.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/push"; depth:5; nocase; http.host; content:"free2.iwaf.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free2.iwaf.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.46.202.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275708; rev:1;) alert tcp $HOME_NET any -> [52.14.9.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"s2-charterschools.securportal.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275706; rev:1;) alert tcp $HOME_NET any -> [111.230.190.86] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275705; rev:1;)
# URL rules in this span: GET + URI prefix + exact Host. The URI content is anchored
# at offset 0 by depth but is not closed at the end, so "/search/" also matches any
# longer path that starts with it. The Host content is closed on both sides
# (depth + isdataat:!1,relative), so only that exact host value matches.
# Several paths are ordinary web asset names (a jQuery file, an RSS feed); the path
# adds little on its own and the exact Host match carries the detection.
# These rules need parsed cleartext HTTP. When the same endpoint is reached over
# TLS, only the matching ip:port or dns rule can fire unless traffic is decrypted
# before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"139.9.189.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275702; rev:1;)
# Domain rules: dns_query is the older spelling of the dns.query buffer. depth plus
# isdataat:!1,relative makes this an exact match on the whole query name (with
# nocase); a different label under the same parent domain does not match.
# Unlike the ip:port rules there is no threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s2-charterschools.securportal.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275700; rev:1;)
alert tcp $HOME_NET any -> [52.14.9.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275701; rev:1;)
# Duplicate match: sid 91275699 below has the same method, URI and Host conditions
# as sid 91275706 earlier in this file (different ThreatFox IOC ids). One request
# raises both alerts; deduplicate downstream or suppress one of the two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"s2-charterschools.securportal.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275699; rev:1;)
alert tcp $HOME_NET any -> [106.55.223.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"111.230.190.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"101.33.194.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"94.241.142.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275694; rev:1;)
# ip:port rules carry no flow or payload condition: any TCP packet to the address
# and port matches, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.241.142.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.loginmicrosoftadmin.shop"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275692; rev:1;)
alert tcp $HOME_NET any -> [107.173.101.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275693; rev:1;)
# Duplicate match: sid 91275691 below repeats the conditions of sid 91275716
# earlier in this file; expect two alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search//uyc06653ba892e.js"; depth:26; nocase; http.host; content:"www.loginmicrosoftadmin.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275691; rev:1;)
# The next two rules name one full host under a larger parent domain. Because the
# match is exact, other host names under that parent are left untouched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-5ba7yjpl-1303971391.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-5ba7yjpl-1303971391.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275690; rev:1;)
# 144.34.175.110 is listed as ip:port on 443 and as a URL with that address as Host.
# NOTE(review): if the listener on 443 speaks TLS, the URL rule cannot see the
# request and only the ip:port rule will fire -- confirm against the IOC page.
alert tcp $HOME_NET any -> [144.34.175.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"144.34.175.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275687; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.familysafty.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275657; rev:1;)
# Domain rules match the whole query name: depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes, so "familysafty.com" below matches
# the apex only. The "auth." host has its own rule (sid 91275657, ending on the
# line above); any other subdomain is not covered by either rule.
# These rules have no threshold, so each matching query produces an alert. They
# fire only when the sensor sees the client's plaintext DNS; lookups sent through
# an encrypted resolver are not visible to them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"familysafty.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275658; rev:1;)
# ".shop" group, URL form: nine hosts with the same conditions -- method GET, URI
# beginning with "/api" (a prefix match, so "/api/..." and "/apiX" also hit) and an
# exact Host value. http.host is a lower-cased buffer, so no nocase is needed on it.
# Only GET over cleartext HTTP is reported; another method to the same URL, or the
# same request inside TLS, is left to the domain rules further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"babycandidateoswp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"museumtespaceorsp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"buttockdecarderwiso.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"averageaattractiionsl.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"femininiespywageg.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"employhabragaomlsp.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stalfbaclcalorieeis.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"civilianurinedtsraov.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roomabolishsnifftwk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275671; rev:1;)
# ".shop" group, domain form: the same host names as exact-match DNS queries. A
# client that resolves one of these names and then requests it over HTTP raises
# two alerts under two sids (domain + url); correlate them by source address
# rather than counting them as separate detections.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"babycandidateoswp.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"museumtespaceorsp.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buttockdecarderwiso.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"averageaattractiionsl.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"femininiespywageg.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"employhabragaomlsp.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stalfbaclcalorieeis.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"civilianurinedtsraov.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roomabolishsnifftwk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"employeedscratshj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"employeedscratshj.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"netwire2021.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"729231cm.n9shteam1.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"86t7b9br9.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275654; rev:1;) alert tcp $HOME_NET any -> [94.156.65.172] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275648; rev:1;) alert tcp $HOME_NET any -> [43.226.229.43] 2030 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275651; rev:1;) alert tcp $HOME_NET any -> [23.95.88.13] 3360 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275650; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 3042 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njratnew.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275653/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275653; rev:1;) alert tcp $HOME_NET any -> [34.246.200.160] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275683; rev:1;) alert tcp $HOME_NET any -> [118.194.235.187] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275686; rev:1;) alert tcp $HOME_NET any -> [105.154.228.100] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275685; rev:1;) alert tcp $HOME_NET any -> [194.59.31.74] 5552 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"lobulraualov.in.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275662; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"guteyr.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"greendag.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"dbfhns.in"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275659/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"729231cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275649; rev:1;) alert tcp $HOME_NET any -> [62.109.21.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1275647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275647; rev:1;) alert tcp $HOME_NET any -> [154.198.224.117] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275645; rev:1;) alert tcp $HOME_NET any -> [66.94.103.177] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275644; rev:1;) alert tcp $HOME_NET any -> [42.51.38.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275643; rev:1;) alert tcp $HOME_NET any -> [150.109.154.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275642; rev:1;) alert tcp $HOME_NET any -> [139.59.73.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275641; rev:1;) alert tcp $HOME_NET any -> 
[194.219.106.103] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275640; rev:1;) alert tcp $HOME_NET any -> [70.31.125.221] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275639; rev:1;) alert tcp $HOME_NET any -> [158.160.172.199] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275638; rev:1;) alert tcp $HOME_NET any -> [172.96.137.156] 21132 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275637; rev:1;) alert tcp $HOME_NET any -> [195.88.87.66] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275636; rev:1;) alert tcp $HOME_NET any -> [65.0.92.162] 1337 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275495/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275495; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line.
#
# ---- Payload-delivery cluster: 65.2.129.159 / ec2-65-2-129-159.ap-south-1.compute.amazonaws.com ----
# The rules up to sid 91275478 cover one delivery endpoint three ways: by IP:port
# (sid 91275493, the only one whose msg names a family, SpyNote), by DNS query name
# (sid 91275492), and by HTTP URL (one rule per APK path, written once against the
# bare IP and once against the EC2-style hostname as the Host value).
#
# How the HTTP rules match:
#   - flow:established,from_client  -> client-to-server data on an established flow only.
#   - http.method content "GET"     -> request method must contain GET.
#   - http.uri content + depth equal to the content length + nocase
#                                   -> the URI buffer must BEGIN with the path, case-insensitively;
#                                      nothing anchors the end, so a trailing query string still matches.
#   - http.host content + depth equal to its length + isdataat:!1,relative
#                                   -> the Host value must equal the string exactly (no data after it).
#
# How the DNS rules match: dns_query content with depth equal to its length plus
# isdataat:!1,relative is an exact, case-insensitive match on the queried name;
# a subdomain of the listed name does not match.
#
# How the ip:port rules match: the header alone does the work (no flow or content keyword),
# so any TCP packet from $HOME_NET to that address and port qualifies; the threshold caps
# output at one alert per source address per 60 seconds.
#
# target:src_ip on every rule marks the source (the $HOME_NET host) as the affected side.
#
# NOTE(review): http.uri is Suricata's normalized URI buffer, and percent-escapes such as %20
# are normally decoded there (the undecoded form is exposed as http.uri.raw). If that holds for
# this deployment, every content below that contains a literal "%20" will not match a real
# request and the URL rules for those paths are silent -- confirm with a test pcap. Candidate
# fixes, applied wherever the feed is post-processed: match on http.uri.raw instead, or write
# the space as |20| and lower depth by 2 per escape (the current depth values count the
# encoded form, e.g. 36 for "/assets/crx/xiaomi%20service_pmp.apk"). The two "/assets/t.apk"
# rules are not affected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_pmp.apk"; depth:36; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275492; rev:1;)
alert tcp $HOME_NET any -> [65.2.129.159] 80 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_dp.apk"; depth:35; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service.apk"; depth:32; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/t.apk"; depth:13; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20security.apk"; depth:34; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service%20ddp.apk"; depth:38; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/mui%20security_dropper.apk"; depth:41; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_pmp.apk"; depth:36; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/t.apk"; depth:13; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20_securitym.apk"; depth:36; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_dp.apk"; depth:35; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service%20ddp.apk"; depth:38; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service.apk"; depth:32; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20_securitym.apk"; depth:36; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/mui%20security_dropper.apk"; depth:41; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20security.apk"; depth:34; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275478; rev:1;)
# ip:port indicator: header-only match on destination address and port, rate-limited per source.
alert tcp $HOME_NET any -> [84.247.179.77] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275475; rev:1;)
# Domain indicators: exact, case-insensitive match on the DNS query name. The msg carries no
# family name; the reference URL is the place to look it up during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botuser0.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botusesr472.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275496; rev:1;)
# The rule header below continues on the following line.
alert tcp $HOME_NET any -> 
[209.25.143.181] 17370 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275497; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 14200 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0984236.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0984984.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"198.74.55.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275633/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_26; classtype:trojan-activity; sid:91275633; rev:1;) alert tcp $HOME_NET any -> [94.156.8.186] 37552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275632; rev:1;) alert tcp $HOME_NET any -> [45.142.36.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/i5y78cwpvberrzcqw9mlrb8t8wlu"; depth:33; nocase; http.host; content:"pt-security.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pt-security.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275630; rev:1;) alert tcp $HOME_NET any -> [91.92.252.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275627; rev:1;) 
# ---- ip:port indicators, all confidence_level 50 ----
# Each rule below matches on the header only: any TCP packet from $HOME_NET to the listed
# address and port. There is no flow, content or TLS keyword, so the rule cannot tell the
# family named in msg apart from other traffic to the same endpoint. On shared ports such
# as 80 and 443, and at this confidence level, treat a hit as a lead to corroborate
# (DNS, TLS and endpoint telemetry for the source host) rather than as a verdict.
#
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per source
# address per 60 seconds for each rule, so alert counts do not reflect connection counts.
# target:src_ip marks the source (the $HOME_NET host) as the affected side.
alert tcp $HOME_NET any -> [103.244.226.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275626; rev:1;)
alert tcp $HOME_NET any -> [27.0.235.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275625; rev:1;)
alert tcp $HOME_NET any -> [45.77.65.118] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275624; rev:1;)
alert tcp $HOME_NET any -> [39.40.148.170] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275623; rev:1;)
alert tcp $HOME_NET any -> [158.160.166.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275622; rev:1;)
# The rule below continues on the following line.
alert tcp $HOME_NET any -> [158.160.140.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275621/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275621; rev:1;) alert tcp $HOME_NET any -> [162.216.243.183] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275620; rev:1;) alert tcp $HOME_NET any -> [164.90.253.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275619; rev:1;) alert tcp $HOME_NET any -> [117.103.116.78] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275618; rev:1;) alert tcp $HOME_NET any -> [24.181.166.196] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"123.7.220.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275616; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"updates.sublimetext.workers.dev"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275614; rev:1;)
# Rule templates in this ThreatFox export, as visible in the rules below:
#  - "url" rules: client-to-server GET on an established flow. http.uri is matched as a
#    case-insensitive prefix (depth equals the pattern length and nothing asserts the end
#    of the buffer); http.host is matched exactly (depth plus isdataat:!1,relative).
#  - "domain" rules: exact, case-insensitive match on the DNS query name.
#  - "ip:port" rules: no flow or content keyword, so any TCP packet from $HOME_NET to the
#    listed address and port matches; threshold limits output to one alert per source
#    address per 60 seconds.
# target:src_ip marks the $HOME_NET host as the affected side of the alert. Each sid is the
# ThreatFox IOC id from the reference URL prefixed with 9.

# The host is one exact subdomain under workers.dev; the rule does not match sibling subdomains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.sublimetext.workers.dev"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275615; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 36946 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275474; rev:1;)

# Same address covered twice: by ip:port on 443 and by Host header plus URI prefix.
# NOTE(review): if the channel on 443 is TLS, the http rule only fires where traffic is
# decrypted, leaving the ip:port rule as the effective detection - confirm against the IOC entry.
alert tcp $HOME_NET any -> [81.4.109.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"81.4.109.230"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275472; rev:1;)
alert tcp $HOME_NET any -> [159.75.141.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275471; rev:1;)

# In the url rules below http.host is an IP literal, so they fire only when the Host header
# carries that bare address. The URI patterns look like ordinary web resource paths; the
# exact host match is what makes each rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"159.75.141.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"119.91.242.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"1.14.242.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275468; rev:1;)
alert tcp $HOME_NET any -> [119.91.242.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"119.45.21.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275466; rev:1;)
alert tcp $HOME_NET any -> [171.214.210.223] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275465; rev:1;)
alert tcp $HOME_NET any -> [45.76.153.153] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275464; rev:1;)

# catseven.top is covered at two layers: the HTTP request (Host plus URI prefix "/api/3")
# and the DNS lookup. One infected host can therefore raise both sids for one connection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"catseven.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catseven.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275463; rev:1;)
alert tcp $HOME_NET any -> [82.157.182.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"82.157.182.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.89.225.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.12.55.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ghs.lidajun.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275457; rev:1;)
# Reading guide for the rules below (ThreatFox export, three generated templates):
#  - "url" rules match a GET from $HOME_NET on an established flow, with http.uri as a
#    case-insensitive prefix (depth equals the pattern length) and http.host as an exact
#    match (depth plus isdataat:!1,relative).
#  - "domain" rules match the DNS query name exactly and case-insensitively.
#  - "ip:port" rules carry no flow or content keyword: any TCP packet from $HOME_NET to the
#    address and port matches, limited to one alert per source address per 60 seconds.
# Each sid is the ThreatFox IOC id from the reference URL prefixed with 9.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"ghs.lidajun.lol"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275456; rev:1;)

# Address covered by ip:port on 443 and by a url rule on the same host.
# NOTE(review): if the channel on 443 is TLS, the http rule needs decrypted traffic to fire.
alert tcp $HOME_NET any -> [103.253.43.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"103.253.43.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.106.154.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/get_page_config"; depth:24; nocase; http.host; content:"111.230.112.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275452; rev:1;)

# 39.100.117.165 is covered by three rules in this stretch: ip:port on 80, and url rules
# for the URI prefixes "/push" (here) and "/ca" (further down).
alert tcp $HOME_NET any -> [39.100.117.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.100.117.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275450; rev:1;)
alert tcp $HOME_NET any -> [106.53.76.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.53.76.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.78.217.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"47.242.0.17"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275446; rev:1;)
alert tcp $HOME_NET any -> [194.62.250.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275445; rev:1;)

# certificatecenter.info is covered by the DNS lookup and by the HTTP request (URI prefix "/image/").
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"certificatecenter.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"certificatecenter.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.100.117.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275442; rev:1;)
alert tcp $HOME_NET any -> [156.236.72.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"156.236.72.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275440; rev:1;)
alert tcp $HOME_NET any -> [193.112.148.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275439; rev:1;)

# The same URI prefix "/hp/api/v1/carousel" is listed for two different hosts below, so the
# path on its own is not a unique indicator; the exact host match carries the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"119.91.242.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"106.53.111.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"193.112.148.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275436; rev:1;)

# AMOS entries are ip:port only (port 80): they alert on any TCP packet to the address,
# with no HTTP content condition.
alert tcp $HOME_NET any -> [65.108.232.23] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275428; rev:1;)
alert tcp $HOME_NET any -> [5.182.86.95] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275435; rev:1;)
# Reading guide for the rules below (ThreatFox export, three generated templates):
#  - "url" rules match a GET from $HOME_NET on an established flow, with http.uri as a
#    case-insensitive prefix (depth equals the pattern length) and http.host as an exact
#    match (depth plus isdataat:!1,relative).
#  - "domain" rules match the DNS query name exactly and case-insensitively.
#  - "ip:port" rules carry no flow or content keyword: any TCP packet from $HOME_NET to the
#    address and port matches, limited to one alert per source address per 60 seconds.
# Each sid is the ThreatFox IOC id from the reference URL prefixed with 9.

# NOTE(review): sid 91275434 (here) and sid 91275417 (further down) have identical match
# conditions - GET, URI prefix "/ee", host baznas.dompetdhuaafa.biz.id - and differ only in
# IOC id and sid, so a single request raises two alerts. De-duplicate downstream or
# suppress one sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"baznas.dompetdhuaafa.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275434; rev:1;)

# The url rules below use an IP literal as the host and short URI prefixes that resemble
# ordinary web resource paths; they fire only when the Host header is that bare address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"194.59.30.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.51.45.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.15.247.249"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"121.36.81.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"129.211.215.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.98.251.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275423; rev:1;)
alert tcp $HOME_NET any -> [120.78.217.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275422; rev:1;)

# 185.52.1.169 is covered by a url rule and by ip:port on 443.
# NOTE(review): if the channel on 443 is TLS, the http rule needs decrypted traffic to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"185.52.1.169"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275420; rev:1;)
alert tcp $HOME_NET any -> [185.52.1.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275421; rev:1;)
alert tcp $HOME_NET any -> [159.223.86.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275419; rev:1;)

# DNS-layer coverage for the same domain as the two "/ee" url rules (sids 91275434, 91275417).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baznas.dompetdhuaafa.biz.id"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275418; rev:1;)
# Duplicate of sid 91275434 apart from the IOC id and sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"baznas.dompetdhuaafa.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"213.109.202.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275416; rev:1;)
alert tcp $HOME_NET any -> [111.223.247.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.222.129.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275413; rev:1;)
alert tcp $HOME_NET any -> [123.60.48.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"123.60.48.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaisa_image/"; depth:13; nocase; http.host; content:"123.60.104.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275410; rev:1;)

# From here the feed drops to confidence_level 75. The "Unknown malware" entries are ip:port
# only, mostly on 443 or 8443, so the address and port are the entire match condition.
# NOTE(review): weigh confidence_level and first_seen before using these for blocking.
alert tcp $HOME_NET any -> [93.123.39.12] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275348; rev:1;)
alert tcp $HOME_NET any -> [121.43.176.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275370; rev:1;)
alert tcp $HOME_NET any -> [178.128.92.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275371; rev:1;)
alert tcp $HOME_NET any -> [98.71.132.101] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275372; rev:1;)
alert tcp $HOME_NET any -> [18.176.67.169] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1275366/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275366; rev:1;)
# All rules below are ThreatFox "ip:port" entries labelled "Unknown malware" at
# confidence_level 75. They carry no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches; threshold limits output to one alert
# per source address per 60 seconds. target:src_ip marks the $HOME_NET host as the affected
# side. Each sid is the ThreatFox IOC id from the reference URL prefixed with 9.
# NOTE(review): the address is the only match condition and first_seen is 2024_05_25 on
# every entry. Check current ownership of an address before blocking on these rules, and
# corroborate alerts with host or proxy telemetry.
# NOTE(review): three pairs of addresses in this stretch are octet-reversed copies of each other:
#   91.107.207.2   (sid 91275368)  /  2.207.107.91   (sid 91275369)
#   35.226.15.73   (sid 91275358)  /  73.15.226.35   (sid 91275359)
#   35.222.211.147 (sid 91275349)  /  147.211.222.35 (sid 91275350)
# This looks like a byte-order artifact in the submitting source rather than six independent
# servers. Presumably one address in each pair is unrelated to the reported activity;
# verify against the ThreatFox entries before acting on either.
alert tcp $HOME_NET any -> [120.26.203.206] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275367/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275367; rev:1;)
# Octet-reversed pair (see note above): 91.107.207.2 / 2.207.107.91.
alert tcp $HOME_NET any -> [91.107.207.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275368; rev:1;)
alert tcp $HOME_NET any -> [2.207.107.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275369; rev:1;)
alert tcp $HOME_NET any -> [20.234.212.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275361; rev:1;)
alert tcp $HOME_NET any -> [89.44.199.196] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275362; rev:1;)
alert tcp $HOME_NET any -> [20.234.209.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275363; rev:1;)
alert tcp $HOME_NET any -> [52.73.128.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275364/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275364; rev:1;)
alert tcp $HOME_NET any -> [20.16.73.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275365; rev:1;)
alert tcp $HOME_NET any -> [172.187.154.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275356; rev:1;)
alert tcp $HOME_NET any -> [20.231.230.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275357; rev:1;)
# Octet-reversed pair (see note above): 35.226.15.73 / 73.15.226.35.
alert tcp $HOME_NET any -> [35.226.15.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275358/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275358; rev:1;)
alert tcp $HOME_NET any -> [73.15.226.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275359; rev:1;)
alert tcp $HOME_NET any -> [20.234.212.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275360; rev:1;)
alert tcp $HOME_NET any -> [34.219.143.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275351; rev:1;)
alert tcp $HOME_NET any -> [3.133.126.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275352; rev:1;)
alert tcp $HOME_NET any -> [52.32.75.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275353; rev:1;)
alert tcp $HOME_NET any -> [138.197.156.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275354; rev:1;)
alert tcp $HOME_NET any -> [143.198.116.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275355; rev:1;)
# Octet-reversed pair (see note above): 35.222.211.147 / 147.211.222.35.
alert tcp $HOME_NET any -> [35.222.211.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275349; rev:1;)
alert tcp $HOME_NET any -> [147.211.222.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275350; rev:1;)

# The entries below are on port 80. With no HTTP condition they alert on the TCP connection
# itself, whatever host name or path is requested.
alert tcp $HOME_NET any -> [217.12.200.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275347; rev:1;)
alert tcp $HOME_NET any -> [158.160.71.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275337/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275337; rev:1;)
alert tcp $HOME_NET any -> [159.223.0.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275338/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275338; rev:1;)
alert tcp $HOME_NET any -> [161.35.207.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275339/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275339; rev:1;)
alert tcp $HOME_NET any -> [172.174.105.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275340; rev:1;)
alert tcp $HOME_NET any -> [172.201.107.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275341; rev:1;)
alert tcp $HOME_NET any -> [185.16.43.59] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275342; rev:1;)
alert tcp $HOME_NET any -> [185.158.94.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275343/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275343; rev:1;) alert tcp $HOME_NET any -> [185.178.46.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275344; rev:1;) alert tcp $HOME_NET any -> [201.243.95.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275345; rev:1;) alert tcp $HOME_NET any -> [210.215.129.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275346; rev:1;) alert tcp $HOME_NET any -> [122.114.252.179] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275324/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275324; rev:1;) alert tcp $HOME_NET any -> [128.199.59.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275325/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275325; rev:1;) alert tcp 
$HOME_NET any -> [129.226.154.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275326/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275326; rev:1;) alert tcp $HOME_NET any -> [134.209.171.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275327/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275327; rev:1;) alert tcp $HOME_NET any -> [135.181.205.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275328; rev:1;) alert tcp $HOME_NET any -> [137.184.39.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275329/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275329; rev:1;) alert tcp $HOME_NET any -> [138.197.66.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275330/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275330; rev:1;) alert tcp $HOME_NET any -> [142.93.74.10] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275331; rev:1;) alert tcp $HOME_NET any -> [143.198.233.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275332; rev:1;) alert tcp $HOME_NET any -> [146.148.110.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275333; rev:1;) alert tcp $HOME_NET any -> [147.45.150.204] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275334; rev:1;) alert tcp $HOME_NET any -> [149.104.26.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275335/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275335; rev:1;) alert tcp $HOME_NET any -> [152.42.162.105] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275336/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275336; rev:1;) alert tcp $HOME_NET any -> [47.242.227.140] 80 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275306/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275306; rev:1;) alert tcp $HOME_NET any -> [51.250.108.206] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275307; rev:1;) alert tcp $HOME_NET any -> [52.14.189.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275308; rev:1;) alert tcp $HOME_NET any -> [54.74.198.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275309/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275309; rev:1;) alert tcp $HOME_NET any -> [54.183.137.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275310/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275310; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275311/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275311; rev:1;) alert tcp $HOME_NET any -> [64.23.149.255] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275312; rev:1;) alert tcp $HOME_NET any -> [65.20.72.205] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275313; rev:1;) alert tcp $HOME_NET any -> [68.183.69.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275314; rev:1;) alert tcp $HOME_NET any -> [94.131.8.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275315; rev:1;) alert tcp $HOME_NET any -> [95.217.6.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275316; rev:1;) alert tcp $HOME_NET any -> [107.172.159.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275317/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275317; rev:1;) alert tcp $HOME_NET any -> [118.31.164.200] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275318/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275318; rev:1;) alert tcp $HOME_NET any -> [120.27.139.123] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275319/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275319; rev:1;) alert tcp $HOME_NET any -> [121.40.157.89] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275320/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275320; rev:1;) alert tcp $HOME_NET any -> [121.43.166.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275321; rev:1;) alert tcp $HOME_NET any -> [121.127.33.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275322; rev:1;) 
# ThreatFox ip:port indicators, "Unknown malware" label, confidence_level 75,
# destination port 80, first_seen 2024_05_25.
# These rules carry no flow, content or app-layer keyword: destination address and
# port are the whole match, so they say that a host talked to (or tried to reach)
# the endpoint, not what was sent. threshold limits output to one alert per source
# host, per rule, per 60 seconds; target:src_ip records the $HOME_NET host as the
# affected side of the event.
# Triage: corroborate with HTTP proxy or endpoint telemetry before containment. An
# address on port 80 can be reassigned or serve unrelated content, and first_seen
# is the only age signal the rule carries.
alert tcp $HOME_NET any -> [121.199.0.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275323/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275323; rev:1;)
alert tcp $HOME_NET any -> [20.186.89.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275288; rev:1;)
alert tcp $HOME_NET any -> [20.229.189.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275289/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275289; rev:1;)
alert tcp $HOME_NET any -> [34.16.7.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275290/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275290; rev:1;)
alert tcp $HOME_NET any -> [34.31.178.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275291/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275291; rev:1;)
alert tcp $HOME_NET any -> [34.171.128.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275292; rev:1;)
alert tcp $HOME_NET any -> [35.153.232.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275293; rev:1;)
alert tcp $HOME_NET any -> [35.163.149.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275294; rev:1;)
alert tcp $HOME_NET any -> [35.177.104.235] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275295/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275295; rev:1;)
alert tcp $HOME_NET any -> [35.239.106.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275296/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275296; rev:1;)
alert tcp $HOME_NET any -> [37.187.118.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275297/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275297; rev:1;)
alert tcp $HOME_NET any -> [44.224.147.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275298/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275298; rev:1;)
alert tcp $HOME_NET any -> [45.133.238.221] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275299/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275299; rev:1;)
alert tcp $HOME_NET any -> [47.74.90.4] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275300; rev:1;)
alert tcp $HOME_NET any -> [47.76.61.241] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275301/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275301; rev:1;)
alert tcp $HOME_NET any -> [47.96.141.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275302; rev:1;)
alert tcp $HOME_NET any -> [47.96.141.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275303; rev:1;)
alert tcp $HOME_NET any -> [47.96.254.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275304/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275304; rev:1;)
alert tcp $HOME_NET any -> [47.99.102.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275305/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275305; rev:1;)
alert tcp $HOME_NET any -> [3.16.25.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275279; rev:1;)
alert tcp $HOME_NET any -> [3.23.94.235] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275280; rev:1;)
alert tcp $HOME_NET any -> [3.82.197.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275281; rev:1;)
alert tcp $HOME_NET any -> [3.144.95.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275282; rev:1;)
alert tcp $HOME_NET any -> [5.255.116.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275283; rev:1;)
alert tcp $HOME_NET any -> [13.40.187.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275284; rev:1;)
alert tcp $HOME_NET any -> [13.50.224.236] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275285; rev:1;)
alert tcp $HOME_NET any -> [13.58.109.128] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275286; rev:1;)
alert tcp $HOME_NET any -> [13.238.128.178] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275287; rev:1;)
# Same "Unknown malware" ip:port shape, but confidence_level 50 and with ports 80,
# 8888 and 2095. The match is still address and port only; the lower confidence is
# recorded in msg and metadata but does not change how the rule fires, so any
# severity or routing difference has to be applied downstream on confidence_level.
alert tcp $HOME_NET any -> [178.128.208.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275278; rev:1;)
alert tcp $HOME_NET any -> [165.22.217.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275277/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275277; rev:1;)
alert tcp $HOME_NET any -> [206.189.140.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275276/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275276; rev:1;)
alert tcp $HOME_NET any -> [18.208.232.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275275/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275275; rev:1;)
alert tcp $HOME_NET any -> [134.122.204.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275274/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275274; rev:1;)
alert tcp $HOME_NET any -> [34.146.210.0] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275273; rev:1;)
# Havoc ip:port indicators, confidence_level 50. The family name appears only in
# msg; nothing in the rule inspects the protocol, so the alert alone does not
# confirm Havoc traffic.
alert tcp $HOME_NET any -> [89.117.1.117] 14431 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275272; rev:1;)
alert tcp $HOME_NET any -> [3.145.14.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275271; rev:1;)
alert tcp $HOME_NET any -> [200.234.232.64] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275270; rev:1;)
# NjRAT, confidence_level 75: one address listed on two ports (2054 and 5060), each
# with its own sid and its own per-source threshold.
alert tcp $HOME_NET any -> [192.169.69.25] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275269; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 5060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"liviste8888.softether.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sight.geoportal.co.id"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bitdefenderupdate.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smlivin.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275250; rev:1;) alert tcp $HOME_NET any -> [184.105.237.195] 10008 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tiktokshoppro.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1275253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275253; rev:1;)
# Layout: one rule per line, which is how Suricata reads a rule file.
# Three rule shapes appear below:
#   url     - alert http: a client GET whose http.uri begins with the listed path (depth equals the
#             path length, nocase; the end of the URI is not anchored, so longer URIs sharing the
#             prefix also match) and whose http.host equals the listed value exactly (depth equals
#             its length, and isdataat:!1,relative requires that nothing follows).
#   domain  - alert dns: dns_query equals the listed name, case-insensitively (depth equals the name
#             length, plus isdataat:!1,relative). The match is on that one full hostname, not on
#             its parent zone.
#   ip:port - alert tcp: no payload or flow keyword, so any TCP packet from $HOME_NET to the listed
#             address and port matches; threshold limits output to one alert per source address
#             per 60 seconds.
# target:src_ip marks the $HOME_NET side as the target in the generated event.
# confidence_level and first_seen are feed values carried in metadata; they do not affect matching.
# NOTE(review): an ip:port hit shows only that a host contacted the address. Compare first_seen with
# the current date and open the ThreatFox reference before acting, especially on 50% entries.

# url indicator (payload delivery): GET to host andylaub.com, URI beginning /manual.php.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"andylaub.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275255; rev:1;)
# domain indicator, rated 50 by the feed: exact query for this single hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vpn340948845.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275256; rev:1;)
# ip:port indicators (NjRAT, Ghost RAT, RedLine Stealer, NjRAT).
alert tcp $HOME_NET any -> [41.142.211.38] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275265; rev:1;)
alert tcp $HOME_NET any -> [154.12.93.14] 13855 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275267; rev:1;)
alert tcp $HOME_NET any -> [65.21.63.6] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275266; rev:1;)
alert tcp $HOME_NET any -> [160.177.77.232] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275264; rev:1;)
# url indicator with an IP literal as the Host value: URI beginning /pixel.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.242.238.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275263; rev:1;)
# The next two rules name the same address (47.99.151.161): the ip:port rule matches any TCP packet
# to port 80, the url rule matches GET /push... with that Host value, so one HTTP request to that
# address on port 80 can raise both sids.
alert tcp $HOME_NET any -> [47.99.151.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.99.151.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275261; rev:1;)
# url indicator: URI beginning /push on a second host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.100.244.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275260; rev:1;)
# ip:port indicator (AsyncRAT).
alert tcp $HOME_NET any -> [191.88.248.178] 3008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275259; rev:1;)
# Same pairing as above for 74.48.9.144: ip:port rule on port 80 plus url rule for GET /load...
alert tcp $HOME_NET any -> [74.48.9.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"74.48.9.144"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275257; rev:1;)
# ip:port indicators (AsyncRAT, then the first of a run of Sliver entries rated 50 by the feed).
alert tcp $HOME_NET any -> [20.117.108.240] 7825 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275254; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274957; rev:1;)
alert tcp $HOME_NET
any -> [159.65.210.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274958; rev:1;)
# Sliver ip:port indicators, one rule per line. Every entry in this run is TCP port 31337,
# confidence_level 50, first_seen 2024_05_24.
# Matching: the rules carry no payload or flow keyword, so any TCP packet from $HOME_NET to the
# listed address on 31337 matches. threshold (type limit, track by_src, seconds 60, count 1)
# caps output at one alert per source address per 60 seconds. target:src_ip marks the
# $HOME_NET host as the target in the generated event.
# NOTE(review): 31337 is Sliver's default multiplayer (operator) listener port, so these entries
# presumably come from internet-wide scanning rather than from observed implant traffic. Confirm
# on the ThreatFox reference. Treat a hit as a lead to corroborate (process, DNS, TLS metadata),
# not as proof of infection, and check first_seen before relying on an address still being hostile.
alert tcp $HOME_NET any -> [178.62.57.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274959; rev:1;)
alert tcp $HOME_NET any -> [185.244.181.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274961; rev:1;)
alert tcp $HOME_NET any -> [18.119.104.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274960; rev:1;)
alert tcp $HOME_NET any -> [138.68.81.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274962; rev:1;)
alert tcp $HOME_NET any -> [138.197.113.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274963; rev:1;)
alert tcp $HOME_NET any -> [93.95.231.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274964; rev:1;)
alert tcp $HOME_NET any -> [176.36.20.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274965; rev:1;)
alert tcp $HOME_NET any -> [159.203.173.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274966; rev:1;)
alert tcp $HOME_NET any -> [178.170.13.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274968; rev:1;)
alert tcp $HOME_NET any -> [167.172.27.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274967; rev:1;)
alert tcp $HOME_NET any -> [45.120.178.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274969; rev:1;)
alert tcp $HOME_NET any -> [144.91.123.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274970; rev:1;)
alert tcp $HOME_NET any -> [178.62.203.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274971; rev:1;)
alert tcp $HOME_NET any -> [146.190.20.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274972; rev:1;)
alert tcp $HOME_NET any -> [35.189.178.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274973; rev:1;)
alert tcp $HOME_NET any -> [159.100.22.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274974; rev:1;)
alert tcp $HOME_NET any -> [42.96.32.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274976; rev:1;)
alert tcp $HOME_NET any -> [130.215.28.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274975; rev:1;)
alert tcp $HOME_NET any -> [201.87.237.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274977; rev:1;)
alert tcp $HOME_NET any -> [104.194.79.234] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274978; rev:1;)
alert tcp $HOME_NET any -> [191.233.248.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274979; rev:1;)
alert tcp $HOME_NET any -> [191.233.254.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274980; rev:1;)
alert tcp $HOME_NET any -> [178.128.39.255] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274982; rev:1;)
alert tcp $HOME_NET any -> [120.46.91.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274981; rev:1;)
alert tcp $HOME_NET any -> [134.122.51.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274983; rev:1;)
alert tcp $HOME_NET any -> [85.203.42.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274984; rev:1;)
# NjRAT ip:port indicator, rated 75 by the feed; same address-and-port-only matching as above.
alert tcp $HOME_NET any -> [147.185.221.17] 41021 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274985; rev:1;)
# Domain indicator: dns_query content anchored at offset 0 by depth:30 (the name's length).
# The remaining options of this rule are on the following line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"every-unnecessary.gl.at.ply.gg"; depth:30;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274986; rev:1;)
# Layout: one rule per line, which is how Suricata reads a rule file.
# Rule shapes used below:
#   ip:port - alert tcp with no payload or flow keyword: any TCP packet from $HOME_NET to the listed
#             address and port matches; threshold caps output at one alert per source per 60 s.
#   domain  - alert dns: dns_query equals the listed name (depth equals the name length, plus
#             isdataat:!1,relative, nocase). Only that full hostname matches, not its parent zone.
#   url     - alert http: client GET, http.uri begins with the listed path (depth equals the path
#             length, nocase, end not anchored), http.host equals the listed value exactly.
# target:src_ip marks the $HOME_NET host as the target in the generated event.
# NOTE(review): for the entries on port 443 and port 80 the rule sees only address and port.
# Rules rated 50 by the feed are leads to corroborate; check first_seen and the ThreatFox
# reference before acting on a hit.

# ip:port indicator (STRRAT).
alert tcp $HOME_NET any -> [38.62.245.19] 4747 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274992; rev:1;)
# domain indicator: exact query for this single hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manymen7.ydns.eu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274993; rev:1;)
# ip:port indicators (Mirai, FAKEUPDATES, two "Unknown malware" entries).
alert tcp $HOME_NET any -> [91.92.252.201] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91275234; rev:1;)
alert tcp $HOME_NET any -> [23.95.182.29] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275246; rev:1;)
alert tcp $HOME_NET any -> [147.45.69.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275245; rev:1;)
alert tcp $HOME_NET any -> [106.75.75.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275244; rev:1;)
# ip:port indicators (Havoc), all rated 50 by the feed.
alert tcp $HOME_NET any -> [128.199.184.87] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275243; rev:1;)
alert tcp $HOME_NET any -> [52.200.215.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275242; rev:1;)
alert tcp $HOME_NET any -> [3.99.177.194] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275241; rev:1;)
alert tcp $HOME_NET any -> [78.41.139.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275240; rev:1;)
alert tcp $HOME_NET any -> [176.107.154.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275239; rev:1;)
alert tcp $HOME_NET any -> [147.135.92.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275238; rev:1;)
# ip:port indicator (Deimos).
alert tcp $HOME_NET any -> [39.185.245.209] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275237; rev:1;)
# ip:port indicators (Sliver): the same address, 106.52.75.125, on two ports (30001 and 8888).
alert tcp $HOME_NET any -> [106.52.75.125] 30001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275236; rev:1;)
alert tcp $HOME_NET any -> [106.52.75.125] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275235; rev:1;)
# url indicator: URI beginning /g.pixel, Host exactly 39.101.130.1.
# NOTE(review): the next ip:port rule names 39.101.130.53, a different address. Because the Host
# match is exact, the url rule does not fire for 39.101.130.53. Confirm on the two ThreatFox
# entries that both values are as reported.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.101.130.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274990; rev:1;)
alert tcp $HOME_NET any -> [39.101.130.53] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274991; rev:1;)
# url indicators: URI prefixes /api/getit and /owa/ on IP-literal hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"43.136.176.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"117.50.178.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274988; rev:1;)
# url indicator with a long path: depth:210 requires the whole listed path to sit at the start of
# the URI buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serverwordpress/protonphpprovider9/baselinecentraltrack/tempexternalbetter/1to/traffic/packetpipeuploads/externalgenerator4javascript/9auth1db/sqllinuxasync3/pipephpjscpuauthbigloadtrafficwordpresswppublic.php"; depth:210; nocase; http.host; content:"89.111.173.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274987; rev:1;)
# ip:port indicator (Sliver); the rest of this rule is on the following line.
alert tcp $HOME_NET any -> [174.138.179.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level:
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274954; rev:1;)
# Sliver ip:port indicators, one rule per line; all are TCP port 31337, confidence_level 50,
# first_seen 2024_05_24.
# Each rule matches any TCP packet from $HOME_NET to the listed address and port (there is no
# payload or flow keyword). threshold limits output to one alert per source address per 60
# seconds, and target:src_ip marks the $HOME_NET host as the target in the event.
# NOTE(review): several entries sit in one /24 (38.207.149.93 to .97). If that range is confirmed
# hostile on the ThreatFox references, an address-group variable maintained locally is easier to
# age out than individual rules. Treat hits on these 50% entries as leads and corroborate them
# with host evidence.
alert tcp $HOME_NET any -> [8.222.228.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274955; rev:1;)
alert tcp $HOME_NET any -> [8.222.253.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274956; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.243] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274947; rev:1;)
alert tcp $HOME_NET any -> [192.253.234.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274948; rev:1;)
alert tcp $HOME_NET any -> [161.35.135.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274949; rev:1;)
alert tcp $HOME_NET any -> [167.71.205.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274950; rev:1;)
alert tcp $HOME_NET any -> [107.148.77.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274951; rev:1;)
alert tcp $HOME_NET any -> [146.70.54.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274952; rev:1;)
alert tcp $HOME_NET any -> [35.91.159.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274953; rev:1;)
alert tcp $HOME_NET any -> [37.220.86.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274939; rev:1;)
alert tcp $HOME_NET any -> [82.147.84.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274940; rev:1;)
alert tcp $HOME_NET any -> [45.79.139.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274941; rev:1;)
alert tcp $HOME_NET any -> [185.142.184.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274942; rev:1;)
alert tcp $HOME_NET any -> [95.164.18.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274943; rev:1;)
alert tcp $HOME_NET any -> [8.213.220.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274944; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274945; rev:1;)
alert tcp $HOME_NET any -> [206.119.167.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274946; rev:1;)
alert tcp $HOME_NET any -> [64.23.213.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274931; rev:1;)
alert tcp $HOME_NET any -> [168.100.11.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274932; rev:1;)
alert tcp $HOME_NET any -> [38.207.149.95] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274933; rev:1;)
alert tcp $HOME_NET any -> [38.207.149.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274934; rev:1;)
alert tcp $HOME_NET any -> [38.207.149.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274935; rev:1;)
alert tcp $HOME_NET any -> [94.158.247.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274936; rev:1;)
alert tcp $HOME_NET any -> [38.207.149.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274937; rev:1;)
alert tcp $HOME_NET any -> [38.207.149.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274938; rev:1;)
alert tcp $HOME_NET any -> [185.216.68.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274924; rev:1;)
alert tcp $HOME_NET any -> [139.162.73.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274925; rev:1;)
# The rest of this rule is on the following line.
alert tcp $HOME_NET any -> [47.242.116.142] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274926/; target:src_ip; metadata: confidence_level 50, first_seen
2024_05_24; classtype:trojan-activity; sid:91274926; rev:1;)
# Sliver ip:port indicators, one rule per line; all are TCP port 31337, rated 50 by the feed
# (confidence_level 50), first_seen 2024_05_24.
# These are address-and-port matches only: with no payload or flow keyword, any TCP packet from
# $HOME_NET to the listed endpoint matches. threshold (type limit, track by_src, seconds 60,
# count 1) keeps it to one alert per source address per 60 seconds. target:src_ip marks the
# $HOME_NET host as the target in the event.
# NOTE(review): the feed's 50% rating and the age implied by first_seen both argue for treating a
# hit as a starting point for investigation. Confirm against the ThreatFox reference in each rule
# before blocking or escalating.
alert tcp $HOME_NET any -> [5.161.212.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274927; rev:1;)
alert tcp $HOME_NET any -> [150.109.254.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274928; rev:1;)
alert tcp $HOME_NET any -> [78.47.126.26] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274929; rev:1;)
alert tcp $HOME_NET any -> [134.209.173.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274930; rev:1;)
alert tcp $HOME_NET any -> [107.148.37.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274917; rev:1;)
alert tcp $HOME_NET any -> [191.233.253.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274918; rev:1;)
alert tcp $HOME_NET any -> [202.129.16.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274919; rev:1;)
alert tcp $HOME_NET any -> [213.148.1.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274920; rev:1;)
alert tcp $HOME_NET any -> [45.9.148.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274921; rev:1;)
alert tcp $HOME_NET any -> [34.23.66.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274922; rev:1;)
alert tcp $HOME_NET any -> [135.181.205.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274923; rev:1;)
alert tcp $HOME_NET any -> [23.236.66.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274908; rev:1;)
alert tcp $HOME_NET any -> [89.221.225.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274909; rev:1;)
alert tcp $HOME_NET any -> [149.104.1.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274910; rev:1;)
alert tcp $HOME_NET any -> [94.198.54.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274911; rev:1;)
alert tcp $HOME_NET any -> [51.159.234.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274912; rev:1;)
alert tcp $HOME_NET any -> [191.233.249.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274913; rev:1;)
alert tcp $HOME_NET any -> [162.120.71.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274914; rev:1;)
alert tcp $HOME_NET any -> [34.16.110.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274915; rev:1;)
alert tcp $HOME_NET any -> [143.47.225.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274916; rev:1;)
alert tcp $HOME_NET any -> [138.128.247.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274901; rev:1;)
alert tcp $HOME_NET any -> [185.113.8.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274902; rev:1;)
alert tcp $HOME_NET any -> [54.179.178.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1274903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274903; rev:1;) alert tcp $HOME_NET any -> [5.199.161.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274904; rev:1;) alert tcp $HOME_NET any -> [158.220.115.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274905; rev:1;) alert tcp $HOME_NET any -> [174.138.179.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274906; rev:1;) alert tcp $HOME_NET any -> [87.248.156.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274907; rev:1;) alert tcp $HOME_NET any -> [207.148.81.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274894; rev:1;) alert tcp $HOME_NET any -> [185.186.245.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274895; rev:1;) alert tcp $HOME_NET any -> [34.93.210.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274896; rev:1;) alert tcp $HOME_NET any -> [5.252.179.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274897; rev:1;) alert tcp $HOME_NET any -> [16.163.146.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274898; rev:1;) alert tcp $HOME_NET any -> [81.17.103.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274899; rev:1;) alert tcp $HOME_NET any -> [57.128.87.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91274900; rev:1;) alert tcp $HOME_NET any -> [217.195.153.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274887; rev:1;) alert tcp $HOME_NET any -> [194.87.252.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274888; rev:1;) alert tcp $HOME_NET any -> [151.236.27.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274889; rev:1;) alert tcp $HOME_NET any -> [121.36.36.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274890; rev:1;) alert tcp $HOME_NET any -> [192.177.98.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274891; rev:1;) alert tcp $HOME_NET any -> [46.226.167.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274892; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274893; rev:1;) alert tcp $HOME_NET any -> [188.120.248.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274881; rev:1;) alert tcp $HOME_NET any -> [162.19.64.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274882; rev:1;) alert tcp $HOME_NET any -> [172.245.19.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274883/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274883; rev:1;) alert tcp $HOME_NET any -> [45.11.181.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274884/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274884; rev:1;) alert tcp $HOME_NET any -> [45.154.12.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274885; rev:1;) alert tcp $HOME_NET any -> [157.245.12.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274886; rev:1;) alert tcp $HOME_NET any -> [136.144.162.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274880; rev:1;) alert tcp $HOME_NET any -> [178.128.94.42] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274875; rev:1;) alert tcp $HOME_NET any -> [54.169.221.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274876; rev:1;) alert tcp $HOME_NET any -> [104.128.88.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91274877; rev:1;) alert tcp $HOME_NET any -> [45.140.143.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274878; rev:1;) alert tcp $HOME_NET any -> [80.251.217.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274879; rev:1;) alert tcp $HOME_NET any -> [172.245.159.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274868; rev:1;) alert tcp $HOME_NET any -> [8.219.57.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274869; rev:1;) alert tcp $HOME_NET any -> [207.180.253.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274870; rev:1;) alert tcp $HOME_NET any -> [81.200.148.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274871; rev:1;) alert tcp $HOME_NET any -> [54.169.178.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274872; rev:1;) alert tcp $HOME_NET any -> [134.122.35.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274873; rev:1;) alert tcp $HOME_NET any -> [150.158.9.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274874; rev:1;) alert tcp $HOME_NET any -> [45.145.228.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274862; rev:1;) alert tcp $HOME_NET any -> [115.159.152.161] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274863; rev:1;) alert tcp $HOME_NET any -> [103.207.68.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274864; rev:1;) alert tcp $HOME_NET any -> [20.255.58.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274865; rev:1;) alert tcp $HOME_NET any -> [51.250.1.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274866; rev:1;) alert tcp $HOME_NET any -> [68.84.193.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274867; rev:1;) alert tcp $HOME_NET any -> [185.150.162.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274856; rev:1;) alert tcp $HOME_NET any -> [188.166.9.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274857; 
rev:1;) alert tcp $HOME_NET any -> [94.23.84.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274858; rev:1;) alert tcp $HOME_NET any -> [103.56.16.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274859; rev:1;) alert tcp $HOME_NET any -> [172.233.90.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274860; rev:1;) alert tcp $HOME_NET any -> [43.138.184.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274861; rev:1;) alert tcp $HOME_NET any -> [213.139.205.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274850; rev:1;) alert tcp $HOME_NET any -> [185.174.101.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274851/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274851; rev:1;) alert tcp $HOME_NET any -> [158.220.106.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274852; rev:1;) alert tcp $HOME_NET any -> [3.25.174.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274853; rev:1;) alert tcp $HOME_NET any -> [170.64.249.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274854; rev:1;) alert tcp $HOME_NET any -> [34.232.187.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274855; rev:1;) alert tcp $HOME_NET any -> [45.115.236.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274843; rev:1;) alert tcp $HOME_NET any -> [193.46.243.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274844; rev:1;) alert tcp $HOME_NET any -> [163.172.188.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274845; rev:1;) alert tcp $HOME_NET any -> [185.246.118.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274846/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274846; rev:1;) alert tcp $HOME_NET any -> [79.174.93.85] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274847; rev:1;) alert tcp $HOME_NET any -> [156.224.26.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274848; rev:1;) alert tcp $HOME_NET any -> [194.15.216.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274849; rev:1;) alert tcp $HOME_NET 
any -> [138.197.32.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274834; rev:1;) alert tcp $HOME_NET any -> [47.128.239.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274835; rev:1;) alert tcp $HOME_NET any -> [137.184.178.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274836; rev:1;) alert tcp $HOME_NET any -> [107.172.44.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274837; rev:1;) alert tcp $HOME_NET any -> [13.229.232.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274838; rev:1;) alert tcp $HOME_NET any -> [16.163.53.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274839/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274839; rev:1;) alert tcp $HOME_NET any -> [107.173.87.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274840; rev:1;) alert tcp $HOME_NET any -> [43.134.204.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274841; rev:1;) alert tcp $HOME_NET any -> [8.208.15.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274842; rev:1;) alert tcp $HOME_NET any -> [185.112.144.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274827; rev:1;) alert tcp $HOME_NET any -> [194.87.146.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274828; rev:1;) alert tcp $HOME_NET any -> [89.23.117.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274829; rev:1;)
# ThreatFox ip:port indicators tagged "Sliver" (confidence_level 50, first_seen 2024_05_24).
# Each rule below is header-only: it matches TCP traffic from $HOME_NET to one listed address
# on port 31337 and carries no flow or payload condition, so a bare connection attempt is
# enough to raise it. Read a hit as "an internal host contacted a listed address", not as a
# confirmed Sliver session, and corroborate with flow or endpoint data.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source address per 60 seconds for each rule; target:src_ip records the internal source
# host as the target side of the alert.
# NOTE(review): 31337 looks like the default port of Sliver's multiplayer (operator) listener,
# which would mean these addresses were found by fingerprinting servers and that implant
# traffic may use other ports - confirm against the referenced ThreatFox entries.
alert tcp $HOME_NET any -> [139.84.155.5] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274830; rev:1;)
alert tcp $HOME_NET any -> [3.75.210.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274831; rev:1;)
alert tcp $HOME_NET any -> [94.158.247.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274832; rev:1;)
alert tcp $HOME_NET any -> [192.210.203.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274833; rev:1;)
alert tcp $HOME_NET any -> [62.171.158.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274821; rev:1;)
alert tcp $HOME_NET any -> [45.32.124.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274822; rev:1;)
alert tcp $HOME_NET any -> [23.159.160.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274823; rev:1;)
alert tcp $HOME_NET any -> [74.48.139.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274824; rev:1;)
alert tcp $HOME_NET any -> [143.244.181.177] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274825/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274825; rev:1;)
alert tcp $HOME_NET any -> [45.77.6.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274826; rev:1;)
alert tcp $HOME_NET any -> [179.43.172.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274814; rev:1;)
alert tcp $HOME_NET any -> [159.65.137.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274815; rev:1;)
alert tcp $HOME_NET any -> [89.147.111.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274816; rev:1;)
alert tcp $HOME_NET any -> [156.245.19.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274817; rev:1;)
alert tcp $HOME_NET any -> [154.3.2.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274818; rev:1;)
alert tcp $HOME_NET any -> [64.225.60.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274819; rev:1;)
alert tcp $HOME_NET any -> [84.252.94.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274820; rev:1;)
alert tcp $HOME_NET any -> [52.226.161.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274809; rev:1;)
alert tcp $HOME_NET any -> [80.87.206.160] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274810; rev:1;)
alert tcp $HOME_NET any -> [134.209.170.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274811; rev:1;)
alert tcp $HOME_NET any -> [143.110.237.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274812; rev:1;)
alert tcp $HOME_NET any -> [45.33.103.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274813; rev:1;)
alert tcp $HOME_NET any -> [165.232.86.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274805; rev:1;)
alert tcp $HOME_NET any -> [142.93.71.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274806; rev:1;)
alert tcp $HOME_NET any -> [185.104.112.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274807; rev:1;)
alert tcp $HOME_NET any -> [43.129.31.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274808; rev:1;)
alert tcp $HOME_NET any -> [185.239.226.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274798; rev:1;)
alert tcp $HOME_NET any -> [206.188.197.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24;
classtype:trojan-activity; sid:91274799; rev:1;)
# Sliver-tagged ip:port indicators from ThreatFox, all at confidence_level 50 and
# first_seen 2024_05_24. The only match conditions are the destination address and TCP
# port 31337; nothing in these rules inspects the session content.
# Triage: an address can change hands after first_seen, and confidence 50 is the feed's own
# middle score, so open the reference URL for the indicator before blocking or escalating.
# In every rule here the sid is the ThreatFox ioc id with a leading 9, which gives a direct
# pivot from an alert to its ThreatFox entry.
# Alert volume is limited to one per source address per 60 seconds per rule (threshold).
alert tcp $HOME_NET any -> [23.95.61.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274800; rev:1;)
alert tcp $HOME_NET any -> [8.130.67.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274801; rev:1;)
alert tcp $HOME_NET any -> [151.80.119.224] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274802; rev:1;)
alert tcp $HOME_NET any -> [46.226.105.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274803; rev:1;)
alert tcp $HOME_NET any -> [174.138.79.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274804; rev:1;)
alert tcp $HOME_NET any -> [85.215.44.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274791; rev:1;)
alert tcp $HOME_NET any -> [45.55.51.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274792; rev:1;)
alert tcp $HOME_NET any -> [54.204.118.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274793; rev:1;)
alert tcp $HOME_NET any -> [52.139.156.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274794; rev:1;)
alert tcp $HOME_NET any -> [103.207.68.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274795; rev:1;)
alert tcp $HOME_NET any -> [172.235.10.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274796; rev:1;)
alert tcp $HOME_NET any -> [18.216.41.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274797; rev:1;)
alert tcp $HOME_NET any -> [185.29.8.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274786; rev:1;)
alert tcp $HOME_NET any -> [66.151.41.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274787; rev:1;)
alert tcp $HOME_NET any -> [137.184.126.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274788; rev:1;)
alert tcp $HOME_NET any -> [113.31.106.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274789; rev:1;)
alert tcp $HOME_NET any -> [139.59.236.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274790; rev:1;)
alert tcp $HOME_NET any -> [172.245.246.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274779; rev:1;)
alert tcp $HOME_NET any -> [64.23.139.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274780; rev:1;)
alert tcp $HOME_NET any -> [154.12.87.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274781; rev:1;)
alert tcp $HOME_NET any -> [138.68.173.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274782; rev:1;)
alert tcp $HOME_NET any -> [194.87.252.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274783; rev:1;)
alert tcp $HOME_NET any -> [8.222.176.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274784; rev:1;)
alert tcp $HOME_NET any -> [209.38.200.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274785; rev:1;)
alert tcp $HOME_NET any -> [54.167.175.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274773; rev:1;)
alert tcp $HOME_NET any -> [170.64.249.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274774; rev:1;)
alert tcp $HOME_NET any -> [66.78.40.182] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274775; rev:1;)
alert tcp $HOME_NET any -> [185.247.224.163] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274776; rev:1;)
alert tcp $HOME_NET any -> [3.224.74.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274777/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274777; rev:1;)
# Continuation of the ThreatFox "Sliver" ip:port set (confidence_level 50, first_seen
# 2024_05_24). Each rule matches outbound TCP from $HOME_NET to one address on port 31337.
# With no flow keyword and no content match, the alert shows only that a packet was sent
# toward the address; it does not show that a connection was established or what it carried.
# Output is limited to one alert per source address per 60 seconds for each rule, so use
# flow records, not alert counts, to judge how often a host talked to the address.
# NOTE(review): 31337 appears to be Sliver's default multiplayer (operator) port rather than
# an implant callback port - confirm, and do not rely on this port alone for Sliver coverage.
alert tcp $HOME_NET any -> [185.177.59.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274778/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274778; rev:1;)
alert tcp $HOME_NET any -> [147.45.136.226] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274768; rev:1;)
alert tcp $HOME_NET any -> [38.180.141.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274769; rev:1;)
alert tcp $HOME_NET any -> [168.138.179.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274770; rev:1;)
alert tcp $HOME_NET any -> [185.237.252.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274771; rev:1;)
alert tcp $HOME_NET any -> [111.180.204.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274772; rev:1;)
alert tcp $HOME_NET any -> [20.224.227.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274762; rev:1;)
alert tcp $HOME_NET any -> [172.233.214.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274763; rev:1;)
alert tcp $HOME_NET any -> [188.127.227.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274764; rev:1;)
alert tcp $HOME_NET any -> [45.133.238.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274765; rev:1;)
alert tcp $HOME_NET any -> [83.97.73.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274766; rev:1;)
alert tcp $HOME_NET any -> [23.254.204.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274767; rev:1;)
alert tcp $HOME_NET any -> [164.90.228.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274757; rev:1;)
alert tcp $HOME_NET any -> [176.120.73.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274758; rev:1;)
alert tcp $HOME_NET any -> [38.207.176.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274759; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274760; rev:1;)
alert tcp $HOME_NET any -> [209.141.54.92] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274761; rev:1;)
alert tcp $HOME_NET any -> [80.78.23.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274755; rev:1;)
alert tcp $HOME_NET any -> [192.121.87.111] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274756; rev:1;)
alert tcp $HOME_NET any -> [195.201.223.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274753; rev:1;)
alert tcp $HOME_NET any -> [199.248.230.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274754; rev:1;)
alert tcp $HOME_NET any -> [156.245.13.61] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274748; rev:1;)
alert tcp $HOME_NET any -> [156.245.13.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274749; rev:1;)
alert tcp $HOME_NET any -> [157.90.21.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274750; rev:1;)
alert tcp $HOME_NET any -> [165.227.136.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274751; rev:1;)
alert tcp $HOME_NET any -> [170.64.160.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274752; rev:1;)
alert tcp $HOME_NET any -> [156.245.13.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274747; rev:1;)
alert tcp $HOME_NET any -> [54.243.224.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274744; rev:1;)
alert tcp $HOME_NET any -> [64.23.191.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274745; rev:1;)
alert tcp $HOME_NET any -> [82.157.142.84] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274746; rev:1;)
alert tcp $HOME_NET any -> [8.220.197.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274740; rev:1;)
alert tcp $HOME_NET any -> [34.124.239.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274741; rev:1;)
alert tcp $HOME_NET any -> [35.224.239.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274742; rev:1;)
alert tcp $HOME_NET any -> [38.242.152.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274743; rev:1;)
# Mixed ThreatFox indicators, all first_seen 2024_05_24.
# ip:port rules (Sliver, SectopRAT, Cobalt Strike, RisePro, IcedID): header-only matches on
# destination address and TCP port, with no flow or payload condition and at most one alert
# per source address per 60 seconds. confidence_level ranges from 50 to 100 across these
# rules, so rank alerts by that metadata value instead of treating them as equal.
alert tcp $HOME_NET any -> [5.8.10.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274739; rev:1;)
alert tcp $HOME_NET any -> [152.89.198.51] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274738; rev:1;)
alert tcp $HOME_NET any -> [77.221.137.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274737/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274737; rev:1;)
# url rules: client-to-server HTTP on an established flow whose method contains "GET".
# http.uri is anchored at the start (depth equals the pattern length) but not at the end, so
# any longer path or query string under the same prefix also matches, case-insensitively.
# http.host is anchored at both ends (depth plus isdataat:!1,relative), i.e. an exact host.
# These rules have no threshold, so every matching request alerts, and their msg names no
# malware family; follow the reference URL to identify it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temporary/7trackdb7/trackwptemp.php"; depth:36; nocase; http.host; content:"62.109.13.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274736; rev:1;)
alert tcp $HOME_NET any -> [47.99.188.195] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274735; rev:1;)
alert tcp $HOME_NET any -> [5.180.154.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274734/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274734; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.107] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274733/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_24; classtype:trojan-activity; sid:91274733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/center/user_sid"; depth:16; nocase; http.host; content:"43.138.234.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274732; rev:1;)
alert tcp $HOME_NET any -> [43.138.234.160] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274731; rev:1;)
# Several url rules below use paths that look like ordinary web resources (/__utm.gif,
# /ie9compatviewlist.xml, /load); the exact-host condition is what keeps them specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"123.57.63.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274730; rev:1;)
# 143.198.216.99 is covered twice: as an ip:port rule on port 80 and as the Host of a url
# rule, so one HTTP request to it can raise both sids.
alert tcp $HOME_NET any -> [143.198.216.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"143.198.216.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.242.200.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274727; rev:1;)
# NOTE(review): the ip:port rule for 47.92.127.53 is on port 443, which suggests TLS. If so,
# the url rule for the same host cannot see the request without decryption, and only the
# ip:port rule would fire - confirm how this traffic is carried.
alert tcp $HOME_NET any -> [47.92.127.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html";
depth:18; nocase; http.host; content:"47.92.127.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274725; rev:1;) alert tcp $HOME_NET any -> [101.132.250.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.132.250.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274723; rev:1;) alert tcp $HOME_NET any -> [39.100.111.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sck.img.yunphui.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"sck.img.yunphui.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"ec-web.staticec.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec-web.staticec.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"91.92.254.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.130.156.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274715/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_24; classtype:trojan-activity; sid:91274715; rev:1;) alert tcp $HOME_NET any -> [8.130.156.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274716; rev:1;) alert tcp $HOME_NET any -> [8.222.130.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.notepadplugin.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.notepadplugin.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274712; rev:1;) alert tcp $HOME_NET any -> [162.14.102.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274711; rev:1;) alert tcp 
$HOME_NET any -> [36.89.252.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/main/jquery-3.3.1.min.js"; depth:29; nocase; http.host; content:"103.26.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274709; rev:1;) alert tcp $HOME_NET any -> [74.124.44.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryupdate1.confidantsoftware.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"jqueryupdate1.confidantsoftware.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274706/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_24; classtype:trojan-activity; sid:91274706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"20.56.35.166"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274705; rev:1;) alert tcp $HOME_NET any -> [5.135.192.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hogayaterachalhatfirnaaana"; depth:27; nocase; http.host; content:"5.135.192.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.173.57.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274702; rev:1;) alert tcp $HOME_NET any -> [47.92.127.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.127.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0981582.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0949311.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ae048376.php"; depth:13; nocase; http.host; content:"budding-knives.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; 
classtype:trojan-activity; sid:91274697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.msi"; depth:14; nocase; http.host; content:"mediaclubspot.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wasabi-2.0.7.1.msi"; depth:19; nocase; http.host; content:"mediaclubspot.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"129.211.215.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1274686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"193.143.1.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274682; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0984678.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274681; rev:1;) alert tcp $HOME_NET any -> [38.62.245.18] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/async/info"; depth:18; nocase; http.host; content:"8.134.249.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.ziekte.news"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274678; rev:1;) alert tcp $HOME_NET any -> [54.242.72.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274679; rev:1;) 
# ThreatFox IOC rules, first_seen 2024_05_24. Three rule shapes appear in this section:
#   ip:port (alert tcp -> [IP] PORT): no flow: or content keyword, so the match is on destination
#           address and port alone and is not limited to established sessions.
#           "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert
#           per source address per 60 seconds.
#   url     (alert http): client-side GET on an established flow. The http.uri content is pinned
#           to the start of the URI by depth but has no end anchor, so a longer URI sharing the
#           prefix also matches. The http.host content is an exact match (depth plus
#           isdataat:!1,relative).
#   domain  (alert dns): exact, case-insensitive match on the queried name (depth plus
#           isdataat:!1,relative, nocase), so subdomains of the listed name do not match.
#           NOTE(review): where clients use an internal recursive resolver, the source of the
#           matching query at the sensor may be the resolver rather than the endpoint; confirm
#           against sensor placement.
# target:src_ip marks the $HOME_NET side as the alert target. confidence_level in metadata
# repeats the percentage shown in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"api.ziekte.news"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274677; rev:1;)
# The next two rules pin one full host name (depth:50, exact match) for the DNS query and the
# HTTP Host; other names under the same parent domain are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hvcrn7y8-1257783886.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"service-hvcrn7y8-1257783886.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274675; rev:1;)
alert tcp $HOME_NET any -> [120.77.150.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274674; rev:1;)
# msg category "credit card skimming": this rule and sid:91274670 further down carry
# classtype:bad-unknown instead of trojan-activity, so classtype-based filters or priorities
# treat them differently from the C2 rules around them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"statisticgateway.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:bad-unknown; sid:91274672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8724b2c0.php"; depth:13; nocase; http.host; content:"a0985701.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274671; rev:1;)
# Sixteen rules (sid:91274653 to sid:91274668) share one URI path across different hosts, all at
# confidence 80. sid:91274668 matches the path without the trailing slash (depth:17); the other
# fifteen include it (depth:18).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"maviderinkalem.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"karayipkalanda.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"maviceketler.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"martilarlaaraba.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"kafaneredeciler2.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavidlimanda.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavidendercam.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavideritarak2.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274660/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"beyazgelinlik12.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274661/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mahmatagada.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"maviderinasfkalem1231.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"hadiordangel23.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"martilarlaaraba2412.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"kafaneredecilersda2.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavidlimanda123.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl"; depth:17; nocase; http.host; content:"mavidendercamlar2.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"analytics-static.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:bad-unknown; sid:91274670; rev:1;)
alert tcp $HOME_NET any -> [45.128.36.178] 5610 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0983585.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274652; rev:1;)
# One address on three ports with differing feed confidence: 8808 and 6606 at 75, 7707 at 100.
alert tcp $HOME_NET any -> [198.55.115.39] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274651; rev:1;)
alert tcp $HOME_NET any -> [198.55.115.39] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274650/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274650; rev:1;)
alert tcp $HOME_NET any -> [198.55.115.39] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274649; rev:1;)
# msg category "payload delivery": matches the client's GET for the listed path. Only request
# buffers are inspected, so a hit does not show whether the download completed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"alex-faber.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274648; rev:1;)
# NOTE(review): the ip:port rules from here to sid:91274634 are confidence 50 and match on
# destination address and port only; the first eight name the family as "Unknown malware".
# Treat a hit as a lead to corroborate, and re-check the indicator's current status at its
# reference URL, since the feed's first_seen date is the only age information in the rule.
alert tcp $HOME_NET any -> [79.137.206.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274646; rev:1;)
alert tcp $HOME_NET any -> [47.96.168.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274645; rev:1;)
alert tcp $HOME_NET any -> [39.104.52.122] 30005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274644; rev:1;)
alert tcp $HOME_NET any -> [162.14.96.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274643; rev:1;)
alert tcp $HOME_NET any -> [39.106.17.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274642; rev:1;)
alert tcp $HOME_NET any -> [23.94.66.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274641; rev:1;)
alert tcp $HOME_NET any -> [5.253.41.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274640; rev:1;)
alert tcp $HOME_NET any -> [47.96.72.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274639; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.14] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274638; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.14] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274637; rev:1;)
alert tcp $HOME_NET any -> [103.187.4.53] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274636; rev:1;)
# Destination ports 22 and 445 in the next two rules are the standard SSH and SMB ports. With
# no payload match, the rules cannot distinguish the listed family from any other traffic to
# that address and port; check whether outbound 22/445 to the internet is expected at all.
alert tcp $HOME_NET any -> [2.50.4.36] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274635; rev:1;)
alert tcp $HOME_NET any -> [52.50.41.59] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274634; rev:1;)
alert tcp $HOME_NET any -> [20.117.108.240] 5612 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274633; rev:1;)
alert tcp $HOME_NET any -> [195.77.176.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1274632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274632; rev:1;)
# ip:port indicator rules (Havoc, Deimos, Unknown malware), one IOC per rule.
# What each rule matches: any TCP packet from $HOME_NET to the listed address and
# port. There is no flow, flags or content keyword, so an alert records traffic
# toward the endpoint (including a bare connection attempt), not an identified
# C2 protocol exchange.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert
# per source address per 60 seconds for each sid.
# target:src_ip marks the internal source as the host to investigate.
# NOTE(review): every rule here carries confidence_level 50 and most endpoints sit
# on 80/443; the only date recorded is first_seen. An address may be shared or
# reassigned since then, so corroborate with proxy, DNS or endpoint telemetry
# before treating a hit as a compromise, and age these sids out on feed refresh.
alert tcp $HOME_NET any -> [138.197.37.104] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274630; rev:1;)
alert tcp $HOME_NET any -> [138.197.37.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274631; rev:1;)
alert tcp $HOME_NET any -> [159.223.0.103] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274629; rev:1;)
alert tcp $HOME_NET any -> [194.67.207.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274628; rev:1;)
alert tcp $HOME_NET any -> [99.83.165.50] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274627; rev:1;)
alert tcp $HOME_NET any -> [142.93.74.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274626; rev:1;) alert tcp $HOME_NET any -> [18.176.67.169] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274625; rev:1;) alert tcp $HOME_NET any -> [147.45.150.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274624; rev:1;) alert tcp $HOME_NET any -> [54.249.228.34] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274623; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30003 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274622; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30007 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; 
classtype:trojan-activity; sid:91274621; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30004 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274620; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30002 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274619; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30006 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274618; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 8095 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274617; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274616; rev:1;) alert tcp $HOME_NET any -> [64.23.184.217] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-call-and-put-contracts-legal-options-trading-guide/"; depth:66; nocase; http.host; content:"solar-audio.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"clintkustoms.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274593; rev:1;) alert tcp $HOME_NET any -> [160.176.158.157] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274595; rev:1;) alert tcp $HOME_NET any -> [154.204.78.151] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"valdepian.com"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274601; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 13265 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274609/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4bata.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274608; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 13265 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274610/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274610; rev:1;) alert tcp $HOME_NET any -> [40.121.142.114] 6709 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.91.154.125"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274613; rev:1;) alert tcp $HOME_NET any -> [194.59.31.54] 3154 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"822987529cm.whiteproducts.ru"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0984800.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274602; rev:1;) alert tcp $HOME_NET any -> [159.223.29.112] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"159.223.29.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274598; rev:1;) alert tcp $HOME_NET any -> [46.101.212.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"46.101.212.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274596; rev:1;) alert tcp $HOME_NET any -> [188.226.118.231] 1527 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"njratvtope30.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274591/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274591; rev:1;) alert tcp $HOME_NET any -> [94.250.250.251] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274589; rev:1;) alert tcp $HOME_NET any -> [185.196.10.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274588; rev:1;) alert tcp $HOME_NET any -> [185.208.158.109] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274587; rev:1;) alert tcp $HOME_NET any -> [91.92.254.155] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274586; rev:1;) alert tcp $HOME_NET any -> [43.136.180.61] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274585/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274585; rev:1;) alert tcp $HOME_NET any -> [120.76.74.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274584; rev:1;) alert tcp $HOME_NET any -> [156.238.236.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274583; rev:1;) alert tcp $HOME_NET any -> [177.255.88.222] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274582; rev:1;) alert tcp $HOME_NET any -> [2.30.117.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274581; rev:1;) alert tcp $HOME_NET any -> [39.40.142.133] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274580; rev:1;) alert tcp $HOME_NET any -> [98.64.127.186] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274579; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274578; rev:1;) alert tcp $HOME_NET any -> [200.234.232.64] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274577; rev:1;) alert tcp $HOME_NET any -> [38.242.151.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274576; rev:1;) alert tcp $HOME_NET any -> [45.56.165.131] 5142 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274575; rev:1;) alert tcp $HOME_NET any -> [110.168.29.138] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274574; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 54002 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274573; rev:1;) alert tcp $HOME_NET any -> [5.42.67.8] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274572; rev:1;) alert tcp $HOME_NET any -> [5.42.65.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vivianstyler.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vikompalion.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sephoraofficetz.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"rafraystore.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"picwalldoor.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"ccbaminumpot.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; 
content:"agentsuperpupervinil.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/csharp/"; depth:17; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/process.php"; depth:18; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/news.php"; depth:9; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274370/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274370; rev:1;)
# URL indicator rules ("payload delivery") for two hosts: powershell.skype-api.co.uk
# and the literal address 20.163.176.155.
# What each rule matches: a client-to-server request on an established flow
# (flow:established,from_client) whose http.method buffer contains "GET", whose
# http.uri buffer BEGINS with the listed path (depth equals the pattern length;
# nocase), and whose http.host buffer is exactly the listed host (depth equals the
# pattern length and isdataat:!1,relative rejects any trailing bytes).
# The URI test is a prefix match only: nothing anchors the end of http.uri, so
# query strings and longer paths sharing the prefix also match.
# target:src_ip marks the internal client as the host to investigate.
# NOTE(review): these are http rules, so they depend on the engine parsing the
# request as HTTP; the same paths fetched over TLS would presumably not reach
# these buffers unless traffic is decrypted upstream - confirm sensor placement.
# NOTE(review): the rules naming 20.163.176.155 in http.host only match when the
# request's host is that literal address, not a domain resolving to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update2.hta"; depth:12; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1~"; depth:12; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274378; rev:1;)
# Prefix overlap: "/update.ps1" (depth:11) is a prefix of "/update.ps1~", so a
# request that fires sid 91274378 also fires sid 91274379 - expect paired alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.hta"; depth:11; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps-updater.exe"; depth:15; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274381; rev:1;)
# Same path set, keyed on the literal address in http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update2.hta"; depth:12; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1~"; depth:12; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274383; rev:1;)
# Prefix overlap again: sid 91274384 also fires on requests matched by sid 91274383.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/update.hta"; depth:11; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps-updater.exe"; depth:15; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/process.php"; depth:18; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/news.php"; depth:9; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/get.php"; depth:14; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1274365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/get.php"; depth:14; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/csharp/"; depth:17; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; 
classtype:trojan-activity; sid:91274361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274362; rev:1;)
# DNS rules: depth equal to the pattern length plus isdataat:!1,relative makes dns_query an
# exact-name match. Subdomains of the listed name are NOT matched, which is why the parent
# domain and the "powershell." host each carry their own rule.
# sid:91274387 repeats the match of the next rule under the "payload delivery" label;
# a single lookup raises both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powershell.skype-api.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274357; rev:1;)
# Same exact-name match as sid:91274388 (different ThreatFox IOC id and label).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skype-api.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274358; rev:1;)
# Duplicate match: same host and URI prefix as sid:91274364 (IOC 1274364); both fire on the
# same request. Suppress one of the two or deduplicate downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/news.php"; depth:9; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skype-api.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274388/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274388; rev:1;)
# ip:port rules: there is no flow or flags keyword, so any TCP packet from $HOME_NET to the
# listed address and port matches, including an unanswered SYN. An alert therefore shows a
# connection attempt, not a completed C2 or download session; confirm with flow or host data.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per
# source address per 60 seconds, so alert counts do not reflect connection counts.
# The indicator is a bare address: re-check it against first_seen (2024_05_23) before acting,
# since the rule carries no expiry.
alert tcp $HOME_NET any -> [20.163.176.155] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274389; rev:1;)
# A cleartext request to this server on port 80 can raise this rule together with the
# host-pinned "alert http" rules for 20.163.176.155 elsewhere in the file.
alert tcp $HOME_NET any -> [20.163.176.155] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274390; rev:1;)
# Same exact query name as sid:91274357, labelled "payload delivery"; one lookup raises both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"powershell.skype-api.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274387; rev:1;)
# confidence_level 75 (see metadata): corroborate with endpoint evidence before containment.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wonderbooth.com.my"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274418/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274418; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 18134 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274419/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274419; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 18134 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274420/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274420; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18134 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274421/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newsddawork.3utilities.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274424; rev:1;) alert tcp $HOME_NET any -> [94.232.249.160] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274425; rev:1;) alert tcp $HOME_NET any -> [147.124.205.158] 40544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1274550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274550; rev:1;)
# The host here is a shared, legitimate service; the indicator is the bot-specific path in
# http.uri. Keep the host and URI conditions together and do not derive a host-only block
# or alert from this entry.
# This is an "alert http" rule, so it only sees requests that reach the HTTP parser in cleartext.
# NOTE(review): this API is normally reached over HTTPS; without TLS inspection on the sensor
# this rule is not expected to fire. Confirm where decryption happens before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot6708321519:aah9wpgzqn8mlll2zn6ccueu4dymqgcetcq/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"automatia.in"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274553; rev:1;)
# The "/manual.php" prefix recurs on several different hosts in this file (also sid:91274344,
# sid:91274315, sid:91274341). Each rule alerts only when that path prefix and the exact
# host appear together; other paths on these hosts do not alert.
# NOTE(review): the spread of hosts looks like third-party sites serving the payload; verify
# before treating a whole domain as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"chudywawrzyniec.pl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cimaq.es"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274560; rev:1;)
alert tcp $HOME_NET any -> [130.51.23.8] 80 (msg:"ThreatFox Loki 
Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sssteell-com.asia"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"54ggter6ujfgt.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"kdehrweuybvfrer4.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hydeoutent.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274354; rev:1;) alert tcp 
$HOME_NET any -> [18.158.58.205] 15949 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"frewgewhy6fg.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"jey6mjdyerh82k.online"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cambiobolivar.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274344; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 14622 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274342/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274342; rev:1;)
# The host is a general-purpose paste service; only the specific "/raw/..." path is the
# indicator. The URI is a prefix match (depth, no end anchor) and the host is matched exactly.
# As an "alert http" rule it needs the request in cleartext or decrypted.
# NOTE(review): if clients reach this service over HTTPS, this rule will not see the fetch
# without TLS inspection; confirm sensor coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/6bpeutd1"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274343; rev:1;)
# Exact-name DNS match at confidence_level 75: a lookup shows resolution was attempted,
# not that a session followed. Pair it with flow or endpoint data.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spygate.myftp.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274292; rev:1;)
# ip:port rules: no flow or flags keyword, so any TCP packet from $HOME_NET to the address and
# port matches (including a lone SYN). The threshold emits at most one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [185.215.113.67] 40960 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274293; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"azahar.bg"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274315/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.kappo-mifuku.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274341; rev:1;) alert tcp $HOME_NET any -> [105.104.48.230] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274291/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sht/fre.php"; depth:12; nocase; http.host; content:"sssteell-com.asia"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274561; rev:1;) alert tcp $HOME_NET any -> [5.42.67.8] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274559; rev:1;) alert tcp $HOME_NET any -> [5.42.65.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274558/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_23; classtype:trojan-activity; sid:91274558; rev:1;) alert tcp $HOME_NET any -> [88.198.124.82] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274556/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274556; rev:1;) alert tcp $HOME_NET any -> [116.202.8.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274555/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274555; rev:1;) alert tcp $HOME_NET any -> [116.202.8.208] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274554/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274554; rev:1;) alert tcp $HOME_NET any -> [104.243.242.165] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274423; rev:1;) alert tcp $HOME_NET any -> [66.235.168.242] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274422/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.207.176.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274416; rev:1;)
# The URI patterns below are very short prefixes ("/ptj", "/cm": 3-4 bytes, start-anchored,
# no end anchor). They are selective only because http.host is also pinned to one exact
# address string; keep both conditions together if these rules are edited or merged.
# Because http.host holds the literal address, the same server requested under a domain name
# is not matched by these rules; only an ip:port rule, where the file has one, covers that.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274415; rev:1;)
# No flow or flags keyword: any TCP packet to 118.195.183.6:80 matches, at most one alert per
# source per 60 seconds. A cleartext request for "/activity" on port 80 raises this rule and
# sid:91274413 for the same connection.
alert tcp $HOME_NET any -> [118.195.183.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.195.183.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"154.3.0.70"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274412; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.215.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"106.15.62.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.bitdefenders.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bitdefenders.shop"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.220.215.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274405; rev:1;) alert tcp $HOME_NET any -> [118.195.183.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"118.195.183.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274403; rev:1;) alert tcp $HOME_NET any -> [129.211.215.7] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"129.211.215.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274401; rev:1;) alert tcp $HOME_NET any -> [202.144.192.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"202.144.192.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"64.7.198.122"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; 
sid:91274398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/version"; depth:15; nocase; http.host; content:"117.72.46.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"38.207.176.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274396; rev:1;) alert tcp $HOME_NET any -> [154.3.0.70] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274395; rev:1;) alert tcp $HOME_NET any -> [66.235.168.242] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274352; rev:1;) alert tcp $HOME_NET any -> [185.196.10.81] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274351; rev:1;) alert 
tcp $HOME_NET any -> [91.214.78.17] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.120.67.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274338; rev:1;) alert tcp $HOME_NET any -> [118.89.125.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274336; rev:1;) alert tcp $HOME_NET any -> [118.25.192.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"118.25.192.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274334; rev:1;) alert tcp $HOME_NET any -> [117.50.179.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"117.50.179.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonpacketgamebigloadprivatecentral.php"; depth:42; nocase; http.host; content:"objectiveci.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274331; rev:1;) alert tcp $HOME_NET any -> [45.95.169.137] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274330/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_05_23; classtype:trojan-activity; sid:91274330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"141.98.7.79"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.207.29.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/bootstrap.sass"; depth:26; nocase; http.host; content:"124.70.99.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.135.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"91.224.92.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"182.92.216.171"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1274321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"117.72.47.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.71.46.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274317; rev:1;) alert tcp $HOME_NET any 
-> [147.45.47.35] 47230 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274316; rev:1;)
# The ip:port rules below match on the header alone: traffic from $HOME_NET to the
# listed destination address and port. They carry no flow or payload keyword; the
# threshold keeps each rule to one alert per source address per 60 seconds.
# target:src_ip marks the internal host as the target of the event.
#
# These entries are confidence_level 50 and three of them point at port 80.
# NOTE(review): a destination-only match cannot tell C2 traffic from any other
# service on the same address, so a shared or reassigned IP would alert on
# unrelated connections. Consider selecting rules by the confidence_level metadata
# and ageing out entries by first_seen before enabling them in a blocking policy.
alert tcp $HOME_NET any -> [185.208.158.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274313; rev:1;)
alert tcp $HOME_NET any -> [23.96.246.163] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274312; rev:1;)
alert tcp $HOME_NET any -> [154.26.130.199] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274311; rev:1;)
alert tcp $HOME_NET any -> [172.247.168.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274310; rev:1;)
alert tcp $HOME_NET any -> [142.171.133.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274309; rev:1;) alert tcp $HOME_NET any -> [211.159.225.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274308; rev:1;) alert tcp $HOME_NET any -> [78.142.245.78] 8443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274307; rev:1;) alert tcp $HOME_NET any -> [46.246.86.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274306; rev:1;) alert tcp $HOME_NET any -> [69.157.7.219] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274305; rev:1;) alert tcp $HOME_NET any -> [125.239.206.199] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274304; rev:1;) alert tcp $HOME_NET any -> [4.236.25.168] 80 (msg:"ThreatFox Responder botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274303; rev:1;) alert tcp $HOME_NET any -> [185.245.61.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274302; rev:1;) alert tcp $HOME_NET any -> [79.137.117.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274301; rev:1;) alert tcp $HOME_NET any -> [41.216.183.135] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274300; rev:1;) alert tcp $HOME_NET any -> [91.92.250.190] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274299; rev:1;) alert tcp $HOME_NET any -> [197.243.57.122] 60000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274298; 
rev:1;) alert tcp $HOME_NET any -> [107.174.115.223] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274297; rev:1;) alert tcp $HOME_NET any -> [45.15.158.15] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274296; rev:1;) alert tcp $HOME_NET any -> [37.187.118.185] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274295; rev:1;) alert tcp $HOME_NET any -> [38.60.136.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"cyclohexylamine.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274271/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"excommunicative.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274272; rev:1;)
# Same URI prefix /ywrhzjaxngm1yjfh/ on different hosts. Each rule pairs a prefix
# match on http.uri (depth equals the pattern length, nocase) with an exact match
# on http.host (depth equals the pattern length and isdataat:!1,relative forbids
# any byte after the pattern).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"quinquagenarian.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"juxtaglomerular.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"juxtaglomerular.hk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274275/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274275; rev:1;)
# sids 91274281, 91274282 and 91274283 have identical match conditions (GET, URI
# prefix /manual.php, host animefestival.asia); only the ThreatFox reference and
# the sid differ, so one matching request raises three alerts.
# NOTE(review): presumably the three IOCs differ in a part of the URL these rules
# do not encode (e.g. the query string) - confirm against the ThreatFox entries,
# and deduplicate or threshold downstream if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"animefestival.asia"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"animefestival.asia"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"animefestival.asia"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274283; rev:1;)
# Payload-delivery URLs on womendonotdothat.com (this rule and sids 91274288,
# 91274289 below). The domain rule sid 91274287 covers the same name, so a host
# that resolves it and then fetches one of these paths over cleartext HTTP raises
# both a dns alert and an http alert.
# NOTE(review): `alert http` only sees traffic decoded as HTTP; if delivery runs
# over HTTPS the dns rule is the one that fires - confirm the scheme upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"womendonotdothat.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274286; rev:1;)
# ip:port rule: header-only match (destination address and port), limited by the
# threshold to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [196.64.243.43] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274284; rev:1;)
# Domain rule: exact-name match on the DNS query. depth:20 pins the 20-byte
# pattern to the start of the buffer and isdataat:!1,relative forbids trailing
# bytes, so a query for a subdomain of this name does not match. nocase makes the
# comparison case-insensitive.
# NOTE(review): dns_query is the legacy spelling, while the HTTP rules in this
# file use the dotted sticky-buffer names (http.uri, http.host); dns.query is the
# matching form in Suricata 5 and later - confirm the target version before
# changing it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"womendonotdothat.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"womendonotdothat.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"womendonotdothat.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274289; rev:1;)
# C2 URL with URI prefix /l1nc0in.php; the rule that begins on the last line of
# this span uses the same prefix. The host in this rule is matched exactly, so
# other names under the same parent domain are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0985859.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"mikilo39.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274285; rev:1;) alert tcp $HOME_NET any -> [88.198.124.82] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274279/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.228.8.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274278; rev:1;) alert tcp $HOME_NET any -> [111.229.166.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.229.166.198"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"msc-mvc-updates.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274270; rev:1;) alert tcp $HOME_NET any -> [80.66.88.86] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274269; rev:1;) alert tcp $HOME_NET any -> [185.172.128.136] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274268; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 60143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274265; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42759 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274266; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42240 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274267/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_05_22; classtype:trojan-activity; sid:91274267; rev:1;)
# Review notes for the rules that follow. Line breaks are restored to one rule per line,
# the form Suricata expects unless a rule is continued with a backslash.
#
# Every rule here uses the `alert` action; none uses drop or reject.
#
# ip:port rules (alert tcp $HOME_NET any -> [IP] PORT): no flow or flags option is set, so
#   any TCP packet from $HOME_NET to that address and port can raise the alert, including
#   an unanswered SYN. A hit shows a connection attempt, not a completed session.
#   `threshold: type limit, track by_src, seconds 60, count 1` caps output at one alert per
#   source host per 60 seconds.
# url rules (alert http): client-to-server traffic on an established flow, method buffer
#   containing GET, URI beginning with the listed path (depth anchors the match at the start,
#   nocase ignores case, nothing anchors the end) and Host equal to the listed value
#   (depth plus isdataat:!1,relative leave no room for extra bytes). These rules inspect
#   parsed HTTP only; the same host reached over TLS is not covered by them.
# domain rules (alert dns): depth plus isdataat:!1,relative make the query name match the
#   listed domain exactly, so a subdomain of it does not match.
#
# metadata carries confidence_level and first_seen; in every rule below the sid is the
# ThreatFox IOC id from the reference URL with a leading 9.
# NOTE(review): several ip:port entries are confidence_level 50 on ports 80 and 443; weigh
# confidence_level and first_seen when triaging a hit, since an address can change hands.
alert tcp $HOME_NET any -> [83.229.69.242] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274264; rev:1;)
alert tcp $HOME_NET any -> [78.135.85.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274263; rev:1;)
alert tcp $HOME_NET any -> [202.146.222.171] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274262; rev:1;)
alert tcp $HOME_NET any -> [117.72.69.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274261; rev:1;)
alert tcp $HOME_NET any -> [198.46.160.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274260; rev:1;)
alert tcp $HOME_NET any -> [107.173.210.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274259; rev:1;)
alert tcp $HOME_NET any -> [47.96.179.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274258; rev:1;)
alert tcp $HOME_NET any -> [172.247.168.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274257; rev:1;)
alert tcp $HOME_NET any -> [5.163.115.132] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274256; rev:1;)
alert tcp $HOME_NET any -> [87.249.50.32] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274255; rev:1;)
alert tcp $HOME_NET any -> [172.172.150.146] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274254; rev:1;)
alert tcp $HOME_NET any -> [172.187.161.228] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274253; rev:1;)
alert tcp $HOME_NET any -> [206.237.4.54] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"111.38.106.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274251; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.136] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274250; rev:1;)
alert tcp $HOME_NET any -> [107.172.31.6] 1070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274249; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.115] 40551 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"lucabet68.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274246; rev:1;)
# The /zdq5m2jhm2zkztkx/ path recurs below on hosts 5adiletasarim.com through
# 9adiletasarim.com, interleaved with unrelated indicators; each host has its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"9adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jurassicworldtheexhibition.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"6adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"7adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"8adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274238; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.34] 1111 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"5adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274235/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"jurassicworldtheexhibition.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"jurassicworldtheexhibition.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274245; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.63] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274247; rev:1;)
alert tcp $HOME_NET any -> [79.137.207.27] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274242; rev:1;)
alert tcp $HOME_NET any -> [118.194.235.187] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274241; rev:1;)
alert tcp $HOME_NET any -> [95.164.87.54] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"ajserviceusa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273993; rev:1;)
# Two URI paths (/ogqyzwqwnguyzdk3/ and /mjvlnznjndfizdm3/) repeat across the hosts below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqyzwqwnguyzdk3/"; depth:18; nocase; http.host; content:"kozansinyalcimisinla.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadasinyalcimisinaga.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadahacibaba.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqyzwqwnguyzdk3/"; depth:18; nocase; http.host; content:"kozanaseviyor.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"airgaz.bydgoszcz.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadahackerbaba.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadadelimisinyav.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadabeniseviyor.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqyzwqwnguyzdk3/"; depth:18; nocase; http.host; content:"kozanhacibaba.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273986; rev:1;)
# Domain indicators: exact query-name match only (see depth and isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bipto.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jobresurs.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonybabb.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"tonybabb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"jobresurs.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"bipto.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jtpo"; depth:5; nocase; http.host; content:"114.132.98.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273978; rev:1;) alert tcp $HOME_NET any -> [114.132.98.252] 4431 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1273976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273976; rev:1;) alert tcp $HOME_NET any -> [193.33.195.42] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273975/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"150.158.43.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273974; rev:1;) alert tcp $HOME_NET any -> [119.28.83.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.236.8.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273971; rev:1;) alert tcp $HOME_NET any -> [159.138.131.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1273970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"159.138.131.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"360.wangli.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273968; rev:1;) alert tcp $HOME_NET any -> [13.230.185.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"13.230.185.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"merckllc.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273958/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"infres.in"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273960/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273960; rev:1;) alert tcp $HOME_NET any -> [64.7.198.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alliancebbs.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damage/v9.19/m3zw19mk"; depth:22; nocase; http.host; content:"alliancebbs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273963; rev:1;) alert tcp $HOME_NET any -> [81.70.17.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"81.70.17.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0982894.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"aimrental.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; 
sid:91273955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"39.100.85.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.243.240.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.169.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.92.91.192"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1273945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kin/five/fre.php"; depth:17; nocase; http.host; content:"merckllc.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273943; rev:1;) alert tcp $HOME_NET any -> [45.76.129.156] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"602024.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273941; rev:1;) alert tcp $HOME_NET any -> [106.52.246.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273938; rev:1;) alert tcp $HOME_NET any -> [13.215.90.213] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273937; rev:1;) alert tcp $HOME_NET any -> [49.232.128.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273936; rev:1;) alert tcp $HOME_NET any -> [123.207.205.138] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273935; rev:1;) alert tcp $HOME_NET any -> [46.246.14.12] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273934; rev:1;) alert tcp $HOME_NET any -> [189.152.7.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; 
sid:91273933; rev:1;) alert tcp $HOME_NET any -> [2.50.33.176] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273932; rev:1;) alert tcp $HOME_NET any -> [20.21.130.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273931; rev:1;) alert tcp $HOME_NET any -> [45.95.234.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273930; rev:1;) alert tcp $HOME_NET any -> [121.14.159.60] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273929; rev:1;) alert tcp $HOME_NET any -> [135.181.205.15] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273928; rev:1;) alert tcp $HOME_NET any -> [159.223.0.196] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273927; rev:1;)
# ip:port indicators. These rules carry no content or flow-state keyword, so they
# match on destination address and port alone; the threshold limits output to one
# alert per source host per 60 seconds. Both are confidence_level 50: treat a hit
# as a lead to corroborate (process, DNS, TLS metadata), not as a verdict.
alert tcp $HOME_NET any -> [172.105.57.197] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273926; rev:1;)
alert tcp $HOME_NET any -> [87.247.142.15] 30005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273925; rev:1;)
# URL indicator. http.uri: depth equals the pattern length, so the pattern must sit
# at the start of the URI, but nothing requires the URI to end there (prefix match).
# http.host: depth plus isdataat:!1,relative anchors both ends (exact host name).
# These rules have no threshold keyword, so every matching request alerts.
# NOTE(review): the path is under /wp-includes/, which suggests a file planted on a
# WordPress site -- confirm before treating the whole domain as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/text/mc.js"; depth:23; nocase; http.host; content:"electrikar.com.mx"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273885; rev:1;)
# The next five rules share one URI prefix and differ only in http.host (five
# domains, all confidence_level 80). The host match is exact, so a sixth domain
# serving the same path is not covered by any of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"nisiqnisiq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"siqnisiq.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"sabgggsabggg.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273897; rev:1;)
# Domain indicator. depth equals the name length and isdataat:!1,relative forbids
# trailing bytes, so only a query for exactly this name matches (case-insensitive);
# a query for a subdomain of it does not.
# NOTE(review): this uses the legacy dns_query spelling while the HTTP rules use
# dotted sticky buffers (http.uri, http.host); Suricata also provides dns.query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"production-reservation.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273901/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_05_22; classtype:trojan-activity; sid:91273901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"dc3common.sakura.ne.jp"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4handscleaning.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273917; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 17748 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273918; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273921; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; 
classtype:trojan-activity; sid:91273922; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273923; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273924; rev:1;) alert tcp $HOME_NET any -> [204.10.160.176] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0982456.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d5/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; 
sid:91273916; rev:1;) alert tcp $HOME_NET any -> [121.37.221.98] 11443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273915; rev:1;) alert tcp $HOME_NET any -> [109.107.181.111] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273912; rev:1;) alert tcp $HOME_NET any -> [5.75.232.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273911/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273911; rev:1;) alert tcp $HOME_NET any -> [5.75.232.183] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273910/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273910; rev:1;) alert tcp $HOME_NET any -> [41.249.41.48] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273909; rev:1;) alert tcp $HOME_NET any -> [23.26.232.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273908; rev:1;)
# URL indicator whose http.host is an IP literal; the rule that ends on the line
# above is the ip:port indicator for the same address on port 443. The http.*
# buffers are only populated for traffic Suricata parses as HTTP, so if this
# endpoint is reached over TLS without decryption, only the ip:port rule can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; depth:25; nocase; http.host; content:"23.26.232.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273907; rev:1;)
# Same pairing for 80.249.147.242: an ip:port indicator on 443 followed by a URL
# indicator with that address as http.host. The ip:port rule has no content or
# flow-state keyword; its threshold emits one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [80.249.147.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/favicon.js"; depth:11; nocase; http.host; content:"80.249.147.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273905; rev:1;)
# Domain indicator and URL indicator for the same host name. The DNS rule matches
# the exact query name only; the HTTP rule matches a GET whose URI starts with
# /favicon.js on that exact host. A single cleartext check-in may therefore raise
# both sids -- correlate by source host rather than counting them as two events.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiphiex9ae.ptsupport.tech"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/favicon.js"; depth:11; nocase; http.host; content:"aiphiex9ae.ptsupport.tech"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273903; rev:1;)
# http.uri here is a six-byte prefix match: any URI on this host that begins with
# /pixel (longer paths included) satisfies it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.243.240.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273902; rev:1;)
# ip:port indicators: address and port only, one alert per source per 60 seconds.
# The IcedID entry is confidence_level 75 on port 443; corroborate before acting.
alert tcp $HOME_NET any -> [147.185.221.19] 47823 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273900; rev:1;)
alert tcp $HOME_NET any -> [146.19.143.163] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273899/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273899; rev:1;)
# Domain indicator, exact query-name match. Only this one name under duckdns.org
# is covered; other names under the same parent domain do not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jelelaiyegba.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-i50ggjoo-1253504731.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-i50ggjoo-1253504731.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/account"; depth:8; nocase; http.host; content:"8.137.117.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273888/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273886; rev:1;) alert tcp $HOME_NET any -> [94.16.118.242] 7080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da9ae588.php"; depth:13; nocase; http.host; content:"fanskrairg.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273883; rev:1;) alert tcp $HOME_NET any -> [51.15.16.116] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273882; rev:1;) alert tcp $HOME_NET any -> [91.107.127.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273881; rev:1;) alert tcp $HOME_NET any -> [185.208.158.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273880; rev:1;) alert tcp $HOME_NET any -> [207.244.252.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273879; rev:1;) alert tcp $HOME_NET any -> [103.234.72.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273878; rev:1;) alert tcp $HOME_NET any -> [172.247.168.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; 
sid:91273877; rev:1;) alert tcp $HOME_NET any -> [49.232.128.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273876; rev:1;) alert tcp $HOME_NET any -> [216.250.247.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273875; rev:1;) alert tcp $HOME_NET any -> [46.246.14.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273874; rev:1;) alert tcp $HOME_NET any -> [78.182.41.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273873; rev:1;) alert tcp $HOME_NET any -> [38.145.202.153] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273872; rev:1;) alert tcp $HOME_NET any -> [87.249.50.32] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273871; rev:1;) alert tcp $HOME_NET any -> [45.95.234.87] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273870; rev:1;) alert tcp $HOME_NET any -> [152.89.92.204] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273869; rev:1;) alert tcp $HOME_NET any -> [213.183.56.95] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273868; rev:1;) alert tcp $HOME_NET any -> [205.234.200.8] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273867; rev:1;) alert tcp $HOME_NET any -> [61.182.130.80] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273866; rev:1;) alert tcp $HOME_NET any -> [65.20.72.205] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273865; rev:1;)
# ip:port indicators at confidence_level 50 with no malware family named in msg.
# They match on destination address and port alone; the threshold emits one alert
# per source host per 60 seconds. Use them as leads that need corroboration.
alert tcp $HOME_NET any -> [172.247.44.101] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273864; rev:1;)
alert tcp $HOME_NET any -> [165.227.229.96] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273863; rev:1;)
# URL indicator: GET whose URI starts with /manual.php on this exact host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bip.dpsbranszczyk.pl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273856; rev:1;)
# Three URL indicators for the same http.host (3.145.83.235), followed by the
# ip:port indicator for that address on 8080.
# NOTE(review): the middle rule matches http.uri content "/" with depth:1, i.e. any
# URI that begins with a slash. Combined with the exact host match it fires on
# every GET to that host, so a request for /ga.js or /q2gs raises two sids. The
# HTTP rules have no threshold keyword; deduplicate by source host and http.host
# when counting events from this group.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q2gs"; depth:5; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273861; rev:1;)
alert tcp $HOME_NET any -> [3.145.83.235] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273859; rev:1;)
# ip:port indicators, confidence_level 100, address and port only.
alert tcp $HOME_NET any -> [51.195.145.87] 8092 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273858; rev:1;)
alert tcp $HOME_NET any -> [178.236.247.210] 8080 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezikidei.ddns.net"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273514; rev:1;) alert tcp $HOME_NET any -> [185.255.114.98] 5634 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bezpiecznie.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"survey-dover.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273547; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 21679 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273546; rev:1;) alert tcp $HOME_NET any -> [93.123.85.72] 4258 (msg:"ThreatFox BiBi-Linux payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273845/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273845; rev:1;) alert tcp $HOME_NET any -> [5.42.96.141] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273855; rev:1;) alert tcp $HOME_NET any -> [185.94.29.85] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273854; rev:1;) alert tcp $HOME_NET any -> [47.208.30.4] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273853; rev:1;) alert tcp $HOME_NET any -> [47.238.162.247] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mylittlecabbage.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"goodone.loseyourip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273850; rev:1;)
# ip:port indicators (AsyncRAT, NjRAT). With no flow or payload keywords, these
# rules match any TCP packet from $HOME_NET to the listed address and port; the
# malware family in msg comes from the ThreatFox entry, not from anything the
# rule inspects. threshold limits output to one alert per source per 60 seconds.
# target:src_ip marks the $HOME_NET host as the affected side of the alert.
alert tcp $HOME_NET any -> [213.195.117.131] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273849; rev:1;)
alert tcp $HOME_NET any -> [160.178.192.178] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273848; rev:1;)
alert tcp $HOME_NET any -> [202.133.88.95] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273847; rev:1;)
alert tcp $HOME_NET any -> [192.227.228.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273846; rev:1;)
alert tcp $HOME_NET any -> [165.227.44.40] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; 
classtype:trojan-activity; sid:91273844; rev:1;)
# Matanbuchus ip:port indicators with confidence_level 75 on destination port
# 443. The rules match on address and port alone, so they cannot tell C2 from
# any other TCP traffic to these addresses; corroborate a hit with TLS or host
# evidence before escalating.
alert tcp $HOME_NET any -> [194.67.193.25] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273843; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.24] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273842/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273842; rev:1;)
# AsyncRAT ip:port indicators, confidence_level 100. Same shape as above: any
# TCP packet from $HOME_NET to the address and port matches, limited to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [151.106.34.110] 8081 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273841; rev:1;)
alert tcp $HOME_NET any -> [103.1.40.154] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273840; rev:1;)
alert tcp $HOME_NET any -> [91.110.144.65] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273839; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.252] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1273836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273836; rev:1;)
# AsyncRAT ip:port indicators. Several rules share a destination address and
# differ only in port (79.110.49.252 on 7707 and 8808; 78.179.134.46 on 888 and
# 3000). Each rule has its own sid and its own threshold, so one host that
# contacts several ports of the same address raises one alert per rule per
# 60 seconds; group alerts by destination address when triaging.
alert tcp $HOME_NET any -> [79.110.49.252] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273837; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.252] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273838; rev:1;)
alert tcp $HOME_NET any -> [78.179.134.46] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273833; rev:1;)
alert tcp $HOME_NET any -> [78.179.247.213] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273834; rev:1;)
alert tcp $HOME_NET any -> [78.179.134.46] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273835; rev:1;)
alert tcp $HOME_NET any -> [78.161.80.54] 888 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273832; rev:1;)
# Domain and URL indicators for the same host name. The name is spelled
# "palloaltonetworks" with a double "l": it is the indicator as published and
# must stay verbatim, because both rules match the name exactly (depth equals
# the pattern length and isdataat:!1,relative forbids trailing bytes).
# The dns rule matches only that exact query name, not its subdomains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.palloaltonetworks.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273830; rev:1;)
# The http rule sees cleartext HTTP only. Its URI pattern is anchored at the
# start by depth but not at the end, so a longer URI with this prefix also
# matches. http.host is Suricata's lowercase-normalized host buffer, which is
# why the host pattern carries no nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anticipate/v10.75/u4fwfq0ej9c"; depth:30; nocase; http.host; content:"cloud.palloaltonetworks.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273829; rev:1;)
# Quasar RAT ip:port indicators: no flow or payload keywords, so any TCP packet
# from $HOME_NET to the address and port matches; one alert per source per
# 60 seconds.
alert tcp $HOME_NET any -> [184.145.64.157] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273828; rev:1;)
alert tcp $HOME_NET any -> [179.97.173.22] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273826; rev:1;)
alert tcp $HOME_NET any -> [101.201.150.204] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273825; rev:1;)
# ip:port indicators (Quasar RAT, Venom RAT, Cobalt Strike). The rules inspect
# nothing beyond destination address and port, so the family named in msg is
# the ThreatFox attribution for that endpoint, not something confirmed on the
# wire. threshold limits each rule to one alert per source per 60 seconds.
# first_seen is 2024_05_21; address indicators age, so check the referenced
# ThreatFox entry before treating a hit as confirmed.
alert tcp $HOME_NET any -> [54.193.220.196] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273824; rev:1;)
alert tcp $HOME_NET any -> [51.178.195.149] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273823; rev:1;)
alert tcp $HOME_NET any -> [14.225.219.33] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273822; rev:1;)
alert tcp $HOME_NET any -> [185.234.75.77] 6666 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273821; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.89] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; 
sid:91273818; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the
# address and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [91.92.249.43] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273819; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.84] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273820; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.88] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273817; rev:1;)
# URL indicator and ip:port indicator for the same server (103.146.158.113).
# The http rule matches cleartext GET requests whose URI begins with "/ca"
# (depth anchors the start only, so any longer path with that prefix matches)
# and whose Host is exactly the IP literal. The http rule has no threshold, so
# it alerts per matching request; a request to port 80 also trips the ip:port
# rule below it.
# NOTE(review): confirm how a Host header that carries an explicit port is
# normalized before relying on the exact-match host condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.146.158.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273816; rev:1;)
alert tcp $HOME_NET any -> [103.146.158.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273815; rev:1;)
alert tcp $HOME_NET any -> [51.81.169.92] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273814; rev:1;)
# Cobalt Strike ip:port indicator: matches any TCP packet from $HOME_NET to the
# address and port; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [107.173.156.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273813; rev:1;)
# Domain indicator: exact-name match only (depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes), case-insensitive via nocase.
# Queries for subdomains of this name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad.chakrashaman.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273812; rev:1;)
# Cobalt Strike ip:port indicators on port 443. Address and port are the only
# conditions, so these rules cannot separate C2 from other TLS traffic to the
# same address; treat a hit as a lead to corroborate.
alert tcp $HOME_NET any -> [108.160.131.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273550; rev:1;)
alert tcp $HOME_NET any -> [65.20.71.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273549; rev:1;)
# URL indicator: the URI pattern below has three underscores ("/___utm.gif").
# Keep it as published; the pattern is anchored at the start of the URI, so a
# different underscore count is a different indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"209.38.242.240"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273548; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the
# address and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [209.38.242.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273545; rev:1;)
alert tcp $HOME_NET any -> [206.189.11.228] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273544; rev:1;)
# URL indicator paired with an ip:port indicator for the same server
# (157.230.110.194). The http rule needs cleartext HTTP, a URI that begins with
# "/__utm.gif" (start-anchored by depth, no end anchor) and a Host that is
# exactly the IP literal. It has no threshold, so it alerts per matching
# request, and a request to port 80 also trips the ip:port rule that follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"157.230.110.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273543; rev:1;)
alert tcp $HOME_NET any -> [157.230.110.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"64.227.124.121"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273541; rev:1;)
# Cobalt Strike ip:port indicator on port 443: matches any TCP packet from
# $HOME_NET to the address and port; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [64.227.124.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273540; rev:1;)
# NOTE(review): the next two http rules (sid:91273539 and sid:91273538) have
# identical match conditions - same method, URI prefix and host - and differ
# only in reference URL and sid. Neither has a threshold, so every matching
# request raises both alerts; de-duplicate on the sensor or in the SIEM.
# Both need cleartext HTTP; the URI is anchored at the start only and the Host
# must be exactly the IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"64.226.77.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"64.226.77.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273538; rev:1;)
# ip:port indicators for the same server on ports 80 and 443. A cleartext
# request that matches the http rules above on port 80 also trips the port-80
# rule here.
alert tcp $HOME_NET any -> [64.226.77.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273536; rev:1;)
alert tcp $HOME_NET any -> [64.226.77.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1273537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273537; rev:1;)
# Domain indicator: exact-name match only (depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes); subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liudehua.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273535; rev:1;)
# Cobalt Strike ip:port indicator: any TCP packet from $HOME_NET to the address
# and port matches; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [64.23.177.220] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273534; rev:1;)
# URL indicator and ip:port indicator for 47.237.95.107 cover different
# traffic: the http rule needs cleartext HTTP (URI beginning with "/push", Host
# exactly the IP literal), while the ip:port rule covers only port 443. A
# session on 443 that is not decrypted upstream is visible to the ip:port rule
# alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.237.95.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273533; rev:1;)
alert tcp $HOME_NET any -> [47.237.95.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273532; rev:1;)
# Domain indicator spelled with the digit "1" ("chinamobi1e"); keep it exactly
# as published, since the rule matches the whole query name and nothing else.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chinamobi1e.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273531/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273531; rev:1;)
# URL indicator: cleartext HTTP GET whose URI begins with "/ga.js" (anchored at
# the start by depth, not at the end) and whose Host is exactly
# "chinamobi1e.shop". The host name contains the digit "1"; keep it verbatim.
# http.host is Suricata's lowercase-normalized host buffer, so the host pattern
# needs no nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"chinamobi1e.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273530; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the
# address and port matches; each rule alerts at most once per source per
# 60 seconds. 8.218.140.240 appears on two ports (2095 and 2086) under separate
# sids, so one host can raise both.
alert tcp $HOME_NET any -> [8.218.140.240] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273528; rev:1;)
alert tcp $HOME_NET any -> [8.218.140.240] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273529; rev:1;)
alert tcp $HOME_NET any -> [124.71.78.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273524; rev:1;)
alert tcp $HOME_NET any -> [124.71.223.58] 5431 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273525; rev:1;)
alert tcp $HOME_NET 
any -> [139.9.189.30] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273526; rev:1;)
# Cobalt Strike ip:port indicators. Destination address and port are the only
# match conditions (no flow or payload keywords), so a hit shows that a
# $HOME_NET host sent TCP traffic to the endpoint, not that the exchange was
# C2. threshold limits each rule to one alert per source per 60 seconds.
# 124.70.213.23 is listed on ports 80 and 443 under separate sids.
alert tcp $HOME_NET any -> [139.159.179.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273527; rev:1;)
alert tcp $HOME_NET any -> [124.70.99.224] 2231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273521; rev:1;)
alert tcp $HOME_NET any -> [124.70.213.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273522; rev:1;)
alert tcp $HOME_NET any -> [124.70.213.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273523; rev:1;)
alert tcp $HOME_NET any -> [116.204.115.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273517; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the listed
# address and port matches; one alert per source per 60 seconds per rule.
# 124.70.0.56 is listed on ports 8089 and 8081 under separate sids. Each sid is
# 90000000 plus the ThreatFox IOC id in the reference URL.
alert tcp $HOME_NET any -> [121.36.23.25] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273518; rev:1;)
alert tcp $HOME_NET any -> [124.70.0.56] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273519; rev:1;)
alert tcp $HOME_NET any -> [124.70.0.56] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273520; rev:1;)
alert tcp $HOME_NET any -> [1.92.156.179] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273515; rev:1;)
alert tcp $HOME_NET any -> [1.94.43.16] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273516; rev:1;)
alert tcp $HOME_NET any -> [120.55.63.163] 789 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273511; rev:1;)
# Cobalt Strike ip:port indicators. With no flow keyword the rules are not
# limited to established sessions: a single TCP packet from $HOME_NET to the
# address and port is enough. threshold limits each rule to one alert per
# source per 60 seconds. Several entries are on ports 80 and 8080, where the
# rule cannot tell C2 from other web traffic to the same address.
alert tcp $HOME_NET any -> [139.224.0.158] 8069 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273512; rev:1;)
alert tcp $HOME_NET any -> [112.124.5.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273507; rev:1;)
alert tcp $HOME_NET any -> [112.124.71.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273508; rev:1;)
alert tcp $HOME_NET any -> [112.126.77.173] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273509; rev:1;)
alert tcp $HOME_NET any -> [118.31.0.110] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273510/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273510; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the listed
# address and port matches; one alert per source per 60 seconds per rule.
# target:src_ip marks the $HOME_NET host as the affected side. first_seen is
# 2024_05_21; check the referenced ThreatFox entry for the indicator's current
# status before acting on a hit.
alert tcp $HOME_NET any -> [47.120.20.82] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273504; rev:1;)
alert tcp $HOME_NET any -> [101.37.31.139] 6650 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273505; rev:1;)
alert tcp $HOME_NET any -> [101.132.124.211] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273506; rev:1;)
alert tcp $HOME_NET any -> [47.98.154.34] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273499; rev:1;)
alert tcp $HOME_NET any -> [47.105.68.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273500; rev:1;)
alert tcp $HOME_NET any -> [47.105.121.158] 58443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273501; rev:1;)
# Cobalt Strike ip:port indicators on ports 80 and 443. The rules match on
# destination address and port only, so they fire on any TCP traffic to these
# endpoints and give no evidence about what was exchanged; pair a hit with
# HTTP, TLS or endpoint telemetry. threshold limits each rule to one alert per
# source per 60 seconds. 47.92.7.36 is listed on both 80 and 443 under
# separate sids.
alert tcp $HOME_NET any -> [47.109.69.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273502; rev:1;)
alert tcp $HOME_NET any -> [47.115.204.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273503; rev:1;)
alert tcp $HOME_NET any -> [39.100.117.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273495; rev:1;)
alert tcp $HOME_NET any -> [47.92.7.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273496; rev:1;)
alert tcp $HOME_NET any -> [47.92.7.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; 
classtype:trojan-activity; sid:91273497; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the listed
# address and port matches; one alert per source per 60 seconds per rule. The
# family in msg is the ThreatFox attribution for the endpoint; the rules do not
# inspect the protocol spoken on these ports.
alert tcp $HOME_NET any -> [47.92.24.58] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273498; rev:1;)
alert tcp $HOME_NET any -> [8.130.103.235] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273491; rev:1;)
alert tcp $HOME_NET any -> [8.136.121.216] 33898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273492; rev:1;)
alert tcp $HOME_NET any -> [8.146.198.79] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273493; rev:1;)
alert tcp $HOME_NET any -> [39.99.254.197] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/3longpolltemporary/_/2provider/0voiddbvideolongpoll/vmphpjavascripthttpgeosqldatalifetemp.php"; depth:94; nocase; http.host; content:"5.35.98.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273490; rev:1;) alert tcp $HOME_NET any -> [175.178.45.180] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273488; rev:1;) alert tcp $HOME_NET any -> [175.178.45.180] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273489; rev:1;) alert tcp $HOME_NET any -> [150.158.43.153] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273487; rev:1;) alert tcp $HOME_NET any -> [139.155.99.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273486; rev:1;) alert tcp $HOME_NET any -> [122.51.2.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1273485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"119.45.226.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273484; rev:1;) alert tcp $HOME_NET any -> [119.45.226.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.exe"; depth:11; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.111.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.65.96.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273480; rev:1;)
# --- URL indicators ---
# Each URL rule below matches a cleartext HTTP GET whose URI starts with the
# given pattern (depth, nocase, no end anchor) and whose Host value equals the
# given pattern exactly (depth plus isdataat:!1,relative). Short URI patterns
# such as "/cm" or "/pixel" are prefixes; the exact Host match is what keeps
# the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.230.38.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273479; rev:1;)
# --- domain indicator ---
# dns_query with depth:32 plus isdataat:!1,relative is an exact,
# case-insensitive match on the full query name; neither subdomains nor the
# parent domain match. azureedge.net is a shared Azure CDN suffix, so any
# blocklist entry derived from this rule should stay at the full hostname.
# Queries resolved over encrypted DNS are not visible to a dns rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rw1-api-update.afd.azureedge.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"rw1-api-update.afd.azureedge.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273477; rev:1;)
# --- ip:port indicators ---
# No flow: or content keyword: these appear to match any TCP packet from
# $HOME_NET to the listed address and port, so a hit is a connection attempt.
# threshold limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [111.230.38.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273476; rev:1;)
alert tcp $HOME_NET any -> [110.40.180.6] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"nimappche.buzz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273474; rev:1;)
# sid:91273473 (URL) and sid:91273471 (ip:port 80, further down) name the same
# address; one HTTP request to it on port 80 can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.43.29.8"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273472; rev:1;)
alert tcp $HOME_NET any -> [101.43.29.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273471; rev:1;)
# The URI patterns in the next rules are common-looking static-asset names
# ("/jquery-3.3.1.min.js", "/pixel"); on their own they would match a great
# deal of benign traffic, so the exact Host match must be kept if a rule is
# ever adapted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.54.33.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.35.248.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273468; rev:1;)
alert tcp $HOME_NET any -> [8.217.222.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273469; rev:1;)
# Domain rule and URL rule for the same hostname: the dns rule fires on the
# lookup, the http rule on a later cleartext GET to that host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"time.api.chinabm.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr"; depth:17; nocase; http.host; content:"time.api.chinabm.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273466; rev:1;)
# NOTE(review): the next Host value looks like a tenant hostname under a shared
# provider suffix; as with the CDN hostname above, keep any derived block at
# the full hostname - confirm against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-f9dx5hom-1305082597.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"hell.hydracenter.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"150.158.43.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273463; rev:1;)
# The remaining rules come in ip:port / URL pairs for the same address
# (64.7.199.165, 101.35.248.106, 91.224.92.27). Note that the ip:port rule for
# 64.7.199.165 is on 443 while its URL rule only sees cleartext HTTP.
alert tcp $HOME_NET any -> [64.7.199.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"64.7.199.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273461; rev:1;)
alert tcp $HOME_NET any -> [101.35.248.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"91.224.92.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273458; rev:1;)
alert tcp $HOME_NET any -> [91.224.92.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273457/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273457; rev:1;)
# Triage note for this section: every rule uses classtype:trojan-activity
# whatever its confidence (50, 75 or 100 below). The confidence value is carried
# only in msg and in metadata confidence_level, so alert routing that should
# treat low-confidence indicators differently has to key on the metadata.
#
# ip:port rules have no flow: or content keyword and appear to match any TCP
# packet from $HOME_NET to the listed address and port (a connection attempt);
# threshold limits each to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [139.159.203.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273456; rev:1;)
# URL rules: cleartext HTTP GET only; URI is a case-insensitive prefix match
# (depth, nocase, no end anchor); Host is an exact match (depth plus
# isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"101.35.245.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273453; rev:1;)
alert tcp $HOME_NET any -> [81.69.37.111] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273452; rev:1;)
alert tcp $HOME_NET any -> [43.139.168.97] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.14.96.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273450; rev:1;)
alert tcp $HOME_NET any -> [1.14.96.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273449; rev:1;)
# "payload delivery" rules: a hit is a request for the named file, seen on the
# request side only; whether content was returned must be checked in HTTP or
# file logs. The first one is confidence 50, the second confidence 100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.248.45.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"annitaswaerts.nl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273447; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name (depth plus
# isdataat:!1,relative); subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"nanoshield.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.84.93.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273445; rev:1;)
alert tcp $HOME_NET any -> [85.209.133.18] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273444; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.219] 2323 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273442; rev:1;)
# Mirai entries at confidence 75; two of them are on port 23. Because the rule
# scope is $HOME_NET -> listed address, the source of a hit is an internal host
# and is the one to inspect.
alert tcp $HOME_NET any -> [142.93.102.168] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273441; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.3] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273439; rev:1;)
alert tcp $HOME_NET any -> [173.249.34.252] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273440; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 59712 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"andreaslennartsson.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273432; rev:1;)
# sid:91273437 (ip:port 80) and sid:91273436 (URL) name the same address; one
# HTTP request to it on port 80 can raise both alerts.
alert tcp $HOME_NET any -> [124.70.99.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/en-us/lang.js"; depth:26; nocase; http.host; content:"124.70.99.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273436; rev:1;)
alert tcp $HOME_NET any -> [8.217.222.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.api.qianxin.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273434; rev:1;)
# "/owa/" is a five-byte URI prefix that also begins ordinary webmail paths;
# only the exact Host match ties this rule to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"update.api.qianxin.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273433; rev:1;)
alert tcp $HOME_NET any -> [185.243.240.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273431/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273431; rev:1;)
# URL rule: cleartext HTTP GET only. "/cx" is a three-byte, case-insensitive
# URI prefix (depth:3, nocase, no end anchor); the exact Host match (depth plus
# isdataat:!1,relative) is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.243.240.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273430; rev:1;)
# --- ip:port indicators, mostly confidence 50 ---
# These rules have no flow: or content keyword and appear to match any TCP
# packet from $HOME_NET to the listed address and port, so a hit records a
# connection attempt only. Several sit on widely used ports (22, 80, 443, 995),
# where an address that has changed hands will produce alerts for ordinary
# traffic. Treat a confidence-50 hit as a lead: check the reference URL for the
# current IOC state and look for corroborating host or proxy evidence.
# threshold limits each rule to one alert per source address per 60 seconds,
# so the alert count does not reflect the number of connections.
# The confidence value appears only in msg and metadata confidence_level;
# classtype is trojan-activity throughout.
alert tcp $HOME_NET any -> [79.110.49.106] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273429; rev:1;)
alert tcp $HOME_NET any -> [193.164.4.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273428; rev:1;)
alert tcp $HOME_NET any -> [77.105.147.23] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273427; rev:1;)
alert tcp $HOME_NET any -> [43.159.58.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273426; rev:1;)
alert tcp $HOME_NET any -> [49.234.187.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273425; rev:1;)
alert tcp $HOME_NET any -> [111.229.19.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273424; rev:1;)
# One address listed on three ports (9000, 6000, 8000): three separate sids, so
# a host contacting several of them produces one alert per rule.
alert tcp $HOME_NET any -> [46.246.6.23] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273422; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.23] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273423; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.23] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273421; rev:1;)
alert tcp $HOME_NET any -> [79.107.155.247] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273420; rev:1;)
alert tcp $HOME_NET any -> [2.50.34.153] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273419; rev:1;)
alert tcp $HOME_NET any -> [41.99.47.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273418; rev:1;)
alert tcp $HOME_NET any -> [185.208.158.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273417; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.120] 2427 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273416; rev:1;)
alert tcp $HOME_NET any -> [23.227.203.30] 443 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273415; rev:1;)
alert tcp $HOME_NET any -> [146.70.41.146] 443 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273414; rev:1;)
# --- domain indicators ---
# dns_query with depth plus isdataat:!1,relative is an exact, case-insensitive
# match on the full query name; subdomains of the listed name do not match, and
# queries resolved over encrypted DNS are not visible to a dns rule.
# NOTE(review): dns_query looks like the older spelling of the dns.query buffer,
# while the http rules use the dotted form (http.uri, http.host); confirm the
# deployed Suricata version accepts both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"airwide-land.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"summerwaterhall.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273413; rev:1;)
# --- URL indicators ---
# Cleartext HTTP GET only; URI is a case-insensitive prefix match, Host is an
# exact match.
# sid:91273411 and sid:91273409 have identical match conditions (same URI
# pattern, same Host); they differ only in IOC id and confidence (100 vs 75).
# One matching request raises two alerts for the same event, so deduplicate on
# flow or on URI plus Host when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calcroom.php"; depth:13; nocase; http.host; content:"airwide-land.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calcroom.php"; depth:13; nocase; http.host; content:"airwide-land.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calcroom.php"; depth:13; nocase; http.host; content:"summerwaterhall.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273410; rev:1;)
# --- ip:port indicators ---
# No flow: or content keyword: these appear to match any TCP packet from
# $HOME_NET to the listed address and port, so a hit is a connection attempt.
# threshold limits each rule to one alert per source address per 60 seconds.
# target:src_ip marks the $HOME_NET side as the affected host.
alert tcp $HOME_NET any -> [185.29.9.103] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273408; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.152] 35789 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273406; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.72] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fashionstune.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273404; rev:1;)
# Two addresses below are listed under both the Mirai and Bashlite tags on
# different ports (185.196.9.79 on 1337 and 6667; 91.92.252.211 on 777 and
# 444). Each port is its own sid, so the family shown in an alert depends on
# which port the host contacted.
alert tcp $HOME_NET any -> [185.196.9.79] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273394; rev:1;)
alert tcp $HOME_NET any -> [107.189.14.17] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273395; rev:1;)
alert tcp $HOME_NET any -> [160.179.60.231] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273392; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.211] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273393; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.79] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273378; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.101] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273379; rev:1;)
alert tcp $HOME_NET any -> [185.150.26.232] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273380; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.211] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273381; rev:1;)
# Same URI pattern on two hosts, both at confidence 80. The pattern ends in
# "/" and has no end anchor, so any path beneath that directory matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekensenserr.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_21; classtype:trojan-activity; sid:91273382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekenmarabatayfa.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_21; classtype:trojan-activity; sid:91273383; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk"; depth:17; nocase; http.host; content:"kemerdekaradar.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_21; classtype:trojan-activity; sid:91273384; rev:1;) alert tcp $HOME_NET any -> [141.11.92.115] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273396; rev:1;) alert tcp $HOME_NET any -> [194.59.30.223] 888 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"allegro.autoszczepaniak.pl"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273400; rev:1;) alert tcp $HOME_NET any -> [109.248.151.181] 1996 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273402; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.216.24.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273401; rev:1;) alert tcp $HOME_NET any -> [101.43.111.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.53.223"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273390; rev:1;) alert tcp $HOME_NET any -> [23.26.232.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; depth:25; nocase; http.host; content:"23.26.232.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273388/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_20; classtype:trojan-activity; sid:91273388; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273387; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273386; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273385; rev:1;) alert tcp $HOME_NET any -> [34.27.202.94] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273377; rev:1;) alert tcp $HOME_NET any -> [172.247.168.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273376; rev:1;) alert tcp $HOME_NET any -> [116.62.167.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273375; rev:1;) alert tcp $HOME_NET any -> [2.50.34.255] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273374; rev:1;) alert tcp $HOME_NET any -> [5.163.165.105] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273373; rev:1;) alert tcp $HOME_NET any -> [37.14.238.189] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273372; rev:1;) alert tcp $HOME_NET any -> [172.105.76.71] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273371; rev:1;) alert tcp $HOME_NET any -> [81.70.190.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273370; rev:1;) alert tcp $HOME_NET any -> [35.95.145.156] 8443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273369; rev:1;) alert tcp $HOME_NET any -> [167.172.53.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273368; rev:1;) alert tcp $HOME_NET any -> [158.178.195.77] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273367; rev:1;) alert tcp $HOME_NET any -> [154.198.247.73] 8099 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273366/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273366; rev:1;) alert tcp $HOME_NET any -> [176.32.38.160] 42021 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273365; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273352/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_05_20; classtype:trojan-activity; sid:91273352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"costumes-urbains.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273343; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273350; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273351; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273353; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273354; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 14088 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273355; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port
# alerts, limited to one alert per source per 60 seconds. No payload is inspected.
alert tcp $HOME_NET any -> [18.158.249.75] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273356; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273357; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273358/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273358; rev:1;)
# domain rule: the DNS query name must equal "0.tpc.eu.ngrok.io" exactly, case
# ignored (depth:17 plus isdataat:!1,relative).
# NOTE(review): this name looks like a shared endpoint of a tunnelling service, not
# a host dedicated to one operator; verify. If so, unrelated use of the service
# resolves the same name and will raise this alert. Treat a hit as a lead to
# correlate with the ip:port rules above and with endpoint telemetry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"0.tpc.eu.ngrok.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.178.105.142"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1273364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.115.38.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273363; rev:1;) alert tcp $HOME_NET any -> [111.231.21.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273361; rev:1;) alert tcp $HOME_NET any -> [89.105.223.78] 41672 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273360; rev:1;) alert tcp $HOME_NET any -> [194.55.186.11] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1273349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273349; rev:1;) alert tcp $HOME_NET any -> [194.55.186.11] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273348; rev:1;) alert tcp $HOME_NET any -> [62.133.61.244] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273347; rev:1;) alert tcp $HOME_NET any -> [62.133.61.244] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273346; rev:1;) alert tcp $HOME_NET any -> [194.55.186.12] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273345; rev:1;) alert tcp $HOME_NET any -> [194.55.186.12] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273344; rev:1;) alert tcp $HOME_NET any -> [46.183.223.69] 13452 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273342; rev:1;) alert tcp $HOME_NET any -> [5.61.33.19] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273341; rev:1;) alert tcp $HOME_NET any -> [18.209.224.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273340; rev:1;) alert tcp $HOME_NET any -> [5.42.96.64] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273339; rev:1;) alert tcp $HOME_NET any -> [152.89.217.229] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273338; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273337; 
rev:1;) alert tcp $HOME_NET any -> [141.98.7.146] 30120 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cocktailhacker.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"col21-champollion.ac-dijon.fr"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-dq87eeqy-1259321672.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-dq87eeqy-1259321672.gz.tencentapigw.com.cn"; depth:50; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273336; rev:1;)
# NOTE(review): the Host values in the next two rules (192.168.52.131 and
# 192.168.150.148) are RFC 1918 private addresses. Where HOME_NET contains
# 192.168.0.0/16 and EXTERNAL_NET is its complement, a request to such a host is
# not "-> $EXTERNAL_NET" and the rule cannot match. Where it can match, the
# address points at whichever local machine holds it, not at the reported server.
# These look like lab or sandbox values carried into the feed; consider disabling
# sid 91273127 and sid 91273126 locally after checking the referenced entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"192.168.52.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273127/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"192.168.150.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273126; rev:1;)
# payload-delivery url rules: exact Host match, URI prefix match (depth on
# http.uri with no end anchor, so query strings and longer paths still match),
# method buffer containing "GET".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"gamestockxchange.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"gamestockxchange.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273120/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_20; classtype:trojan-activity; sid:91273120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"gamestockxchange.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"zp3mvmzab.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lancer/get.php"; depth:15; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/utradvices.scr"; depth:15; nocase; http.host; content:"advising-receipts.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bank/payment_advice.scr"; depth:24; nocase; http.host; content:"advising-receipts.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.236.31.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.178.45.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2clzbmsjml"; depth:12; nocase; http.host; content:"klgbb.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klgbb.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1273116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273116; rev:1;)
# NOTE(review): sid 91273114 and sid 91273113 have identical match conditions
# (same method, URI prefix "/d2clzbmsjml" and Host "210.56.49.167"); only the
# reference id and the sid differ. One matching request raises two alerts.
# Deduplicate downstream or suppress one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2clzbmsjml"; depth:12; nocase; http.host; content:"210.56.49.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2clzbmsjml"; depth:12; nocase; http.host; content:"210.56.49.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273113; rev:1;)
# The next two rules cover the same address, 194.59.30.143. The tcp rule alerts on
# any packet to port 443. The http rule needs a parsed HTTP request with that Host
# and a URI beginning "/load".
# NOTE(review): if the port-443 traffic is TLS, the http rule only matches where
# the sensor sees decrypted HTTP; otherwise the ip:port rule is the one that fires.
alert tcp $HOME_NET any -> [194.59.30.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"194.59.30.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273111; rev:1;)
alert tcp $HOME_NET any -> [194.87.252.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"194.87.252.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.196.82.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273108; rev:1;) alert tcp $HOME_NET any -> [45.61.136.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fashion/v3.62/9cpwzfxyo"; depth:24; nocase; http.host; content:"anphealthcenter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273105; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anphealthcenter.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273106; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"bqrg123.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bqrg123.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; 
sid:91273101; rev:1;)
# URL rules with short, generic paths ("/activity", "/push"): the URI content is only a prefix
# match, so the exact Host match is what keeps these rules specific to the listed server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.136.64.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"172.84.93.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273099; rev:1;)
# ip:port rules on 80 and 443: header-only match, so every TCP connection from $HOME_NET to the
# address on that port alerts, whatever the request is. Alerts are rate-limited to one per source
# per 60 seconds.
# NOTE(review): the feed's own confidence is carried in metadata (confidence_level 75 on the first
# rule below) but classtype is the same for every rule. Use the metadata value for triage priority
# rather than treating all sids alike.
alert tcp $HOME_NET any -> [51.38.187.10] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273093; rev:1;)
alert tcp $HOME_NET any -> [158.160.167.238] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273097; rev:1;)
# "payload delivery" rule at confidence level 50%: it fires on the outbound GET. The rule does not
# inspect the response, so an alert shows a download attempt, not that a payload was received.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.253.12.185"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273098/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/modify"; depth:17; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manxzas12.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273095; rev:1;) alert tcp $HOME_NET any -> [46.246.6.12] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pyramidzx.scr"; depth:14; nocase; http.host; content:"covid19help.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tolinuxflower.php"; depth:18; nocase; http.host; 
content:"759931cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273091; rev:1;) alert tcp $HOME_NET any -> [199.223.235.67] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273088; rev:1;) alert tcp $HOME_NET any -> [106.53.181.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shipboot.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273078; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 482 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273085/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomcoyne.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273086; rev:1;) alert tcp $HOME_NET any -> [41.249.104.99] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.223.28.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"192.227.232.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"59.110.172.50"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.223.28.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unwood/admin/1/ppptp.jpg"; depth:25; nocase; http.host; content:"185.229.237.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"choi.helava.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; 
classtype:trojan-activity; sid:91273073; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273075; rev:1;) alert tcp $HOME_NET any -> [154.44.10.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273072; rev:1;) alert tcp $HOME_NET any -> [46.246.12.3] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273071; rev:1;) alert tcp $HOME_NET any -> [63.135.69.92] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273070; rev:1;) alert tcp $HOME_NET any -> [159.203.143.205] 80 (msg:"ThreatFox Havoc botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273069; rev:1;) alert tcp $HOME_NET any -> [159.203.143.205] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273068; rev:1;) alert tcp $HOME_NET any -> [94.156.69.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273067; rev:1;) alert tcp $HOME_NET any -> [158.160.169.85] 80 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stayherefata4l.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masduh38sjdai.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273063/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_20; classtype:trojan-activity; sid:91273063; rev:1;)
# Domain rules: dns_query content with depth equal to its length plus isdataat:!1,relative is an
# exact, case-insensitive match on the whole query name. A lookup for a subdomain of the listed
# name does not match. The rule fires on the query, so it alerts even when resolution fails.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omfghellobrosjda38.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273064; rev:1;)
# ip:port rules on non-web ports (2404, 2506): header-only match, rate-limited to one alert per
# source per 60 seconds.
alert tcp $HOME_NET any -> [64.188.27.90] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273062; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 2506 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273046; rev:1;)
# Hosts under duckdns.org: each rule names one full hostname, so other names under the same
# parent domain are unaffected.
# NOTE(review): the source is $HOME_NET, so where clients use an internal resolver the alerting
# host is presumably that resolver rather than the infected client. Confirm sensor placement, or
# correlate with resolver query logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nikt0x.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wae54.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"wave54.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273049; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 83 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273050; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273051; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273052; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 15748 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"chivas.taegermoos.com"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1273057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273057; rev:1;)
# URL rule with a 186-byte path: depth:186 equals the content length, so the whole path must
# appear at the start of the URI, matched case-insensitively. There is no end anchor on the URI,
# so a trailing query string still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6wpimage/cdn/apiasync/generatordb/process/line37/flowerproton/eternalsqlmultipublic/uploads/gameapiasync/updategamepacket/jsproton3/jsgamesecure/centraltest/to/javascripthttpgamesql.php"; depth:186; nocase; http.host; content:"146.0.73.222"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273061; rev:1;)
# Two rules for the same host (45.61.137.215) that differ only in the URI prefix under /index.php/.
# NOTE(review): every URL rule in this feed requires method GET, so a request with any other
# method to the same host and path is not matched by these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/index"; depth:16; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/6790"; depth:15; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273059; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.149] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273056/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_20; classtype:trojan-activity; sid:91273056; rev:1;) alert tcp $HOME_NET any -> [77.221.156.5] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273055; rev:1;) alert tcp $HOME_NET any -> [185.73.125.157] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"stayherefata4l.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"omfghellobrosjda38.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"masduh38sjdai.org"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"150.158.141.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.223.28.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; 
classtype:trojan-activity; sid:91273039; rev:1;) alert tcp $HOME_NET any -> [35.225.180.133] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273038; rev:1;) alert tcp $HOME_NET any -> [38.207.123.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273037; rev:1;) alert tcp $HOME_NET any -> [38.207.123.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273036; rev:1;) alert tcp $HOME_NET any -> [172.247.168.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273035; rev:1;) alert tcp $HOME_NET any -> [38.207.123.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273034; rev:1;) alert tcp $HOME_NET any -> [107.151.234.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273033; rev:1;)
# Run of ip:port rules for addresses in 38.207.123.0/24 on port 8888, all labelled
# "Unknown malware" at confidence level 50% with first_seen 2024_05_19. Each address has its own
# sid and ThreatFox reference, and the match is header-only with a per-source 60-second alert limit.
# NOTE(review): with no family name and the feed's lowest confidence value shown here, treat a hit
# as a lead to correlate with host or proxy telemetry, not as a confirmed infection.
# NOTE(review): because the limit is tracked per sid and per source, one host contacting several
# of these addresses produces one alert for each sid.
alert tcp $HOME_NET any -> [38.207.123.2] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273032; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.25] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273031; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273030; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273029; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273028; rev:1;)
alert 
tcp $HOME_NET any -> [38.207.123.61] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273027; rev:1;) alert tcp $HOME_NET any -> [38.207.123.7] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273026; rev:1;) alert tcp $HOME_NET any -> [38.207.123.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273025; rev:1;) alert tcp $HOME_NET any -> [38.207.123.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273024; rev:1;) alert tcp $HOME_NET any -> [39.100.95.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273023; rev:1;) alert tcp $HOME_NET any -> [2.50.44.84] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273022; rev:1;) alert tcp $HOME_NET any -> [3.74.121.88] 23175 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273021; rev:1;) alert tcp $HOME_NET any -> [45.56.165.131] 6781 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273020; rev:1;) alert tcp $HOME_NET any -> [168.100.8.115] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bfd31da.php"; depth:13; nocase; http.host; content:"cx53027.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272823; rev:1;) alert tcp $HOME_NET any -> [194.55.186.13] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; 
sid:91272822; rev:1;) alert tcp $HOME_NET any -> [194.55.186.13] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272821; rev:1;) alert tcp $HOME_NET any -> [105.154.100.36] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272820; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272819; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272818; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272817; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272816; rev:1;) alert tcp $HOME_NET any -> [77.221.151.45] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272805; rev:1;) alert tcp $HOME_NET any -> [5.42.96.124] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272814; rev:1;) alert tcp $HOME_NET any -> [5.42.96.184] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"centralzvornik.ba"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"centre-culturel-laricamarie.fr"; depth:30; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1272815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272815; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eas.cqiv.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"eas.cqiv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272810; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272808; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272807; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processlinuxtest.php"; depth:21; nocase; http.host; content:"579050cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/manual.php"; depth:11; nocase; http.host; content:"blog.yorozumanrakudo.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.55.74.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"121.36.23.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"103.143.81.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.94.249.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272797/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272797; rev:1;)
# Reading notes for the rules below (one rule per line; the fragment above closes
# a rule that starts earlier in the file, and the last line of this section opens
# one that continues after it).
#
# ip:port rules ("alert tcp $HOME_NET any -> [ADDR] PORT"): no flow, flags or
# payload keyword, so the match is on destination address and port alone. An alert
# shows that a host sent TCP traffic toward the endpoint, not that a session or a
# C2 exchange completed; confirm with flow or proxy records. The threshold caps
# output at one alert per source address per 60 seconds.
#
# url rules ("alert http ..."): these only see cleartext HTTP. http.uri uses depth
# equal to the pattern length with no end anchor, so it is a case-insensitive
# prefix match ("/ca", "/cm", "/cx" are three-byte prefixes); the selectivity comes
# from http.host, where depth plus isdataat:!1,relative requires the whole buffer
# to equal the listed host. These rules carry no threshold, so every matching
# request alerts.
#
# dns rules: depth plus isdataat:!1,relative on dns_query matches the exact query
# name only; subdomains of the listed name do not match.
#
# target:src_ip marks the internal client as the affected side in alert output.
# Every rule here has first_seen 2024_05_19; address-based indicators age quickly,
# so check the referenced ThreatFox entry before treating a hit as current.
#
# NOTE(review): sid 91272796 has the same match conditions as sid 91272786 and
# sid 91272776 below (only the ThreatFox IOC id differs); one request to that
# host produces three alerts. Deduplicate on host + URI when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272796; rev:1;)
alert tcp $HOME_NET any -> [114.115.203.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa"; depth:4; nocase; http.host; content:"114.115.203.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272794; rev:1;)
alert tcp $HOME_NET any -> [117.50.178.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"117.50.178.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.76.42.3"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272791; rev:1;)
alert tcp $HOME_NET any -> [111.229.103.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.229.103.152"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272789; rev:1;)
alert tcp $HOME_NET any -> [123.58.198.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.58.198.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272787; rev:1;)
# Same match conditions as sid 91272796 above and sid 91272776 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"39.100.85.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272785; rev:1;)
alert tcp $HOME_NET any -> [118.178.105.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"118.178.105.142"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272783; rev:1;)
alert tcp $HOME_NET any -> [47.94.249.38] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272782; rev:1;)
# NOTE(review): the Host value in sid 91272781 is an RFC 1918 private address.
# With the $HOME_NET -> $EXTERNAL_NET direction it can only match a request that
# leaves the monitored network while carrying that private address as its Host
# header (for example through a proxy), or, where 192.168.0.0/16 is not part of
# HOME_NET, traffic to an unrelated device that happens to use the address.
# Presumably a lab or sandbox artefact in the feed despite confidence_level 100;
# confirm against the ThreatFox entry and consider disabling this sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"192.168.12.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272781; rev:1;)
alert tcp $HOME_NET any -> [4.248.13.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272780; rev:1;)
# NOTE(review): sids 91272779 and 91272778 name an endpoint under azureedge.net,
# a shared CDN suffix. Both rules match this exact name only, so other names under
# the suffix are unaffected. A CDN endpoint name can be released and reused, so
# verify the indicator is still live before blocking on it, and prefer blocking
# the full hostname rather than the suffix or the resolved addresses.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dp-prod-dist.azureedge.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.js"; depth:7; nocase; http.host; content:"dp-prod-dist.azureedge.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272778; rev:1;)
# sid 91272777 has the same match conditions as sid 91272769 further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"207.154.242.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272777; rev:1;)
# Same match conditions as sid 91272796 and sid 91272786 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"175.178.45.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.104.49.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272774; rev:1;)
alert tcp $HOME_NET any -> [8.222.156.244] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272773; rev:1;)
# sid 91272771 has the same match conditions as sid 91272812 earlier in the file;
# sid 91272772 is the DNS counterpart for the same host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ww2.jji.cz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272772; rev:1;)
alert tcp $HOME_NET any -> [207.154.242.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272770; rev:1;)
# Same match conditions as sid 91272777 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"207.154.242.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmp/index.php"; depth:14; nocase; http.host; content:"h-c-v.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272768; rev:1;) alert tcp $HOME_NET any -> [31.44.6.123] 80 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272767/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h-c-v.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.nishitama-auto.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272765; rev:1;) alert tcp $HOME_NET any -> [38.207.123.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272764; rev:1;) alert tcp $HOME_NET any -> [38.207.123.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1272763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272763; rev:1;) alert tcp $HOME_NET any -> [38.207.123.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272762; rev:1;) alert tcp $HOME_NET any -> [38.207.123.222] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272761; rev:1;) alert tcp $HOME_NET any -> [38.207.123.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272760; rev:1;) alert tcp $HOME_NET any -> [38.207.123.74] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272759; rev:1;) alert tcp $HOME_NET any -> [38.207.123.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272758; rev:1;) alert tcp $HOME_NET any -> 
[38.207.123.244] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272757; rev:1;) alert tcp $HOME_NET any -> [38.207.123.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272756; rev:1;) alert tcp $HOME_NET any -> [38.207.123.216] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272755; rev:1;) alert tcp $HOME_NET any -> [38.207.123.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272754; rev:1;) alert tcp $HOME_NET any -> [38.207.123.146] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272753; rev:1;) alert tcp $HOME_NET any -> [38.207.123.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272752; rev:1;)
# ThreatFox ip:port IoC rules. Every rule below targets TCP port 8888 on an address in
# 38.207.123.x, is labelled "Unknown malware", and carries confidence_level 50 and
# first_seen 2024_05_19.
#
# What a rule matches: a TCP packet from $HOME_NET to the listed address and port. There is
# no flow, content or app-layer keyword, so an alert shows only that an internal host sent
# traffic to the endpoint; it does not show that a C2 session was established.
# threshold (type limit, track by_src, count 1, seconds 60) caps each rule at one alert per
# source address per 60 seconds. It limits alert volume, not what is matched.
# target:src_ip marks the $HOME_NET side as the target (the suspected victim) in the alert.
# The sid is the ThreatFox IoC id from the reference URL with a leading 9, so an alert can
# be traced back to its IoC page directly.
#
# NOTE(review): with address-only matching at 50% confidence, treat a hit as a lead to
# corroborate against DNS, proxy and endpoint telemetry before acting on the host. The rule
# records only a first_seen date, so confirm the IoC is still current; addresses get
# reassigned.
alert tcp $HOME_NET any -> [38.207.123.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272751; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.8] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272750; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272749; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.10] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272748; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.242] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272747; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272746; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272745; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272744; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.149] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272743; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272742; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.183] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272741; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272740; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272739; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.90] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272738; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272737; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272736; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272735; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.93] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272734; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272733; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.80] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272732/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272732; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272731; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272730; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.27] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272729; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272728/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272728; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272727/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272727; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272726; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272725; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272724; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272723; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272722; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.63] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272721; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272720; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272719; 
rev:1;)
# ThreatFox ip:port IoC rules for TCP port 8888, all labelled "Unknown malware" with
# confidence_level 50 and first_seen 2024_05_19. All but one destination is in 38.207.123.x.
# Each rule matches on destination address and port only, with no payload or flow
# condition. An alert therefore means "an internal host sent TCP traffic to this endpoint"
# and nothing more specific. The threshold keeps that to one alert per source per 60 s.
# NOTE(review): these are medium-confidence, address-only indicators. Corroborate a hit
# with other telemetry before escalating.
alert tcp $HOME_NET any -> [38.207.123.3] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272718; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.103] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272717; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272716; rev:1;)
# The one destination in this group outside 38.207.123.x. Port, label and confidence are
# the same as the neighbouring rules.
alert tcp $HOME_NET any -> [39.100.111.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272715; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272714; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.215] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272713; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272712; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272711; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272710; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272709; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272708; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272707; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.197] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272706; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272705; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272704; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272703; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272702; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272701; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272700; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.91] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272699; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.66] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272698; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272697; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272696; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272695; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272694; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272693; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272692; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.139] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272691; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272690; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272689; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272688; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272687; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.92] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272686; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272685; rev:1;)
# More ThreatFox ip:port IoC rules for TCP port 8888 ("Unknown malware", confidence_level
# 50, first_seen 2024_05_19). All but one destination is in 38.207.123.x.
# The rules are address-and-port matches with a per-source rate limit (one alert per 60 s)
# and no protocol or payload inspection. target:src_ip tags the $HOME_NET host as the
# suspected victim in the alert record.
# NOTE(review): because nothing but the endpoint is checked, an alert cannot distinguish
# C2 traffic from any other connection to the same address. Confirm with host or proxy
# evidence.
alert tcp $HOME_NET any -> [38.207.123.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272684; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272683; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272682; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.240] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272681; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272680; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272679; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272678; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272677; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272676; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272675; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.35] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272674; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272673; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272672; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.253] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272671; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272670; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.95] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272669; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.171] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272668; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272667; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272666; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.203] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272665; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.160] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272664; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272663; rev:1;)
# The one destination in this group outside 38.207.123.x. Its IoC id (1272661) is listed
# ahead of 1272662, so the ids here are not strictly descending.
alert tcp $HOME_NET any -> [60.251.145.96] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272661; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272662; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272660; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272659; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272658; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272657/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272657; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272656; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272655; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272654; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272653; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272652; rev:1;) alert tcp $HOME_NET any -> [38.207.123.143] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272651; rev:1;) alert tcp $HOME_NET any -> [38.207.123.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272650; rev:1;) alert tcp $HOME_NET any -> [38.207.123.23] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272649; rev:1;) alert tcp $HOME_NET any -> [38.207.123.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272648; rev:1;) alert tcp $HOME_NET any -> [38.207.123.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272647; rev:1;) alert tcp $HOME_NET any -> [46.246.82.10] 8000 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272646; rev:1;)
# The port-443 rules below match on destination address and port only. No TLS field (SNI,
# certificate) is inspected, so the family name in msg is the feed's label for the indicator,
# not something the rule verifies in the traffic.
alert tcp $HOME_NET any -> [46.246.82.10] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272645; rev:1;)
alert tcp $HOME_NET any -> [176.44.119.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272644; rev:1;)
alert tcp $HOME_NET any -> [1.161.101.90] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272643; rev:1;)
alert tcp $HOME_NET any -> [34.30.75.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272642; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19;
classtype:trojan-activity; sid:91272641; rev:1;)
# target:src_ip marks the $HOME_NET source of the connection as the affected endpoint in the
# alert record, so triage starts from the internal host rather than the remote address.
# All rules here use classtype trojan-activity regardless of the family named in msg.
alert tcp $HOME_NET any -> [135.181.67.161] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272640; rev:1;)
alert tcp $HOME_NET any -> [223.109.3.172] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272639; rev:1;)
alert tcp $HOME_NET any -> [117.135.194.92] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272638; rev:1;)
alert tcp $HOME_NET any -> [152.42.162.105] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272637; rev:1;)
alert tcp $HOME_NET any -> [152.89.92.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272636; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.229] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1272635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272635; rev:1;)
# One address (185.130.46.229) is listed once per port, each with its own sid. The threshold
# is part of each rule, so a single internal host that touches several of these ports can
# raise one alert per sid inside the same 60 s window; group by destination address in triage.
alert tcp $HOME_NET any -> [185.130.46.229] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272634; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.229] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272633; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.229] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272631; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272632; rev:1;)
alert tcp $HOME_NET any -> [95.164.18.23] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain
- confidence level: 100%)"; dns_query; content:"botnet.manhquyen.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272628; rev:1;)
# Domain rules: depth equals the length of the content string and isdataat:!1,relative requires
# that nothing follows it, so each dns_query rule matches one exact query name (case-insensitive).
# A subdomain needs its own rule, as with botnet.manhquyen.xyz and manhquyen.xyz here; any other
# subdomain of a listed name is not matched.
# These rules have no threshold keyword, unlike the ip:port rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manhquyen.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncprogramminghub.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272590; rev:1;)
# NOTE(review): if an address below belongs to a shared hosting, cloud or tunnelling provider,
# other tenants share it and only the port narrows the match; verify before blocking on
# address alone.
alert tcp $HOME_NET any -> [147.185.221.19] 56071 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272597/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272597; rev:1;)
alert tcp $HOME_NET any -> [3.17.7.232] 15743 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272599/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subjects-handbook.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1272598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272598; rev:1;)
alert tcp $HOME_NET any -> [3.13.191.225] 15743 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272600; rev:1;)
alert tcp $HOME_NET any -> [80.92.204.233] 7765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272601; rev:1;)
# URL rules match three things on an established client-to-server HTTP flow:
#   - method buffer contains "GET" (a POST to the same URL is not matched);
#   - URI begins with the listed path: depth anchors it at offset 0, nocase applies, and no
#     isdataat follows, so longer URIs with the same prefix also match;
#   - Host equals the listed name exactly (depth plus isdataat:!1,relative).
# They only fire where Suricata parses the traffic as HTTP, i.e. not inside undecrypted TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bigdawgimages.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272604; rev:1;)
alert tcp $HOME_NET any -> [185.215.151.236] 16678 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p/land.php"; depth:11; nocase; http.host; content:"zoomzle.com"; depth:11; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1272621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272621; rev:1;)
# zoomzle.com is covered twice: the dns rule below fires when the name is queried, while the
# url rule for the same host (sid 91272621) needs the HTTP request itself to be visible to the
# sensor. Where the request travels inside TLS, the DNS alert is the only one of the pair
# that can fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomzle.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272622; rev:1;)
# NOTE(review): the /wp-content/ path suggests a WordPress site; if this is a compromised
# legitimate site rather than attacker-owned hosting, the indicator may outlive the compromise.
# Re-check before keeping a long-term block on the host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/update.php"; depth:30; nocase; http.host; content:"www.netzwerkreklame.de"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272623; rev:1;)
# Here the http.host content is an IP literal, so the rule matches requests whose Host value is
# that address; a request reaching the same server under a domain name is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crush/v1.8/m5el9gvh8h3"; depth:23; nocase; http.host; content:"47.122.9.214"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272627; rev:1;)
alert tcp $HOME_NET any -> [172.111.216.4] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272626; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.28] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272625; rev:1;)
# The host in this url rule is matched exactly; another name under the same parent domain
# does not match it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/88c01d4f.php"; depth:13; nocase; http.host; content:"a0982137.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272624; rev:1;)
alert tcp $HOME_NET any -> [105.102.222.156] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272620/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272620; rev:1;)
# The port-80 ip:port rules fire on any TCP packet to the address, whatever Host header or URL
# is requested. NOTE(review): if the address serves several sites (virtual hosting), unrelated
# browsing matches as well; pair the alert with proxy or HTTP logs before concluding.
alert tcp $HOME_NET any -> [45.138.16.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272619/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272619; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272618/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272618; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.199] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272617/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19;
classtype:trojan-activity; sid:91272617; rev:1;)
# NOTE(review): Cobalt Strike is also used in authorised security testing; check a hit against
# any engagement in scope before escalating. The rule matches address and port only and does
# not inspect the protocol spoken on the connection.
alert tcp $HOME_NET any -> [156.242.40.201] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272616/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272616; rev:1;)
alert tcp $HOME_NET any -> [86.106.119.113] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272615/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272615; rev:1;)
alert tcp $HOME_NET any -> [146.185.209.82] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272614/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272614; rev:1;)
# The same address is listed on ports 22 and 80 under one family label.
# NOTE(review): the feed does not say which port carries the C2 channel; the port-22 entry may
# reflect a service observed on the host. Confirm against the ThreatFox entries in the
# reference URLs.
alert tcp $HOME_NET any -> [212.113.117.130] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272613/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272613; rev:1;)
alert tcp $HOME_NET any -> [212.113.117.130] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272612/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272612; rev:1;)
alert tcp $HOME_NET any -> [156.242.41.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1272611/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272611; rev:1;)
# The confidence figure appears twice: in msg for the analyst and in metadata as
# confidence_level. The metadata copy is the one to key on when routing or suppressing alerts
# by confidence (this group mixes 80 and 100).
alert tcp $HOME_NET any -> [119.23.56.222] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272610; rev:1;)
alert tcp $HOME_NET any -> [78.47.105.28] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272609; rev:1;)
alert tcp $HOME_NET any -> [78.47.105.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272608/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272608; rev:1;)
alert tcp $HOME_NET any -> [172.111.216.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0943999.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18;
classtype:trojan-activity; sid:91272606; rev:1;)
alert tcp $HOME_NET any -> [108.186.255.117] 51896 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272596/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272596; rev:1;)
alert tcp $HOME_NET any -> [91.210.107.136] 65535 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272595/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272595; rev:1;)
# In the two url rules below the URI test is a prefix match (depth anchors the content at the
# start of http.uri and nothing requires the URI to end there), and the paths are short or
# generic ("/push", a jQuery file name). What makes the rules specific is the exact match on
# http.host, which here is an IP literal: a request to the same server made under a domain
# name is not matched by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"45.142.36.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.196.9.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272593; rev:1;)
alert tcp $HOME_NET any -> [94.247.42.253] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272592/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18;
classtype:trojan-activity; sid:91272592; rev:1;)
# first_seen in metadata records when the indicator entered the feed (2024_05_18 here), which
# is about two months before the "Last updated" date in the file header.
# NOTE(review): address-based indicators can be reassigned or abandoned over that time;
# check the ThreatFox entry in the reference URL before acting on an old hit.
alert tcp $HOME_NET any -> [31.214.157.229] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272591/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272591; rev:1;)
alert tcp $HOME_NET any -> [105.102.84.188] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272589/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272589; rev:1;)
alert tcp $HOME_NET any -> [14.247.219.179] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272588; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272587; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.51] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272586; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272585; rev:1;)
# Each address in 38.207.123.0/24 has its own rule and sid; the rules differ only in address,
# IOC id and sid. For reporting, grouping alerts by destination subnet and port (8888) gives a
# clearer picture than counting sids one by one.
alert tcp $HOME_NET any -> [38.207.123.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272584; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.102] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272583; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272582; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272581; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272580; rev:1;)
alert tcp $HOME_NET
any -> [38.207.123.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272579; rev:1;)
# The threshold (one alert per source per 60 s) is set inside each rule, so it does not bound
# the total across this group: an internal host that contacts several of these addresses
# produces one alert for every address it touches.
alert tcp $HOME_NET any -> [38.207.123.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272578; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272577; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272576; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272575; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1272574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272574; rev:1;)
# confidence_level 50 with the label "Unknown malware": the rule asserts only that the
# destination address and port appear in the feed. It carries no payload or protocol condition
# that would tie a match to a specific malware behaviour.
alert tcp $HOME_NET any -> [38.207.123.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272573; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272572; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272571; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272570; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.202] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272569; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.150] 8888
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272568; rev:1;)
# Direction is one-way ($HOME_NET -> listed address): only outbound packets from the protected
# network match. Inbound connections from these addresses are not covered by these rules.
alert tcp $HOME_NET any -> [38.207.123.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272567; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272566; rev:1;)
alert tcp $HOME_NET any -> [38.207.123.194] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272565; rev:1;)
alert tcp $HOME_NET any -> [104.238.167.85] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272564; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.10] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272563/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272563; rev:1;)
# Mixed families, all at confidence_level 50 and all ip:port only. The family in msg comes from
# the feed entry; the rule body is identical across families apart from address, port and ids,
# so the alert by itself cannot distinguish one family's traffic from another's.
alert tcp $HOME_NET any -> [41.98.227.43] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272562; rev:1;)
alert tcp $HOME_NET any -> [206.206.123.220] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272561; rev:1;)
alert tcp $HOME_NET any -> [51.8.82.12] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272560; rev:1;)
alert tcp $HOME_NET any -> [110.43.133.2] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272559; rev:1;)
alert tcp $HOME_NET any -> [27.221.54.88] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272558; rev:1;)
alert tcp $HOME_NET any -> [95.164.18.23] 10101 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272557; rev:1;)
alert tcp $HOME_NET any -> [95.164.18.23] 21 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272556; rev:1;)
# msg labels this entry "payload delivery" rather than "botnet C2 traffic": a hit indicates
# contact with a host the feed associates with serving a payload, which is an earlier stage
# than C2 check-in. The rule still matches on address and port 443 only, with no inspection
# of what was transferred.
alert tcp $HOME_NET any -> [213.226.112.82] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272555; rev:1;)
alert tcp $HOME_NET any -> [192.3.55.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272554/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272554; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.90] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272549/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272549; rev:1;)
alert tcp $HOME_NET any -> [156.242.40.208] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272553/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272553; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.194] 4396
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272552/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272552; rev:1;) alert tcp $HOME_NET any -> [101.43.211.59] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272551/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272551; rev:1;) alert tcp $HOME_NET any -> [106.15.62.124] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272550/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272550; rev:1;) alert tcp $HOME_NET any -> [77.221.151.106] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272548; rev:1;) alert tcp $HOME_NET any -> [45.245.96.209] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/advdlc.php"; depth:11; nocase; http.host; content:"185.172.128.90"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/advdlc.php"; depth:11; nocase; http.host; content:"5.42.65.64"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272024; rev:1;) alert tcp $HOME_NET any -> [5.42.65.64] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"en.mg-trade.ir"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272049; rev:1;) alert tcp $HOME_NET any -> [85.239.62.80] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cpbrandindia.com"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cybergroundproject.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ransomproducts.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"d-mag.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"dantra.de"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"daylightdesignsinc.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272109; rev:1;)
# --- url indicators ---
# The URI content is anchored at the start of http.uri only (depth equals its length), so requests
# with extra path or query data still match; the Host must equal the listed string exactly
# (depth plus "isdataat:!1,relative"). Only GET requests from the client side of an established
# flow are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"dasouza.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"despedidadesolteroengandia.globalwords.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272130; rev:1;)
# --- ip:port indicators ---
# "alert tcp" rules carry no flow or content condition: any TCP packet from $HOME_NET to the listed
# address and port matches, limited to one alert per source host per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [103.162.20.57] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272128; rev:1;)
alert tcp $HOME_NET any -> [188.68.221.152] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272122; rev:1;)
# NOTE(review): 147.185.221.19 appears in this run with ports 54921, 54934 and 55286 next to several
# *.ply.gg names. One address reused across many ports looks like a shared relay or tunnelling
# service rather than a dedicated server - confirm before acting on the IP alone; the port is the
# specific part of the indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"19.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272319/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272319; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 54921 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272318/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allows-hindu.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272316; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 54934 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272315; rev:1;)
# The two nocodeform.io rules differ only in the /f/<id> path; the Host alone is not the indicator.
# NOTE(review): the host looks like a hosted form service, so other paths on it may be benign.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/664684db3a68e68a8dfe2d68"; depth:27; nocase; http.host; content:"nocodeform.io"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/663357252acab5ebd7dc4d25"; depth:27; nocase; http.host; content:"nocodeform.io"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272132; rev:1;)
alert tcp $HOME_NET any -> [152.228.175.121] 23581 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272320; rev:1;)
# chezfur.com is covered by three separate rules in this run (/cdn-vs/cache.php, /cdn-vs/original.js,
# /cdn-vs/2per.php); alerts from the same source on more than one of them are worth correlating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"chezfur.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"chezfur.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"b-betternow.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"chezfur.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"osiria-agency.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272398; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 55286 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272399; rev:1;)
# --- domain indicators ---
# dns_query rules match the exact query name (depth plus "isdataat:!1,relative"), case-insensitively.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"an-take.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oepz3iov3ycdiu7lnsrnpe9i2yxdl1ng6760527951839536392332869280909.one"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bakbordet.se"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272434; rev:1;)
alert tcp $HOME_NET any -> [184.105.237.196] 1122 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"betelpl.bdl.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272473; rev:1;)
alert tcp $HOME_NET any -> [144.202.40.66] 7771 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272474; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 26075 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272475; rev:1;)
# --- url indicators ---
# The URI strings in this run are short and generic (/cm, /cx, /j.ad, /updates.rss, jQuery file
# names); each rule is specific only because http.host must equal the listed value exactly
# (depth plus "isdataat:!1,relative"). The URI content is anchored at the start of http.uri only,
# so e.g. "/cm" also matches any longer path that begins with those three bytes on that host.
# sid:91272471 and sid:91272457 have identical match conditions (/ie9compatviewlist.xml on
# 119.91.231.57), so one request raises both; de-duplicate downstream when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.141.166.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"43.156.16.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272469; rev:1;)
# --- ip:port indicators ---
# "alert tcp" rules have no flow or content condition: any TCP packet from $HOME_NET to the listed
# address and port matches, capped at one alert per source host per 60 seconds. Where a url rule in
# this run names the same address as Host (e.g. 47.236.147.33, 43.156.16.199, 13.40.213.208), a
# single cleartext request on the listed port may raise both alerts.
alert tcp $HOME_NET any -> [121.36.23.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272468; rev:1;)
# The tencentapigw.com.cn name is matched in full (50 bytes, nothing after it) by both the url rule
# and the dns rule, so other subdomains of that parent domain are not flagged by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ifupx5k9-1253438913.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ifupx5k9-1253438913.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272467; rev:1;)
alert tcp $HOME_NET any -> [47.236.147.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.236.147.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"91.92.254.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"43.156.16.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272460; rev:1;)
alert tcp $HOME_NET any -> [43.156.16.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/digicertglobalrootg1.crl"; depth:25; nocase; http.host; content:"18.199.46.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272458; rev:1;)
# Same match conditions as sid:91272471 earlier in this run (duplicate indicator, different IOC id).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.242.203.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272456; rev:1;)
alert tcp $HOME_NET any -> [13.40.213.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-2.8.4.min.js"; depth:20; nocase; http.host; content:"13.40.213.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"119.3.216.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272451; rev:1;)
# The two 443 rules that follow match on address and port only; a url rule for the same host inspects
# HTTP, so presumably it does not see TLS traffic on 443 unless the sensor decrypts it - TODO confirm.
alert tcp $HOME_NET any -> [103.146.140.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272452; rev:1;)
alert tcp $HOME_NET any -> [106.53.76.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; 
depth:20; nocase; http.host; content:"106.53.76.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272449; rev:1;) alert tcp $HOME_NET any -> [119.91.231.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272446; rev:1;) alert tcp $HOME_NET any -> [51.89.158.68] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.92.75.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1272440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272436; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272435; rev:1;) alert tcp $HOME_NET any -> [81.70.163.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6y22lbhj-1318289497.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery/2.0.1/jquery.min.js"; depth:27; nocase; http.host; content:"service-6y22lbhj-1318289497.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272431; rev:1;) alert tcp $HOME_NET any -> [138.197.40.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272430/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_18; classtype:trojan-activity; sid:91272430; rev:1;)
# DNS/HTTP pair for one host (sids 91272429 and 91272428).
# The dns_query match is anchored at both ends: depth:20 equals the length of
# the name and isdataat:!1,relative requires that nothing follows it, so only
# this exact name alerts, not other names under the same parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iopqwe.azureedge.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272429; rev:1;)
# http.uri is anchored at the start only (depth:8, no isdataat), so any URI
# that begins with /web.asp matches, in any letter case (nocase). http.host is
# an exact match. Both buffers must match for the rule to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web.asp"; depth:8; nocase; http.host; content:"iopqwe.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272428; rev:1;)
# ip:port rule: no flow or payload keywords, so any TCP packet from $HOME_NET
# to this address and port alerts. The threshold keeps it to one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [111.223.247.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272427; rev:1;)
# HTTP/DNS pair for www.weather.pm (sids 91272425 and 91272426). The URI is a
# generic-looking library filename; the specificity comes from the exact
# http.host match that must accompany it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.weather.pm"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.weather.pm"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272426/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272426; rev:1;) alert tcp $HOME_NET any -> [147.78.103.101] 3783 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272424; rev:1;) alert tcp $HOME_NET any -> [82.146.33.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272423; rev:1;) alert tcp $HOME_NET any -> [182.160.6.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272422; rev:1;) alert tcp $HOME_NET any -> [39.104.18.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272421; rev:1;) alert tcp $HOME_NET any -> [103.234.72.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272420; rev:1;) alert tcp $HOME_NET any -> [46.246.4.24] 9000 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272419; rev:1;) alert tcp $HOME_NET any -> [174.82.220.81] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272418; rev:1;) alert tcp $HOME_NET any -> [43.198.137.245] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272417; rev:1;) alert tcp $HOME_NET any -> [37.114.42.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272416; rev:1;) alert tcp $HOME_NET any -> [18.118.127.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272415; rev:1;) alert tcp $HOME_NET any -> [37.228.138.163] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272414; rev:1;) 
alert tcp $HOME_NET any -> [125.39.177.105] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272413; rev:1;) alert tcp $HOME_NET any -> [3.130.124.10] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272412; rev:1;) alert tcp $HOME_NET any -> [161.35.207.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272411; rev:1;) alert tcp $HOME_NET any -> [128.199.59.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272410; rev:1;) alert tcp $HOME_NET any -> [156.242.45.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272409; rev:1;) alert tcp $HOME_NET any -> [156.242.41.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272408; rev:1;) alert tcp $HOME_NET any -> [1.14.206.72] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272407; rev:1;) alert tcp $HOME_NET any -> [124.223.220.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272406; rev:1;) alert tcp $HOME_NET any -> [147.78.103.134] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272404; rev:1;) alert tcp $HOME_NET any -> [38.55.26.37] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272403; rev:1;) alert tcp $HOME_NET any -> [156.242.46.195] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272402; rev:1;) alert tcp $HOME_NET any -> [156.242.43.213] 4396 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272401; rev:1;) alert tcp $HOME_NET any -> [171.38.43.209] 42421 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search.php"; depth:11; nocase; http.host; content:"orlandomedianews.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search.php"; depth:11; nocase; http.host; content:"natureanimalsreports.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/providerlocalsqlline/javascriptlongpolltrackwindows/voiddbdbapi/1bigload/testuploads/proton/protonvoiddb8datalife/5auth2/multiprocessordatalifegame/dle8/windowsdownloads/linuxproviderbasemulti/provider/imagejavascriptrequestprocessordefaultlinuxtestdle.php"; depth:257; nocase; http.host; content:"193.17.183.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272391; rev:1;)
# URL rules below: GET request, URI prefix match (depth equals the content
# length, no end anchor) plus an exact http.host match (depth plus
# isdataat:!1,relative). All three buffers must match.
#
# The host value here contains the string update.windowsupdate.com but the
# rule matches only the full 38-byte name ending in .cdn.dnsv1.com. A request
# whose host is update.windowsupdate.com itself does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fpmz"; depth:5; nocase; http.host; content:"update.windowsupdate.com.cdn.dnsv1.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272390; rev:1;)
# http.host is a literal IP address in the next two rules, so they match only
# requests whose normalized host value is that bare address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/lib/jquery-1-edb203c114.10.2.js"; depth:35; nocase; http.host; content:"120.26.36.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272389/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lfzq"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272388/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2
traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/icon2.png"; depth:10; nocase; http.host; content:"175.178.226.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272387; rev:1;)
# URL rules at confidence level 75: GET request, URI prefix match, exact
# http.host match on a literal IP address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pnf9"; depth:5; nocase; http.host; content:"128.199.184.87"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272386; rev:1;)
# Two rules for the same host (sids 91272385 and 91272384). The URI is not
# anchored at the end, so the /404 rule also matches longer URIs that start
# with /404.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/default-get"; depth:19; nocase; http.host; content:"107.173.111.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/404"; depth:4; nocase; http.host; content:"107.173.111.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272384; rev:1;)
# NOTE(review): the http.host value in this rule is an RFC 1918 private
# address (192.168.0.0/16). The rule direction is $HOME_NET -> $EXTERNAL_NET,
# so on a sensor where private ranges are part of $HOME_NET a request to that
# address would not be evaluated by it. The same address in another
# organisation's network is an unrelated host. Presumably a lab or
# internal-test IOC; confirm it adds detection value before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmo1"; depth:5; nocase; http.host; content:"192.168.221.133";
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272383/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vcq3"; depth:5; nocase; http.host; content:"119.3.90.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.69.37.111"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"101.43.96.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"150.158.150.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; 
classtype:trojan-activity; sid:91272379; rev:1;)
# URL rules: GET request, URI prefix match (nocase), exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videolinetoupdateprocessorauthprotectsqlasync.php"; depth:50; nocase; http.host; content:"77.105.161.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272378; rev:1;)
# The host match is exact on the full 50-byte service name, so other service
# names under the same parent domain do not alert. The URI is a prefix match:
# anything starting with /api/x fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-0xgb0mzs-1317544938.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272377; rev:1;)
# NOTE(review): the http.host value in this rule is an RFC 1918 private
# address (172.16.0.0/12). The rule direction is $HOME_NET -> $EXTERNAL_NET,
# so on a sensor where private ranges are part of $HOME_NET a request to that
# address would not be evaluated by it. The same address in another
# organisation's network is an unrelated host. Presumably a lab or
# internal-test IOC; confirm it adds detection value before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xpof"; depth:5; nocase; http.host; content:"172.16.1.106"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272376/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xu79"; depth:5; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272375; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.202] 50050 (msg:"ThreatFox Cobalt
Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272374; rev:1;) alert tcp $HOME_NET any -> [47.109.192.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272373; rev:1;) alert tcp $HOME_NET any -> [156.242.40.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272372; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272371; rev:1;) alert tcp $HOME_NET any -> [104.193.69.161] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272370; rev:1;) alert tcp $HOME_NET any -> [20.163.182.1] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272369/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_18; classtype:trojan-activity; sid:91272369; rev:1;) alert tcp $HOME_NET any -> [52.15.184.142] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272368; rev:1;) alert tcp $HOME_NET any -> [72.142.102.168] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272367; rev:1;) alert tcp $HOME_NET any -> [8.134.122.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272366; rev:1;) alert tcp $HOME_NET any -> [156.242.41.216] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272365; rev:1;) alert tcp $HOME_NET any -> [149.88.75.162] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272361; rev:1;) alert tcp $HOME_NET any -> [194.26.232.166] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1272360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272360; rev:1;)
# ip:port rules (confidence level 80). They carry no flow or payload
# keywords, so any TCP packet from $HOME_NET to the listed address and port
# alerts; the threshold limits this to one alert per source address per
# 60 seconds. The match is on the endpoint alone, so the rule does not
# distinguish the named malware family from any other traffic to that
# address and port.
alert tcp $HOME_NET any -> [194.26.232.166] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272359; rev:1;)
# The next four rules list two addresses on both port 80 and port 22. An alert
# from a port-22 rule means only that a host contacted that address on that
# port. Triage with flow and endpoint data on the source host (target:src_ip)
# before treating it as confirmed C2.
alert tcp $HOME_NET any -> [23.88.106.134] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272358; rev:1;)
alert tcp $HOME_NET any -> [23.88.106.134] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272357; rev:1;)
alert tcp $HOME_NET any -> [194.26.232.108] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272356/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272356; rev:1;)
alert tcp $HOME_NET any -> [194.26.232.108] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272355/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272355; rev:1;)
alert tcp $HOME_NET any -> [47.236.19.63] 23456 (msg:"ThreatFox Cobalt Strike botnet C2
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272354/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272354; rev:1;) alert tcp $HOME_NET any -> [156.242.47.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272353/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272353; rev:1;) alert tcp $HOME_NET any -> [156.242.46.196] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272352/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272352; rev:1;) alert tcp $HOME_NET any -> [156.242.43.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272351/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272351; rev:1;) alert tcp $HOME_NET any -> [156.242.43.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272350/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272350; rev:1;) alert tcp $HOME_NET any -> [156.242.45.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272349/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_17; classtype:trojan-activity; sid:91272349; rev:1;) alert tcp $HOME_NET any -> [156.242.47.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272348; rev:1;) alert tcp $HOME_NET any -> [192.227.232.151] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272347; rev:1;) alert tcp $HOME_NET any -> [146.70.87.203] 41795 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272346; rev:1;) alert tcp $HOME_NET any -> [67.205.164.149] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272345; rev:1;) alert tcp $HOME_NET any -> [188.127.225.90] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272344; rev:1;) alert tcp $HOME_NET any -> [156.242.43.212] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272343; rev:1;) alert tcp $HOME_NET any -> [156.242.45.210] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272342; rev:1;) alert tcp $HOME_NET any -> [156.242.42.220] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272341; rev:1;) alert tcp $HOME_NET any -> [154.12.55.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272340; rev:1;) alert tcp $HOME_NET any -> [156.242.41.219] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272339; rev:1;) alert tcp $HOME_NET any -> [156.242.46.196] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272338; rev:1;) alert tcp $HOME_NET any -> 
[209.222.101.102] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272337; rev:1;) alert tcp $HOME_NET any -> [77.238.229.68] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272336; rev:1;) alert tcp $HOME_NET any -> [1.54.12.82] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272335; rev:1;) alert tcp $HOME_NET any -> [5.75.214.104] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272334; rev:1;) alert tcp $HOME_NET any -> [5.75.212.247] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272333; rev:1;) alert tcp $HOME_NET any -> [5.75.212.247] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272332/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_17; classtype:trojan-activity; sid:91272332; rev:1;) alert tcp $HOME_NET any -> [116.202.1.60] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272331/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272331; rev:1;) alert tcp $HOME_NET any -> [116.202.1.60] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272330/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272330; rev:1;) alert tcp $HOME_NET any -> [5.75.215.51] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272329/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272329; rev:1;) alert tcp $HOME_NET any -> [5.75.215.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272328; rev:1;) alert tcp $HOME_NET any -> [85.107.228.217] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272327; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272326; rev:1;) alert tcp $HOME_NET any -> [95.164.47.247] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.148.120.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272323; rev:1;) alert tcp $HOME_NET any -> [45.148.120.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0948305.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272322; rev:1;) alert tcp $HOME_NET any -> [104.129.20.98] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272321; rev:1;) alert tcp $HOME_NET any -> [41.249.51.52] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272317; rev:1;) alert tcp $HOME_NET any -> [3.79.194.172] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272314/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272314; rev:1;) alert tcp $HOME_NET any -> [194.116.229.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272313; rev:1;) alert tcp $HOME_NET any -> [89.185.85.44] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272312; rev:1;) alert tcp $HOME_NET any -> [124.70.47.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272311; rev:1;) alert tcp $HOME_NET any -> [103.146.158.113] 8888 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272310; rev:1;) alert tcp $HOME_NET any -> [106.14.0.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272309; rev:1;) alert tcp $HOME_NET any -> [95.179.165.102] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272308; rev:1;) alert tcp $HOME_NET any -> [45.61.132.242] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272307; rev:1;) alert tcp $HOME_NET any -> [217.165.79.196] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272306; rev:1;) alert tcp $HOME_NET any -> [47.243.185.50] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; 
classtype:trojan-activity; sid:91272305; rev:1;) alert tcp $HOME_NET any -> [118.33.178.150] 8880 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272304; rev:1;) alert tcp $HOME_NET any -> [44.200.252.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272303; rev:1;) alert tcp $HOME_NET any -> [82.153.138.180] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272302; rev:1;) alert tcp $HOME_NET any -> [79.137.199.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272301; rev:1;) alert tcp $HOME_NET any -> [79.137.199.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; 
depth:9; nocase; http.host; content:"121.40.213.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/3b1tenbkyj"; depth:21; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272131; rev:1;) alert tcp $HOME_NET any -> [95.163.84.88] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272129; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272127; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272126; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272125; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272124; rev:1;) alert tcp $HOME_NET any -> [104.194.152.154] 3678 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"38.54.16.50"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.134.89.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272119; rev:1;) alert tcp $HOME_NET any -> [8.134.89.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272120/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272120; rev:1;)
# NOTE(review): the line above is the tail of a rule that starts on the previous line of this listing, and the
# last line of this span is the head of a rule that continues on the next one. Suricata expects each rule on a
# single line, so the rules in between are laid out one per line here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.172.159.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272118; rev:1;)
alert tcp $HOME_NET any -> [121.40.213.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272117; rev:1;)
# NOTE(review): sid 91272116 and sid 91272113 (further down) have identical match conditions: GET, URI starting
# with /api/x, Host service-pw5pdob2-1301751349.gz.tencentapigw.com.cn. Only the ThreatFox reference and the sid
# differ, so a single matching request raises two alerts; deduplicate downstream or disable one of the pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-pw5pdob2-1301751349.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272116; rev:1;)
# Domain rule: dns_query must equal the full name. depth:50 is the length of the content and
# isdataat:!1,relative allows no bytes after it, so neither the parent domain nor a longer name matches.
# This rule can fire at resolution time; the http rules for the same host need a request Suricata can parse as HTTP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-pw5pdob2-1301751349.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272114; rev:1;)
alert tcp $HOME_NET any -> [121.40.213.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-pw5pdob2-1301751349.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272113; rev:1;)
# msg labels the next rule "payload delivery" rather than C2, at confidence_level 50. It matches a $HOME_NET
# client requesting a path that starts with /mozi.m from Host 115.51.111.73; target:src_ip marks that internal
# client as the target in the event, so the alert points at the host to triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.51.111.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272112; rev:1;)
alert tcp $HOME_NET any -> [106.53.94.240] 6000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272108; rev:1;)
alert tcp $HOME_NET any -> [139.9.105.56] 8033 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-g9r06izm-1320366142.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-g9r06izm-1320366142.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1272102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upload.windowscdn.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"upload.windowscdn.cn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272097; rev:1;)
# NOTE(review): the line above is the tail of a rule that starts on the previous line of this listing, and the
# last line of this span is the head of a rule that continues on the next one. Suricata expects each rule on a
# single line, so the rules in between are laid out one per line here.
#
# URL rules share one shape: http.method must contain GET; http.uri must start with the given path (content
# with depth equal to its length and nocase, with no test on the end of the URI, so this is a prefix match);
# http.host must equal the given value (depth plus isdataat:!1,relative leaves no room for trailing bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272096; rev:1;)
# NOTE(review): sid 91272095 pins http.host to 192.168.183.131, an RFC 1918 private address, while the rule
# header is $HOME_NET -> $EXTERNAL_NET. Where HOME_NET covers 192.168.0.0/16 and EXTERNAL_NET is its complement,
# a request sent directly to that address does not satisfy the header. A private address is also not a
# portable indicator, because it names a different host on every network. This looks like a lab or sandbox
# address that reached the feed; confirm against the referenced ThreatFox entry before relying on this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/showthread.php"; depth:15; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.41.101.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272091; rev:1;)
# NOTE(review): sid 91272090 and sid 91272087 (further down) have identical match conditions: GET, URI starting
# with /list/hx28/config.php, Host 1.12.55.117. Only the ThreatFox reference and the sid differ, so a single
# matching request raises two alerts; deduplicate downstream or disable one of the pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272090; rev:1;)
# Four rules in this span pin Host 124.220.148.63 with different path prefixes (/cm, /ptj, /push, /visit.js).
# The short prefixes also match longer paths that begin the same way; the exact Host value is what keeps them
# specific. Alerts from these sids concern the same destination and are best triaged together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.vip8806.mom"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vip8806.mom"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272084; rev:1;) alert tcp $HOME_NET any -> [185.64.246.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.99.188.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272080; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-k2snyjb7-1326503875.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272079; rev:1;) alert tcp $HOME_NET any -> [91.151.89.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272078; rev:1;) alert tcp $HOME_NET any -> [104.214.168.71] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272077; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272076; rev:1;) alert tcp $HOME_NET any -> [46.246.247.138] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272075; rev:1;) alert tcp $HOME_NET any -> [50.35.141.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272074; rev:1;)
# NOTE(review): the line above is the tail of a rule that starts on the previous line of this listing, and the
# last line of this span is the head of a rule that continues on the next one. Suricata expects each rule on a
# single line, so the rules in between are laid out one per line here.
#
# ip:port rules: the only match condition is the rule header (TCP from $HOME_NET to one address and port).
# There is no flow or content keyword, so any TCP packet to that endpoint qualifies, whatever it carries.
# threshold type limit, track by_src, seconds 60, count 1 caps output at one alert per source address per
# 60 seconds. The two Havoc entries below are on port 443 at confidence_level 50: with nothing but the
# endpoint to go on, treat a hit as a lead to corroborate with other telemetry.
alert tcp $HOME_NET any -> [185.196.11.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272073; rev:1;)
alert tcp $HOME_NET any -> [46.101.3.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272072; rev:1;)
alert tcp $HOME_NET any -> [88.198.122.201] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272070; rev:1;)
alert tcp $HOME_NET any -> [88.198.122.201] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272071; rev:1;)
# NOTE(review): sids 91272069 and 91272068 have identical match conditions (GET, URI starting with "/",
# Host 88.198.122.201); only the ThreatFox reference and the sid differ, so one request raises two alerts.
# The http.uri content "/" with depth:1 constrains only the first byte of the URI, which leaves the Host value
# as the effective indicator. The same address is also covered by the ip:port rules directly above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.122.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.122.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kin/five/fre.php"; depth:17; nocase; http.host; content:"ransomproducts.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272061/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272061; rev:1;)
alert tcp $HOME_NET any -> [173.212.199.134] 8808 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272060; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.54] 65140 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272059; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 65140 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272058/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1e75357.php"; depth:13; nocase; http.host; content:"a0982032.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/096e856b.php"; depth:13; nocase; http.host; content:"a0982114.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272054; rev:1;) alert tcp $HOME_NET any -> [212.162.153.199] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272053; rev:1;) alert tcp $HOME_NET any -> [39.100.85.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; 
content:"service-5hq806dl-1305010017.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-5hq806dl-1305010017.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272051; rev:1;) alert tcp $HOME_NET any -> [45.88.186.125] 1111 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272043; rev:1;) alert tcp $HOME_NET any -> [5.180.155.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272042; rev:1;) alert tcp $HOME_NET any -> [79.137.195.24] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272041; rev:1;) alert tcp $HOME_NET any -> [192.3.233.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272040/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272040; rev:1;)
# ip:port rules: the header is the only match condition (no flow or payload
# keyword), so any TCP packet from $HOME_NET to the listed address and port
# qualifies, including a connection attempt that is never answered. The
# threshold keyword caps output at one alert per source address per 60 seconds.
# confidence_level and first_seen are carried in metadata; an address-only
# indicator at confidence 50 is weak evidence on its own and loses value as the
# address is reassigned, so use both fields when deciding what to enable or
# escalate.
alert tcp $HOME_NET any -> [198.181.39.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272039; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.15] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272038; rev:1;)
alert tcp $HOME_NET any -> [88.232.102.20] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272037; rev:1;)
alert tcp $HOME_NET any -> [45.241.46.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272036; rev:1;)
# NOTE(review): destination port 445 is SMB. An outbound SMB session from
# $HOME_NET to an Internet address can hand NTLM authentication material to the
# remote end, which is why egress on 445/tcp is normally blocked regardless of
# destination. This rule covers only the single address listed; a hit also means
# the egress filter let the packet reach the sensor, so verify that filter.
alert tcp $HOME_NET any -> [92.205.178.185] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272035; rev:1;)
alert tcp $HOME_NET any -> [159.65.114.122] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272034; rev:1;) alert tcp $HOME_NET any -> [47.76.120.184] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272033; rev:1;) alert tcp $HOME_NET any -> [3.106.207.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272032; rev:1;) alert tcp $HOME_NET any -> [89.116.236.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272031; rev:1;) alert tcp $HOME_NET any -> [104.223.76.201] 2779 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272030; rev:1;) alert tcp $HOME_NET any -> [188.25.10.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272029; rev:1;) alert tcp $HOME_NET any -> [45.133.74.80] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272028; rev:1;) alert tcp $HOME_NET any -> [113.31.106.106] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272027; rev:1;) alert tcp $HOME_NET any -> [94.156.66.54] 7310 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272026; rev:1;) alert tcp $HOME_NET any -> [41.142.192.216] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271796; rev:1;) alert tcp $HOME_NET any -> [185.93.221.12] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271795/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_16; classtype:trojan-activity; sid:91271795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bl134/index.php"; depth:16; nocase; http.host; content:"ehzwq.shop"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"193.238.153.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271793; rev:1;) alert tcp $HOME_NET any -> [89.117.145.5] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"penisowners.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"penisowners.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"penisowners.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"redsquardhack.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271761; rev:1;) alert tcp $HOME_NET any -> [5.181.156.11] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271762; rev:1;) alert tcp $HOME_NET any -> [185.216.70.125] 1974 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"d1x9q8w2e4.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; 
classtype:trojan-activity; sid:91271739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"d1x9q8w2e4.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1x9q8w2e4.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271741; rev:1;) alert tcp $HOME_NET any -> [104.223.35.217] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axe.ydns.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271745; rev:1;) alert tcp $HOME_NET any -> [84.38.181.66] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271746; rev:1;) alert tcp $HOME_NET any -> [94.156.69.165] 8900 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271789/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271789; rev:1;) alert tcp $HOME_NET any -> [94.156.69.166] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271790; rev:1;) alert tcp $HOME_NET any -> [94.156.69.164] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271787/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271787; rev:1;) alert tcp $HOME_NET any -> [94.156.69.165] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271788/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271788; rev:1;) alert tcp $HOME_NET any -> [94.156.69.163] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271786/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271786; rev:1;) alert tcp $HOME_NET any -> [94.156.64.90] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271784/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_05_16; classtype:trojan-activity; sid:91271784; rev:1;) alert tcp $HOME_NET any -> [94.156.69.161] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271785/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271785; rev:1;) alert tcp $HOME_NET any -> [94.156.64.5] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271783; rev:1;) alert tcp $HOME_NET any -> [94.156.64.51] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271782; rev:1;) alert tcp $HOME_NET any -> [94.156.64.21] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271780/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271780; rev:1;) alert tcp $HOME_NET any -> [94.156.64.51] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271781/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271781; rev:1;) alert tcp $HOME_NET any -> [91.92.255.79] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1271778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271778; rev:1;) alert tcp $HOME_NET any -> [94.156.64.21] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271779/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271779; rev:1;) alert tcp $HOME_NET any -> [91.92.255.25] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271777/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271777; rev:1;) alert tcp $HOME_NET any -> [91.92.255.16] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271775/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271775; rev:1;) alert tcp $HOME_NET any -> [91.92.255.25] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271776/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271776; rev:1;) alert tcp $HOME_NET any -> [91.92.254.201] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271773/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271773; rev:1;) alert tcp $HOME_NET any -> [91.92.254.21] 8900 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271774; rev:1;) alert tcp $HOME_NET any -> [91.92.254.201] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271772/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271772; rev:1;) alert tcp $HOME_NET any -> [91.92.251.245] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271771/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271771; rev:1;) alert tcp $HOME_NET any -> [91.92.251.179] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271770; rev:1;) alert tcp $HOME_NET any -> [91.92.251.159] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271769; rev:1;) alert tcp $HOME_NET any -> [91.92.251.153] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271767/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; 
classtype:trojan-activity; sid:91271767; rev:1;) alert tcp $HOME_NET any -> [91.92.251.159] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271768/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271768; rev:1;) alert tcp $HOME_NET any -> [91.92.251.136] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271766/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271766; rev:1;) alert tcp $HOME_NET any -> [91.92.248.82] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271765/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271765; rev:1;) alert tcp $HOME_NET any -> [91.92.248.82] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271764/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7043a0c6a68d9c65.php"; depth:21; nocase; http.host; content:"185.172.128.170"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"45.136.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"io.cy789.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.37.31.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"162.14.70.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271754; rev:1;) alert tcp $HOME_NET any -> [101.200.120.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271753/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271753; rev:1;)
# url rules inspect the http.method, http.uri and http.host buffers, which are
# filled from cleartext HTTP (or TLS decrypted before the sensor). Where the
# same server is also listed as ip:port on 443, as for 101.200.120.13 and
# 192.227.232.151 here, a sensor without TLS inspection can only raise the
# ip:port alert for that traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.200.120.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271752; rev:1;)
alert tcp $HOME_NET any -> [192.227.232.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"192.227.232.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271750; rev:1;)
alert tcp $HOME_NET any -> [39.100.103.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271749; rev:1;)
# NOTE(review): m.taobao.com is the hostname of a widely used shopping site.
# sid 91271747 matches any GET whose URI starts with /search/ and whose Host
# header is exactly m.taobao.com; sid 91271748 matches any DNS query for exactly
# that name. Both will therefore also fire on ordinary user traffic wherever the
# site is in normal use, despite the confidence_level of 100.
# The Host header is chosen by the client and does not show where the
# connection went; presumably the indicator comes from C2 traffic that borrows
# the name - confirm against the ThreatFox entries. Triage a hit by the
# destination address of the flow (and by any ip:port alert for the same
# source) before treating the host as compromised, and consider suppressing
# the DNS rule on networks with legitimate use of the site.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"m.taobao.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.taobao.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/244cbe83570df263.php"; depth:21; nocase; http.host; content:"89.105.198.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271743; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.166] 3319 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"1.180.235.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"42.202.173.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"123.129.194.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"117.27.246.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"125.211.192.21"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1271732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"117.180.231.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"113.62.127.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"116.207.181.183"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"14.119.106.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.134.23.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; 
http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271724; rev:1;)
# URL indicators: each rule needs a client-to-server GET whose URI starts with
# the listed path (prefix match, since depth anchors only the start) and whose
# Host value equals the listed string exactly (depth plus isdataat:!1,relative).
# Short generic paths such as "/push" or "/dot.gif" are only meaningful
# together with the Host condition; do not reuse them as standalone signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.chinamobile.live"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271722; rev:1;)
# DNS indicator, exact-name match: depth:50 is the full length of the name and
# isdataat:!1,relative forbids trailing bytes, so only this one fully
# qualified name matches.
# NOTE(review): the name looks like a tenant-specific label under a shared
# cloud API-gateway parent domain (inferred from the name only; confirm).
# If so, keep the full label in any derived block or watch list: widening it
# to the parent domain would catch unrelated tenants.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3c8gl60w-1320366142.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-3c8gl60w-1320366142.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; 
classtype:trojan-activity; sid:91271720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271714; rev:1;) alert tcp $HOME_NET any -> [103.150.8.12] 5689 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271711/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_16; classtype:trojan-activity; sid:91271711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.113.191.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.221.95.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/auth/v1/log"; depth:16; nocase; http.host; content:"47.93.40.122"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271706; rev:1;) alert tcp $HOME_NET any -> [117.72.72.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"117.72.72.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271704; rev:1;) alert tcp $HOME_NET any -> [80.66.75.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/m2m9iodw7rseqaswcw04yac"; depth:41; nocase; http.host; content:"helloboy.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271701; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helloboy.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271702; rev:1;) alert tcp $HOME_NET any -> [156.251.172.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip8806.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"vip8806.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271698; rev:1;) alert tcp $HOME_NET any -> [8.218.192.174] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.testabcdtest.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.testabcdtest.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"49.234.58.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.139.160.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271693; rev:1;) alert tcp $HOME_NET any -> [94.103.86.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271692/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_16; classtype:trojan-activity; sid:91271692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"94.103.86.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.116.187.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.39.109.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"360.wangli.cyou"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271687; rev:1;) alert tcp $HOME_NET any -> [154.198.227.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1271688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"360.wangli.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.27.158.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271685; rev:1;) alert tcp $HOME_NET any -> [114.132.120.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-izlolzm0-1318382624.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271683; rev:1;) alert tcp $HOME_NET any -> [118.31.116.9] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zscm"; depth:5; nocase; http.host; content:"103.116.247.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271680/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awybcwjc"; depth:9; nocase; http.host; content:"savoystocks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yrorantd"; depth:9; nocase; http.host; content:"savoystocks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271679/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"savoystocks.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.181.44.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.101.181.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271675; rev:1;) alert tcp $HOME_NET any -> [154.212.149.59] 446 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meeting/32251816/"; depth:18; 
nocase; http.host; content:"3.208.96.244"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271673/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus"; depth:17; nocase; http.host; content:"3.208.96.244"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271672; rev:1;) alert tcp $HOME_NET any -> [3.208.96.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271671; rev:1;) alert tcp $HOME_NET any -> [116.202.5.235] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271670; rev:1;) alert tcp $HOME_NET any -> [95.217.240.101] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271668; rev:1;) alert tcp $HOME_NET any -> [116.202.0.24] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271669/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271669; rev:1;)
# The next three URL rules use the URI pattern "/" with depth:1. Every
# origin-form request URI starts with "/", so the URI condition adds no
# selectivity: each rule fires on any GET whose Host value is exactly the
# listed IP literal.
# The same three addresses also appear in the Vidar ip:port rules
# (sids 91271670, 91271668, 91271669) on ports 443 and 9000. These http rules
# inspect parsed HTTP requests only, so a request carried inside TLS is not
# visible to them unless traffic is decrypted upstream. Expect the ip:port
# rules to be the ones that fire for encrypted sessions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271665; rev:1;)
# ip:port indicator at confidence_level 75: there are no flow or payload
# keywords, so any TCP packet from $HOME_NET to this address and port matches,
# limited to one alert per source address per 60 seconds.
# NOTE(review): the following NjRAT entries list several addresses on the same
# port (11598). Verify whether these are shared relay or tunnel endpoints
# before blocking on address alone.
alert tcp $HOME_NET any -> [18.198.77.177] 11598 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271535; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 11598 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271536/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271536; rev:1;)
# ip:port indicators: each of the tcp rules below matches any TCP packet from
# $HOME_NET to the bracketed address on the stated port. There is no flow
# state or payload condition, so a bare connection attempt is enough. The
# threshold limits output to one alert per source address per 60 seconds, and
# target:src_ip marks the internal source as the affected host.
# All entries carry first_seen 2024_05_16 and the rule text has no expiry.
# Address-based indicators can outlive the infrastructure they describe, so
# check the indicator's age and confidence_level (75 or 100 here) when triaging.
alert tcp $HOME_NET any -> [35.158.159.254] 11598 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271537/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271537; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.85] 45779 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271571; rev:1;)
# DNS indicator tagged "payload delivery" rather than "botnet C2" in msg. The
# classtype is trojan-activity in both cases, so use msg to tell download
# infrastructure from command-and-control when routing alerts. The match is
# exact-name: depth:22 plus isdataat:!1,relative, case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modularfunctiondev.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271585; rev:1;)
# NOTE(review): port 80 at confidence_level 75. Any web traffic to this
# address raises the alert, whatever is requested. Check the HTTP transaction
# logs for the flow before concluding the host is infected.
alert tcp $HOME_NET any -> [45.90.57.51] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271614; rev:1;)
alert tcp $HOME_NET any -> [174.138.28.28] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vip.manhquyen.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mediagift.vn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kingu.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271499/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271499; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14141 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/full-scope-contracting"; depth:23; nocase; http.host; content:"pricelessdesign.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-the-difference-between-sla-ola-and-underpinning-contracts"; depth:66; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jayp.eu"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/05/23/what-is-an-enterprise-agreements"; depth:44; nocase; http.host; content:"burleys.ca"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/11/what-tint-is-legal-in-new-mexico"; depth:44; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271337; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 52445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271048/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tool-seven.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfqpfwr1d"; depth:10; nocase; http.host; content:"submit-form.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bless/tsend.php"; depth:16; nocase; http.host; content:"a0979777.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a0979777.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271053; rev:1;) alert tcp $HOME_NET any -> [80.249.146.170] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271054; rev:1;)
# polikarbonad.xyz is covered by one dns rule (exact name match) and two url rules. In the url
# rules the Host is matched exactly and the path is matched as a prefix (depth only on http.uri).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polikarbonad.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"polikarbonad.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"polikarbonad.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"leckeier.ydidiya.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271033; rev:1;)
alert tcp $HOME_NET any -> [194.9.6.197] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"advancedapiintegrations.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271031; rev:1;)
# The four rules below match Host steamcommunity.com, a shared public site; only the profile path
# makes them specific, so the host on its own is not an indicator and must not be blocked or
# alerted on wholesale.
# NOTE(review): these are alert http rules and inspect cleartext HTTP only. Requests to this host
# that travel inside TLS are not seen unless traffic is decrypted before the sensor - confirm
# sensor placement before relying on these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619471799"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620821253"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619468640"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620057897"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271661; rev:1;)
# frjk.xyz, frpk.xyz, frsk.xyz and frgk.xyz each get a dns rule, a url rule for /up/b and a url
# rule for /up. The /up rules are prefix matches on http.uri (depth:3, no end anchor), so a GET
# for /up/b on one of these hosts raises both url rules for that host in addition to the dns
# rule for the lookup. Deduplicate on source address and host when counting affected machines.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frjk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frpk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frsk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frgk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frpk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frjk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frgk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frpk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frjk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frgk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271649; rev:1;)
# ip:port rules: address and port are the only match conditions (no flow or content option), and
# the two below are confidence level 50 with the family given as "Unknown malware". Treat an
# alert as a lead to correlate with host telemetry, not as a confirmed infection.
alert tcp $HOME_NET any -> [91.92.250.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271648; rev:1;)
alert tcp $HOME_NET any -> [206.81.30.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271647; rev:1;)
# Every ip:port rule in this run is confidence level 50 (see msg and metadata). Each matches on
# destination address and port alone - no flow or content option - so an alert shows that a host
# in $HOME_NET sent a packet toward the indicator, nothing more. threshold caps each rule at one
# alert per source address per 60 seconds. Correlate with host telemetry before escalating.
alert tcp $HOME_NET any -> [8.134.211.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271646; rev:1;)
alert tcp $HOME_NET any -> [43.136.99.149] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271645; rev:1;)
alert tcp $HOME_NET any -> [107.172.90.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271644; rev:1;)
alert tcp $HOME_NET any -> [43.132.156.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271643; rev:1;)
# One address, three ports: 46.246.12.25 has a separate sid per port. Group by destination
# address when triaging so one host does not look like three incidents.
alert tcp $HOME_NET any -> [46.246.12.25] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271642; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.25] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271641; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.25] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271640; rev:1;)
alert tcp $HOME_NET any -> [197.94.217.65] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271639; rev:1;)
alert tcp $HOME_NET any -> [41.99.107.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271638; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.232] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271637; rev:1;)
alert tcp $HOME_NET any -> [23.227.198.228] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271636; rev:1;)
alert tcp $HOME_NET any -> [23.227.198.228] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271635; rev:1;)
alert tcp $HOME_NET any -> [87.106.230.151] 64443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271634; rev:1;)
alert tcp $HOME_NET any -> [35.178.232.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271633; rev:1;)
alert tcp $HOME_NET any -> [16.171.84.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271632; rev:1;)
alert tcp $HOME_NET any -> [146.190.122.253] 47001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271630; rev:1;)
alert tcp $HOME_NET any -> [146.190.122.253] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271631; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.140] 58883 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271629; rev:1;)
alert tcp $HOME_NET any -> [45.9.148.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271628; rev:1;)
alert tcp $HOME_NET any -> [43.134.118.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271627; rev:1;)
alert tcp $HOME_NET any -> [91.107.207.2] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4b0f4886.php"; depth:13; nocase; http.host; content:"a0981474.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271625/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271625; rev:1;)
alert tcp $HOME_NET any -> [151.115.72.13] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271624; rev:1;)
# sid 91271623 and sid 91271622 have identical match conditions (same Host, same URI prefix) and
# differ only in confidence level (75 vs 100) and IOC reference. One request raises both alerts;
# deduplicate on source address and URL when counting.
# The Host in these rules is an IP literal, so they match only when the client sends the address
# itself in the Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/check.php"; depth:20; nocase; http.host; content:"164.90.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/check.php"; depth:20; nocase; http.host; content:"164.90.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"aery-messages.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/t"; depth:12; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0981341.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271617; rev:1;)
alert tcp $HOME_NET any -> [43.138.168.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271613; rev:1;)
# The url and dns rules below name one full service hostname; both are exact matches on that
# name (depth plus isdataat:!1,relative), so other names under the same parent domain are
# neither covered nor implicated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-5xpqvjqk-1320366142.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-5xpqvjqk-1320366142.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271612; rev:1;)
# NOTE(review): this rule matches GET only. The same address is listed as Loki Password Stealer
# (PWS) C2 in the ip:port rule sid 91271614; if the client reaches this path with another method
# (for example POST), this rule stays silent and only the ip:port rule fires. Confirm the
# observed method on the referenced IOC page before treating silence here as a negative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/five/fre.php"; depth:17; nocase; http.host; content:"45.90.57.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/async/info"; depth:18; nocase; http.host; content:"103.148.151.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271609; rev:1;)
alert tcp $HOME_NET any -> [91.238.181.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271608; rev:1;)
# blmdiscount.com: sid 91271607 and sid 91271604 are the same url match under two IOC ids, so a
# single request raises both, plus sid 91271605 for the DNS lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/v3.82/1thwfwtjj8"; depth:23; nocase; http.host; content:"blmdiscount.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blmdiscount.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271605; rev:1;)
alert tcp $HOME_NET any -> [91.238.181.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/v3.82/1thwfwtjj8"; depth:23; nocase; http.host; content:"blmdiscount.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271604; rev:1;)
alert tcp $HOME_NET any -> [160.176.173.93] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-corts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-forts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1271591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271591; rev:1;)
# domain rules: dns_query must equal the listed name exactly (depth equals the name length and
# isdataat:!1,relative rejects trailing bytes; nocase makes it case-insensitive). Lookups of
# subdomains of these names do not match.
# Two names are listed twice in this run under different IOC ids: utm-adschuk.com (sid 91271593
# and sid 91271599) and utm-advrez.com (sid 91271594 and sid 91271601). A single lookup of either
# name raises two alerts; deduplicate on source address and queried name when counting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adrooz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adschuk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-advrez.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-drmka.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-fukap.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-msh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adsname.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adschuk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adsgoogle.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-advrez.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"cdn-inform.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz63343.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271589; rev:1;) alert tcp $HOME_NET any -> [5.42.96.100] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271588; rev:1;) alert tcp $HOME_NET any -> [104.129.21.246] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271586; rev:1;) alert tcp $HOME_NET any -> [185.12.14.54] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271587; rev:1;) alert tcp $HOME_NET any -> [91.92.255.209] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1271584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271584; rev:1;)
# Quasar RAT and AsyncRAT ip:port indicators, all confidence_level 100 and
# first_seen 2024_05_15. These rules have no flow or content keywords: they
# match any TCP packet from $HOME_NET to the listed address and port, and the
# threshold limits each rule to one alert per source host per 60 seconds.
# NOTE(review): address-only matches say nothing about payload, and addresses
# can change hands; check the indicator's age before blocking on a hit.
alert tcp $HOME_NET any -> [177.60.122.85] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271583; rev:1;)
alert tcp $HOME_NET any -> [103.200.124.194] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271580; rev:1;)
alert tcp $HOME_NET any -> [103.200.124.195] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271581; rev:1;)
alert tcp $HOME_NET any -> [103.200.124.197] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271582; rev:1;)
alert tcp $HOME_NET any -> [89.121.228.226] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271579; rev:1;)
alert tcp $HOME_NET any -> [54.39.249.55] 81 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271578; rev:1;)
alert tcp $HOME_NET any -> [47.120.35.45] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271577; rev:1;)
alert tcp $HOME_NET any -> [24.14.83.31] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271576; rev:1;)
alert tcp $HOME_NET any -> [14.225.208.152] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271575; rev:1;)
# url rule: GET only; the URI is a start-anchored prefix match (depth equals
# the pattern length, no end check) and the http.host buffer must match the
# listed name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0981008.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271574; rev:1;)
alert tcp $HOME_NET any -> [199.223.235.67] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271573; rev:1;)
alert tcp $HOME_NET any -> [187.24.4.218] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271572; rev:1;)
alert tcp $HOME_NET any -> [178.215.236.224] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271570; rev:1;)
alert tcp $HOME_NET any -> [88.138.253.60] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271569; rev:1;)
alert tcp $HOME_NET any -> [51.81.169.92] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271568; rev:1;)
# 45.88.186.125 and 45.88.186.197 each appear in several rules that differ only
# in port. Every rule has its own sid and its own threshold state, so a host
# that tries several ports on one address raises one alert per rule.
alert tcp $HOME_NET any -> [45.88.186.125] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271562; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.125] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271563; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.197] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271564; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.197] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271565; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.197] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271566; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.197] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271567; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.125] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271561/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_15; classtype:trojan-activity; sid:91271561; rev:1;)
# ip:port rules in this group match on destination address and port only (no
# flow or content keywords); the threshold limits each rule to one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [109.116.71.248] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271560; rev:1;)
# url rule and ip:port rule for the same address (94.156.68.92). The url rule's
# msg names no family; the ip:port rule labels the address Cobalt Strike.
# NOTE(review): a GET for /load sent to port 80 of that address presumably
# fires both sids. Correlate them as one event rather than two detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"94.156.68.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271559; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271558; rev:1;)
# Venom RAT ip:port indicators, all on port 4443 and spread over addresses in
# 91.92.x.x and 94.156.x.x; one sid per address.
alert tcp $HOME_NET any -> [91.92.255.16] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271550; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.79] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271551; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.5] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271552; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.90] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271553; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.161] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271554; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.163] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271555; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.164] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271556; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.166] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271557; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.153] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271546; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.179] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271547; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.245] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271548; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.21] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271549; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.136] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271545; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.53] 5554 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271544; rev:1;)
# Same url + ip:port pairing as above, here for 91.92.245.161.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"91.92.245.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271543; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271542; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.214] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271541; rev:1;)
# The URI pattern here is three bytes with depth:3 and no end check, so any
# GET whose URI starts with "/ca" matches; the exact http.host match is what
# keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"ace.cmicro.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ace.cmicro.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1271539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271539; rev:1;)
# Cobalt Strike ip:port indicators on 443/8443. These rules match on address
# and port only; nothing in them inspects the session, so a hit shows contact
# with the address, not the content of the exchange.
alert tcp $HOME_NET any -> [2.58.15.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271538; rev:1;)
alert tcp $HOME_NET any -> [38.54.33.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271534; rev:1;)
alert tcp $HOME_NET any -> [45.142.36.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271533; rev:1;)
alert tcp $HOME_NET any -> [172.105.37.93] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271531; rev:1;)
# domain rules: exact, case-insensitive match on the whole query name (depth
# plus isdataat:!1,relative); subdomains of the listed names do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arista-onelogein.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271530; rev:1;)
# NOTE(review): this name sits several labels deep under ply.gg, which looks
# like a shared tunnelling/hosting domain. Verify on the ThreatFox entry;
# names of that kind can be re-issued, so age the indicator out promptly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"character-acquisitions.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271529; rev:1;)
# From here to the BianLian rule the indicators carry confidence_level 50, and
# several point at ports 80 and 443. Because the rules match on address and
# port alone, treat hits as leads to corroborate rather than confirmed C2; the
# confidence_level metadata key can be used to route them to a lower-priority
# queue.
alert tcp $HOME_NET any -> [185.196.8.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271528; rev:1;)
alert tcp $HOME_NET any -> [91.202.233.228] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271527; rev:1;)
alert tcp $HOME_NET any -> [139.59.32.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271526; rev:1;)
alert tcp $HOME_NET any -> [167.235.28.146] 63333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271525; rev:1;)
alert tcp $HOME_NET any -> [118.195.138.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271524; rev:1;)
alert tcp $HOME_NET any -> [89.116.159.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271523; rev:1;)
alert tcp $HOME_NET any -> [47.94.143.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271522; rev:1;)
alert tcp $HOME_NET any -> [86.185.5.61] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271521; rev:1;)
alert tcp $HOME_NET any -> [69.159.0.52] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271520; rev:1;)
alert tcp $HOME_NET any -> [83.213.204.133] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271519; rev:1;)
alert tcp $HOME_NET any -> [189.140.14.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271518; rev:1;)
alert tcp $HOME_NET any -> [50.35.133.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271517; rev:1;)
alert tcp $HOME_NET any -> [45.153.70.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271516; rev:1;)
alert tcp $HOME_NET any -> [5.42.104.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271515; rev:1;)
alert tcp $HOME_NET any -> [65.109.237.32] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271514; rev:1;)
alert tcp $HOME_NET any -> [128.199.184.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271513; rev:1;)
alert tcp $HOME_NET any -> [104.238.61.20] 7800 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271512; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271511; rev:1;)
alert tcp $HOME_NET any -> [110.168.29.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271510; rev:1;)
alert tcp $HOME_NET any -> [80.79.4.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271509; rev:1;)
alert tcp $HOME_NET any -> [162.0.233.89] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/d3/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271507; rev:1;)
# (The line above is the tail of a rule that starts before this excerpt.)
#
# ip:port rules: the only match criteria are the destination address and port in
# the rule header. There is no flow: or content check, so a hit shows that an
# internal host sent TCP traffic to that endpoint, not that a C2 session was
# confirmed. "threshold: type limit, track by_src, seconds 60, count 1" caps each
# rule at one alert per source address per 60 seconds. target:src_ip records the
# $HOME_NET host as the target in the alert.
alert tcp $HOME_NET any -> [173.44.141.207] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271506; rev:1;)
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port, not
# a typical beacon listener port. On a hit, check which process on the source host
# opened the connection before treating it as beacon traffic.
alert tcp $HOME_NET any -> [170.130.165.157] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271505; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271504; rev:1;)
# Domain rules: depth equals the pattern length and isdataat:!1,relative requires
# that nothing follows it, so only a query for exactly this name matches
# (case-insensitive via nocase). Subdomains of the name are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestshawls.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271503; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.50] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271502; rev:1;)
# URL rules: http.host is matched exactly (depth + isdataat:!1,relative), while
# http.uri is anchored only at the start (depth, no end check), so any URI that
# begins with the pattern matches. These rules need parsed cleartext HTTP; the same
# address on port 443 is covered only by its ip:port rule. A GET to port 80 can
# raise both the URL rule and the ip:port rule for that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsid/google/ui"; depth:16; nocase; http.host; content:"82.180.133.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271496; rev:1;)
alert tcp $HOME_NET any -> [82.180.133.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271497; rev:1;)
alert tcp $HOME_NET any -> [82.180.133.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271495; rev:1;)
# The same hostname is covered twice: once as a DNS query and once as an HTTP Host
# header with the same URI prefix as the 82.180.133.120 rule above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.meedicalabc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsid/google/ui"; depth:16; nocase; http.host; content:"support.meedicalabc.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271493; rev:1;)
# "/load" is a 5-byte URI prefix; the rule is specific only because the Host value
# must also equal the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.128.43.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271490; rev:1;)
alert tcp $HOME_NET any -> [43.128.43.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271489; rev:1;)
alert tcp $HOME_NET any -> [198.23.149.76] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"172.245.79.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271487; rev:1;)
alert tcp $HOME_NET any -> [172.245.79.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1271486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271486; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this page.)
#
# Every rule in this group carries first_seen 2024_05_15. The ip:port rules match on
# destination address and port only (no flow: or content), and addresses can be
# reassigned, so confirm the indicator's current status at its reference URL before
# escalating a hit. Each ip:port rule alerts at most once per source per 60 seconds.
alert tcp $HOME_NET any -> [107.173.168.25] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271485; rev:1;)
# "/ga.js" is a common-looking script path; the rule is specific only because
# http.host must equal the listed address exactly. Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"107.172.60.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271484; rev:1;)
alert tcp $HOME_NET any -> [107.172.60.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271483; rev:1;)
# Domain rules match the full query name exactly (depth = pattern length, then
# isdataat:!1,relative), case-insensitively; other labels under the same parent
# domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.maomwxb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271482; rev:1;)
alert tcp $HOME_NET any -> [104.168.102.175] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hell.hydracenter.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271480; rev:1;)
# Ports such as 443, 8080 and 8443 are used by many ordinary services. These rules
# are specific only through the destination address.
alert tcp $HOME_NET any -> [23.94.14.151] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271479; rev:1;)
alert tcp $HOME_NET any -> [47.254.149.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271478; rev:1;)
alert tcp $HOME_NET any -> [47.236.31.187] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271477; rev:1;)
alert tcp $HOME_NET any -> [47.76.42.3] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271476; rev:1;)
alert tcp $HOME_NET any -> [124.71.143.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271475; rev:1;)
# One address, two ports: each port is a separate indicator with its own sid.
alert tcp $HOME_NET any -> [124.71.41.210] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271473; rev:1;)
alert tcp $HOME_NET any -> [124.71.41.210] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271474; rev:1;)
alert tcp $HOME_NET any -> [121.37.67.93] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271472; rev:1;)
alert tcp $HOME_NET any -> [120.46.36.55] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271471; rev:1;)
alert tcp $HOME_NET any -> [119.3.216.120] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity;
sid:91271470; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this page.)
#
# The same address is listed for two families on two ports: Cobalt Strike on 50050
# and Viper RAT on 60000. NOTE(review): 50050 is the default Cobalt Strike
# team-server (operator) port, so a hit from an internal host calls for a check of
# the originating process rather than an assumption of beacon traffic.
alert tcp $HOME_NET any -> [1.94.49.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271469; rev:1;)
alert tcp $HOME_NET any -> [1.94.49.55] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271468; rev:1;)
# Exact, case-insensitive match on the whole query name (depth = pattern length,
# then isdataat:!1,relative); other names under the same parent do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xqp.loveyoueverytime.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271467; rev:1;)
# ip:port rules below match on destination address and port only (no flow: or
# content), alerting at most once per source address per 60 seconds.
alert tcp $HOME_NET any -> [123.56.116.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271466; rev:1;)
alert tcp $HOME_NET any -> [121.196.193.233] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271465; rev:1;)
alert tcp $HOME_NET any -> [121.196.193.233] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271464; rev:1;)
alert tcp $HOME_NET any -> [120.79.157.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271463; rev:1;)
# URL rules need parsed cleartext HTTP. The address in this one is otherwise listed
# only on 443, where just the ip:port rule applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.76.197.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271462; rev:1;)
alert tcp $HOME_NET any -> [120.76.197.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271461; rev:1;)
alert tcp $HOME_NET any -> [120.27.158.236] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.14.90.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271459; rev:1;)
alert tcp $HOME_NET any -> [106.14.90.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271458; rev:1;)
alert tcp $HOME_NET any -> [101.201.105.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271457; rev:1;)
alert tcp $HOME_NET any -> [59.110.6.203] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271456; rev:1;)
alert tcp $HOME_NET any -> [47.117.174.198] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271455; rev:1;)
# http.uri is anchored only at the start: "/cm" with depth:3 matches any URI that
# begins with those three bytes. The exact http.host match is what makes the rule
# specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.99.151.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271454; rev:1;)
alert tcp $HOME_NET any -> [47.99.151.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271453; rev:1;)
# NOTE(review): the two tencentapigw.com.cn names look like per-service hostnames
# on a cloud API-gateway domain shared by many tenants. The rules match each full
# name exactly, so keep any derived blocking at that granularity rather than at the
# parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-f9dx5hom-1305082597.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271452; rev:1;)
alert tcp $HOME_NET any -> [47.92.174.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271451; rev:1;)
alert tcp $HOME_NET any -> [47.92.85.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lu8tgeea-1305082597.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271449; rev:1;)
alert tcp $HOME_NET any -> [39.100.102.40]
80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271448; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this page.)
#
# 3306 is the port conventionally used by MySQL. This rule checks address and port
# only, so it does not tell database traffic apart from anything else sent there.
alert tcp $HOME_NET any -> [8.137.107.238] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271447; rev:1;)
# Cluster: individual addresses in 156.242.46.x and 156.242.47.x, all on port 50050,
# one rule (own sid and reference) per address. Addresses in those ranges that are
# not listed are not matched.
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port, not
# a typical beacon listener port. On a hit, identify the process on the $HOME_NET
# source that opened the connection. Each rule alerts at most once per source
# address per 60 seconds, and target:src_ip marks the internal host as the target.
alert tcp $HOME_NET any -> [156.242.47.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271445; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271446; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271438; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.196] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271439; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271440; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271441; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271442; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271443; rev:1;)
alert tcp $HOME_NET any -> [156.242.47.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271444; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271431; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271432; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271433; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271434; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271435; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271436; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271437; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271424; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271425; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271426; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271427; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271428; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this page.)
#
# Cluster: individual addresses in 156.242.44.x, 156.242.45.x and 156.242.46.x, all
# on port 50050, one rule per address. The rules match on destination address and
# port only (no flow: or content), so a hit records a connection attempt from a
# $HOME_NET host, limited to one alert per source address per 60 seconds.
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port.
# Confirm what on the source host initiated the connection before classifying it as
# beacon traffic.
alert tcp $HOME_NET any -> [156.242.46.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271429; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271430; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271417; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271418; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271419; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271420; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271421; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271422; rev:1;)
alert tcp $HOME_NET any -> [156.242.46.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271423; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271410; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271411; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271412; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271413; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271414; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271415; rev:1;)
alert tcp $HOME_NET any -> [156.242.45.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271416; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271404; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271405; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271406; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271407; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271408; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271409; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this page.)
#
# Cluster: individual addresses in 156.242.41.x through 156.242.44.x, all on port
# 50050, one rule (own sid and ThreatFox reference) per address. Unlisted neighbours
# in those ranges are not matched. Matching is by destination address and port only.
# The threshold limits each rule to one alert per source address per 60 seconds, and
# target:src_ip marks the $HOME_NET host as the target.
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port, so
# triage should establish which process on the source host opened the connection.
alert tcp $HOME_NET any -> [156.242.43.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271397; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271398; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271399; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271400; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271401; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271402; rev:1;)
alert tcp $HOME_NET any -> [156.242.44.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271403; rev:1;)
alert tcp $HOME_NET any -> [156.242.42.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271391; rev:1;)
alert tcp $HOME_NET any -> [156.242.42.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271392; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271393; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271394; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271395; rev:1;)
alert tcp $HOME_NET any -> [156.242.43.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271396; rev:1;)
alert tcp $HOME_NET any -> [156.242.41.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271384; rev:1;)
alert tcp $HOME_NET any -> [156.242.41.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271385; rev:1;)
alert tcp $HOME_NET any -> [156.242.41.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271386; rev:1;)
alert tcp
$HOME_NET any -> [156.242.42.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271387; rev:1;)
# ip:port rules for a run of neighbouring 156.242.4x.x addresses; the rules
# around this point use only two destination ports, 50050 and 4396.
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port,
# not a Beacon listener port. Presumably these IOCs identify exposed team
# servers, so an infected host would not necessarily call back on this port.
# Treat a hit as "something in $HOME_NET contacted a known team server" and do
# not read silence from these rules as absence of Beacon traffic. TODO confirm
# against the referenced ThreatFox IOC pages.
alert tcp $HOME_NET any -> [156.242.42.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271388; rev:1;)
alert tcp $HOME_NET any -> [156.242.42.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271389; rev:1;)
alert tcp $HOME_NET any -> [156.242.42.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271390; rev:1;)
alert tcp $HOME_NET any -> [156.242.40.219] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271377; rev:1;)
alert tcp $HOME_NET any -> [156.242.40.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271378; rev:1;) alert tcp $HOME_NET any -> [156.242.40.221] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271379; rev:1;) alert tcp $HOME_NET any -> [156.242.41.196] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271380; rev:1;) alert tcp $HOME_NET any -> [156.242.41.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271381; rev:1;) alert tcp $HOME_NET any -> [156.242.41.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271382; rev:1;) alert tcp $HOME_NET any -> [156.242.41.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271383; rev:1;) alert tcp $HOME_NET any -> [156.242.40.212] 
50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271370; rev:1;) alert tcp $HOME_NET any -> [156.242.40.214] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271371; rev:1;) alert tcp $HOME_NET any -> [156.242.40.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271372; rev:1;) alert tcp $HOME_NET any -> [156.242.40.217] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271373; rev:1;) alert tcp $HOME_NET any -> [156.242.40.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271374; rev:1;) alert tcp $HOME_NET any -> [156.242.40.218] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271375/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271375; rev:1;) alert tcp $HOME_NET any -> [156.242.40.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271376; rev:1;) alert tcp $HOME_NET any -> [156.242.40.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271363; rev:1;) alert tcp $HOME_NET any -> [156.242.40.204] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271364; rev:1;) alert tcp $HOME_NET any -> [156.242.40.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271365; rev:1;) alert tcp $HOME_NET any -> [156.242.40.205] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271366; rev:1;) alert tcp $HOME_NET any -> [156.242.40.206] 50050 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271367; rev:1;) alert tcp $HOME_NET any -> [156.242.40.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271368; rev:1;) alert tcp $HOME_NET any -> [156.242.40.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271369; rev:1;) alert tcp $HOME_NET any -> [156.242.40.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271356; rev:1;) alert tcp $HOME_NET any -> [156.242.40.196] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271357; rev:1;) alert tcp $HOME_NET any -> [156.242.40.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271358/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271358; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271359; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271360; rev:1;) alert tcp $HOME_NET any -> [156.242.40.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271361; rev:1;) alert tcp $HOME_NET any -> [156.242.40.203] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271362; rev:1;) alert tcp $HOME_NET any -> [156.242.40.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271353; rev:1;) alert tcp $HOME_NET any -> [156.242.40.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271354; rev:1;) alert tcp $HOME_NET any -> [156.242.40.194] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.223.163.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271352; rev:1;) alert tcp $HOME_NET any -> [124.223.163.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271351; rev:1;) alert tcp $HOME_NET any -> [124.222.91.4] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-k2snyjb7-1326503875.bj.tencentapigw.com.cn"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271349; rev:1;) alert tcp $HOME_NET any -> [119.45.224.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271348; rev:1;) alert tcp $HOME_NET any -> [118.25.85.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-a7h4x98o-1257783886.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271346; rev:1;) alert tcp $HOME_NET any -> [111.230.112.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271344; rev:1;) alert tcp $HOME_NET any -> [111.230.112.171] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271345; rev:1;)
# ip:port rules: each one matches TCP traffic from $HOME_NET to a single
# address and port. They carry no flow, app-layer or content keyword, so
# nothing in the rule requires an established session or inspects the payload.
# An alert shows that a host sent a packet to that endpoint, not that a C2
# exchange took place.
# threshold type limit / track by_src / seconds 60 / count 1 caps each rule at
# one alert per source address per 60 seconds, so alert volume does not reflect
# connection volume.
# NOTE(review): first_seen is 2024_05_15 while the feed header is dated
# 2024-07-26. The addresses may have been reassigned since, so check the
# referenced IOC page before escalating on a hit.
alert tcp $HOME_NET any -> [106.55.164.217] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271343; rev:1;)
# The next three rules share the address 101.43.24.140 under two family labels
# (Viper RAT on 60000, Cobalt Strike on 3306 and 8000). One host reaching
# several of these ports produces one alert per rule.
# NOTE(review): 3306 is normally MySQL, and sid:91271340 does no protocol check
# to tell the two apart.
alert tcp $HOME_NET any -> [101.43.24.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271342; rev:1;)
alert tcp $HOME_NET any -> [101.43.24.140] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271340; rev:1;)
alert tcp $HOME_NET any -> [101.43.24.140] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271341; rev:1;)
alert tcp $HOME_NET any -> [82.156.145.233] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271339; rev:1;)
alert tcp $HOME_NET any -> [43.139.160.164] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"42.192.67.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271336; rev:1;) alert tcp $HOME_NET any -> [42.192.67.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagerequestcpudefaultdblinux.php"; depth:41; nocase; http.host; content:"339380cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updateserverasynctestdle.php"; depth:29; nocase; http.host; content:"softworker.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271333; rev:1;) alert tcp 
$HOME_NET any -> [5.75.214.104] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271087; rev:1;) alert tcp $HOME_NET any -> [5.75.214.74] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271083; rev:1;) alert tcp $HOME_NET any -> [116.202.5.235] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271084; rev:1;) alert tcp $HOME_NET any -> [95.217.240.101] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271085; rev:1;) alert tcp $HOME_NET any -> [5.75.220.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1271086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271086; rev:1;)
# url rules for four bare-IP hosts. The same addresses also appear in the Vidar
# ip:port rules earlier in this file (sids 91271087, 91271086, 91271085,
# 91271084).
# The http.uri test in sids 91271082, 91271081, 91271080 and 91271079 is
# content:"/"; depth:1, which checks only the first byte of the request URI.
# Any GET whose URI begins with "/" passes it, so each rule is in effect an
# exact match on http.host (depth plus isdataat:!1,relative) and gives no
# path-level evidence. The nocase on "/" has no effect.
# These rules have no threshold keyword, unlike the ip:port rules, so every
# matching request is evaluated for an alert.
# NOTE(review): the matching ip:port entries list ports 443 and 9000. If the C2
# uses TLS, these http rules presumably only fire on cleartext or decrypted
# traffic - confirm against sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.220.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271079; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.beenewsdream.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271077; rev:1;) alert tcp $HOME_NET any -> [104.156.244.171] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271078; rev:1;) alert tcp $HOME_NET any -> [49.234.58.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"49.234.58.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.2.1.min.js"; depth:20; nocase; http.host; content:"139.9.149.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271074; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"213.109.202.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271072; rev:1;) alert tcp $HOME_NET any -> [213.109.202.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271073; rev:1;) alert tcp $HOME_NET any -> [5.161.187.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"5.161.187.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af/fgjds2u"; depth:11; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271069/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271069; rev:1;)
# url rules: GET requests from $HOME_NET whose URI starts with the listed path
# and whose Host equals the listed value.
# http.uri uses content + depth with no end anchor, so it is a case-insensitive
# prefix match ("/fwlink" also matches "/fwlink/..."). Only http.host is pinned
# at both ends (depth plus isdataat:!1,relative). The paths here are short and
# generic, so the host value is the discriminating part of each rule.
# NOTE(review): sid:91271068 below has the same http.method, http.uri
# ("/af/fgjds2u") and http.host ("1.12.55.117") as sid:91271069, which closes
# on the line above. Only the ThreatFox IOC ids differ (1271068 vs 1271069), so
# one matching request raises two alerts. Deduplicate or suppress one sid
# downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af/fgjds2u"; depth:11; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.224.0.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.102.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.92.75.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.134.102.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.12.31.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"113.142.27.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271061; rev:1;) alert tcp $HOME_NET any -> [139.159.192.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.63.149.104"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1271060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"61.240.220.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"42.177.83.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"113.194.50.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271057; rev:1;) alert tcp $HOME_NET any -> [107.172.61.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"107.172.61.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processordbtraffictrackdatalife.php"; depth:36; nocase; http.host; content:"jewokfweteto.skibiteamx.top"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.175.158.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; 
nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"preachy-multiplex.000webhostapp.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271028; rev:1;) alert tcp $HOME_NET any -> [152.136.174.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"forgreatestgoal.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"forgreatestgoal.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271023/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forgreatestgoal.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271025; rev:1;) alert tcp $HOME_NET any -> [82.197.68.240] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.zaloweb.ink"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271026; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/01/17/tattooing-from-home-laws-in-alberta-what-you-need-to-know"; depth:69; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271010/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_15; classtype:trojan-activity; sid:91271010; rev:1;) alert tcp $HOME_NET any -> [45.245.103.148] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"venomm.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"okilometros.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oklahoma-street-legal-vehicle-requirements"; depth:43; nocase; http.host; content:"curecvc.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271007; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 1992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271004; rev:1;) 
alert tcp $HOME_NET any -> [68.233.238.115] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_15; classtype:trojan-activity; sid:91270991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"catering-szafran.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271000; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91270987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"catalogodecosmetica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91270988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"calderconsultants.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270985/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91270985; rev:1;) alert tcp $HOME_NET any -> [45.137.22.150] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271022; rev:1;) alert tcp $HOME_NET any -> [149.154.65.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271021; rev:1;) alert tcp $HOME_NET any -> [104.248.131.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271020; rev:1;) alert tcp $HOME_NET any -> [101.43.26.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271019; rev:1;) alert tcp $HOME_NET any -> [41.99.115.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271018; rev:1;) alert tcp $HOME_NET any -> [38.60.203.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271017; rev:1;) alert tcp $HOME_NET any -> [13.51.174.30] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271016; rev:1;) alert tcp $HOME_NET any -> [193.122.115.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271015; rev:1;) alert tcp $HOME_NET any -> [185.222.58.62] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geodefaultsqllinuxgeneratortesttrackdownloadstemporary.php"; depth:59; nocase; http.host; content:"266026cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271009; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19048 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271008; rev:1;) alert tcp $HOME_NET any -> [94.156.68.141] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"94.156.68.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270998; rev:1;) alert tcp $HOME_NET any -> [185.241.208.23] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270999; rev:1;) alert tcp $HOME_NET any -> [45.61.137.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.checktimes.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270996/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_14; classtype:trojan-activity; sid:91270996; rev:1;)
# ThreatFox-generated IOC rules (first_seen 2024_05_14). url rules require a GET whose URI starts with
# the listed path and whose Host equals the listed value exactly; ip:port rules match on destination
# address and port alone and are limited to one alert per source per 60 seconds.
#
# www.checktimes.top is also covered by the dns_query rule sid:91270996 (its tail opens this span),
# so a lookup followed by a request yields two related alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promote/static/xv4splmog"; depth:25; nocase; http.host; content:"www.checktimes.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270995; rev:1;)
alert tcp $HOME_NET any -> [114.132.98.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270994; rev:1;)
# NOTE(review): the Host value below is an RFC 1918 private address, which is not a globally
# meaningful indicator. With HOME_NET covering 192.168.0.0/16 and EXTERNAL_NET set to !$HOME_NET,
# traffic to that address is not HOME->EXTERNAL and the rule stays silent; with other variable
# settings it can alert on an unrelated internal device that happens to use the same address.
# Presumably a lab or sandbox artefact in the submitted IOC - verify against the ThreatFox entry
# before acting on hits, or disable this sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"192.168.117.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270993; rev:1;)
# This rule only matches GET. A client that sends another method (for example POST) to the same
# path and host is not covered; rely on a DNS or ip-based indicator for that case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flexiblemaria.com"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270990; rev:1;) alert tcp $HOME_NET any -> [66.63.188.21] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270989; rev:1;) alert tcp $HOME_NET any -> [146.190.15.117] 60169 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/general-manager-role-key-responsibilities-and-legal-implications"; depth:65; nocase; http.host; content:"signcitysa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"brastal.pl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270689; rev:1;)
# "payload delivery" url rules (first_seen 2024_05_14): GET whose URI starts with /manual.php
# (depth:11, nocase, no end anchor) and whose Host equals the listed name exactly, so other paths on
# the same site do not alert.
#
# Duplicates in this run: sid:91270694 repeats the match conditions of sid:91270689 (brastal.pl) and
# sid:91270697 repeats those of sid:91270692 (bramafhu.pl); only reference and sid differ. One request
# raises two alerts per host - deduplicate downstream or suppress one sid of each pair.
# NOTE(review): the hostnames look like ordinary business sites; if they are compromised legitimate
# sites the indicator goes stale once they are cleaned - check first_seen before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bramafhu.pl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"brastal.pl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bramafhu.pl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"businesstraveller.pl"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1270700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270700; rev:1;)
# --- Reading the generated rules below (one rule per line) ---
# ip:port rules: there are no flow or payload keywords, so any TCP packet from $HOME_NET
#   to the listed address and port matches, whatever the application protocol is.
#   "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert
#   per source host per 60 seconds. confidence_level 50 entries, especially on ports
#   80/443, are best treated as leads to corroborate with other telemetry.
# domain rules: depth equal to the pattern length plus isdataat:!1,relative pins the DNS
#   query to exactly that name (case-insensitive); other names under the same parent
#   domain do not match.
# url rules: http.host is pinned exactly in the same way, but http.uri carries only
#   depth, so the URI content is a prefix match ("/api" also matches "/api/anything").
#   These rules only see HTTP the sensor can parse in clear text.
# Where a url or domain rule and an ip:port rule describe the same endpoint, a single
#   connection can raise more than one alert; correlate on the source host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"franccoisfreres.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270742; rev:1;)
alert tcp $HOME_NET any -> [31.44.4.118] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270738; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.168] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270983; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.168] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270984; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.8] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270982; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.8] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270981; rev:1;)
alert tcp $HOME_NET any -> [2.50.7.21] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270980; rev:1;)
alert tcp $HOME_NET any -> [167.56.67.81] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270979; rev:1;)
alert tcp $HOME_NET any -> [162.216.243.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270978; rev:1;)
alert tcp $HOME_NET any -> [156.253.7.77] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270977; rev:1;)
alert tcp $HOME_NET any -> [39.98.60.175] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.js"; depth:9; nocase; http.host; content:"vsj888.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vsj888.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270973; rev:1;)
# NOTE(review): sid 91270971 has the same match conditions as sid 91270712 further down
# (GET, URI prefix "/activity", host 47.243.26.247); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270971; rev:1;)
alert tcp $HOME_NET any -> [45.142.36.59] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.jakithebest.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270969; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.99] 13359 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270743; rev:1;)
# NOTE(review): sid 91270741 and sid 91270740 have identical match conditions and differ
# only in confidence_level and reference; a single request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"franccoisfreres.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"franccoisfreres.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270740; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.184] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270739; rev:1;)
alert tcp $HOME_NET any -> [86.124.171.111] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270735; rev:1;)
alert tcp $HOME_NET any -> [86.124.171.111] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270734; rev:1;)
alert tcp $HOME_NET any -> [201.124.50.186] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270733; rev:1;)
alert tcp $HOME_NET any -> [47.101.67.119] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270732/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270732; rev:1;)
alert tcp $HOME_NET any -> [64.225.27.95] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"47.117.174.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270729; rev:1;)
alert tcp $HOME_NET any -> [47.117.174.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"89.187.28.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"36.111.191.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"13.232.63.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.17.119.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"45.136.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270723; rev:1;)
# NOTE(review): this hostname looks like a tenant endpoint under a shared cloud
# API-gateway parent domain (presumably; confirm). The exact-name match keeps the rule
# scoped to this single endpoint and leaves the parent domain alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kj4ef32e-1252578700.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270721; rev:1;)
alert tcp $HOME_NET any -> [113.31.105.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-kj4ef32e-1252578700.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270720; rev:1;)
alert tcp $HOME_NET any -> [175.178.49.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"141.98.7.79"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270717; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270718; rev:1;)
alert tcp $HOME_NET any -> [39.98.60.175] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.js"; depth:9; nocase; http.host; content:"gov.vsj888.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gov.vsj888.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"192.3.24.157"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270713; rev:1;)
# NOTE(review): sid 91270712 has the same match conditions as sid 91270971 above;
# one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.92.96.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.168.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"13.232.63.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270686; rev:1;)
alert tcp $HOME_NET any -> [13.232.63.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/async/info"; depth:18; nocase; http.host; content:"103.148.151.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270685; rev:1;)
alert tcp $HOME_NET any -> [64.7.198.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.jumpsrever.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jumpsrever.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270683; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270680; rev:1;)
alert tcp $HOME_NET any -> [88.99.124.6] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270681; rev:1;)
# The URI pattern here is just "/" with depth:1, so every GET whose Host header is
# exactly this address matches; the rule is effectively a host match. It has no
# threshold, so it alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.124.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270679; rev:1;)
# Host is a public messaging platform; the detection rests entirely on the URI prefix
# "/k0mono" (longer paths starting with it also match).
# NOTE(review): this platform is normally reached over HTTPS, so an http rule will only
# fire where the sensor sees decrypted traffic - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k0mono"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270678; rev:1;)
# URI pattern "/" with depth:1: every GET to this Host value matches (see sid 91270679).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270677; rev:1;)
# Host is a public community platform; only the profile path distinguishes this traffic
# from ordinary use of the site.
# NOTE(review): normally HTTPS-only, so this likely needs decrypted traffic to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199686524322"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270676; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.181] 3434 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270675; rev:1;)
alert tcp $HOME_NET any -> [2.58.95.97] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"senpaiontop.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpc"; depth:4; nocase; http.host; content:"1.14.192.93"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"booking.intersport.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270670; rev:1;)
alert tcp $HOME_NET any -> [107.175.212.20] 2877 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270671; rev:1;)
alert tcp $HOME_NET any -> [38.55.144.53] 12340 (msg:"ThreatFox Rekoobe botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270658; rev:1;)
alert tcp $HOME_NET any -> [23.226.57.2] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270657/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270657; rev:1;)
alert tcp $HOME_NET any -> [109.176.199.251] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270656; rev:1;)
alert tcp $HOME_NET any -> [172.105.15.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270655; rev:1;)
alert tcp $HOME_NET any -> [154.12.35.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270654; rev:1;)
alert tcp $HOME_NET any -> [189.140.20.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270653; rev:1;)
alert tcp $HOME_NET any -> [41.97.68.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270652; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.171] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270651; rev:1;)
alert tcp $HOME_NET any -> [83.110.197.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270650; rev:1;)
alert tcp $HOME_NET any -> [85.102.166.95] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270649; rev:1;)
alert tcp $HOME_NET any -> [38.207.176.36] 9999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270648; rev:1;)
alert tcp $HOME_NET any -> [207.148.125.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270647; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20035 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270646; rev:1;)
alert tcp $HOME_NET any -> [172.233.172.190] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270645; rev:1;)
alert tcp $HOME_NET any -> [52.174.178.162] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270644; rev:1;)
alert tcp $HOME_NET any -> [167.99.191.228] 31338 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcmaster-collective-agreement-faculty"; depth:38; nocase; http.host; content:"bigcheeserodents.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zkfileshost.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wasabiwallet.is"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270615; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strutitinca.ro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270622; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12841 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270623; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 12841 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270624; rev:1;)
# NOTE(review): ngrok TCP tunnel endpoints usually have the form <n>.tcp.ngrok.io; this
# pattern reads "o.tpc". Because the rule is an exact-name match, it will only fire on
# this literal spelling - verify the indicator against the referenced ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"o.tpc.ngrok.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capty.nut.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270627; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270602/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270602; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270603/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270603; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 34625 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270570; rev:1;)
# NOTE(review): the name appears to sit under a shared tunnelling-service parent domain
# (presumably; confirm). The exact-name match limits the rule to this one tunnel name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vacation-nails.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270571; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"boisebrides.keydesigndevelopment.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270573; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsapp.apk"; depth:13; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270556; rev:1;)
alert http $HOME_NET any -> 
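$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kavach.apk"; depth:11; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foody.apk"; depth:10; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270557; rev:1;)
# http.uri is Suricata's normalized URI buffer, in which percent-escapes are
# decoded before matching, so the literal "%20%282%29" from the feed entry is
# not expected to be found there and the rule would stay silent. The next rule
# matches the decoded path instead ("/whatsapp (2).apk", 17 bytes), which also
# covers clients that send the parentheses unescaped. If only the exact
# on-the-wire encoding is wanted, the alternative is http.uri.raw with the
# original 23-byte string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsapp (2).apk"; depth:17; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidden.apk"; depth:11; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 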
content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakaplandalgada.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270631/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270631; rev:1;) alert tcp $HOME_NET any -> [8.209.111.227] 12814 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakaplandalgada124.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"kapankralda.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakaplandalgadadas.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270632/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_14; classtype:trojan-activity; sid:91270632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"neredekalgelsn3.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"kamarkadals53.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"manavkaradas.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karacellalder.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"kamaradas412.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270637/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karadalganagerekta2.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/06/08/secret-agreement-between-germany"; depth:44; nocase; http.host; content:"ikwilvanmijnpoloaf.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"booking.chaletsphilippe.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/imagetocpuupdateapitemporary.php"; depth:33; nocase; http.host; content:"taketa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270642; rev:1;) alert tcp $HOME_NET any -> [193.149.176.178] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270620; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270618; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270617; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpdefaultpublicuploads.php"; depth:29; nocase; http.host; 
content:"642229cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270612; rev:1;) alert tcp $HOME_NET any -> [160.177.79.24] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270611; rev:1;) alert tcp $HOME_NET any -> [92.118.170.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"92.118.170.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270609; rev:1;) alert tcp $HOME_NET any -> [111.230.25.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; 
content:"111.230.25.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270607; rev:1;) alert tcp $HOME_NET any -> [5.42.96.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270606; rev:1;) alert tcp $HOME_NET any -> [5.42.96.86] 41441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0974467.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270604; rev:1;) alert tcp $HOME_NET any -> [45.137.22.143] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270600; rev:1;) alert tcp $HOME_NET any -> [97.74.93.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270599/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270599; rev:1;) alert tcp $HOME_NET any -> [154.64.253.40] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270598; rev:1;) alert tcp $HOME_NET any -> [89.148.139.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270597; rev:1;) alert tcp $HOME_NET any -> [185.216.68.100] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270596; rev:1;) alert tcp $HOME_NET any -> [77.232.137.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270595; rev:1;) alert tcp $HOME_NET any -> [45.32.100.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270594; rev:1;) alert tcp $HOME_NET any -> [198.46.215.32] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270593; rev:1;) alert tcp $HOME_NET any -> [212.47.247.193] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270592; rev:1;) alert tcp $HOME_NET any -> [193.227.134.247] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270591; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20036 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270590; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20032 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270588; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20034 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270589; rev:1;) alert tcp 
$HOME_NET any -> [185.234.216.209] 20031 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270587; rev:1;) alert tcp $HOME_NET any -> [13.215.213.40] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270586; rev:1;) alert tcp $HOME_NET any -> [119.76.173.139] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270585; rev:1;) alert tcp $HOME_NET any -> [162.0.233.89] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.193.201.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270583; rev:1;) alert tcp $HOME_NET any -> [156.242.46.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270582/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270582; rev:1;) alert tcp $HOME_NET any -> [170.130.165.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270581/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270581; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 3000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270580/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270580; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270579/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270579; rev:1;) alert tcp $HOME_NET any -> [156.242.40.206] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270578/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270578; rev:1;) alert tcp $HOME_NET any -> [103.74.102.181] 2981 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270577/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270577; rev:1;) 
# IP:port indicators. Each "alert tcp" rule below fires on TCP traffic from
# $HOME_NET to one listed address and port. There is no payload or flow
# keyword, so an alert shows only that the host tried to reach that endpoint;
# confirm with flow or endpoint data before treating the host as infected.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds. target:src_ip marks the internal
# host as the affected side in the alert record. confidence_level and
# first_seen in metadata are the feed's own values for the indicator.
alert tcp $HOME_NET any -> [91.92.245.225] 1024 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270576/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270576; rev:1;)
alert tcp $HOME_NET any -> [94.96.101.221] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270575/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270575; rev:1;)
alert tcp $HOME_NET any -> [201.215.238.207] 81 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270572/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270572; rev:1;)
# URL indicator. Matches a client GET whose URI begins with the listed path
# (depth equal to the content length anchors it at the start; nothing anchors
# the end, so longer URIs with this prefix also match) and whose Host value is
# exactly the listed string (depth plus isdataat:!1,relative allows no
# trailing bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270568; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.15] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270567; rev:1;)
alert tcp $HOME_NET any -> [41.142.26.2] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270566; rev:1;)
alert tcp $HOME_NET any -> [4.194.25.153] 5214 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270555; rev:1;)
# URL indicator. The URI content is anchored at the start only (depth:6), so
# any GET under /hhme/ on this host matches; the Host value must equal the
# listed name exactly (depth plus isdataat:!1,relative). The rule inspects
# parsed HTTP, so it can only see requests that are not inside TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hhme/"; depth:6; nocase; http.host; content:"www.premiumsystemshk.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270360; rev:1;)
# Domain indicators. dns_query with depth equal to the content length and
# isdataat:!1,relative matches the queried name exactly (case-insensitive via
# nocase). Subdomains are therefore not covered by the apex rule, which is why
# the apex and the www. name appear as two separate signatures; any other
# label under this domain would need its own entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"premiumsystemshk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.premiumsystemshk.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/manual.php"; depth:11; nocase; http.host; content:"bmeg.fel.cvut.cz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270366; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 11843 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blurrypixel.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"firstaischool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"veniam-veritatis.site"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; 
sid:91270355; rev:1;) alert tcp $HOME_NET any -> [5.181.156.36] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"firstaischool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"firstaischool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270353; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270331; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270330/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; 
sid:91270330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.soryokan.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270290; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270332; rev:1;) alert tcp $HOME_NET any -> [38.92.47.116] 7771 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.zhaixudong.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.teramachi-ah.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270337/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/endpoint.php"; depth:17; nocase; http.host; content:"51.195.211.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270351; rev:1;) alert tcp $HOME_NET any -> [51.195.211.231] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de-engines.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"these-accommodation.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270349; rev:1;) alert tcp $HOME_NET any -> [45.88.91.227] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270347/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_13; classtype:trojan-activity; sid:91270347; rev:1;) alert tcp $HOME_NET any -> [8.217.113.1] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twinks234.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270345; rev:1;) alert tcp $HOME_NET any -> [147.135.165.29] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270343; rev:1;) alert tcp $HOME_NET any -> [147.135.165.29] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270344; rev:1;) alert tcp $HOME_NET any -> [136.175.8.56] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270342; rev:1;) alert tcp $HOME_NET any -> [84.38.134.107] 59543 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270341; rev:1;) alert tcp $HOME_NET any -> [51.89.158.68] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270340; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270338; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270339; rev:1;) alert tcp $HOME_NET any -> [141.11.250.181] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270335; rev:1;) alert tcp $HOME_NET any -> [94.156.8.229] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270333; rev:1;) alert tcp 
$HOME_NET any -> [94.232.245.250] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voip.analytics-edges.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270328; rev:1;) alert tcp $HOME_NET any -> [91.92.255.220] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newsarena.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270326; rev:1;) alert tcp $HOME_NET any -> [91.92.255.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270323; rev:1;) alert tcp $HOME_NET any -> [91.92.255.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1270324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270324; rev:1;) alert tcp $HOME_NET any -> [91.92.255.190] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270325; rev:1;) alert tcp $HOME_NET any -> [91.92.255.108] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270320; rev:1;) alert tcp $HOME_NET any -> [91.92.255.108] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270321; rev:1;) alert tcp $HOME_NET any -> [91.92.255.108] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.40.161.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; 
classtype:trojan-activity; sid:91270319; rev:1;) alert tcp $HOME_NET any -> [45.145.228.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.145.228.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270317; rev:1;) alert tcp $HOME_NET any -> [83.143.112.27] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270316; rev:1;) alert tcp $HOME_NET any -> [95.164.4.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"95.164.4.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; 
sid:91270314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"45.145.228.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"45.86.162.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.84.155.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270311; rev:1;) alert tcp $HOME_NET any -> [139.84.155.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270310; rev:1;) alert tcp $HOME_NET any -> [45.76.172.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270308/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270308; rev:1;) alert tcp $HOME_NET any -> [45.76.172.9] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chinamobilie.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270307; rev:1;) alert tcp $HOME_NET any -> [43.156.16.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270306; rev:1;) alert tcp $HOME_NET any -> [47.236.160.26] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270305; rev:1;) alert tcp $HOME_NET any -> [8.217.35.112] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270304; rev:1;) alert tcp $HOME_NET any -> [124.220.148.109] 40040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270303/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270303; rev:1;) alert tcp $HOME_NET any -> [123.57.77.11] 61314 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270302; rev:1;) alert tcp $HOME_NET any -> [13.51.85.88] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270301; rev:1;) alert tcp $HOME_NET any -> [45.33.103.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270300; rev:1;) alert tcp $HOME_NET any -> [43.136.98.30] 9009 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270299; rev:1;) alert tcp $HOME_NET any -> [46.148.26.72] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270298; 
rev:1;) alert tcp $HOME_NET any -> [209.38.194.149] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270297; rev:1;) alert tcp $HOME_NET any -> [123.60.69.126] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270296; rev:1;) alert tcp $HOME_NET any -> [158.69.62.23] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270295; rev:1;) alert tcp $HOME_NET any -> [38.55.26.37] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270293; rev:1;) alert tcp $HOME_NET any -> [120.46.128.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270294; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8054 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1270292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edgeupdate.office365update.cn"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270291; rev:1;) alert tcp $HOME_NET any -> [116.205.141.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270284; rev:1;) alert tcp $HOME_NET any -> [14.5.161.232] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270283/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63b26ebf.php"; depth:13; nocase; http.host; content:"a0980477.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270282; rev:1;) alert tcp $HOME_NET any -> [121.41.101.166] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270281/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_13; classtype:trojan-activity; sid:91270281; rev:1;) alert tcp $HOME_NET any -> [180.214.239.242] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270280/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.41.1.47"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270279; rev:1;) alert tcp $HOME_NET any -> [121.41.1.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270278; rev:1;) alert tcp $HOME_NET any -> [121.40.127.134] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"121.40.21.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270276/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_13; classtype:trojan-activity; sid:91270276; rev:1;) alert tcp $HOME_NET any -> [121.40.21.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270275; rev:1;) alert tcp $HOME_NET any -> [112.124.65.163] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.121.26.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.121.26.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270272; rev:1;) alert tcp $HOME_NET any -> [47.121.26.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; 
classtype:trojan-activity; sid:91270270; rev:1;) alert tcp $HOME_NET any -> [47.121.26.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270271; rev:1;) alert tcp $HOME_NET any -> [47.115.216.170] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270269; rev:1;) alert tcp $HOME_NET any -> [47.109.100.127] 10500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270268; rev:1;) alert tcp $HOME_NET any -> [47.109.49.229] 8887 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.100.196.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270266; rev:1;) alert tcp $HOME_NET any -> [47.100.196.58] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270265; rev:1;) alert tcp $HOME_NET any -> [47.97.31.229] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270264; rev:1;) alert tcp $HOME_NET any -> [47.96.74.108] 8800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.94.249.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270262; rev:1;) alert tcp $HOME_NET any -> [47.94.249.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270260; rev:1;) alert tcp $HOME_NET any -> [47.94.249.38] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270261; rev:1;) alert tcp $HOME_NET any -> [39.101.76.249] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.101.76.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270258; rev:1;) alert tcp $HOME_NET any -> [39.101.76.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270257; rev:1;) alert tcp $HOME_NET any -> [39.98.110.45] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.saffronstays.com"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"116.205.224.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"175.178.80.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270251; rev:1;) alert tcp $HOME_NET any -> [175.178.80.49] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.167.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270249; rev:1;) alert tcp $HOME_NET any -> [124.220.167.247] 443 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270248; rev:1;)
# ip:port rules (next three): there is no flow or content option, so the only
# match conditions are source in $HOME_NET and the listed destination address
# and port. The threshold (type limit, track by_src, count 1, seconds 60) caps
# output at one alert per source host per minute; it does not narrow the match.
# NOTE(review): an address-only indicator says nothing about who holds the
# address today. Compare first_seen in metadata with the feed date and
# corroborate a hit with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [118.25.185.173] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270247; rev:1;)
alert tcp $HOME_NET any -> [114.132.61.178] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270246; rev:1;)
alert tcp $HOME_NET any -> [101.43.7.115] 33078 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270245; rev:1;)
# URL rule: the Host value must equal the content exactly (depth equals the
# content length and isdataat:!1,relative rejects any trailing byte). The URI is
# anchored only at its start (depth:3, no end check), so every path that begins
# with "/ca", in any letter case, satisfies it. This rule has no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.34.84.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270244; rev:1;)
alert tcp $HOME_NET any -> [101.34.84.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1270243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/x"; depth:9; nocase; http.host; content:"images-aliyun-oss.oss-cn-beijing.aliyuncs.com"; depth:45; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270242; rev:1;) alert tcp $HOME_NET any -> [82.156.151.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270241; rev:1;) alert tcp $HOME_NET any -> [43.143.193.228] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.240.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270239; rev:1;) alert tcp $HOME_NET any -> [43.138.240.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1270238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yuanruicn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270237; rev:1;) alert tcp $HOME_NET any -> [43.136.59.232] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270236; rev:1;) alert tcp $HOME_NET any -> [1.12.248.183] 27000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.124.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.63"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1270233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270233; rev:1;) alert tcp $HOME_NET any -> [95.217.28.63] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270231; rev:1;) alert tcp $HOME_NET any -> [88.99.124.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.rainbow1122.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270230; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 3615 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1270228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"www.flash-update.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270224; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"120.78.139.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"175.178.50.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270214/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"58.218.215.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"42.248.140.76"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"180.213.251.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"140.249.61.241"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270209/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"124.236.110.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270208/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"111.170.24.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"106.42.215.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270206/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; 
depth:11; nocase; http.host; content:"blog.pet-portraitartist.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270192; rev:1;)
# Domain rules (next three): the dns_query content is anchored at both ends
# (depth equals the content length, and isdataat:!1,relative requires that no
# byte follows), so only a query for exactly the listed name matches. A lookup
# for a subdomain of the same name does not satisfy the rule.
# These rules carry no threshold, so every matching query is eligible to alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frck.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frdk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frfk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270205; rev:1;)
# URL rule: Host is matched exactly; the URI is a case-insensitive prefix match
# on "/up/b" (depth:5 with no end anchor), so longer paths with that prefix match too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frcf.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/up/"; depth:4; nocase; http.host; content:"frcf.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/"; depth:4; nocase; http.host; content:"frdk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frck.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/"; depth:4; nocase; http.host; content:"frck.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199655148275"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270197/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_13; classtype:trojan-activity; sid:91270197; rev:1;)
# Profile-URL rules (next four): the Host is steamcommunity.com, a shared
# platform, so the Host condition alone carries no signal. The indicator is the
# specific /profiles/<id> path, matched as a case-insensitive prefix (depth:27,
# no end anchor).
# These are "alert http" rules, so they can fire only when the request is
# visible to the HTTP parser; a request made inside TLS is not inspected unless
# it is decrypted before the sensor.
# NOTE(review): confirm how this host is reached from your network; if it is
# TLS-only, plan for proxy or endpoint URL logs to cover these indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620321083"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199609760273"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619783336"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620585818"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270193; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie2/five/fre.php"; depth:19; nocase; http.host; content:"spencerstuartllc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270191/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"arabadakal.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270052/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"amcakalarada.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yakanbirkarda.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yakanbirkardanma.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"karamakarnakalem.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"karayanlardanmak.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"marabakalem.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekenmakaslar.shop"; 
depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.itoyakuten.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.jens-bolz.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270064; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 18014 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/03/20/pros-and-cons-of-multilateral-trade-agreements"; depth:68; nocase; http.host; content:"awadhshreehospital.in"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270068; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.jonheese.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270104; rev:1;)
# ip:port rule: matches on destination address and port only (no flow or
# content option); the threshold limits output to one alert per source per 60 s.
alert tcp $HOME_NET any -> [193.233.132.40] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270148; rev:1;)
# The next two rules have identical match options (same method, URI prefix and
# exact Host) and differ only in reference and sid, so a single matching request
# raises two alerts.
# NOTE(review): de-duplicate downstream or suppress one sid locally so that
# alert counts are not doubled for this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.lizzygraykitchens.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.lizzygraykitchens.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.193.148"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"50.75.213.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.96.89"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.23.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.166.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270186; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.221.151.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.137"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"65.21.183.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270181; rev:1;)
# URI "/" with depth:1 holds for any request path that starts with "/", so the
# effective condition is the exact Host value (depth plus isdataat:!1,relative).
# As an alert http rule it only sees cleartext or decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.49.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270180; rev:1;)
# The Host in this rule is a public service that also carries ordinary user
# traffic; the indicator is the specific profile path (URI prefix, depth:27).
# Scope triage and any blocking to that path and to the requesting host, not
# to the domain. The service is normally reached over HTTPS, so this alert
# http rule fires only where TLS is decrypted ahead of the sensor or the
# request is made in cleartext; absence of alerts is not evidence of absence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199675758951"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270179; rev:1;)
# ip:port rules: header-only match (no flow or payload keywords), so any TCP
# packet from $HOME_NET to the address and port matches, limited to one alert
# per source IP per 60 seconds. The same addresses appear as literal Host
# values in the url rules sid:91270186 and sid:91270187; on port 443 the
# payload is presumably TLS, so these ip:port rules are the ones likely to
# fire there.
alert tcp $HOME_NET any -> [168.119.166.86] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270174; rev:1;)
alert tcp $HOME_NET any -> [78.47.23.196] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270175; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.89] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270176; rev:1;) alert tcp $HOME_NET any -> [50.75.213.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270177; rev:1;) alert tcp $HOME_NET any -> [88.198.193.148] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270178; rev:1;) alert tcp $HOME_NET any -> [49.13.49.198] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270171; rev:1;) alert tcp $HOME_NET any -> [65.21.183.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270172; rev:1;) alert tcp $HOME_NET any -> [77.221.151.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270173; rev:1;) alert tcp $HOME_NET any -> [149.154.67.148] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270170; rev:1;)
# confidence_level 50 ip:port rules: the match is destination address and port
# only, with no protocol or payload check. Each rule records first_seen but
# has no expiry, so nothing in the rule reflects whether the address is still
# in use. Treat a hit as a lead to correlate with DNS, TLS and endpoint
# telemetry before acting. The confidence_level metadata key can be used to
# tag or filter these rules if alert volume on common ports is a problem.
# The threshold limits each rule to one alert per source IP per 60 seconds,
# so the alert count does not reflect the number of connections.
alert tcp $HOME_NET any -> [41.99.220.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270169; rev:1;)
alert tcp $HOME_NET any -> [82.8.144.54] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270168; rev:1;)
alert tcp $HOME_NET any -> [46.246.181.110] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270167; rev:1;)
alert tcp $HOME_NET any -> [41.251.193.48] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270166; rev:1;)
alert tcp $HOME_NET any -> [104.248.223.131] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; 
classtype:trojan-activity; sid:91270165; rev:1;) alert tcp $HOME_NET any -> [104.223.76.201] 44102 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270164; rev:1;) alert tcp $HOME_NET any -> [183.214.129.174] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270163; rev:1;) alert tcp $HOME_NET any -> [54.95.170.58] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270162; rev:1;) alert tcp $HOME_NET any -> [185.216.117.157] 9002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270161; rev:1;) alert tcp $HOME_NET any -> [80.66.75.43] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270160; rev:1;) alert tcp $HOME_NET any -> [150.158.121.15] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1270159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270159; rev:1;) alert tcp $HOME_NET any -> [205.185.121.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270158; rev:1;) alert tcp $HOME_NET any -> [18.188.31.230] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270157/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270157; rev:1;) alert tcp $HOME_NET any -> [203.205.6.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270156/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270156; rev:1;) alert tcp $HOME_NET any -> [170.130.165.69] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270155/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270155; rev:1;) alert tcp $HOME_NET any -> [198.23.135.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270154/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270154; rev:1;) alert tcp $HOME_NET any -> [20.52.146.50] 10443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270153/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270153; rev:1;) alert tcp $HOME_NET any -> [120.77.251.72] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270147/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270147; rev:1;) alert tcp $HOME_NET any -> [114.115.206.47] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270146/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270146; rev:1;) alert tcp $HOME_NET any -> [124.223.9.21] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270145/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270145; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270144/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270144; rev:1;) alert tcp $HOME_NET any -> [94.20.88.63] 63192 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270143/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270143; rev:1;) alert tcp $HOME_NET any -> [47.98.251.131] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270142; rev:1;) alert tcp $HOME_NET any -> [47.116.170.61] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270141; rev:1;) alert tcp $HOME_NET any -> [137.220.197.172] 33666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270140; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 50053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270139; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 50150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270138; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270137; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270136/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270136; rev:1;) alert tcp $HOME_NET any -> [109.196.166.188] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270135/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270135; rev:1;) alert tcp $HOME_NET any -> [43.136.96.90] 65432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270134/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270134; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270133/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270133; rev:1;) alert tcp $HOME_NET any -> [137.220.197.188] 33666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; 
classtype:trojan-activity; sid:91270132; rev:1;) alert tcp $HOME_NET any -> [146.190.38.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270131; rev:1;) alert tcp $HOME_NET any -> [143.198.3.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270130; rev:1;) alert tcp $HOME_NET any -> [34.29.187.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270129; rev:1;) alert tcp $HOME_NET any -> [135.125.255.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270128; rev:1;) alert tcp $HOME_NET any -> [45.144.3.98] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270127; rev:1;) alert tcp $HOME_NET any -> [77.51.217.181] 25565 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1270126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270126; rev:1;) alert tcp $HOME_NET any -> [5.53.20.184] 3333 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270125; rev:1;) alert tcp $HOME_NET any -> [50.114.32.219] 4443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270124; rev:1;) alert tcp $HOME_NET any -> [35.226.17.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270123; rev:1;) alert tcp $HOME_NET any -> [103.17.119.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270122; rev:1;) alert tcp $HOME_NET any -> [162.14.105.213] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270121; rev:1;) alert tcp $HOME_NET any -> [162.14.122.93] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270120; rev:1;) alert tcp $HOME_NET any -> [39.101.189.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270119; rev:1;) alert tcp $HOME_NET any -> [47.236.7.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270118; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270117; rev:1;) alert tcp $HOME_NET any -> [5.42.96.191] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270116; rev:1;) alert tcp $HOME_NET any -> [217.12.208.114] 8088 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; 
classtype:trojan-activity; sid:91270115; rev:1;) alert tcp $HOME_NET any -> [5.42.96.91] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270114; rev:1;) alert tcp $HOME_NET any -> [46.17.44.143] 1194 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270113; rev:1;) alert tcp $HOME_NET any -> [197.119.237.124] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270112; rev:1;) alert tcp $HOME_NET any -> [38.145.202.143] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270111; rev:1;) alert tcp $HOME_NET any -> [38.145.202.143] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270110; rev:1;) alert tcp $HOME_NET any -> [77.99.80.4] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1270109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270109; rev:1;) alert tcp $HOME_NET any -> [2.56.245.124] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270108; rev:1;) alert tcp $HOME_NET any -> [5.42.96.142] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270107; rev:1;) alert tcp $HOME_NET any -> [77.221.151.82] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270106; rev:1;) alert tcp $HOME_NET any -> [91.92.242.162] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270105; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270102; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 8000 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270101; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270100; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270099; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270098; rev:1;) alert tcp $HOME_NET any -> [58.186.236.71] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270097; rev:1;) alert tcp $HOME_NET any -> [45.94.170.223] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270096/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_12; classtype:trojan-activity; sid:91270096; rev:1;) alert tcp $HOME_NET any -> [45.94.170.223] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270095; rev:1;) alert tcp $HOME_NET any -> [1.53.31.3] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270094; rev:1;) alert tcp $HOME_NET any -> [193.187.175.70] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270093; rev:1;) alert tcp $HOME_NET any -> [91.219.62.14] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270092; rev:1;) alert tcp $HOME_NET any -> [1.53.107.135] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270091; rev:1;) alert tcp $HOME_NET any -> [120.156.150.101] 8085 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1270090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270090; rev:1;) alert tcp $HOME_NET any -> [3.141.40.232] 8443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270089; rev:1;) alert tcp $HOME_NET any -> [1.180.161.186] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270088; rev:1;) alert tcp $HOME_NET any -> [77.73.39.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270087; rev:1;) alert tcp $HOME_NET any -> [150.95.112.19] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270086; rev:1;) alert tcp $HOME_NET any -> [94.156.67.118] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270085; rev:1;) alert tcp $HOME_NET any -> [103.14.226.21] 80 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270084; rev:1;) alert tcp $HOME_NET any -> [178.215.236.112] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270083; rev:1;) alert tcp $HOME_NET any -> [178.215.236.182] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270082; rev:1;) alert tcp $HOME_NET any -> [59.174.210.205] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270081; rev:1;) alert tcp $HOME_NET any -> [106.75.218.92] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270080; rev:1;) alert tcp $HOME_NET any -> [5.34.182.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91270079; rev:1;)
# URL rule: GET, http.uri anchored only at the start (depth:24, no end check), so any
# URI that begins with this path matches; http.host is matched exactly (depth:11 plus
# isdataat:!1,relative). sid:91270070 later in this file has the same match conditions
# and differs only in reference and sid, so one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/add/contact-us/u0tej4uo"; depth:24; nocase; http.host; content:"5.34.182.45"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270078; rev:1;)
# ip:port rules carry no flow or content keywords: any TCP packet from $HOME_NET to the
# listed address and port matches, including a connection attempt that never completes.
# threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [122.10.35.49] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270077; rev:1;)
alert tcp $HOME_NET any -> [210.114.11.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270076; rev:1;)
# URI content is only five bytes and start-anchored: every GET whose URI begins with
# /push on this exact Host matches.
# NOTE(review): the ip:port rule for the same address (sid:91270076) is on 443; if that
# traffic is TLS, this http rule fires only where the sensor sees decrypted or cleartext
# HTTP -- confirm against the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"210.114.11.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270075; rev:1;)
alert tcp $HOME_NET any -> [34.141.169.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91270074; rev:1;)
# URI content is three bytes, start-anchored (depth:3) with no end check: any GET whose
# URI begins with /cx matches, but only when http.host is exactly 34.141.169.93.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"34.141.169.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270073; rev:1;)
# ip:port rules: no flow or payload keywords, so the destination address and port are the
# whole match; threshold emits at most one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [122.10.105.49] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270072; rev:1;)
alert tcp $HOME_NET any -> [5.34.182.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270071; rev:1;)
# Match conditions are identical to sid:91270078 earlier in this file (same method, URI
# prefix and Host); only reference and sid differ. A matching request produces two alerts,
# so deduplicate downstream or suppress one sid locally if that is unwanted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/add/contact-us/u0tej4uo"; depth:24; nocase; http.host; content:"5.34.182.45"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270070; rev:1;)
alert tcp $HOME_NET any -> [92.44.20.216] 9733 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270069; 
rev:1;) alert tcp $HOME_NET any -> [85.114.96.11] 1602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91270067; rev:1;) alert tcp $HOME_NET any -> [85.114.96.11] 37552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpressbetter/voiddb/bigloadlinux/dletrafficphp/protectwordpress/uploads2/image/39/mariadbapitraffic/process/5/trafficuniversalwordpress.php"; depth:143; nocase; http.host; content:"62.109.7.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270062; rev:1;) alert tcp $HOME_NET any -> [95.164.63.81] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270051; rev:1;) alert tcp $HOME_NET any -> [23.254.128.104] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91270050; rev:1;)
# Every complete rule in this group carries confidence_level 50. The action (alert) and
# classtype (trojan-activity) are the same as on the confidence-100 rules in this file;
# the confidence value appears only in msg and metadata, so any triage or severity split
# has to key on those fields.
# first_seen is 2024_05_12 while the file header says "Last updated: 2024-07-26"; the
# rule itself cannot show whether the address still hosts the listed family, so check the
# referenced IOC page before acting on a hit.
alert tcp $HOME_NET any -> [116.205.224.194] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270049; rev:1;)
alert tcp $HOME_NET any -> [39.107.57.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270048; rev:1;)
# Destination port 443 with no payload inspection: the rule matches on address and port
# alone, regardless of what protocol is spoken on the connection.
alert tcp $HOME_NET any -> [118.161.6.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270047; rev:1;)
alert tcp $HOME_NET any -> [197.86.195.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270046; rev:1;)
alert tcp $HOME_NET any -> [91.210.107.202] 30252 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270045; rev:1;)
alert tcp $HOME_NET any -> [107.172.159.50] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1270044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270044; rev:1;) alert tcp $HOME_NET any -> [3.115.31.102] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270043; rev:1;) alert tcp $HOME_NET any -> [45.138.74.48] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270042; rev:1;) alert tcp $HOME_NET any -> [45.138.74.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozanhackerr.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozandelimisin.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1269861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozanaseviyor.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozansinyalcimisinla.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozanhacibaba.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"jin-tonik-boom.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; 
classtype:trojan-activity; sid:91269865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"double-bubble-gum.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"bed-car-top-car.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"free-tree-loop.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"big-tree-ilusion.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"pica-chupachups-ok.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.apk"; depth:7; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo.apk"; depth:7; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iu.apk"; depth:7; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1.apk"; depth:7; nocase; http.host; 
content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.apk"; depth:6; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3123.apk"; depth:9; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkide_japanpost1.apk"; depth:22; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269878/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_12; classtype:trojan-activity; sid:91269878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iu.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.apk"; depth:6; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkide_japanpost1.apk"; depth:22; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iu.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1269889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269889; rev:1;)
# sid:91269801 and sid:91269793 below have identical match conditions (GET, URI starting
# with /manual.php, Host exactly blog.icondesignlab.com) and differ only in reference and
# sid. One matching request raises two alerts; deduplicate downstream or suppress one sid
# locally if that is unwanted.
# The URI check is start-anchored only (depth:11, no end check), so /manual.php followed
# by a query string or further path still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.icondesignlab.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.icondesignlab.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269793; rev:1;)
# Same URI prefix on a second Host (exact match, depth:21 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.hongo-makoto.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269790; rev:1;)
# ip:port rule: destination address and port are the whole match (no flow or payload
# keywords); at most one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [80.249.144.188] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brewinstaller"; depth:14; nocase; http.host; content:"5.255.107.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269849; rev:1;)
# Same /brewinstaller URI prefix as sid:91269849, keyed on the domain instead of the IP
# literal; http.host must equal homebrew.cx exactly (depth:11 plus isdataat:!1,relative).
# NOTE(review): the domain name resembles the Homebrew project name -- presumably a
# lookalike download site; confirm on the referenced IOC page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brewinstaller"; depth:14; nocase; http.host; content:"homebrew.cx"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269850; rev:1;)
# ip:port rule at confidence_level 75: address and port are the whole match.
alert tcp $HOME_NET any -> [107.175.150.73] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269848/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91269848; rev:1;)
# Same address as the Host in sid:91269849, here on port 443 with no payload inspection.
# NOTE(review): if delivery on 443 is TLS, the two /brewinstaller http rules only fire
# where the sensor sees decrypted or cleartext HTTP; this rule and the dns rule below are
# then the only coverage -- confirm against the deployment.
alert tcp $HOME_NET any -> [5.255.107.149] 443 (msg:"ThreatFox AMOS payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269852; rev:1;)
# The query name is anchored at both ends (depth:11 plus isdataat:!1,relative), so only a
# lookup of exactly homebrew.cx matches (case-insensitive); a lookup of any subdomain does
# not. No threshold is set, so every matching query alerts.
# dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homebrew.cx"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269853; rev:1;)
alert tcp $HOME_NET any -> [139.180.155.73] 5000 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269855; rev:1;)
# ^ Tail of an ip:port rule whose header lies on the preceding line of this page.
#
# Conventions used by every rule below:
#   - sid = 90000000 + ThreatFox IOC id, so an alert maps directly to its reference URL.
#   - target:src_ip tags the $HOME_NET host as the affected side of the event.
#   - metadata confidence_level / first_seen can be used by rule management or
#     alert routing to weight or age out entries.
#
# --- Payload delivery: URL indicators on host 202.79.165.160 (.apk files) ---
# Each rule matches a GET whose URI buffer starts with the listed path (depth
# equals the pattern length, so the match is anchored at the start but not at
# the end) and whose Host value is exactly the listed address (depth plus
# isdataat:!1,relative leaves no room for trailing bytes).
# These rules inspect cleartext HTTP only; the same URL fetched over TLS is not
# matched unless the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.apk"; depth:6; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3123.apk"; depth:9; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkide_japanpost1.apk"; depth:22; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269892; rev:1;)
# --- Payload delivery: ip:port indicators (three addresses, port 9080) ---
# No flow or content keywords: any TCP packet from a $HOME_NET host to the
# listed address and port raises the alert, limited to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [202.79.165.160] 9080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269893; rev:1;)
alert tcp $HOME_NET any -> [202.79.165.162] 9080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269894; rev:1;)
alert tcp $HOME_NET any -> [202.79.165.170] 9080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269895; rev:1;)
# --- RAT C2: ip:port indicators at confidence 80 (NjRAT, Nanocore RAT, Nimplant) ---
# The five Nanocore entries share destination port 54984.
# NOTE(review): first_seen is 2024_05_12 while the file header is dated
# 2024-07-26; address-based indicators can be reassigned, so review these
# entries by first_seen before treating a hit as confirmed.
alert tcp $HOME_NET any -> [103.206.109.165] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269902/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269902; rev:1;)
alert tcp $HOME_NET any -> [45.74.0.252] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269901/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269901; rev:1;)
alert tcp $HOME_NET any -> [95.169.211.7] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269900/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269900; rev:1;)
alert tcp $HOME_NET any -> [172.111.139.13] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269899; rev:1;)
alert tcp $HOME_NET any -> [194.59.31.115] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269898; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.177] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269897; rev:1;)
# The Nimplant entry is a bare address on port 80: the rule cannot tell C2
# traffic from any other service answering at that address and port, so
# confirm a hit with endpoint or payload evidence.
alert tcp $HOME_NET any -> [35.87.2.201] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269896; rev:1;)
# --- URL indicator on host 81.17.22.42 ---
# "/updates.rss" is an ordinary-looking path; the exact Host match is what
# makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"81.17.22.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269871; rev:1;)
# --- Payload delivery: smbeckwithlaw.com/1.zip ---
# sid:91269859 and sid:91269858 have identical match options (only reference
# and sid differ), so one request produces two alerts. Presumably the feed
# holds two IOC entries for this URL; deduplicate downstream on source, host
# and URI rather than disabling either sid, so both references stay traceable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.zip"; depth:6; nocase; http.host; content:"smbeckwithlaw.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.zip"; depth:6; nocase; http.host; content:"smbeckwithlaw.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269858; rev:1;)
# --- Domain indicator ---
# dns_query with depth equal to the name length plus isdataat:!1,relative is an
# exact, case-insensitive match on the whole query name; lookups of subdomains
# of kindupdates.com do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kindupdates.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269857; rev:1;)
# --- RisePro: ip:port indicator at confidence 50 ---
# Lowest confidence among the complete rules in this stretch. The same address
# is listed later in the file on port 50500 at confidence 100 (sid:91269791).
alert tcp $HOME_NET any -> [54.180.28.87] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269856; rev:1;)
# --- URL indicator on 815622cm.n9shteam3.top ---
# Same shape as sid:91303950 at the top of the file (numeric "cm" subdomain,
# long concatenated-word .php path); the rules do not name a family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagepipelowauthgameflowertestprivate.php"; depth:42; nocase; http.host; content:"815622cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269847; rev:1;)
# --- Stealer / RAT C2: ip:port indicators (RedLine Stealer, AsyncRAT) ---
# 185.104.195.215 is listed on both 4444 and 1337; each port is a separate sid
# with its own threshold, so one host contacting both ports alerts twice.
alert tcp $HOME_NET any -> [194.36.178.33] 47454 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269846; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.252] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269845; rev:1;)
alert tcp $HOME_NET any -> [185.104.195.215] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269844; rev:1;)
alert tcp $HOME_NET any -> [5.252.53.186] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269843; rev:1;)
alert tcp $HOME_NET any -> [185.104.195.215] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269842; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.57] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269841; rev:1;)
# The next rule is cut by the page's line wrap; its option list continues on
# the following line of the page.
alert tcp $HOME_NET any -> [38.54.56.43] 8443
(msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269840; rev:1;)
# ^ Option list of the Deimos ip:port rule whose header
#   (alert tcp ... [38.54.56.43] 8443) ends the preceding line of this page.
#
# --- Deimos and PoshC2: ip:port indicators at confidence 80 ---
# These rules key on destination address and port only. The PoshC2 entry is on
# port 443; nothing in the rule inspects the TLS session, so any connection to
# that address and port alerts (one alert per source per 60 seconds).
alert tcp $HOME_NET any -> [95.164.16.146] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269839; rev:1;)
alert tcp $HOME_NET any -> [102.47.144.227] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269838; rev:1;)
# --- Cobalt Strike: URL indicators paired with ip:port indicators ---
# The URL rules carry no family name in msg; the family is given only by the
# ip:port rule for the same address where one is present in this stretch
# (39.105.60.105, 42.192.131.115, 139.9.149.143, 8.134.163.72, 95.164.4.185).
# The URI patterns (/ga.js, /fwlink, /en_us/all.js, /jquery-*.min.js,
# /pixel.gif) are names that ordinary web traffic also uses. They are
# indicators only in combination with the exact Host match and should not be
# lifted out as standalone signatures.
# URL rule shape: GET, URI anchored at the start by depth (prefix match, no end
# anchor), Host matched exactly via depth plus isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"148.135.46.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269837; rev:1;)
# Pair on port 80: a single cleartext request to this host raises both the
# ip:port sid and the URL sid; correlate on destination address when counting.
alert tcp $HOME_NET any -> [39.105.60.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"39.105.60.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269835; rev:1;)
# Pairs on port 443 (42.192.131.115, 139.9.149.143): the URL rule can fire only
# if the sensor sees that traffic as cleartext HTTP, so without TLS decryption
# expect the ip:port sid to be the one that alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269833; rev:1;)
alert tcp $HOME_NET any -> [42.192.131.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269834; rev:1;)
# sid:91269831 is repeated later in the file with identical match options as
# sid:91269818; both fire on the same request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.2.1.min.js"; depth:20; nocase; http.host; content:"139.9.149.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269831; rev:1;)
alert tcp $HOME_NET any -> [139.9.149.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.163.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269829; rev:1;)
alert tcp $HOME_NET any -> [8.134.163.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269830; rev:1;)
# No ip:port rule for 114.132.120.166 appears in this stretch, so this URL rule
# is the only coverage shown here and it depends on cleartext HTTP visibility.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.3.min.js"; depth:20; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"95.164.4.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269826; rev:1;)
alert tcp $HOME_NET any -> [95.164.4.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269827; rev:1;)
# --- URL indicators (GET, URI prefix, exact Host) ---
# depth equals the pattern length, so the URI match is anchored at the start of
# the buffer but has no end anchor: "/cx", "/api/x", "/match" and "/ca" match
# every URI that begins with those bytes. The exact Host match (depth plus
# isdataat:!1,relative) is what keeps these rules specific.
# These rules see cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.115.38.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"148.135.46.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"175.178.49.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"114.55.112.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269822; rev:1;)
# 164.92.249.209 has two URL rules ("/match" here, "/ca" further down) and an
# ip:port rule on port 80 naming Cobalt Strike (sid:91269810).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"164.92.249.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.130.134.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269820; rev:1;)
# 139.9.149.143 on port 80. The URL rule that follows (sid:91269818) has the
# same match options as sid:91269831 earlier in the file, so one request to
# this host and URI raises both URL sids in addition to this ip:port sid.
# Deduplicate downstream rather than disabling a sid, so every IOC reference
# stays traceable.
alert tcp $HOME_NET any -> [139.9.149.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.2.1.min.js"; depth:20; nocase; http.host; content:"139.9.149.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269818; rev:1;)
# --- Domain + URL pair: js.mitigize.com ---
# The domain rule is an exact, case-insensitive match on the full query name,
# so it covers "js.mitigize.com" only, not the parent domain or other
# subdomains. The domain rule fires on the lookup, the URL rule on a cleartext
# GET to that host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.mitigize.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"js.mitigize.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269816; rev:1;)
# "/jquery-3.3.1.min.js" is a file name ordinary sites also serve; the rules are
# meaningful only with their Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"5.34.182.216"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"142.171.200.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269814; rev:1;)
alert tcp $HOME_NET any -> [43.143.193.228] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269813; rev:1;)
# --- Domain + URL pair: www.chiante1ecom.com ---
# Exact-name match: the rule covers the "www." name only, so a lookup of the
# bare registered domain is not matched by this sid.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.chiante1ecom.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.chiante1ecom.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269811; rev:1;)
alert tcp $HOME_NET any -> [164.92.249.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"164.92.249.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269809; rev:1;)
# --- RisePro: ip:port at confidence 100 ---
# Same address as sid:91269856 earlier in the file (port 8081, confidence 50);
# the two ports carry different confidence levels and should be weighted
# separately.
alert tcp $HOME_NET any -> [54.180.28.87] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269791; rev:1;)
# The next rule is cut by the page's line wrap; its remaining options continue
# on the following line of the page.
alert tcp $HOME_NET any -> [193.143.1.180] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269788/; target:src_ip; metadata: confidence_level 100, first_seen
2024_05_12; classtype:trojan-activity; sid:91269788; rev:1;)
# ^ Tail of the Cobalt Strike ip:port rule for [193.143.1.180] 801 that starts
#   on the preceding line of this page.
#
# --- ".shop" cluster: nine domains, each with a domain rule and a URL rule ---
# Domain rules: dns_query with depth equal to the name length plus
# isdataat:!1,relative is an exact, case-insensitive match on the whole query
# name; subdomains of these names do not match.
# The rules do not name a malware family (msg says only "botnet C2 traffic").
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prideconstituiiosjk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smallelementyjdui.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appetitesallooonsj.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minorittyeffeoos.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tendencyportionjsuk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"headraisepresidensu.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sloganprogrevidefkso.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sofaprivateawarderysj.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lineagelasserytailsd.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269772; rev:1;)
# URL rules for the same nine domains: GET, URI starting with "/api" (prefix
# match, no end anchor), exact Host.
# A request that uses any other method to the same URI is not matched by these
# rules; the domain rules above still cover the lookup.
# NOTE(review): every URL rule in this file pins the method to GET, which looks
# like a generator default rather than an observed property of the traffic;
# confirm before relying on the URL sids alone.
# The URL rules see cleartext HTTP only. A host that resolves one of these names
# and then requests /api in cleartext raises both sids for that domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"smallelementyjdui.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"appetitesallooonsj.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"minorittyeffeoos.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"prideconstituiiosjk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tendencyportionjsuk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"headraisepresidensu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sloganprogrevidefkso.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofaprivateawarderysj.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lineagelasserytailsd.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269763; rev:1;)
# The next rule is cut by the page's line wrap; its remaining options continue
# on the following line of the page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.gn8.at"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269759/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269759; rev:1;)
# ^ Tail of the payload-delivery URL rule for blog.gn8.at "/manual.php" that
#   starts on the preceding line of this page.
#
# --- Payload delivery: blog.gn8.at/manual.php (second entry) ---
# sid:91269760 has the same match options as sid:91269759 above (only reference
# and sid differ), so one request produces two alerts. Deduplicate downstream
# rather than disabling either sid, so both IOC references stay traceable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.gn8.at"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269760; rev:1;)
# --- Amadey: two URL indicators and one ip:port indicator on 5.42.96.7 ---
# The URL rules do not name the family; it is given only by the ip:port rule for
# the same address. A cleartext GET to either /zamo7h/ path raises the
# matching URL sid and the ip:port sid together.
# The ip:port rule has no content or flow keywords: any TCP packet from
# $HOME_NET to that address on port 80 alerts, once per source per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zamo7h/index.php"; depth:17; nocase; http.host; content:"5.42.96.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zamo7h/login.php"; depth:17; nocase; http.host; content:"5.42.96.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269780; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.7] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269781; rev:1;)
# --- Three hyphen-position variants of one name, each with a URL and a domain rule ---
# trad-einmyus.com / tradein-myus.com / trade-inmyus.com differ only in where
# the hyphen sits. All rules match the listed name exactly, so any further
# variant of the label is not covered.
# "/index.php" is a prefix match on a very common path; the Host match carries
# the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trad-einmyus.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tradein-myus.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trade-inmyus.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269787; rev:1;)
# --- URL cluster at confidence 80: twelve .xyz/.top hosts sharing one path prefix ---
# Every rule matches a GET whose URI starts with "/zjm0njuxndm5mmvi/"; the
# pattern ends in "/" and has no end anchor, so any URI beneath that directory
# matches.
# The path is stored in lowercase and matched with nocase, so the rule text
# should not be read as the original case of the path (presumably lowercased
# by the generator).
# No domain rules for these hosts appear in this stretch of the file: coverage
# shown here depends on cleartext HTTP visibility.
# NOTE(review): the shared path is a stronger grouping key for triage than any
# single host name, since the host list is the part most likely to change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tambanunakere.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269514/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tabukareler.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269513/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"fesatokero.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269515/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"lemanobelki.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269516/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tutankamunhaci.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269517/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"karakapkaraklpak.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269518/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"buzbuzdagdaglari.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269519/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bilebilegndere.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269520/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"saybyebyetohepiniz.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269521/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"ruhumdnzincirr.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269522/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kefalmefaltefal.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gecelerisvdmpkiyasen.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269524; rev:1;)
# The next rule is cut by the page's line wrap; only its action and protocol
# are on this line.
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"yoktuhcfener.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269526/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kranliktaaradm.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"astralanahatarim.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dlounayyanimda.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269527/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"izlemebskasiyla.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"anilardvrimi.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"leardolordoloro.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"hadikapanikapatsana.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.festivalfilmeduc.net"; 
depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/"; depth:8; nocase; http.host; content:"39.100.85.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ny-car-lease-tax-calculator"; depth:28; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"y9f6z0q1w2.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"y9f6z0q1w2.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; 
classtype:trojan-activity; sid:91269543; rev:1;)
# ip:port rule: there is no flow, flags or content keyword, so the header alone
# (any TCP packet from $HOME_NET to this address and port) decides the match.
# "threshold: type limit ... count 1" caps it at one alert per source per 60 s.
# NOTE(review): the DNS rule that follows names a host under ply.gg, which looks
# like a shared tunnelling service. If so, the address and port may be reassigned
# to unrelated tenants over time. Check first_seen against the capture date and
# corroborate with endpoint telemetry before escalating. TODO confirm the pairing
# on the ThreatFox entries.
alert tcp $HOME_NET any -> [147.185.221.19] 10345 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91269709; rev:1;)
# Domain rule: depth:25 anchors the 25-byte name at the start of dns_query and
# isdataat:!1,relative requires nothing after it, so only this exact name matches
# (case-insensitively). Deeper subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"study-window.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269710/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91269710; rev:1;)
# NOTE(review): this rule has the same http.method / http.uri / http.host match
# as sid:91269740 earlier in the file; only the ThreatFox IOC id and the sid
# differ. One request therefore raises two alerts, so deduplicate on
# host + URI in the alert pipeline when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ny-car-lease-tax-calculator"; depth:28; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269741; rev:1;)
# URL rule shape used throughout: the http.uri content carries depth only, so it
# is a prefix match on the URI. The http.host content carries depth plus
# isdataat:!1,relative, so the host must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/10/01/are-ping-eye-irons-legal"; depth:36; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269742; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 2551 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269745/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/05/23/what-is-an-enterprise-agreements/"; depth:45; nocase; http.host; content:"www.burleys.ca"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/11/lease-agreement-between-husband-and-wife"; depth:52; nocase; http.host; content:"casadevida.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269757; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269753; rev:1;) alert tcp $HOME_NET any -> [185.117.72.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269751; rev:1;)
# The four ip:port rules below match on the header alone (destination address and
# port), with no flow or payload condition. "threshold: type limit" keeps each to
# one alert per source address per 60 seconds.
# All four carry confidence_level 50 in metadata but keep classtype
# trojan-activity, so they surface with the same classtype as the 100% entries
# unless the alert pipeline reads the metadata field. A hit is an
# address-reputation signal: compare first_seen with the capture date and look
# for corroborating evidence before escalating.
alert tcp $HOME_NET any -> [149.154.158.222] 3933 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269750; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.177] 57067 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269749; rev:1;)
alert tcp $HOME_NET any -> [173.216.245.82] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269748; rev:1;)
alert tcp $HOME_NET any -> [35.177.104.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"53473cm.easyswap.space"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269744/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_12; classtype:trojan-activity; sid:91269744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0951334.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.44.24.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269738; rev:1;) alert tcp $HOME_NET any -> [54.82.65.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269737; rev:1;) alert tcp $HOME_NET any -> [34.92.137.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1269736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269736; rev:1;)
# URL rule for the same address as the ip:port rule ending above (sid:91269736,
# TCP/443). It matches GET requests only, with a URI that begins with /ptj
# (depth:4 anchors the start, nothing anchors the end) and a Host that is
# exactly 34.92.137.73.
# NOTE(review): the rule fires only on traffic Suricata parses as HTTP. If the
# listener on 443 speaks TLS, this rule sees nothing without decryption and
# sid:91269736 is the only coverage for that address. Confirm the scheme on the
# ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"34.92.137.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269735; rev:1;)
# Same pairing for 43.156.13.20: an ip:port rule on TCP/443 followed by the URL
# rule for that host, with the same cleartext-HTTP caveat.
alert tcp $HOME_NET any -> [43.156.13.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"43.156.13.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269733; rev:1;)
# The msg of the URL rules names no malware family. Use the reference URL to
# attribute a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269732; rev:1;)
alert tcp $HOME_NET any -> [154.204.180.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.204.180.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269730; rev:1;) alert tcp $HOME_NET any -> [51.89.72.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.htm"; depth:10; nocase; http.host; content:"51.89.72.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269728; rev:1;) alert tcp $HOME_NET any -> [113.31.105.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-1bsjckga-1252578700.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-1bsjckga-1252578700.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269726; rev:1;) alert tcp $HOME_NET any -> [185.196.8.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"action-winds.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microstar.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data"; depth:5; nocase; http.host; content:"action-winds.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task"; depth:5; nocase; http.host; content:"microstar.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1"; depth:3; nocase; http.host; content:"1c-marketing.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1c-marketing.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"122.10.105.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269717/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269717; rev:1;) alert tcp $HOME_NET any -> [43.143.193.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.143.193.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269715; rev:1;) alert tcp $HOME_NET any -> [111.229.209.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/owa/"; depth:15; nocase; http.host; content:"111.229.209.159"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269713; rev:1;) alert tcp $HOME_NET any -> [91.92.250.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269712/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269712; rev:1;) alert tcp $HOME_NET any -> [95.217.242.180] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.222.36.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; 
depth:8; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269538; rev:1;)
# NOTE(review) on the rule ending above (sid:91269538): its http.host value,
# 192.168.183.131, is an RFC 1918 private address. Where $HOME_NET covers
# 192.168.0.0/16 and $EXTERNAL_NET is !$HOME_NET, a direct request to that host
# is not $HOME_NET -> $EXTERNAL_NET, so the rule could fire only for a request
# sent to an outside address that carries this Host header (for example through
# an external proxy). This looks like a lab or sandbox artefact in the feed. A
# hit says little about a public C2 endpoint, and the same private address can
# exist on unrelated networks. Confirm on the ThreatFox entry.
#
# The rules below follow the usual URL shape: GET only, a prefix match on
# http.uri, and an exact match on http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.14.204.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269534/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"1.117.93.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269511; rev:1;) alert tcp $HOME_NET any -> [103.21.88.13] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269510; rev:1;) alert tcp $HOME_NET any -> [103.21.88.14] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1269509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269509; rev:1;)
# Reviewer notes for the rules below:
# - ip:port rules carry only a threshold (one alert per source address per 60
#   seconds) and no flow or content keywords, so any TCP packet from $HOME_NET
#   to the listed address and port matches.
# - url rules match a URI prefix (depth equals the content length) together
#   with an exact Host value (depth plus isdataat:!1,relative), on parsed HTTP
#   only; TLS traffic is not inspected unless it is decrypted upstream.
# - Most ip:port rules here are confidence_level 50, including sid 91269507 on
#   port 80: treat a hit as a lead to corroborate with HTTP, flow or endpoint
#   data. The metadata confidence_level value can be used to tier alert
#   handling.
# - first_seen is 2024_05_11; address-based indicators can outlive the
#   infrastructure they describe, so check the ThreatFox reference for the
#   current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269508; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.224] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269506; rev:1;)
alert tcp $HOME_NET any -> [8.130.135.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269505; rev:1;)
alert tcp $HOME_NET any -> [120.55.100.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269502; rev:1;)
alert tcp $HOME_NET any -> [43.159.230.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269501; rev:1;)
alert tcp $HOME_NET any -> [118.25.101.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.223.220.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269500; rev:1;)
alert tcp $HOME_NET any -> [107.167.18.2] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269498; rev:1;)
alert tcp $HOME_NET any -> [107.167.18.4] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269497; rev:1;)
alert tcp $HOME_NET any -> [107.167.18.3] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269495; rev:1;)
alert tcp $HOME_NET any -> [107.167.18.6] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269494/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269494; rev:1;)
# Reviewer notes for the rules below:
# - sid 91269493 and sid 91269477 have identical match conditions (same URI
#   prefix, same Host 104.236.69.99); one matching request raises both alerts.
#   Suppress or de-duplicate one of them downstream if alert volume matters.
# - The ip:port rules on port 443 (QakBot, Havoc, Deimos) match any TCP packet
#   from $HOME_NET to that address and port, limited to one alert per source
#   per 60 seconds. They do not inspect TLS content, and at confidence_level 50
#   a hit needs corroboration (for example TLS fingerprint, flow or endpoint
#   data) before it is treated as an infection.
# - url rules match a URI prefix plus an exact Host value on parsed HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"104.236.69.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269493; rev:1;)
alert tcp $HOME_NET any -> [85.104.36.117] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"147.135.211.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269490; rev:1;)
alert tcp $HOME_NET any -> [13.231.126.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269489; rev:1;)
alert tcp $HOME_NET any -> [178.128.170.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269488; rev:1;)
alert tcp $HOME_NET any -> [172.81.61.224] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269487; rev:1;)
alert tcp $HOME_NET any -> [43.155.16.246] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269486; rev:1;)
alert tcp $HOME_NET any -> [172.172.150.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269483; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20023 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269484; rev:1;)
alert tcp $HOME_NET any -> [149.154.158.222] 36884 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269481; rev:1;)
alert tcp $HOME_NET any -> [5.189.152.51] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269479; rev:1;)
alert tcp $HOME_NET any -> [52.83.56.72] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269478; rev:1;)
# Same match conditions as sid 91269493 above (duplicate IOC in the feed).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"104.236.69.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269476; rev:1;)
alert tcp $HOME_NET any -> [125.73.208.47] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269474/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269474; rev:1;)
# Reviewer notes for the rules below:
# - domain rules (alert dns) match the query name exactly: depth equals the
#   content length and isdataat:!1,relative rejects anything after it, so
#   subdomains of the listed name do not match.
# - url rules match a URI prefix plus an exact Host value on parsed HTTP only.
# - Two of the names are *.cloudfront.net distribution hostnames. That parent
#   domain is shared CDN infrastructure; keep any derived block or hunt scoped
#   to the exact hostname and do not extend it to the parent domain or to the
#   resolved IP addresses.
# - sid 91269464 and sid 91269461 have identical match conditions (same URI
#   prefix, same Host 139.9.62.19); one matching request raises both alerts.
# - 23.227.203.189 appears in an ip:port rule (sid 91269463, port 443) and as
#   the Host of a url rule (sid 91269462). The url rule needs parsed HTTP;
#   presumably traffic to port 443 is TLS, in which case only the ip:port rule
#   would fire unless the session is decrypted - confirm for your sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"wraimey.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wraimey.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1v4b6pbk0kwvw.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d1v4b6pbk0kwvw.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2ewlfde9nvzf.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2ewlfde9nvzf.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"118.25.85.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"188.116.22.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"139.9.62.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269464; rev:1;)
alert tcp $HOME_NET any -> [23.227.203.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/mcvq-9f5hgl92ma7ouczvcz"; depth:41; nocase; http.host; content:"23.227.203.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269462; rev:1;)
# Same match conditions as sid 91269464 above (duplicate IOC in the feed).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"139.9.62.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269461; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"84.247.155.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269460; rev:1;)
# Reviewer notes for the rules below:
# - url rules match a URI prefix (depth equals the content length, no check on
#   the end of the URI) plus an exact Host value (depth plus
#   isdataat:!1,relative), on parsed HTTP only. A short prefix such as /login
#   (sid 91269442) is specific only because of the Host match.
# - Two groups of confidence_level 80 rules share one URI path across several
#   hosts (/yti3ntjmywy0mwe2/ and /ote5mzgxywzinjk1/). The contents are
#   lower-case and matched with nocase, so the case used on the wire is not
#   recorded here; search logs case-insensitively when pivoting on the path.
# - ip:port rules match any TCP packet from $HOME_NET to the address and port,
#   limited to one alert per source per 60 seconds. sid 91269439 is port 80 at
#   confidence_level 50: corroborate before treating a hit as an infection.
# - sid 91269441 is labelled "payload delivery" but uses the same
#   classtype:trojan-activity as the C2 rules; use the msg text, not the
#   classtype, to tell the two apart when triaging.
alert tcp $HOME_NET any -> [105.155.173.158] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cq77272.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocanhackerr.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269444/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocandelimisin.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocansinyalcimisinla.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocanaseviyor.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocanagahacibaba.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"bananamanana.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"spedarito.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"spritecocola.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"melonna.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"meibuzjasta.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"makcolanivaesto.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269454; rev:1;)
alert tcp $HOME_NET any -> [45.76.153.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.enghauser.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"nt-stealers.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269442; rev:1;)
# Domain rule: matches the query name nt-stealers.com exactly (subdomains do
# not match).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealers.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269443/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_11; classtype:trojan-activity; sid:91269443; rev:1;)
# Reviewer notes for the rules below:
# - url rules match a URI prefix (depth equals the content length) plus an
#   exact Host value (depth plus isdataat:!1,relative), on parsed HTTP only;
#   HTTPS requests to the same URLs are not seen unless decrypted upstream.
# - "payload delivery" rules use the same classtype:trojan-activity as the C2
#   rules; the msg text is what distinguishes them. A hit means a client
#   requested the URL, not that a payload ran - check what was returned.
# - sid 91269412, 91269413, 91269410 and 91269411 have identical match
#   conditions (/manual.php on blog.demuthphoto.com); one matching request
#   raises four alerts. De-duplicate downstream if alert volume matters.
# - NOTE(review): the payload-delivery hosts look like third-party blogs and
#   article pages, which may be compromised legitimate sites - confirm on the
#   ThreatFox reference, and scope any block to the URL rather than the domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"birimammonedm.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/understanding-ohio-forced-medication-laws-what-you-need-to-know"; depth:67; nocase; http.host; content:"smallders.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview"; depth:84; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/08/28/how-to-write-money-agreement"; depth:40; nocase; http.host; content:"ikwilvanmijnpoloaf.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"countnatbt.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"mix3etbt.website"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"btcountates.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"3countbt.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; 
depth:18; nocase; http.host; content:"vat-app.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"alleggro.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orange-coast-title-company-license-number-legal-title-services"; depth:63; nocase; http.host; content:"lumiere.grupotyc.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269424; rev:1;)
# Domain rule: dns_query must equal the name exactly (depth:20 plus
# isdataat:!1,relative anchor both ends), so subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"krampus-executor.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269428; rev:1;)
# The host here is github.com, a shared platform: the rule is specific only
# because http.uri pins the full path to one archive. Do not turn this
# entry into a host-level block or a host-only alert.
# NOTE(review): github.com serves content over HTTPS, so this "alert http"
# rule presumably fires only with TLS decryption or on a cleartext request
# made before the redirect; confirm sensor visibility before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sendgrid/krampus/files/15199097/krampus.zip"; depth:44; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269429; rev:1;)
# ip:port rules have no flow keyword and no payload match: any TCP packet
# from $HOME_NET to this address and port qualifies, so an alert shows a
# connection attempt, not a completed C2 exchange. The threshold keeps it
# to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [80.66.81.134] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269431; rev:1;)
# Overlaps sid:91269431 above: a GET for this URI sent to 80.66.81.134 on
# port 80 is expected to raise both alerts. This one is the more specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:45; nocase; http.host; content:"80.66.81.134"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269430; rev:1;)
alert tcp $HOME_NET any -> [146.70.158.83] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269433; rev:1;)
# Confidence 75 on port 80 with no content match. Addresses like this can
# be reassigned to unrelated tenants after first_seen, so re-check the
# reference before treating a hit as confirmed.
alert tcp $HOME_NET any -> [54.80.154.23] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"higomanga.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; 
classtype:trojan-activity; sid:91269438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0946931.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269436; rev:1;) alert tcp $HOME_NET any -> [176.123.161.158] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalprotectdefault.php"; depth:26; nocase; http.host; content:"044913cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e7ea97c6.php"; depth:13; nocase; http.host; content:"a0941925.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.220.19.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.137.116.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a448b41e.php"; depth:13; nocase; http.host; content:"a0929453.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linejavascriptsqltraffic.php"; depth:29; nocase; http.host; content:"470927cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269401; rev:1;) alert tcp $HOME_NET any -> [79.110.49.244] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269400/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_11; classtype:trojan-activity; sid:91269400; rev:1;) alert tcp $HOME_NET any -> [45.155.250.229] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269399; rev:1;) alert tcp $HOME_NET any -> [115.231.218.42] 10299 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269398; rev:1;) alert tcp $HOME_NET any -> [123.99.198.130] 10299 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269397; rev:1;) alert tcp $HOME_NET any -> [103.186.117.142] 1144 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/azure"; depth:10; nocase; http.host; content:"boriz400.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content.php"; depth:12; nocase; http.host; content:"anikvan.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269394; rev:1;) alert tcp $HOME_NET any -> [95.164.68.73] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269392; rev:1;) alert tcp $HOME_NET any -> [91.194.11.183] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anikvan.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boriz400.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"illoskanawer.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat"; depth:62; nocase; http.host; content:"mindelscott.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blixtgordon.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blixtgordon.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blazinghotter.igg.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269361/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft-enterprise-purchase-agreement"; depth:40; nocase; http.host; content:"studiolegalefalco-masi.it"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guarantor-for-rental-agreement-ontario"; depth:39; nocase; http.host; content:"bellbaker.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269373; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 14858 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269374; rev:1;) alert tcp $HOME_NET any -> [46.183.222.118] 5057 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269378; rev:1;) alert tcp $HOME_NET any -> [167.88.174.49] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269379/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/06/what-color-rock-lights-are-legal-in-florida"; depth:55; nocase; http.host; content:"langtonhowarth.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269380; rev:1;)
# The ip:port rules below carry confidence_level 50, the lowest value in
# this part of the feed. They have no flow keyword and no payload match:
# any TCP packet from $HOME_NET to the listed address and port qualifies,
# limited to one alert per source host per 60 seconds. Several use common
# ports (80, 443). Consider selecting rules on the metadata
# confidence_level key and treating these as enrichment, not standalone
# evidence of compromise. Addresses can also change hands after first_seen.
alert tcp $HOME_NET any -> [185.173.36.71] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269388; rev:1;)
alert tcp $HOME_NET any -> [106.52.18.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269387; rev:1;)
alert tcp $HOME_NET any -> [119.45.38.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269386; rev:1;)
alert tcp $HOME_NET any -> [1.161.85.40] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269385; rev:1;)
alert tcp $HOME_NET any -> [103.70.232.240] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269384; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.177] 6513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269383; rev:1;)
alert tcp $HOME_NET any -> [185.17.40.153] 81 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269381; rev:1;)
# NOTE(review): the host looks like a cloud object-storage bucket name
# (appears to be Tencent Cloud COS; confirm). Both this rule and the dns
# rule that follows match the full bucket FQDN exactly (depth:49 plus
# isdataat:!1,relative), so other names under the same provider domain are
# not flagged. Keep it that way if the entry is ported to a blocklist.
# "/images/favicon.ico" is an ordinary-looking path; the host pin carries
# the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/favicon.ico"; depth:19; nocase; http.host; content:"images-oss-1318291330.cos.ap-beijing.myqcloud.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"images-oss-1318291330.cos.ap-beijing.myqcloud.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269377; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"qaliharsit.tech"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"illoskanawer.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"workspacin.cloud"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/msi.msi"; depth:8; nocase; http.host; content:"91.194.11.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269368; rev:1;)
# http.uri is matched as a prefix only (depth:3, no end anchor), so any
# URI on this host that starts with "/ca" matches, case-insensitively.
# The exact http.host match is what keeps the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269367; rev:1;)
# ip:port rule with no flow keyword and no payload match: any TCP packet
# from $HOME_NET to this address and port qualifies, so an alert shows a
# connection attempt, not a completed exchange. One alert per source host
# per 60 seconds.
alert tcp $HOME_NET any -> [107.174.241.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269366; rev:1;)
# The Host value 172.16.117.131 lies in 172.16.0.0/12, RFC 1918 private
# space, so it is not a routable Internet endpoint. The rule requires
# $HOME_NET -> $EXTERNAL_NET, which traffic to an internal server at that
# address would not normally satisfy. The URI is also a widely used
# legitimate jQuery filename. Where 172.16.0.0/12 is in use locally and not
# fully covered by $HOME_NET, this rule can flag benign internal requests.
# NOTE(review): looks like a lab or sandbox indicator that reached the
# feed; confirm via the reference and consider disabling this sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.16.117.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"193.134.211.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269363; rev:1;)
alert tcp $HOME_NET any -> [193.134.211.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269364; rev:1;) alert tcp $HOME_NET any -> [118.89.90.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269362; rev:1;) alert tcp $HOME_NET any -> [185.73.125.7] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.65"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269341; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.77"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.54"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269336; rev:1;) alert tcp $HOME_NET any -> [5.42.96.77] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1269331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269331; rev:1;) alert tcp $HOME_NET any -> [77.221.151.92] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269332; rev:1;) alert tcp $HOME_NET any -> [94.156.68.83] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.68.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"107.178.105.96"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; 
content:"147.45.47.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269346; rev:1;) alert tcp $HOME_NET any -> [103.153.69.150] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"acceptabledcooeprs.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"obsceneclassyjuwks.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"zippyfinickysofwps.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"miniaturefinerninewjs.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sweetsquarediaslw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"plaintediousidowsko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; 
nocase; http.host; content:"holicisticscrarws.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"boredimperissvieos.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whispedwoodmoodsksl.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acceptabledcooeprs.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obsceneclassyjuwks.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"zippyfinickysofwps.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miniaturefinerninewjs.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269027; rev:1;) alert tcp $HOME_NET any -> [37.1.36.185] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269039; rev:1;) alert tcp $HOME_NET any -> [194.59.31.219] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bliss.pro"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plaintediousidowsko.shop"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetsquarediaslw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"holicisticscrarws.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boredimperissvieos.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mazefearcontainujsy.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; 
depth:4; nocase; http.host; content:"stiffraspyofkwsl.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"plasterdaughejsijuk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazefearcontainujsy.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"directorryversionyju.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stiffraspyofkwsl.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"plasterdaughejsijuk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"whispedwoodmoodsksl.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269014; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.137] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269012; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269013; rev:1;)
# NOTE(review): the next two rules (sid 91269009, 91269010) match an IP literal
# inside http.uri (depth 14 / 12) and have no http.host match. A request URI
# normally starts with "/", so as written they are unlikely to fire. Presumably
# the source IOC was a bare URL whose host is the IP; confirm against the
# referenced ThreatFox entries. The ip:port rules for the same addresses
# (sid 91269011, 91269012, 91269013) cover those destinations independently.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.109.242.112"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1269009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.208.137"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1269010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269010; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.112] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269011; rev:1;)
alert tcp $HOME_NET any -> [89.37.143.245] 56016 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269005; rev:1;)
# NOTE(review): sid 91269007 and 91269008 pin one specific path on a widely
# used legitimate platform (steamcommunity.com, t.me). They inspect http.*
# buffers only, so they fire on cleartext HTTP or decrypted TLS; without TLS
# inspection, pair them with proxy or endpoint telemetry. The http.uri match is
# a prefix match (depth with no end anchor), so longer paths that begin with
# the same string also match; the http.host match is exact (isdataat:!1).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199681720597"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talmatin"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.folder.ro"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269004; rev:1;) alert tcp $HOME_NET any -> [180.76.54.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269354; rev:1;) alert tcp $HOME_NET any -> [175.27.189.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269353; rev:1;) alert tcp $HOME_NET any -> [107.167.18.5] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269352; rev:1;) alert tcp $HOME_NET any -> [142.247.182.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269351; rev:1;) alert tcp $HOME_NET any -> [41.99.54.227] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269350; rev:1;) alert tcp $HOME_NET any -> 
[164.90.213.105] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269348; rev:1;)
# NOTE(review): the ip:port rules here carry confidence_level 50 and match on
# destination address and port alone (no flow or payload keyword). With
# threshold type limit / track by_src they raise at most one alert per source
# per 60 seconds. Treat a hit as a lead to corroborate with host or proxy
# telemetry rather than as confirmed C2, particularly on ports 80 and 443.
alert tcp $HOME_NET any -> [164.90.213.105] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269349; rev:1;)
alert tcp $HOME_NET any -> [74.48.115.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269347; rev:1;)
alert tcp $HOME_NET any -> [43.138.25.26] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269344; rev:1;)
alert tcp $HOME_NET any -> [107.172.57.113] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269335; rev:1;)
alert tcp $HOME_NET any -> [34.221.207.33] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269334/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_10; classtype:trojan-activity; sid:91269334; rev:1;) alert tcp $HOME_NET any -> [23.94.120.119] 5443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269330; rev:1;) alert tcp $HOME_NET any -> [54.253.108.48] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269329; rev:1;) alert tcp $HOME_NET any -> [13.55.72.22] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269328; rev:1;) alert tcp $HOME_NET any -> [13.79.48.220] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269327; rev:1;) alert tcp $HOME_NET any -> [45.14.66.194] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269326; rev:1;) alert tcp $HOME_NET any -> [18.170.123.22] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.55.239.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269324; rev:1;) alert tcp $HOME_NET any -> [193.168.143.196] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269006/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_10; classtype:trojan-activity; sid:91269006; rev:1;) alert tcp $HOME_NET any -> [34.29.71.138] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lapphuongshoe.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/2022/12/05/what-age-can-you-legally-leave-a-child-home-alone-in-california"; depth:75; nocase; http.host; content:"langtonhowarth.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/annual-agreement-for-permanent-seasonal-employment"; depth:51; nocase; http.host; content:"radium-audio.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-dog-barking-laws-in-nsw-what-you-need-to-know"; depth:60; nocase; http.host; content:"darululoom.com.au"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edulinkr.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269000/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269000; rev:1;) alert tcp $HOME_NET any -> [43.139.107.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268998/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"service-ac5ca85o-1314199502.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"114.115.205.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268995; rev:1;) alert tcp $HOME_NET any -> [114.115.205.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268996; rev:1;) alert tcp $HOME_NET any -> [43.139.107.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ac5ca85o-1314199502.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1268993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"service-ac5ca85o-1314199502.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268992; rev:1;) alert tcp $HOME_NET any -> [40.76.51.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"40.76.51.14"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268990; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api/x"; depth:6; nocase; http.host; content:"service-3vkzoky0-1312172028.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268988; rev:1;) alert tcp $HOME_NET any -> [8.210.81.151] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/corporationlimited"; depth:26; nocase; http.host; content:"wpscheckmembers.vip"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpscheckmembers.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"140.246.157.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268984; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.222.36.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268983; rev:1;) alert tcp $HOME_NET any -> [111.230.98.22] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268982; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3vkzoky0-1312172028.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-3vkzoky0-1312172028.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268979/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_10; classtype:trojan-activity; sid:91268979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.139.107.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adjt8svp3dlardjlt.exe"; depth:22; nocase; http.host; content:"goupbuy.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goupbuy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/08/11/a-voidable-contract-is-quizlet"; depth:42; nocase; http.host; content:"ikwilvanmijnpoloaf.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268948; rev:1;) alert tcp $HOME_NET any -> [107.173.4.21] 2888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madamwebb.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268960; rev:1;) alert tcp $HOME_NET any -> [31.220.2.120] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268958/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268958; rev:1;) alert tcp $HOME_NET any -> [156.238.224.215] 6642 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268961; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 13081 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kammies.co.za"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; 
classtype:trojan-activity; sid:91268964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kom/dhl1.php"; depth:13; nocase; http.host; content:"dhgnegociosinmobiliarios.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhgnegociosinmobiliarios.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/13/writing-dollar-amounts-in-legal-documents"; depth:53; nocase; http.host; content:"mindelscott.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268972; rev:1;) alert tcp $HOME_NET any -> [54.254.164.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server/api-v1/"; depth:15; nocase; 
http.host; content:"cdn-carbonat.kimcuonghoanmy.shop"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-carbonat.kimcuonghoanmy.shop"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"18.232.156.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268966; rev:1;) alert tcp $HOME_NET any -> [185.189.112.19] 30311 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268965/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268965; rev:1;) alert tcp $HOME_NET any -> [42.192.37.72] 50055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268956; rev:1;)
# URL indicators. Each rule below fires on an outbound GET whose normalized URI
# starts with the listed path (depth equals the pattern length, so the match is
# anchored at the start of http.uri; nocase applies to the URI match) and whose
# Host value is exactly the listed string (depth plus isdataat:!1,relative).
# The URI is a prefix match only: longer paths and query strings also match.
# The msg text names no malware family, so attribution has to come from the
# referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"139.9.190.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268954; rev:1;)
# The Host value in the next rule, 192.168.183.131, is an RFC 1918 private
# address, yet the rule is scoped $HOME_NET -> $EXTERNAL_NET.
# NOTE(review): where HOME_NET contains 192.168.0.0/16 and EXTERNAL_NET is its
# complement, traffic to that address itself is out of scope; the rule can then
# fire only when a request to an external destination carries this literal Host
# header. The value looks like a lab or sandbox address that reached the feed -
# confirm against the referenced ThreatFox entry before acting on hits, and
# consider disabling the SID locally if it does not apply to your network.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268953; rev:1;)
# Same rule shape as above; the rule text continues on the next line of this
# listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.54/ysl053kc7qd"; depth:25; nocase; http.host; content:"101.200.86.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268952/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.35.235.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"workspacin.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qaliharsit.tech"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268946; rev:1;) alert tcp $HOME_NET any -> [172.93.222.147] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/sample-letter-to-request-extension-of-contract"; depth:52; nocase; http.host; content:"terragamecenter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268938; rev:1;) alert tcp $HOME_NET any -> [195.123.211.210] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268943/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268942; rev:1;) alert tcp $HOME_NET any -> [43.138.20.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"43.138.20.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"195.123.211.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268939; rev:1;) alert tcp $HOME_NET any -> [103.153.69.150] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268937; 
rev:1;) alert tcp $HOME_NET any -> [103.153.69.151] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"185.234.216.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomedelimisinyav.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomehackerbaba.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; 
http.host; content:"midigomesinyalcimisinaga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268900/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomebeniseviyor.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomehacibaba.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268901/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeuroland.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268902/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeuroland7.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1268903/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeuroland.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeurolandcamp.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268905/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"2moneyeuroland.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"2moneyeuroland.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; 
sid:91268907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"3moneyeuroland.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268908; rev:1;) alert tcp $HOME_NET any -> [91.92.240.229] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268922; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17751 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268844; rev:1;) alert tcp $HOME_NET any -> [104.250.172.89] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268845/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"levantain.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268846; rev:1;) alert tcp $HOME_NET any -> [51.158.202.242] 443 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asra1.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268554/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268554; rev:1;) alert tcp $HOME_NET any -> [31.184.253.65] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9f6z0q1w2.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268575; rev:1;) alert tcp $HOME_NET any -> [5.253.40.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268935; rev:1;) alert tcp $HOME_NET any -> [45.8.144.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268934/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_10; classtype:trojan-activity; sid:91268934; rev:1;) alert tcp $HOME_NET any -> [116.205.231.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268933; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268932; rev:1;) alert tcp $HOME_NET any -> [46.246.14.19] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268931; rev:1;) alert tcp $HOME_NET any -> [187.192.66.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268930; rev:1;) alert tcp $HOME_NET any -> [64.229.116.108] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268929; rev:1;) alert tcp $HOME_NET any -> [104.248.223.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268928; rev:1;) alert tcp $HOME_NET any -> [45.32.233.38] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268927; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20054 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268926; rev:1;) alert tcp $HOME_NET any -> [34.221.207.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268925; rev:1;) alert tcp $HOME_NET any -> [13.79.48.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268924; rev:1;) alert tcp $HOME_NET any -> [193.3.19.136] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268923; rev:1;) alert tcp $HOME_NET any -> [91.92.245.49] 50500 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268921; rev:1;) alert tcp $HOME_NET any -> [107.175.229.141] 53152 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268920; rev:1;) alert tcp $HOME_NET any -> [46.246.82.10] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"149.62.47.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268917; rev:1;) alert tcp $HOME_NET any -> [5.42.96.65] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/982c183d8a9835c6.php"; depth:21; nocase; http.host; content:"45.11.92.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268915; rev:1;) alert tcp $HOME_NET any -> [84.247.154.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268914; rev:1;) alert tcp $HOME_NET any -> [84.247.154.81] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268913; rev:1;) alert tcp $HOME_NET any -> [84.247.154.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"149.62.47.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268910; rev:1;) alert tcp $HOME_NET any -> [149.62.47.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268911; rev:1;) alert tcp $HOME_NET any -> [105.154.96.186] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2727ccb9.php"; depth:13; nocase; http.host; content:"a0951158.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268895; rev:1;) alert tcp $HOME_NET any -> [62.133.60.205] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268894; rev:1;) alert tcp $HOME_NET any -> [62.133.60.205] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268893/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268893; rev:1;)
# Each address below has one rule per port, and each rule keeps its own threshold (track by_src),
# so a single internal host that touches both ports of one address yields two alerts per 60 s
# window, one per sid. Correlate by destination address when triaging.
alert tcp $HOME_NET any -> [49.13.229.86] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268892; rev:1;)
alert tcp $HOME_NET any -> [49.13.229.86] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268891; rev:1;)
# Addresses in 89.23.103.x are listed one by one; neighbouring addresses that are not listed are
# not matched by any of these rules.
alert tcp $HOME_NET any -> [89.23.103.96] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268890; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.96] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268889; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.165] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268888; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.165] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1268887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268887; rev:1;)
# target:src_ip marks the internal source as the affected host in the alert record, which is the
# field to pivot on for containment; the destination is the listed external address.
alert tcp $HOME_NET any -> [89.23.103.168] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268886; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.168] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268885; rev:1;)
# 89.23.103.159 has only a port-22 rule in this part of the listing (no sid 91268883 is present),
# unlike the 22/80 pairs around it.
alert tcp $HOME_NET any -> [89.23.103.159] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268884; rev:1;)
alert tcp $HOME_NET any -> [65.109.170.29] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268882; rev:1;)
alert tcp $HOME_NET any -> [65.109.170.29] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268881; rev:1;)
alert tcp $HOME_NET any -> [62.133.60.218] 80 (msg:"ThreatFox Stealc botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268880; rev:1;)
# Port-22 entries: the rules match on address and port only, so they cannot tell an SSH session
# from anything else sent to that port. Hosts with a legitimate reason to reach these addresses
# over SSH (unlikely, but check) would alert identically.
alert tcp $HOME_NET any -> [62.133.60.218] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268879; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.129] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268878; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.89] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268876; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.141] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268874; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.141] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268873; rev:1;)
alert 
tcp $HOME_NET any -> [95.181.173.85] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268872; rev:1;)
# Each sid is the ThreatFox IOC id from the reference URL with a leading 9, so an alert can be
# traced to its source entry directly. The only date a rule carries is first_seen; nothing in the
# rule says whether the address is still in use, so weigh older entries accordingly.
alert tcp $HOME_NET any -> [95.181.173.85] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268871; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.109] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268870; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.109] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268869; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.132] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268868; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.132] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268867/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268867; rev:1;)
# RisePro entries: five addresses, all on port 8081 at confidence 80. As address-and-port rules
# they match any TCP packet to that endpoint; there is no protocol or payload check to confirm
# what was actually exchanged.
alert tcp $HOME_NET any -> [5.42.96.14] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268866; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268865; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.147] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268864; rev:1;)
alert tcp $HOME_NET any -> [107.178.105.96] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268863; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268862; rev:1;)
# Vidar entries pair ports 443 and 80 on the same address; the 443 side is normally TLS, so only
# these address rules can see it.
alert tcp $HOME_NET any -> [5.75.213.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1268861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268861; rev:1;)
alert tcp $HOME_NET any -> [5.75.213.183] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268860; rev:1;)
alert tcp $HOME_NET any -> [49.12.115.57] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268859; rev:1;)
alert tcp $HOME_NET any -> [49.12.115.57] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268858; rev:1;)
# URL IOC with no threshold keyword: every matching request alerts. The Host must equal the listed
# hostname exactly; the path is a case-insensitive prefix match, so query strings or suffixes after
# the listed path still match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"vladiez8.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268857; rev:1;)
# Confidence 50 with no family named ("Unknown malware") on port 80: the least specific kind of
# entry in this file. The metadata confidence_level key can be used to route such alerts to a
# lower-priority queue.
alert tcp $HOME_NET any -> [172.104.182.4] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; 
sid:91268856; rev:1;)
# All rules on this line of the listing are confidence 50. They share classtype:trojan-activity
# with the confidence-100 rules, so the classtype alone does not separate them; filter on the
# metadata confidence_level value instead.
alert tcp $HOME_NET any -> [101.99.75.123] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268855; rev:1;)
alert tcp $HOME_NET any -> [103.45.173.142] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268854; rev:1;)
alert tcp $HOME_NET any -> [103.187.4.53] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268853; rev:1;)
alert tcp $HOME_NET any -> [190.135.209.105] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268852; rev:1;)
# Port 443 address rules: the match is on the endpoint only, so nothing here inspects the TLS
# handshake or certificate. Pair a hit with TLS/flow logs for the same source and destination.
alert tcp $HOME_NET any -> [54.227.37.24] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268851; rev:1;)
alert tcp $HOME_NET any -> [122.248.226.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1268850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268850; rev:1;)
alert tcp $HOME_NET any -> [65.20.78.91] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268849; rev:1;)
alert tcp $HOME_NET any -> [93.127.197.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268848; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.91] 1707 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268847; rev:1;)
# URL IOCs with short, generic paths (/pixel.gif, /push). The path is only a prefix match and such
# paths also occur in ordinary web traffic, so the exact http.host pin is what keeps these rules
# specific. With an IP literal as Host, a request that reaches the same server under a domain
# name does not match. The msg names no malware family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1268581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268581; rev:1;)
# Several URL rules can share one Host and differ only in path (39.98.157.4 appears with /load
# and /match below). Because http.uri is a prefix match, /pixel also matches a request for
# /pixel.gif on the same Host, so one request may satisfy more than one sid.
# NOTE(review): these short paths resemble default Cobalt Strike beacon URIs; the msg does not
# name a family - confirm against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268576; rev:1;)
# Address-and-port rule: matches any TCP packet to the endpoint, limited to one alert per source
# per 60 s. No payload is inspected.
alert tcp $HOME_NET any -> [79.110.62.41] 7205 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268574; rev:1;)
# URL rules match GET requests only (http.method content "GET") and require an established flow
# from the client. A POST to the same Host and path is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.96.74.108"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.133.175.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"185.145.148.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268571/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268571; rev:1;)
# Domain IOC. The query name must equal the listed name exactly (depth equals the string length,
# isdataat:!1,relative forbids trailing bytes, nocase ignores case), so the bare parent domain and
# other subdomains do not match. The alert is on the lookup itself; the source is whichever host
# sent the query, which may be an internal resolver rather than the infected endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hathawaya.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268570; rev:1;)
# Companion URL rule for the same hostname: a client that resolves the name and then requests a
# path starting with /about over cleartext HTTP raises both this sid and the dns sid above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/about"; depth:6; nocase; http.host; content:"www.hathawaya.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.145.148.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.134.148.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.14.204.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268565; rev:1;)
# The URL rules carry no threshold keyword, unlike the ip:port rules, so a client that polls one
# of these paths repeatedly produces one alert per request. Rate-limit downstream if needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"103.26.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268563; rev:1;)
# Address rule for port 443; no URL rule for this address appears in this part of the listing.
alert tcp $HOME_NET any -> [8.134.150.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"106.54.143.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268561/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_09; classtype:trojan-activity; sid:91268561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user"; depth:5; nocase; http.host; content:"175.24.252.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268560; rev:1;)
alert tcp $HOME_NET any -> [49.232.90.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268559; rev:1;)
# Domain IOC, exact query-name match.
# NOTE(review): this hostname looks like a CDN scheduling name rather than a dedicated domain. If
# it is shared infrastructure, unrelated lookups may raise the dns rule; the http rule below is
# narrower because it also needs the listed path prefix. Confirm against the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dq.sched.vip-dk.tdnsvod1.cn"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compute/cd/k7ba6v385v"; depth:22; nocase; http.host; content:"www.dq.sched.vip-dk.tdnsvod1.cn"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268557; rev:1;)
# Payload-delivery URL at confidence 50. A match is an internal host requesting this path from
# the listed address: evidence of a download attempt, not of execution. The classtype is the same
# trojan-activity used by the C2 rules, so only the msg and confidence_level set it apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; 
content:"117.222.251.230"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268556; rev:1;)
# Exact Host match on one hostname; the path is a case-insensitive prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a6031851.php"; depth:13; nocase; http.host; content:"a0952196.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268555; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 65024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268551; rev:1;)
# A long, distinctive path plus an exact Host makes this the most specific kind of URL rule in the
# file; it still sees cleartext HTTP only, so the same request over TLS passes unseen.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagejavascriptupdateapiserverdefaultbasewindowstrafficpublic.php"; depth:66; nocase; http.host; content:"956330cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268550; rev:1;)
alert tcp $HOME_NET any -> [45.89.55.76] 3330 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268512; rev:1;)
alert tcp $HOME_NET any -> [3.67.62.142] 14420 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268539; rev:1;)
# NjRAT entries at confidence 75, several addresses sharing port 14420.
# NOTE(review): a shared high port across addresses may indicate endpoints of a relay or tunnel
# service rather than dedicated hosts; if so, the address can serve unrelated traffic and may be
# reassigned quickly. Verify before blocking on address alone.
alert tcp $HOME_NET any -> [18.158.58.205] 14420 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268540; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 14420 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268541; rev:1;)
# Payload-delivery domain, exact query-name match: subdomains of this name (including a www.
# prefix) do not match. The alert is raised on the DNS lookup, before any download happens.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"consultantinsurance.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268544; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.162] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268549; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.54] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; 
classtype:trojan-activity; sid:91268547; rev:1;)
# 5.42.96.55 is listed twice on this line of the listing: port 8081 at confidence 50 here and
# port 50500 at confidence 100 further down. Confidence is per address-and-port entry, not per
# address, so read it from the sid that actually fired.
alert tcp $HOME_NET any -> [5.42.96.55] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268548; rev:1;)
# Address rule and URL rule for the same host (81.70.189.76): the tcp rule covers port 443, where
# the http rule cannot see inside TLS; the http rule covers cleartext requests whose Host value is
# the address itself.
alert tcp $HOME_NET any -> [81.70.189.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"81.70.189.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268545; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.55] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268543; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.184] 1199 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268542; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.54] 50500 (msg:"ThreatFox RisePro botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268538; rev:1;)
# URL IOCs with very short paths (/cx is three bytes). Because http.uri is only a prefix match,
# /cx also matches any longer path that starts with those bytes; the exact http.host value is the
# discriminating part of each rule. Matching relies on the client sending the IP literal as Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.138.188.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268533/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_09; classtype:trojan-activity; sid:91268533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.102.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.235.187.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268528; rev:1;)
# ThreatFox url indicators (C2), first_seen 2024_05_09, laid out one rule per line.
# Each rule fires on an established client-side request whose method buffer contains GET,
# whose URI begins with the listed path (depth equals the pattern length; the end of the URI
# is not pinned, so longer URIs with the same prefix also match) and whose http.host equals
# the listed value exactly (depth plus isdataat:!1,relative).
# The match is on the request only: a hit shows that a host in $HOME_NET asked for the URL,
# not what the server answered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268527; rev:1;)
# Host-name indicators. Some of these names resemble vendor or measurement domains; because
# the host is matched as a complete string, other names under or beside them are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268525; rev:1;)
# Second rule for 54.244.147.176 in this group (the other one matches /ptj).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"js.msedgeupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.102.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268517; rev:1;)
# The paths in the next rules look like well-known static resources; on their own they would
# match a great deal of benign traffic, so the host condition must stay attached when these
# indicators are reused elsewhere (for example in proxy-log searches).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"investment.kumbaraan.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"111.230.12.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268511; rev:1;)
# The rule started here continues on the following line of the extract.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a6fa9b7c.php"; depth:13; nocase; http.host; content:"a0945627.xsph.ru"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268508; rev:1;)
# ThreatFox ip:port indicators, first_seen 2024_05_09, laid out one rule per line.
# Each rule matches any TCP packet from $HOME_NET to the listed address and port; there is no
# flow or content condition, so a hit shows a connection attempt, not a completed exchange.
# The threshold keyword limits output to one alert per source address per 60 seconds, so the
# alert count does not reflect how much traffic was sent.
# The malware family appears only in msg; confidence_level and first_seen sit in metadata,
# where rule-management tooling can filter on them.
alert tcp $HOME_NET any -> [91.92.254.38] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268507; rev:1;)
# confidence_level 50 from here to sid 91268496. An address-only match on a common service
# port (80, 443) says nothing about the content of the session, and addresses can change
# hands after first_seen; corroborate a hit with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [45.141.215.44] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268506; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268505; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.7] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268504; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.116] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268503; rev:1;)
# Destination port 445: outbound SMB to an external address. Where egress filtering already
# blocks this port, a hit additionally points to a gap in that filtering.
alert tcp $HOME_NET any -> [35.86.153.6] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268502; rev:1;)
alert tcp $HOME_NET any -> [174.138.103.97] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268501; rev:1;)
alert tcp $HOME_NET any -> [47.236.36.46] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268500; rev:1;)
alert tcp $HOME_NET any -> [99.79.63.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268499; rev:1;)
alert tcp $HOME_NET any -> [20.83.27.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268498; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.156] 64447 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268497; rev:1;)
alert tcp $HOME_NET any -> [194.190.220.7] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268496; rev:1;)
# url rule, confidence_level 75: client request whose method buffer contains GET, whose URI
# begins with the listed path and whose http.host equals the listed name exactly. There is
# no threshold keyword on this rule, so each matching request is evaluated on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie3/five/fre.php"; depth:19; nocase; http.host; content:"rocheholding.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268495; rev:1;)
# ip:port rules again, confidence_level 75.
alert tcp $HOME_NET any -> [93.95.115.2] 9462 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268494/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268494; rev:1;)
alert tcp $HOME_NET any -> [172.93.222.220] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268493; rev:1;)
# First "payload delivery" rule of the feed section that follows; it continues on the
# following line of the extract.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/understanding-ohio-forced-medication-laws-what-you-need-to-know/"; depth:68; nocase; http.host; content:"smallders.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268378/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268378; rev:1;)
# ThreatFox "payload delivery" url indicators, first_seen 2024_05_09, one rule per line.
# Each rule fires on an established client-side request whose method buffer contains GET,
# whose URI begins with the listed path (depth equals the pattern length; the end of the URI
# is not pinned) and whose http.host equals the listed name exactly (depth plus
# isdataat:!1,relative). Only that one page on the host is covered, not the whole site.
# The match is on the request alone: a hit means a host in $HOME_NET asked for the page, not
# that anything was downloaded or run. The classtype is trojan-activity all the same, so
# triage should look at the response and at endpoint telemetry before treating it as an infection.
# NOTE(review): the paths read like article slugs on unrelated sites, presumably compromised
# legitimate pages - confirm against the referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat/"; depth:63; nocase; http.host; content:"www.mindelscott.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268379; rev:1;)
# Same path and host as sid 91268392 further down: one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-traffic-laws-in-grenada-a-complete-guide/64592/"; depth:62; nocase; http.host; content:"ecoprotection.in"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-false-advertising-laws-in-ohio-what-you-need-to-know/"; depth:68; nocase; http.host; content:"www.plugh.co.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268381; rev:1;)
# This path has no trailing slash; because the URI match is a prefix match, a request for the
# same path with a trailing slash also satisfies it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/12/10/do-you-qualify-for-bereavement-leave-for-grandparents-in-law"; depth:72; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-a-collaborative-practice-agreement-required-in-texas-for-physician-assistant/"; depth:81; nocase; http.host; content:"larryslocksmith.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/03/20/pros-and-cons-of-multilateral-trade-agreements/"; depth:69; nocase; http.host; content:"awadhshreehospital.in"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/10/12/understanding-the-lebanese-legal-system-laws-courts-and-rights/"; depth:75; nocase; http.host; content:"ngsindia.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abm/disagreement-has-how-many-syllables/"; depth:41; nocase; http.host; content:"theelegant.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california-law-essential-break-room-requirements-explained/"; depth:60; nocase; http.host; content:"mysmartbox.solutions"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268387; rev:1;)
# Same path and host as sid 91268390 below: the two rules differ only in reference and sid,
# so one request raises both alerts. Deduplicate on host and URI when counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview/"; depth:85; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/02/26/humana-medicare-tier-exception-form/"; depth:48; nocase; http.host; content:"pinkfinancialbank.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview/"; depth:85; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-the-difference-between-appointment-letter-and-employment-contract/"; depth:75; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268391; rev:1;)
# Same match conditions as sid 91268380 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-traffic-laws-in-grenada-a-complete-guide/64592/"; depth:62; nocase; http.host; content:"ecoprotection.in"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/common-law-marriage-military-recognition-and-legal-rights"; depth:58; nocase; http.host; content:"norholmgods.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268393; rev:1;)
# The rule started here continues on the following line of the extract.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/free-online-company-secretary-courses-legal-training-certification/"; depth:68; nocase; http.host; content:"krushinews18.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/resignation-letter-template-mutual-agreement/"; depth:51; nocase; http.host; content:"www.travisshoots.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/04/ver-saldo-do-nota-legal/"; depth:36; nocase; http.host; content:"americanepoxy.bond10templates.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2021/12/30/ukraine-staff-level-agreement-legal-guidelines-and-requirements/"; depth:76; nocase; http.host; content:"ngsindia.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vps-enterprise-agreement-2016-schedule-b/"; depth:42; nocase; http.host; content:"museocambellotti.cittadifondazione.it"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scaffolding-agreement/"; depth:23; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/legalisation-of-documents-a-guide-to-authenticating-legal-papers/"; depth:66; nocase; http.host; content:"lotbuds.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft-enterprise-purchase-agreement/"; depth:41; nocase; http.host; content:"studiolegalefalco-masi.it"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-a-collaborative-practice-agreement-required-in-texas-for-physician-assistant"; depth:80; nocase; http.host; content:"larryslocksmith.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcmaster-collective-agreement-faculty/"; depth:39; nocase; http.host; content:"bigcheeserodents.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/13/legal-valuation-group-valuation-sap/"; depth:48; nocase; http.host; content:"pptribe.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-legal-entity-hierarchy-a-comprehensive-guide/"; depth:60; nocase; http.host; content:"tcl.brandshop.ke"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/general-manager-role-key-responsibilities-and-legal-implications/"; depth:66; nocase; http.host; content:"signcitysa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268376; rev:1;)
# Reviewer notes for the "payload delivery (url ...)" rules that follow (one rule per line).
# What each rule matches:
#   - http.uri content with depth equal to the pattern length, plus nocase: the request URI
#     must START with the pattern, case-insensitively. The end is not anchored, so a URI
#     that continues past the pattern (query string, further path) also matches.
#   - http.host content with depth plus isdataat:!1,relative: the Host value must be exactly
#     the listed name; a sibling subdomain or a "www." variant that is not listed is not covered.
#   - flow:established,from_client with $HOME_NET -> $EXTERNAL_NET: outbound client requests only.
#   - alert http: evaluated only on traffic Suricata parses as HTTP; the same URL requested
#     over TLS is not seen by these rules unless the traffic is decrypted before inspection.
#   - target:src_ip: the internal client is recorded as the target in the alert event.
#   - No threshold option is present, so every matching request raises an alert.
# Triage: every rule here carries first_seen 2024_05_09; the reference URL gives the ThreatFox
# entry to check for the indicator's current state before treating a hit as confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abm/disagreement-has-how-many-syllables/"; depth:41; nocase; http.host; content:"theelegant.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/13/legal-valuation-group-valuation-sap/"; depth:48; nocase; http.host; content:"pptribe.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ny-car-lease-tax-calculator/"; depth:29; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california-law-essential-break-room-requirements-explained/"; depth:60; nocase; http.host; content:"mysmartbox.solutions"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifrs-16-legal-fees-understanding-the-implications-for-businesses"; depth:65; nocase; http.host; content:"mctools.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mutual-agreement-resignation-letter-sample"; depth:43; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/12/10/do-you-qualify-for-bereavement-leave-for-grandparents-in-law/"; depth:73; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat/"; depth:63; nocase; http.host; content:"www.mindelscott.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview/"; depth:85; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sample-general-manager-employment-contract-for-a-company/"; depth:58; nocase; http.host; content:"you-green.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-in-the-new-nafta-agreement/"; depth:36; nocase; http.host; content:"phutungotochinhhang.vn"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268364; rev:1;)
# sid:91268367 and sid:91268363 (next and third rule below) have identical match options and
# differ only in sid and reference, so one request to this URL raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/01/20/sample-physician-assistant-practice-agreement-california/"; depth:69; nocase; http.host; content:"jcfpa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/how-contract-research-organizations-profit-business-model-analysis/"; depth:68; nocase; http.host; content:"alphacleantech.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/01/20/sample-physician-assistant-practice-agreement-california/"; depth:69; nocase; http.host; content:"jcfpa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scaffolding-agreement/"; depth:23; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268405; rev:1;)
alert http $HOME_NET any
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268407; rev:1;)
# Reviewer notes for the /manual.php, /english.php and /doc.php rules that follow.
#   - The URI patterns are short, generic file names matched as a case-insensitive prefix
#     (depth equals the pattern length, no end anchor), so "/manual.php?..." matches as well.
#     The exact-match Host condition (depth + isdataat:!1,relative) is what makes each rule specific.
#   - Several (URI, Host) pairs are repeated under different sids, each pointing at its own
#     ThreatFox IOC reference. With no threshold option, one request raises one alert per
#     duplicate sid. Repeats visible in this run:
#       /manual.php  + artlab.se                      sid 91268407, 91268415
#       /manual.php  + auto-coop.com                  sid 91268409, 91268412, 91268413
#       /english.php + www.medischdrukwerk.nl         sid 91268410, 91268414, 91268419
#       /english.php + www.penhaligonsfriends.org.uk  sid 91268418, 91268427
#       /doc.php     + www.chanderbhushan.com         sid 91268422, 91268424
#     When counting hits, group alerts by host and URI rather than by sid.
#   - alert http only sees requests Suricata parses as HTTP; the same hosts reached over TLS
#     are outside these rules unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"arts-npo.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.gxtfinance.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.dismerchandise.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.penhaligonsfriends.org.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.petrolpower.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.metalhoz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.anettelonnsfotvard.se"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.chanderbhushan.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"2015.artencounters.ro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.chanderbhushan.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4dgamers.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.penhaligonsfriends.org.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1268428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268428; rev:1;)
# Reviewer notes for the rules that follow (same /manual.php, /english.php, /doc.php family).
#   - Each rule requires GET, a URI that begins with the listed file name (case-insensitive,
#     end not anchored) and a Host value equal to the listed name (depth + isdataat:!1,relative).
#   - Identical (URI, Host) pairs recur under separate sids; with no threshold option a single
#     request raises one alert per sid. Repeats visible in this run:
#       /manual.php  + 4dgamers.com            sid 91268429, 91268436
#       /manual.php  + auto-coop.com           sid 91268431, 91268434, 91268441, 91268443
#       /manual.php  + auto-coop.hu            sid 91268437, 91268442
#       /manual.php  + artlab.se               sid 91268439, 91268446, 91268447, 91268449
#       /english.php + www.medischdrukwerk.nl  sid 91268428, 91268438, 91268440, 91268448, 91268450
#       /english.php + www.fastex.se           sid 91268435, 91268451
#     Alert volume per sid therefore overstates the number of distinct requests.
#   - target:src_ip records the $HOME_NET client as the target; that is the host to examine.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4dgamers.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.chanderbhushan.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.miketrees.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.anettelonnsfotvard.se"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.fastex.se"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4dgamers.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.finaltolightspeed.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.penhaligonsfriends.org.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.fastex.se"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.gxtfinance.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268452; rev:1;)
# sid:91268361 below is the trailing-slash form of the URI that sid:91268341 (elsewhere in this
# file) matches without the slash; because the URI match is a prefix match, a request to the
# slash form satisfies both rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/06/04/nbu-msp-collective-agreement/"; depth:51; nocase; http.host; content:"conyers.biz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fha-cash-reserve-requirements-everything-you-need-to-know/"; depth:59; nocase; http.host;
content:"overhplusproperties.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268362; rev:1;)
# Reviewer notes for the rules that follow.
#   - URI matching is a case-insensitive prefix match (depth equals the pattern length, end not
#     anchored); Host matching is exact (depth + isdataat:!1,relative).
#   - Many URLs appear twice, once with and once without a trailing "/". The form without the
#     slash is a prefix of the other, so a request to the slash form satisfies both rules and
#     raises two alerts. Pairs in this run (slash form / no-slash form):
#       bellbaker.com   sid 91268359 / 91268319
#       lareplica.es    sid 91268356 / 91268337
#     No-slash rules here whose slash twin sits elsewhere in this file include
#     sid 91268342, 91268343, 91268341, 91268340, 91268338, 91268335, 91268334 and 91268330.
#   - Some rules repeat another rule's match options exactly under a new sid:
#       www.mindelscott.com      sid 91268360 repeats sid 91268369
#       produtoresflorestais.pt  sid 91268357 and sid 91268336
#       goodstos.com             sid 91268331 repeats sid 91268372
#   - No threshold option is set; de-duplicate on host and URI when counting events.
#   - alert http covers only requests parsed as HTTP; TLS sessions to these hosts are not
#     inspected by these rules unless decrypted before Suricata.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bcnu-collective-agreement-bereavement-leave/"; depth:45; nocase; http.host; content:"bellbaker.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat/"; depth:63; nocase; http.host; content:"www.mindelscott.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ema-guidance-on-quality-agreements"; depth:35; nocase; http.host; content:"reiner.nrha.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gun-laws-in-denmark-understanding-regulations-and-restrictions"; depth:63; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/05/what-is-the-benefit-of-a-tolling-agreement/"; depth:52; nocase; http.host; content:"www.paloubis.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/withdrawal-agreement-free-movement/"; depth:36; nocase; http.host; content:"lareplica.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/how-contract-research-organizations-profit-business-model-analysis"; depth:67; nocase; http.host; content:"alphacleantech.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-in-the-new-nafta-agreement"; depth:35; nocase; http.host; content:"phutungotochinhhang.vn"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/06/04/nbu-msp-collective-agreement"; depth:50; nocase; http.host; content:"conyers.biz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/withdrawal-agreement-free-movement"; depth:35; nocase; http.host; content:"lareplica.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scaffolding-agreement"; depth:22; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/01/20/sample-physician-assistant-practice-agreement-california"; depth:68; nocase; http.host; content:"jcfpa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vps-enterprise-agreement-2016-schedule-b"; depth:41; nocase; http.host; content:"museocambellotti.cittadifondazione.it"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gun-laws-in-denmark-understanding-regulations-and-restrictions"; depth:63; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abm/disagreement-has-how-many-syllables"; depth:40; nocase; http.host; content:"theelegant.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/02/26/humana-medicare-tier-exception-form"; depth:47; nocase; http.host; content:"pinkfinancialbank.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california-law-essential-break-room-requirements-explained"; depth:59; nocase; http.host; content:"mysmartbox.solutions"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mutual-agreement-resignation-letter-sample"; depth:43; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-false-advertising-laws-in-ohio-what-you-need-to-know"; depth:67; nocase; http.host; content:"plugh.co.in"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"aynasy.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/13/legal-valuation-group-valuation-sap"; depth:47; nocase; http.host; content:"pptribe.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tenancy-agreement-sample-guyana"; depth:32; nocase; http.host; content:"eberlie.ca"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bcnu-collective-agreement-bereavement-leave"; depth:44; nocase; http.host; content:"bellbaker.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268319; rev:1;)
# The next rule changes category: its msg reads "botnet C2 traffic" at confidence level 80%,
# not "payload delivery" at 100%. The match shape (URI prefix, exact Host) is the same.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tavimtopindomiz.xyz"; depth:19; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1268297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268297; rev:1;)
# Botnet C2 URL indicators (confidence_level 80, first_seen 2024_05_09).
# Every rule in this group matches the same URI prefix "/zdgynwm4zjc4ngu2/" (nocase, anchored at the
# start of the URI by depth:18) and differs only in the exact Host value (.xyz and .top names).
# Because the path is constant across the group, a retrospective search of proxy or HTTP logs for that
# path alone can surface hosts that are not yet listed here.
# http.method is pinned to GET, and only cleartext HTTP is inspected; TLS sessions to these hosts are
# not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"harmancomesdel.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268289/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"gabirezdolirezdomez.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268290/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tahtalivilazdolezdominez.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268291/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tahirbankobinezcomez.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"demetakbaslobinezdomez.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"sahrayedcomineztopes.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tekireztokirezdomez.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"takhoplikezdomez.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"caymahedsocyescez.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tahirwolwerdoviz.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"hatipbabagelipdol.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"terektorekdomirez.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268286/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"hahyolkabinezlokezdo.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268287/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"salihogobinezdolinez.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268285/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"teyfangobinezdo.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268288/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"sayrodfalireznolere.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268282/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tarakomizdolirez.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268283/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"caymedcoymenconez.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268284/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268284; rev:1;)
# ip:port indicators. These rules carry no flow or content option, so any TCP packet from $HOME_NET to
# the listed address and port alerts, including an unanswered SYN. The threshold keeps this to one
# alert per source address per 60 seconds. Treat a hit as a connection attempt and confirm a completed
# session from flow records before escalating.
# confidence_level varies (50 to 100) while classtype stays the same; use the metadata value in triage.
alert tcp $HOME_NET any -> [41.249.40.69] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268466; rev:1;)
alert tcp $HOME_NET any -> [45.32.124.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268469; rev:1;)
alert tcp $HOME_NET any -> [167.71.205.181] 2096 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268470; rev:1;)
alert tcp $HOME_NET any -> [8.219.229.99] 11111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268471/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_05_09; classtype:trojan-activity; sid:91268471; rev:1;)
# ip:port indicators. No flow or content option is present, so any TCP packet from $HOME_NET to the
# listed address and port alerts, including an unanswered SYN; the threshold limits this to one alert
# per source address per 60 seconds. A hit shows a connection attempt, not a completed C2 session.
# IP indicators go stale when an address is reassigned; check first_seen in the metadata during triage.
alert tcp $HOME_NET any -> [159.65.12.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268472; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 11168 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268490/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268490; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11168 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268491/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268491; rev:1;)
# URL indicators. http.method is pinned to GET, so a request using another method to the same host and
# path is not matched. The URI pattern is anchored at the start of the URI by depth (longer URIs still
# match); the Host value must equal the listed name exactly (depth plus isdataat:!1,relative).
# Only cleartext HTTP is inspected by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"skylinehigh.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"skylinehigh.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268264; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.58] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268265; rev:1;)
# Domain indicator. dns_query is the legacy spelling of the dns.query buffer. depth plus
# isdataat:!1,relative makes this an exact match on the query name, so lookups for subdomains of the
# listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"minuoddos.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1dad0133.php"; depth:13; nocase; http.host; content:"a0951529.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0950683.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythontrack.php"; depth:16; nocase; http.host; content:"005514cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/967d93f7.php"; depth:13; nocase; http.host; content:"a0951137.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268464; rev:1;)
# The next two rules match a Host value that is an IP literal, so they fire only when the client put
# that literal in the request.
# NOTE(review): confirm how your Suricata version populates http.host when the Host header carries an
# explicit port, since the exact-match condition leaves no room for a ":port" suffix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.89.178.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/python4/cdndownloads/basejavascript/provider5trafficwindows/5dump/7windowswindowsdatalife/auth8/generatorvideobasephp/mariadbphp/multidefault/1dumpcentral5/flowerapitrackprocessor/cpujsmultibetter/3uploads/dleuploads0multi/sqlpython/4external/http/better8geo/phprequestlinuxpublic.php"; depth:285; nocase; http.host; content:"77.221.157.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"53473cm.easyswap.space"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268461; rev:1;)
alert tcp $HOME_NET any -> [101.43.186.30] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268460; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.117] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268459; rev:1;)
alert tcp $HOME_NET any -> [83.229.87.144] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268458; rev:1;)
alert tcp
$HOME_NET any -> [143.92.56.50] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268457; rev:1;)
# ip:port indicators (first_seen 2024_05_08). No flow or content option is present, so any TCP packet
# from $HOME_NET to the listed address and port alerts, including an unanswered SYN; the threshold
# limits this to one alert per source address per 60 seconds. A hit shows a connection attempt, so
# confirm a completed session from flow records before escalating.
# Several entries use common service ports (80, 443, 8080); on those, one stale or reassigned address
# can generate alerts from ordinary traffic, so weigh first_seen and confidence_level in triage.
alert tcp $HOME_NET any -> [193.38.34.125] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268456; rev:1;)
alert tcp $HOME_NET any -> [156.195.80.192] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268454; rev:1;)
alert tcp $HOME_NET any -> [156.195.80.192] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268455; rev:1;)
alert tcp $HOME_NET any -> [128.90.123.108] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268453; rev:1;)
alert tcp $HOME_NET any -> [64.23.156.73] 4047 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268355; rev:1;)
alert tcp $HOME_NET any -> [54.39.216.104] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268354; rev:1;)
alert tcp $HOME_NET any -> [47.245.105.90] 9876 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268353; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268352; rev:1;)
alert tcp $HOME_NET any -> [34.41.72.142] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268351; rev:1;)
# Domain indicator: exact match on the DNS query name (depth plus isdataat:!1,relative); lookups for
# subdomains of the listed name do not match. dns_query is the legacy spelling of dns.query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beamazyn.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268350; rev:1;)
alert tcp $HOME_NET any -> [18.232.156.244] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268349; rev:1;)
alert tcp $HOME_NET any -> [185.93.221.118] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268346; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.195] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268347; rev:1;)
alert tcp $HOME_NET any -> [193.168.141.196] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268348; rev:1;)
alert tcp $HOME_NET any -> [154.44.24.21] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268345; rev:1;)
alert tcp $HOME_NET any -> [13.212.154.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268332; rev:1;)
# Paired indicators: the same address appears in a url rule (Host given as an IP literal) and in an
# ip:port rule. One HTTP request to that address and port can raise both alerts, so correlate them by
# destination address instead of counting two incidents. Only the ip:port msg names the family.
# The url rules pin http.method to GET and inspect cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"52.215.189.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268329; rev:1;)
alert tcp $HOME_NET any -> [52.215.189.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.67.45.193"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268326; rev:1;)
alert tcp $HOME_NET any -> [54.67.45.193] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268325; rev:1;)
alert tcp $HOME_NET any -> [54.67.45.193] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity;
sid:91268324; rev:1;) alert tcp $HOME_NET any -> [107.173.57.243] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268322; rev:1;) alert tcp $HOME_NET any -> [107.172.191.222] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268321; rev:1;) alert tcp $HOME_NET any -> [23.226.54.25] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268318; rev:1;) alert tcp $HOME_NET any -> [121.37.137.69] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268317; rev:1;) alert tcp $HOME_NET any -> [110.41.136.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.92.96.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268315; rev:1;) alert tcp $HOME_NET any -> [47.92.96.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.130.133.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268313; rev:1;) alert tcp $HOME_NET any -> [8.130.133.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.130.102.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268311; rev:1;) alert tcp $HOME_NET any -> [8.130.102.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268310; rev:1;)
# URL rule: the header is "any -> $EXTERNAL_NET any", so the destination port is not constrained;
# the exact http.host comparison is the only condition naming the indicator's address. The URI
# is matched as a case-insensitive prefix, so longer URIs starting with the same bytes match too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"111.231.15.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268309; rev:1;)
# ip:port rules: destination address and port are the whole match; no flow state or payload is
# checked, and the threshold limits each rule to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [111.231.15.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268308; rev:1;)
alert tcp $HOME_NET any -> [118.25.85.49] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268306; rev:1;)
alert tcp $HOME_NET any -> [119.91.231.57] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268305; rev:1;)
# Domain rule: depth equals the name length and isdataat:!1,relative forbids trailing bytes, so
# only a query for this exact name matches (case-insensitive). Other names under
# tencentapigw.com.cn are not covered. The rule only sees queries the sensor parses as DNS.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-izlolzm0-1318382624.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268304; rev:1;)
# ip:port rules: matched on destination address and port only, one alert per source host per
# 60 seconds. On port 443 no payload is inspected, so the alert shows a packet toward the
# address and nothing about the session content.
alert tcp $HOME_NET any -> [175.178.128.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268303; rev:1;)
alert tcp $HOME_NET any -> [162.14.69.252] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268302; rev:1;)
alert tcp $HOME_NET any -> [159.75.93.32] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0950998.xsph.ru";
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268281; rev:1;)
# ip:port rules in this run: destination address and port are the only match conditions, and
# each rule alerts at most once per source host per 60 seconds. "target:src_ip" marks the
# $HOME_NET source as the alert's target, i.e. the internal host to investigate.
alert tcp $HOME_NET any -> [101.34.235.206] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268280; rev:1;)
# URL rule: GET on an established flow, URI beginning with "/match" (case-insensitive prefix),
# http.host exactly "49.235.118.195". The ip:port rule that follows covers the same address on
# port 80, so one request can produce two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268279; rev:1;)
alert tcp $HOME_NET any -> [49.235.118.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268278; rev:1;)
alert tcp $HOME_NET any -> [43.136.64.163] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268277; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268276/; target:src_ip; metadata: confidence_level
100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268276; rev:1;)
# ip:port rules only: each matches any TCP packet from $HOME_NET to the listed address and
# port, with no flow or payload condition, limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [94.102.59.173] 58943 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268275; rev:1;)
alert tcp $HOME_NET any -> [91.219.62.14] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268274; rev:1;)
# The next rules carry confidence_level 50 and, for three of them, the label "Unknown malware".
# Two of those three sit on port 80. With nothing but address and port to match on, treat a hit
# as a lead to corroborate with host or proxy evidence; the metadata value can be used to
# filter or down-rank these rules.
alert tcp $HOME_NET any -> [91.142.77.140] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268273; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268272; rev:1;)
alert tcp $HOME_NET any -> [146.56.200.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268271; rev:1;)
alert tcp $HOME_NET any -> [120.46.37.189] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268270; rev:1;)
# ip:port rules at confidence_level 50: the match is destination address and port only (no
# flow or payload keyword), one alert per source host per 60 seconds. The family name in msg
# comes from the feed and is not verified by anything the rule inspects.
alert tcp $HOME_NET any -> [39.40.189.62] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268269; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.156] 55295 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268268; rev:1;)
alert tcp $HOME_NET any -> [8.129.77.150] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268267; rev:1;)
# Payload-delivery URL rules: GET on an established flow, URI starting with the listed path
# (case-insensitive prefix, no end check) and http.host exactly "debtavailable.com". A separate
# domain rule for the same host (sid 91268260) fires on the DNS query, so one download attempt
# can show up as a DNS alert followed by an HTTP alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"debtavailable.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"debtavailable.com"; depth:17;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268256; rev:1;)
# Domain rules in this run match the queried name exactly and case-insensitively: depth equals
# the name length and isdataat:!1,relative rejects anything longer. Subdomains of a listed name
# do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"debtavailable.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268260; rev:1;)
# ip:port rules: destination address and port only, no flow or payload condition, one alert
# per source host per 60 seconds.
alert tcp $HOME_NET any -> [103.14.226.21] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268261; rev:1;)
alert tcp $HOME_NET any -> [67.207.161.230] 16769 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268262; rev:1;)
# cnc.nperm.net is listed here and scan.nperm.net has its own rule (sid 91268258). Because
# the match is exact, no other name under nperm.net is covered by these two rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.nperm.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poor-indians-tax-me.icu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity;
sid:91268257; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name "scan.nperm.net".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.nperm.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268258; rev:1;)
# ip:port rule for 193.222.96.124 on port 7287 only: destination address and port are the whole
# match, limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [193.222.96.124] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267977; rev:1;)
# Payload-delivery URL rules for the same address. They do not constrain the destination port
# (header is "any -> $EXTERNAL_NET any") and tie to the host through an exact http.host match.
# Each numbered .hta path has its own sid, and the URI is a case-insensitive prefix match, so a
# request such as the same path followed by a query string also matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267980/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267980; rev:1;)
# Payload-delivery URL rules: GET on an established client-to-server flow, URI beginning with
# the listed path (case-insensitive prefix) and an exact http.host match. The destination port
# is not constrained.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267982; rev:1;)
# The two .bat rules below name different hosts that differ only in the last octet:
# "/xd.bat" is tied to 193.222.96.124 and "/xx.bat" to 193.222.96.143. Check the http.host value
# in the alert rather than assuming a single server when scoping an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xd.bat"; depth:7; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xx.bat"; depth:7; nocase; http.host; content:"193.222.96.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url -
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268078; rev:1;)
# 193.222.96.143 appears in two ip:port rules in this run with different labels: port 7287 as
# "Venom RAT payload delivery" (here) and port 4449 as "Venom RAT botnet C2 traffic" (further
# down). Both match on destination address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [193.222.96.143] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268089; rev:1;)
# Payload-delivery URL rules for voicelesson.org: URI is a case-insensitive prefix match and
# http.host must equal the name exactly. The domain rule for the same host is sid 91268247, so
# a DNS alert and an HTTP alert can describe the same download attempt.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"voicelesson.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"voicelesson.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268226; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.143] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268246; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/26/pet-skunk-legal-in-california"; depth:41; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268248; rev:1;)
# Domain rules: each matches one query name exactly and case-insensitively (depth equals the
# name length, isdataat:!1,relative rejects longer names).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voicelesson.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268247; rev:1;)
# The duckdns.org rules name three specific hosts. They do not match duckdns.org itself or any
# other host under it, so these rules are not a blanket detection for that parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superkart.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getintothe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"safetheworld.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268254;
rev:1;)
# ip:port rules only. Each matches on destination address and port with no flow or payload
# keyword and alerts at most once per source host per 60 seconds. The three SpyNote rules share
# port 7771 and confidence_level 75.
alert tcp $HOME_NET any -> [103.142.244.19] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268249; rev:1;)
alert tcp $HOME_NET any -> [47.57.184.164] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268250; rev:1;)
alert tcp $HOME_NET any -> [47.57.7.44] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268251; rev:1;)
# 193.222.96.124 is also the host in the payload-delivery rules with sids 91267977 to 91267983.
# This rule adds port 5050 under the AsyncRAT label, so alerts from several sids may point at
# the same server.
alert tcp $HOME_NET any -> [193.222.96.124] 5050 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267976; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.77] 6541 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267974; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.93] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1267975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267975; rev:1;)
# Payload-delivery rules for listwisconsin.com: two URL rules and one domain rule. The paths
# "/8otabr/" and "/bvxny6r6" also appear in this file against debtavailable.com, voicelesson.org
# and teachabletutorials.com, so it is the exact http.host match that makes each rule specific.
# The URI itself is only a case-insensitive prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"listwisconsin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267973; rev:1;)
# Domain rule: exact, case-insensitive match on the queried name. Subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"listwisconsin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"listwisconsin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267972; rev:1;)
# C2 URL rule: "/load" is a 5-byte prefix, so any URI beginning with those bytes on this host
# matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"210.114.11.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267970; rev:1;)
alert tcp $HOME_NET any -> [47.109.178.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267969; rev:1;)
# NOTE(review): sid 91267958, later in this file, has the same match conditions as this rule
# (GET, URI prefix "/api/x", same exact http.host) under a different ThreatFox reference. One
# request therefore raises two alerts; deduplicate on flow when counting events. The host also
# has a domain rule (sid 91267959).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267968; rev:1;)
# The URI patterns in the next rules are three bytes long ("/cx", "/ca", "/cm") and are matched
# as case-insensitive prefixes with no end check, so they accept any URI starting with those
# bytes. The exact http.host comparison carries all of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.221.181.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.43.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267965/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267965; rev:1;)
# ip:port rule: destination address and port only, no flow or payload keyword, one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [101.200.86.179] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267964; rev:1;)
# URL rules: GET on an established client-to-server flow, URI beginning with the listed path
# (case-insensitive prefix, no end check), http.host equal to the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.109.49.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267961; rev:1;)
# Domain rule for the host that the "/api/x" URL rules (sids 91267968 and 91267958) also name.
# The match is the exact query name; other names under tencentapigw.com are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267959; rev:1;)
alert tcp $HOME_NET any -> [47.109.178.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1267960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267960; rev:1;)
# NOTE(review): this rule has the same match conditions as sid 91267968 earlier in this file
# (GET, URI prefix "/api/x", same exact http.host). Only the reference and sid differ, so one
# request raises both alerts; deduplicate on flow when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267958; rev:1;)
# ip:port rules: destination address and port only, one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [147.185.221.19] 47021 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267955; rev:1;)
alert tcp $HOME_NET any -> [15.165.134.129] 8649 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267957; rev:1;)
# URL rule: URI must begin with "/l1nc0in.php" (case-insensitive prefix) and http.host must be
# exactly "a0944507.xsph.ru". Other hosts under xsph.ru do not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0944507.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"teachabletutorials.com"; depth:22; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267929; rev:1;)
# Payload-delivery URL rules for teachabletutorials.com: GET on an established flow, URI
# beginning with the listed path (case-insensitive prefix), http.host equal to the name. The
# domain rule for the same host is sid 91267929, so a DNS alert may precede these.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"teachabletutorials.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"teachabletutorials.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267931; rev:1;)
# ip:port rules at confidence_level 50 on ports 443 and 80 of the same address. Nothing beyond
# destination address and port is checked, so a hit shows a packet toward that address and
# should be corroborated before it is treated as an infection. Each rule alerts at most once
# per source host per 60 seconds.
alert tcp $HOME_NET any -> [77.83.199.148] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267954; rev:1;)
alert tcp $HOME_NET any -> [77.83.199.148] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267953; rev:1;)
alert tcp $HOME_NET any -> [213.159.68.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267952; rev:1;)
# ip:port rules: each matches on destination address and port alone and alerts at most once per
# source host per 60 seconds. confidence_level varies (50, 50, 100, 75 below); the value is in
# both msg and metadata, so it can drive filtering or severity mapping downstream.
alert tcp $HOME_NET any -> [172.245.5.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267951; rev:1;)
alert tcp $HOME_NET any -> [185.142.184.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267950; rev:1;)
alert tcp $HOME_NET any -> [107.175.229.141] 46613 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267949; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.189] 11274 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.116.211.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08;
classtype:trojan-activity; sid:91267947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.27.131.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.230.12.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.222.141.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.222.141.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn1.cdngw.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267938/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"117.72.8.192"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromeupdate/shellex/index.php"; depth:31; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267934; rev:1;) 
# ThreatFox IOC rules, first_seen 2024_05_07 and 2024_05_08, one rule per physical line.
#
# Three rule templates appear in this block:
#   url     - "alert http": http.method "GET"; http.uri is a case-insensitive prefix match
#             (depth equals the pattern length, no end anchor); http.host is an exact match
#             (depth anchors the start, isdataat:!1,relative anchors the end).
#             These only match HTTP the sensor can parse; TLS-wrapped requests to the same
#             host will not hit them unless traffic is decrypted upstream.
#   domain  - "alert dns": dns_query (legacy spelling of the dns.query buffer) is an exact
#             match on the whole query name; a lookup for a subdomain of the listed name
#             does not match.
#   ip:port - "alert tcp" to one destination address and port with no payload match;
#             threshold limits output to one alert per source address per 60 seconds.
#
# sid is 90000000 + the ThreatFox IOC id shown in the reference URL. confidence_level in
# metadata repeats the percentage in msg. target:src_ip marks the $HOME_NET side as the
# target of the alert.
# NOTE(review): ip:port rules carry no protocol or content check, so the ones on ports 80
# and 443 alert on any TCP session to that address; at confidence_level 50 corroborate with
# DNS, HTTP or endpoint evidence before treating a hit as confirmed C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267933; rev:1;)
alert tcp $HOME_NET any -> [12.202.180.134] 8797 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267932; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.120] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267928; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.26] 1177 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267927; rev:1;)
# Payload-delivery URLs: the same two path prefixes (/8otabr/ and /bvxny6r6) recur in this
# block for waytowealth.org, currentsilverprice.com and valentinedaycard.com, and each of
# those hosts also has a dns rule for the bare domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"waytowealth.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"waytowealth.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"waytowealth.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seadrill.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267923; rev:1;)
alert tcp $HOME_NET any -> [96.47.233.137] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267921; rev:1;)
alert tcp $HOME_NET any -> [107.173.4.16] 2560 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvin/five/fre.php"; depth:20; nocase; http.host; content:"seadrill.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvmsecuresqlwindowstrackdatalife.php"; depth:44; nocase; http.host; content:"065963cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"currentsilverprice.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"currentsilverprice.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"currentsilverprice.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/42public4/base/test0centralvideo/datalifepythondbflower/bigloadprovider/2dle/0private/authline6/request4/providervideorequestflowertraffictesttracktemporary.php"; depth:161; nocase; http.host; content:"199.231.191.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267914; rev:1;)
alert tcp $HOME_NET any -> [67.211.218.147] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267913; rev:1;)
# Run of confidence_level 50 ip:port rules. Each matches on destination address and port
# alone, so a hit is a lead to investigate rather than a verdict.
alert tcp $HOME_NET any -> [154.38.104.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267912; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.39] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267911; rev:1;)
alert tcp $HOME_NET any -> [89.116.193.177] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267910; rev:1;)
alert tcp $HOME_NET any -> [47.108.229.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267909; rev:1;)
alert tcp $HOME_NET any -> [69.162.96.30] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267908; rev:1;)
alert tcp $HOME_NET any -> [121.41.18.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267907; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.7] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267906; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.7] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267905; rev:1;)
alert tcp $HOME_NET any -> [41.99.118.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267904; rev:1;)
alert tcp $HOME_NET any -> [94.98.69.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267903; rev:1;)
alert tcp $HOME_NET any -> [2.50.39.105] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267902; rev:1;)
alert tcp $HOME_NET any -> [82.157.173.114] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267901; rev:1;)
# NOTE(review): destination port 445 is outbound SMB leaving $HOME_NET; if the perimeter
# already drops it, whether this rule can fire depends on where the sensor sits.
alert tcp $HOME_NET any -> [31.214.157.49] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267900; rev:1;)
alert tcp $HOME_NET any -> [143.110.211.214] 50001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267899; rev:1;)
alert tcp $HOME_NET any -> [103.82.194.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267898; rev:1;)
alert tcp $HOME_NET any -> [195.80.148.170] 9090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267897; rev:1;)
alert tcp $HOME_NET any -> [64.95.13.226] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267896; rev:1;)
alert tcp $HOME_NET any -> [2.58.15.151] 13576 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267895; rev:1;)
alert tcp $HOME_NET any -> [5.8.18.9] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267894; rev:1;)
alert tcp $HOME_NET any -> [45.41.187.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267893; rev:1;)
# Three hosts (kyrtasarim22.net, kyrtasarim22.com, kyrtasarim33.com) share one URI prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje3ztbjn2rmm2m4/"; depth:18; nocase; http.host; content:"kyrtasarim22.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_08; classtype:trojan-activity; sid:91267878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"valentinedaycard.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267884; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.11] 65024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"valentinedaycard.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje3ztbjn2rmm2m4/"; depth:18; nocase; http.host; content:"kyrtasarim22.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_08; classtype:trojan-activity; sid:91267879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje3ztbjn2rmm2m4/"; depth:18; nocase; http.host; content:"kyrtasarim33.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_08; classtype:trojan-activity; sid:91267880; rev:1;)
# Domain IOCs. Each rule matches the listed name exactly and nothing beneath it; DNS
# resolved over an encrypted transport is not visible to these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.operationanonrecoil.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailshop.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realbumblebee.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recentbee.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investrealtydom.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webnubee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artspathgroup.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buyblocknow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currentbee.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modernbeem.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupbusiness24.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magentoengineers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"childrensdolls.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myfinancialexperts.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"limitedtoday.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekeoamigo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebraska-lawyers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomlawcenter.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesmartcloudusa.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267620; rev:1;)
alert tcp $HOME_NET any -> [103.174.73.185] 45456 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.heleh.com.vn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasapool.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artspathgroupe.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"specialdrills.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thetrailbig.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267601; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.132] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267562; rev:1;)
alert tcp $HOME_NET any -> [178.159.39.40] 19667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267570; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.41] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"itemsdostawa.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267573; rev:1;)
# Hostname under duckdns.org: only this exact label is matched, other names in that zone
# are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterokrwh.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"valentinedaycard.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267598; rev:1;)
# Entries from here on carry first_seen 2024_05_07.
alert tcp $HOME_NET any -> [45.148.244.102] 6395 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267891; rev:1;)
alert tcp $HOME_NET any -> [114.132.87.123] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267890; rev:1;)
alert tcp $HOME_NET any -> [159.223.86.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267889; rev:1;)
# The URI pattern is a 3-byte prefix, so the exact http.host match carries the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"otomotif.kumbaraan.biz.id"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267888; rev:1;)
# ThreatFox IOC rules, first_seen 2024_05_07, restored to one rule per line.
# Three rule shapes are used in this section:
#   ip:port - tcp rule to one [IP] and port with no flow or content option, so any TCP packet
#             from $HOME_NET to that address and port matches. The threshold option limits
#             output to one alert per source host per 60 seconds. The family named in msg is
#             the feed's attribution; nothing in the rule checks it on the wire.
#   domain  - dns_query content whose depth equals the name's length, followed by
#             isdataat:!1,relative: the queried name must be exactly this string
#             (nocase). Subdomains of the listed name do not match.
#   url     - GET request whose http.uri starts with the listed path (depth anchors the
#             start, nothing anchors the end) and whose http.host is exactly the listed value.
#             Only the GET method is covered. These are http rules, so a request carried
#             inside TLS is not visible to them unless traffic is decrypted upstream.
# target:src_ip marks the $HOME_NET host as the affected side of the event.
# metadata (confidence_level, first_seen) is informational and takes no part in matching.
alert tcp $HOME_NET any -> [207.246.64.185] 6161 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267887; rev:1;)
alert tcp $HOME_NET any -> [178.215.236.110] 3050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267886; rev:1;)
alert tcp $HOME_NET any -> [5.189.217.203] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267885; rev:1;)
# Destination port 445 on an external address: this alert also means outbound traffic to
# that port left $HOME_NET. The same IP is the http.host of the .hta payload rule sid:91267561 below.
alert tcp $HOME_NET any -> [77.75.230.59] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267882; rev:1;)
# The next ten ip:port rules carry confidence_level 50 (five of them "Unknown malware").
# They match on destination alone, several on ports 80/443, so corroborate with host or
# proxy evidence before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [154.53.43.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267877; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267876; rev:1;)
alert tcp $HOME_NET any -> [38.45.124.235] 30100 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267875; rev:1;)
alert tcp $HOME_NET any -> [139.9.105.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267874; rev:1;)
alert tcp $HOME_NET any -> [117.72.33.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267873; rev:1;)
alert tcp $HOME_NET any -> [86.98.18.48] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267872; rev:1;)
alert tcp $HOME_NET any -> [159.65.12.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267871; rev:1;)
alert tcp $HOME_NET any -> [194.246.114.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267870; rev:1;)
alert tcp $HOME_NET any -> [64.95.13.226] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267869; rev:1;)
alert tcp $HOME_NET any -> [18.134.60.47] 8084 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267868; rev:1;)
# Payload-delivery URL with an IP literal as http.host: matches only when the Host header
# is exactly that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.212.101.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"54.82.65.203"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267623; rev:1;)
# 54.244.147.176 is covered by ip:port rules (80, 443) and by url rules (/load, /cm); one
# HTTP request to port 80 can therefore raise both an ip:port and a url alert.
alert tcp $HOME_NET any -> [54.244.147.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proya.cyou"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267593; rev:1;)
alert tcp $HOME_NET any -> [114.132.120.166] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.3.min.js"; depth:20; nocase; http.host; content:"proya.cyou"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267590; rev:1;)
alert tcp $HOME_NET any -> [54.244.147.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.testtttt.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.testtttt.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267587; rev:1;)
alert tcp $HOME_NET any -> [79.132.142.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/content/stream-9a42d411-e060-49be-8cd9-9a15d111ea30/f29df6de-5918-46d2-a4b8-157990ed06ab"; depth:94; nocase; http.host; content:"79.132.142.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267585; rev:1;)
alert tcp $HOME_NET any -> [172.81.132.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"172.81.132.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.200.176.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267582; rev:1;)
alert tcp $HOME_NET any -> [116.203.12.249] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tstarks.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267581; rev:1;)
# The url rules with content:"/" and depth:1 (sids 91267577, 91267576, 91267575, 91267574)
# match every GET request to the listed host, since any request path starts with "/".
# In effect they are host-only detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267577; rev:1;)
alert tcp $HOME_NET any -> [116.203.7.126] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267578; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.112] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tstarks.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cj32434.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267572; rev:1;)
# sid:91267569 and sid:91267563 have identical match options (same URI prefix, same host).
# One matching request raises two alerts that differ only in the ThreatFox reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/722c81812703a73d.php"; depth:21; nocase; http.host; content:"193.163.7.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267568; rev:1;)
# Prefix match: "/updates" here also matches longer paths that begin with it, such as "/updates.rss".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"91.92.249.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"111.230.12.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267566; rev:1;)
alert tcp $HOME_NET any -> [113.31.106.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preserve/extranet/lff00fq6u2h0"; depth:31; nocase; http.host; content:"113.31.106.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267564; rev:1;)
# Same match options as sid:91267569 above; only the reference and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267563; rev:1;)
# .hta payload URL on the same IP as the port-445 ip:port rule sid:91267882 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/share/ms_excel_document_helper.hta"; depth:35; nocase; http.host; content:"77.75.230.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bandarsport.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267555; rev:1;)
alert tcp $HOME_NET any -> [50.114.177.189] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267551; rev:1;)
alert tcp $HOME_NET any -> [156.253.8.166] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267560; rev:1;)
alert tcp $HOME_NET any -> [13.77.123.222] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267559; rev:1;)
alert tcp $HOME_NET any -> [195.26.240.251] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267558; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.172] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267557; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.172] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267556; rev:1;)
alert tcp $HOME_NET any -> [14.164.99.119] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267554; rev:1;)
alert tcp $HOME_NET any -> [222.108.86.185] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267553; rev:1;)
alert tcp $HOME_NET any -> [191.82.203.72] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267552; rev:1;)
alert tcp $HOME_NET any -> [175.137.217.143] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267550; rev:1;)
alert tcp $HOME_NET any -> [143.92.56.46] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267548; rev:1;)
alert tcp $HOME_NET any -> [143.92.56.60] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267546; rev:1;)
alert tcp $HOME_NET any -> [192.121.102.3] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267543; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.82] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267540; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.83] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"117.72.8.192"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267537; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267536; rev:1;)
# sid:91267535 and sid:91267532 have identical match options ("/fwlink" on 38.147.170.150);
# one matching request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267534; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267532; rev:1;)
alert tcp $HOME_NET any -> [89.39.106.35] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267531; rev:1;)
# The url rule and the domain rule below name the same host, so a DNS lookup followed by
# a cleartext GET to "/api/get..." produces one alert from each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"a2ef406e2c2351e0b9e80029c909242d.melonhack.top"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a2ef406e2c2351e0b9e80029c909242d.melonhack.top"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267529; rev:1;)
alert tcp $HOME_NET any -> [89.213.184.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267527; rev:1;)
alert tcp $HOME_NET any -> [154.44.24.21] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267528; rev:1;)
alert tcp $HOME_NET any -> [154.40.46.121] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267525; rev:1;)
alert tcp $HOME_NET any -> [154.9.254.227] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267526; rev:1;)
alert tcp $HOME_NET any -> [142.171.224.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267520; rev:1;) alert tcp $HOME_NET any -> [52.234.248.198] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1267519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267519; rev:1;) alert tcp $HOME_NET any -> [52.234.248.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267518; rev:1;) alert tcp $HOME_NET any -> [20.102.88.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"mystoreanandhelens.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mystoreanandhelens.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267515; rev:1;) alert tcp $HOME_NET any -> [4.157.67.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267514/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_07; classtype:trojan-activity; sid:91267514; rev:1;)
# The ip:port rules in this stretch carry first_seen 2024_05_07 and match on destination
# address and port alone (no flow or content option). An address can change hands after an
# indicator is published, so check the reference URL for the indicator's current status
# before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [4.149.228.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apt.daili778.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267512; rev:1;)
# Several hosts below appear twice: once as a url indicator (exact Host plus URI prefix) and
# once or more as an ip:port indicator (43.128.113.251, 47.236.52.108, 8.219.204.94,
# 139.159.183.48, 124.220.62.60, 120.53.249.27). A single cleartext request to port 80 of
# such a host can raise both sids, so correlate on source address and time when counting
# affected machines. Only the ip:port rule can fire for TLS traffic on 443, because the
# "alert http" rules need a parsed cleartext request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.128.113.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267511; rev:1;)
alert tcp $HOME_NET any -> [43.128.113.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267510; rev:1;)
alert tcp $HOME_NET any -> [43.128.113.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.236.52.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267508; rev:1;)
alert tcp $HOME_NET any -> [47.236.52.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267506; rev:1;)
alert tcp $HOME_NET any -> [47.236.52.108] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.219.204.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267505; rev:1;)
alert tcp $HOME_NET any -> [8.219.204.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267504; rev:1;)
alert tcp $HOME_NET any -> [14.5.161.232] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267503; rev:1;)
# confidence_level 75 on the url indicator, while the ip:port indicator for the same host
# (next rule) is 100. The URI pattern is all lowercase and relies on nocase to match however
# the client cases the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapi/affiliation/v1/affiliation:lookupbyhashprefix"; depth:56; nocase; http.host; content:"139.159.183.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267502; rev:1;)
alert tcp $HOME_NET any -> [139.159.183.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267501; rev:1;)
alert tcp $HOME_NET any -> [121.36.75.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267500; rev:1;)
alert tcp $HOME_NET any -> [47.109.48.193] 2345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267499; rev:1;)
alert tcp $HOME_NET any -> [47.109.70.202] 32680 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267498; rev:1;)
alert tcp $HOME_NET any -> [123.57.59.76] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267497; rev:1;)
alert tcp $HOME_NET any -> [124.221.181.157] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.62.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267493; rev:1;)
alert tcp $HOME_NET any -> [124.220.62.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"120.53.249.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267491; rev:1;)
alert tcp $HOME_NET any -> [120.53.249.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267490; rev:1;)
alert tcp $HOME_NET any -> [119.91.236.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267489; rev:1;)
# Domain and url indicator for the same host: the DNS rule needs the resolver query to cross
# the sensor, the HTTP rule needs the cleartext request to cross it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otomotif.kumbaraan.biz.id"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"otomotif.kumbaraan.biz.id"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267487; rev:1;)
alert tcp $HOME_NET any -> [111.230.12.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1267486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267485; rev:1;)
alert tcp $HOME_NET any -> [1.117.232.76] 4880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267485; rev:1;)
reference:url, threatfox.abuse.ch/ioc/1267451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"wasabiwallet.is"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"2moneycsasfasfh.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_07; classtype:trojan-activity; sid:91267454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"3moneycsasfasfh.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_07; classtype:trojan-activity; sid:91267455; rev:1;) alert tcp $HOME_NET any -> [45.150.67.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267450; rev:1;) alert tcp $HOME_NET any -> [45.83.31.137] 80 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267449; rev:1;)
# ThreatFox ip:port template. Each rule below alerts on any TCP packet from
# $HOME_NET to the single listed address and port. There is no flow, flags or
# content keyword, so a hit shows only that a host sent traffic to that
# endpoint, not that a C2 protocol was observed on the wire.
#   threshold  - at most one alert per source address per 60 seconds, per rule.
#   target     - src_ip marks the internal sender as the affected side.
#   sid        - the IOC number from the reference URL with a leading 9.
# Every rule in this group carries confidence_level 50.
# NOTE(review): corroborate a hit with host or proxy evidence before treating
# it as a confirmed infection. first_seen is 2024_05_07 while the file header
# is dated 2024-07-26, so check the reference URL for the indicator's current
# status; addresses of this age may have been reassigned.
#
# Family label "Unknown malware", port 80.
alert tcp $HOME_NET any -> [185.173.36.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267448; rev:1;)
alert tcp $HOME_NET any -> [79.137.162.53] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267447; rev:1;)
alert tcp $HOME_NET any -> [198.46.143.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267446; rev:1;)
alert tcp $HOME_NET any -> [154.198.224.105] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267445; rev:1;)
# Family label "QakBot", ports 443 and 995.
alert tcp $HOME_NET any -> [189.140.17.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267444; rev:1;)
alert tcp $HOME_NET any -> [79.107.156.73] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267443; rev:1;)
alert tcp $HOME_NET any -> [75.173.16.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267442; rev:1;)
alert tcp $HOME_NET any -> [189.176.230.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267441; rev:1;)
alert tcp $HOME_NET any -> [77.124.170.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267440; rev:1;)
alert tcp $HOME_NET any -> [86.98.19.216] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267439; rev:1;)
# Family label "Responder", port 445. The same address is listed again on
# port 80 under the BianLian label (sid:91267393 later in this file).
# NOTE(review): this is outbound TCP/445 to an external address; check whether
# egress filtering already blocks it, in which case the rule sees attempts only.
alert tcp $HOME_NET any -> [45.152.85.10] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267438; rev:1;)
# Family label "Havoc", ports 80 and 443.
alert tcp $HOME_NET any -> [107.175.115.199] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267437; rev:1;)
alert tcp $HOME_NET any -> [103.151.111.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267436; rev:1;)
alert tcp $HOME_NET any -> [85.31.238.253] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267435; rev:1;)
alert tcp $HOME_NET any -> [143.110.211.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267434; rev:1;)
# Family label "BianLian". The ports used here (5060, then 53 in the next rule)
# are ones commonly carrying SIP and DNS; the rules key on address and port
# only, so they do not inspect which protocol is actually spoken.
alert tcp $HOME_NET any -> [64.95.13.226] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267433; rev:1;)
alert tcp $HOME_NET any -> [38.60.223.86] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267432; rev:1;)
# Three rule templates appear in this stretch.
#
# ip:port  (alert tcp ... -> [addr] port)
#   Fires on any TCP packet from $HOME_NET to that address and port; there is
#   no flow or content keyword. threshold limits output to one alert per source
#   address per 60 seconds.
# url      (alert http)
#   Client-to-server traffic on an established flow whose method buffer
#   contains "GET". The http.uri content has depth equal to its own length, so
#   it is anchored at the start of the URI but not at the end: it is a
#   case-insensitive prefix match. The http.host content has depth plus
#   isdataat:!1,relative, so the host buffer must equal the listed name.
#   NOTE(review): these rules need parsed HTTP; if the same host is reached
#   over TLS without decryption, nothing here will match.
# domain   (alert dns)
#   depth plus isdataat:!1,relative with nocase: the queried name must equal
#   the listed name, so a subdomain or the parent zone is not matched.
#   NOTE(review): dns_query is the older spelling of the dns.query buffer; the
#   url rules already use the dotted form.
#
# In every rule, target:src_ip marks the internal host as the affected side and
# sid is the IOC number from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [163.181.105.70] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267431; rev:1;)
alert tcp $HOME_NET any -> [185.202.173.179] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0947994.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updateleft.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267424; rev:1;)
# "payload delivery" url rules: three URIs under /cdn-vs/ on one host
# (sids 91267418, 91267417, 91267419). The msg names no malware family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"libidotechnexus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267418; rev:1;)
alert tcp $HOME_NET any -> [194.26.232.43] 20746 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"libidotechnexus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"libidotechnexus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"findyourbackups.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267425; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267426/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"djanic.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267427/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267427; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.210] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267428; rev:1;)
# From here on first_seen is 2024_05_06. The next two url rules match a host
# buffer that is an IP literal, i.e. requests addressed by IP rather than name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awzk"; depth:5; nocase; http.host; content:"14.5.161.232"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267423/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.92.244.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267422; rev:1;)
alert tcp $HOME_NET any -> 
[147.45.47.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267421; rev:1;)
# Reading notes for the rules below.
#   ip:port rules (alert tcp) fire on any TCP packet from $HOME_NET to the
#   listed address and port, at most once per source per 60 seconds; they carry
#   no flow or content keyword.
#   url rules (alert http) need an established client-to-server flow, "GET" in
#   the method buffer, a case-insensitive URI prefix (depth equals the content
#   length, no end anchor) and a host buffer equal to the listed value.
#   domain rules (alert dns) need the queried name to equal the listed name.
#   sid is the IOC number from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [196.65.165.110] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267420; rev:1;)
# Cobalt Strike entries come as pairs: an ip:port rule for <addr>:443 and a url
# rule whose host buffer is the same address (or, for sid:91267410, a domain
# that also has its own dns rule).
# NOTE(review): the url rules need parsed HTTP. If the traffic to port 443 is
# TLS and is not decrypted, only the ip:port rule of each pair can fire, and
# that rule does not distinguish the listed URI from any other connection to
# the address.
alert tcp $HOME_NET any -> [47.116.211.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.116.211.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267415; rev:1;)
alert tcp $HOME_NET any -> [47.113.118.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"47.113.118.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267413; rev:1;)
alert tcp $HOME_NET any -> [193.149.185.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.microsoftsendtime.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promote/static/xv4splmog"; depth:25; nocase; http.host; content:"www.microsoftsendtime.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267410; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.196.10.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267408; rev:1;)
# 147.45.47.126 is listed twice under the RisePro label: port 58709 here at
# confidence 100, and port 8081 in sid:91267421 at confidence 50.
alert tcp $HOME_NET any -> [147.45.47.126] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267406; rev:1;)
alert tcp $HOME_NET any -> [20.100.11.101] 42074 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tolongpollbasetemporary.php"; depth:28; nocase; http.host; content:"046408cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267404; rev:1;)
# Confidence drops to 50 for the "Unknown malware" ip:port entries that follow.
alert tcp $HOME_NET any -> [193.233.254.16] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267403; rev:1;)
alert tcp $HOME_NET any -> [85.208.69.48] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267402; rev:1;)
# ip:port rules: each fires on any TCP packet from $HOME_NET to the one listed
# address and port. No flow, flags or content keyword is present, so the alert
# records contact with the endpoint and nothing about the payload.
# threshold keeps output to one alert per source address per 60 seconds.
# target:src_ip marks the internal host as the affected side; sid is the IOC
# number from the reference URL with a leading 9.
# NOTE(review): most entries here are confidence_level 50 with first_seen
# 2024_05_06, against a file header dated 2024-07-26. Check the reference URL
# for the indicator's current status and look for corroborating host evidence
# before escalating on one of these alone.
alert tcp $HOME_NET any -> [172.234.250.178] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267401; rev:1;)
alert tcp $HOME_NET any -> [49.232.18.28] 65458 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267400; rev:1;)
alert tcp $HOME_NET any -> [83.229.122.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267399; rev:1;)
alert tcp $HOME_NET any -> [169.255.58.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267398; rev:1;)
alert tcp $HOME_NET any -> [148.74.227.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267397; rev:1;)
alert tcp $HOME_NET any -> [94.49.41.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267396; rev:1;)
alert tcp $HOME_NET any -> [45.121.147.114] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267395; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20038 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267394; rev:1;)
# 45.152.85.10 also appears on port 445 under the "Responder" label
# (sid:91267438 earlier in this file); the two entries name different families
# for the same address.
alert tcp $HOME_NET any -> [45.152.85.10] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267393; rev:1;)
alert tcp $HOME_NET any -> [45.200.8.75] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267392; rev:1;)
alert tcp $HOME_NET any -> [3.109.78.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267391; rev:1;)
# IOC numbering jumps from 1267391 to 1267188 here; confidence is 75 for the
# NjRAT and MooBot entries and for the domain rules mixed in with them.
# domain rules (alert dns): depth plus isdataat:!1,relative with nocase means
# the queried name must equal the listed name; other labels under the same
# parent zone are not matched.
# NOTE(review): dns_query is the older spelling of the dns.query buffer.
alert tcp $HOME_NET any -> [147.185.221.18] 46584 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"few-madrid.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267189; rev:1;)
alert tcp $HOME_NET any -> [5.182.211.142] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267190/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comfortel.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267191/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267191; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.241] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267192/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267192; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.fungoa.kro.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267193/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267193; rev:1;)
# domain rule plus matching url rule for the same host: the dns rule needs the
# queried name to equal the listed name (depth plus isdataat:!1,relative), and
# the url rule needs that name as the whole host buffer.
# The url rule's URI content "/ee" with depth:3 has no end anchor, so any GET
# whose URI starts with /ee on that host matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bola.kumbaraan.biz.id"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"bola.kumbaraan.biz.id"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267194; rev:1;)
# Start of a long run of url rules that differ only in the host value. Each
# one requires:
#   - an established client-to-server flow and "GET" in the method buffer;
#   - a URI beginning with /login.php or /pages/login.php (case-insensitive
#     prefix; depth equals the content length and there is no end anchor);
#   - a host buffer equal to the listed name.
# Those two paths are generic, so the exact host match is what makes each rule
# specific. Because the host match is exact, the bare and www. forms of a name
# are separate rules (x3qc.com and www.x3qc.com below).
# All carry confidence_level 50 and the msg names no malware family.
# NOTE(review): these rules need parsed HTTP; a host reached only over
# undecrypted TLS will not match, and no dns rule for these names is visible
# in this part of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"zepwk111.uk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"xmr.r4nd0m.anondns.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"xm.centralmarketingkur.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"x3qc.com"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.x3qc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.trustabletechsupport.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.telefonemusk.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.smartpanel.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.servermethod.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.rede.tphost.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/login.php"; depth:10; nocase; http.host; content:"www.paquerasfacilitadas.fun.g10corretora.com.br"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267177; rev:1;)
# url rules, all on one template and all confidence_level 50. Only the host
# value and the choice between /login.php and /pages/login.php change.
#   - flow:established,from_client with "GET" in the method buffer: other
#     request methods to the same URL do not alert.
#   - http.uri content with depth equal to its length: anchored at the start
#     of the URI, not at the end, and case-insensitive, so a query string or a
#     longer path after the listed prefix still matches.
#   - http.host content with depth plus isdataat:!1,relative: the host buffer
#     must equal the listed name. Every host in this group is the www. form.
#   - target:src_ip marks the internal client as the affected side; sid is the
#     IOC number from the reference URL with a leading 9.
# The msg gives no malware family.
# NOTE(review): treat a hit as a lead to corroborate (proxy logs, endpoint
# telemetry) and confirm the indicator's status at the reference URL, since
# first_seen is 2024_05_06 and the file header is dated 2024-07-26.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.panitor.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.panel.52jfg.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.ok.adaklab.ir"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.muiairdrop.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.krypto.itwu.pl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.koldiv.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.kaspersky-secure.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.fortunagamez.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.dontdoxme.space"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.controlpanel29.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.cdnupdateservice.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.blablaminions.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.badtrippaap.store"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267164; rev:1;)
# url rules on a single template, all confidence_level 50, with no malware
# family in the msg. Each requires an established client-to-server flow, "GET"
# in the method buffer, a URI that begins (case-insensitively) with /login.php
# or /pages/login.php, and a host buffer equal to the listed name.
# The URI content has no end anchor, so it is a prefix match; the generic path
# means the exact host match carries the specificity of each rule.
# The host match is exact, which is why bare names here repeat hosts whose www.
# forms have their own rules earlier in this file: trustabletechsupport.com
# (sid:91267182), telefonemusk.ru (91267181), smartpanel.top (91267180),
# servermethod.net (91267179) and rede.tphost.com.br (91267178).
# sid is the IOC number from the reference URL with a leading 9.
# NOTE(review): these rules need parsed HTTP and will not match a host reached
# only over undecrypted TLS; corroborate a hit before treating it as confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.akunet.host"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.52jfg.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"vps-zap998573-1.zap-srv.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267161/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"trustabletechsupport.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267160/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"telefonemusk.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"smartpanel.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"sh4945832.c.had.su"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267157/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"servermethod.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"sec-1-min.usevm.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"seanhenning-101.ddns.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267154/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"satoshisbeck.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"rede.tphost.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"paquerasfacilitadas.fun.g10corretora.com.br"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"panitor.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"panfsaafcxzelkfsha31523.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"panelyapiinsaat.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pages/login.php"; depth:16; nocase; http.host; content:"onedrive.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"ok.adaklab.ir"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"ns3109813.ip-54-36-127.eu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"netmatic.gr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"muiairdrop.com"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mrzopr.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"monerominer.ddns.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"modules.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"miner.sjzh.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267139; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.ok.adaklab.ir"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"main-node.incaves.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.52jfg.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"lozak.site"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"klanox.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"kaspersky-secure.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"fortunagamez.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"demo.citichoice.ca"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"data.shopvigil.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"controlpanel29.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"cf-protected-l7.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"cdnupdateservice.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"caboshed-rations.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; 
sid:91267126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"blablg.site.transip.me"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"blablaminions.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"badtrippaap.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"aquaop.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"akunet.host"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"54.36.127.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"52jfg.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"45.9.150.125"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1267117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.125.50.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"176.119.35.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"106.54.200.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"104759689316.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; 
sid:91267113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"zepwk111.uk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"x3qc.com"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"xmr.r4nd0m.anondns.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.x3qc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.trustabletechsupport.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.smartpanel.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.servermethod.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.paquerasfacilitadas.fun.g10corretora.com.br"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; 
content:"www.rede.tphost.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.panitor.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.panel.52jfg.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.ok.adaklab.ir"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.koldiv.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267100/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.kaspersky-secure.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.controlpanel29.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.data.shopvigil.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.badtrippaap.store"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.52jfg.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267095; rev:1;)
# ---------------------------------------------------------------------------------------------
# URL IOCs, confidence_level 50, first_seen 2024_05_06 (the rule tail above through sid:91267034)
# Each rule alerts on a client-to-server HTTP GET from $HOME_NET when both conditions hold:
#   - the http.uri buffer starts with "/login.php" or "/pages/login.php" (content + depth equal
#     to the content length, nocase); there is no end anchor on the URI, so longer paths and
#     query strings with that prefix also match;
#   - the http.host buffer is exactly the listed name or IP literal (depth equals the content
#     length and isdataat:!1,relative rejects any trailing bytes).
# Triage notes:
#   - These are "alert http" rules, so they only see cleartext (or already decrypted) HTTP.
#   - No threshold keyword is present, so alert volume is not limited by the rule itself.
#   - The msg names no malware family; the reference URL is the only pointer to IOC context.
#   - Several hosts look like provider-assigned names or are bare IPs, which can change hands;
#     at confidence_level 50 treat a hit as a lead to corroborate (process, DNS and proxy
#     telemetry on the source host), not as a verdict.
# ---------------------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"vps-zap998573-1.zap-srv.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"trustabletechsupport.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"static.55.253.216.95.clients.your-server.de"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"striperouter.supelle.co"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267092; rev:1;)
# NOTE(review): the next two rules have identical match conditions and differ only in sid and
# reference (IOC 1267090 / 1267089), so one request raises both alerts. Presumably the two IOCs
# differ in something the rule does not encode (e.g. scheme or port) - confirm on ThreatFox and
# deduplicate downstream on source, host and URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"static.254.146.21.65.clients.your-server.de"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"static.254.146.21.65.clients.your-server.de"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"servermethod.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"sh4945832.c.had.su"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"rustbakingtable.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"rede.tphost.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"paquerasfacilitadas.fun.g10corretora.com.br"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"panitor.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"panel.52jfg.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"panfsaafcxzelkfsha31523.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"ok.adaklab.ir"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"ns3109813.ip-54-36-127.eu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"netmatic.gr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"newstroczvmonmy3ne1w.su"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"muiairdrop.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"minernumberone.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"minerchenzhi888.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267074; rev:1;)
# NOTE(review): duplicate match conditions again (IOC 1267072 / 1267073); only sid and reference
# differ, so both rules fire on the same request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mainnet-rpc.rupayx.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mainnet-rpc.rupayx.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"main-node.incaves.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.52jfg.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.ok.adaklab.ir"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"klanox.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"lavender-leopard-40929.zap.cloud"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"jk013.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"kaspersky-secure.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"jk006.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"jk005.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"data.shopvigil.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"device-679f12e8-5521-4674-9797-cc5c04ee4213.remotewd.com"; depth:56; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"controlpanel29.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"caboshed-rations.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"cf-protected-l7.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"aquaop.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267057; rev:1;)
# NOTE(review): duplicate match conditions (IOC 1267056 / 1267055); only sid and reference differ.
# The Host value here is an IP literal, so the rule only matches requests addressed by IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"70.225.125.34.bc.googleusercontent.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"66.78.40.230.kyun.network"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267053; rev:1;)
# NOTE(review): duplicate match conditions (IOC 1267052 / 1267051); only sid and reference differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"65.21.146.254.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"65.21.146.254.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"54.36.127.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"52jfg.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"51.195.211.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"31.27.151.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"34.125.225.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.125.50.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.112.147.62"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"176.119.35.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"172-104-103-158.ip.linodeusercontent.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"16.171.137.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"144920-1-76bedd-01.services.oktawave.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"116.204.132.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"107.175.202.158"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"112.78.3.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"106.54.200.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"103.106.189.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"102.50.247.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267034; rev:1;)
# ---------------------------------------------------------------------------------------------
# URL IOCs, confidence_level 100, first_seen 2024_05_06 (sid:91267033 down to sid:91267010)
# Same rule shape as the group above: HTTP GET from $HOME_NET, http.uri starting with
# "/new/login" (depth:10, nocase, no end anchor, so e.g. a longer path with that prefix also
# matches) and an exact http.host match on the listed name or IP literal.
# The msg again names no malware family; use the reference URL for attribution before acting.
# ---------------------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"whitedesk.cow-procyon.ts.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"nocomp.freeboxos.fr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"mythic.pcfindercentral.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"m.agorasecurity.it"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"ip14.ip-51-254-53.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"data.iexcom.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"c2.rmrf.one"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"95.217.6.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"95.164.19.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"83.244.163.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"82.97.251.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"82.65.203.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"78.47.48.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"64.23.196.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"64.23.155.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"62.210.188.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"61.162.223.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"54.168.147.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"51.254.53.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"45.95.174.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"45.137.118.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"3.146.206.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"217.12.200.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"193.201.126.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267010; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"188.166.153.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"185.16.43.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"178.128.92.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"165.227.90.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/new/login"; depth:10; nocase; http.host; content:"158.160.71.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"154.38.167.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"149.248.21.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"149.104.26.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"139.144.117.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267001/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"138.197.156.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"137.184.39.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"134.209.171.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"129.226.154.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"104.37.190.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"104.156.255.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"c2.rmrf.one"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"thecookoutcaterer.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; 
nocase; http.host; content:"thecookoutcaterer.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"thecookoutcaterer.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266965; rev:1;)
# Review note for the "/up", "/up/b" and "/ujs/<id>" rules below (hosts trxu.xyz, trxq.xyz, trxh.xyz,
# veronicabal.com, iicc.fun, dervinko.biz). The Host is matched exactly (depth = pattern length plus
# isdataat:!1,relative), but the URI is matched as a prefix: depth pins only the start. A request
# for "/up/b" therefore satisfies both the "/up/b" rule and the "/up" rule of the same host, e.g.
# sid 91266989 and sid 91266987 for trxu.xyz. Expect paired alerts for one request and de-duplicate
# per flow when counting incidents. These are "alert http" rules, so the same request carried over
# TLS is presumably not seen without decryption - the dns rules further down cover the lookups.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"trxu.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"trxq.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"trxu.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"trxq.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"trxh.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"trxh.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujs/9adbbdfd-2661-43e4-8280-7f9a9698f912"; depth:41; nocase; http.host; content:"trxh.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"veronicabal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"veronicabal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"iicc.fun"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"iicc.fun"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujs/10924410-23ef-465e-a794-c614640e2bf2"; depth:41; nocase; http.host; content:"iicc.fun"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"dervinko.biz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujs/8921e7ad-5b9e-4fca-97e6-c631b2636cc9"; depth:41; nocase; http.host; content:"dervinko.biz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"dervinko.biz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266976; rev:1;)
# Review note: the next three rules match a profile path on steamcommunity.com, a widely used
# legitimate site. The indicator is the specific "/profiles/<id>" path, not the domain, so these
# must not be turned into a host or domain block. As "alert http" rules they presumably fire only
# where the request is visible in cleartext or after TLS inspection - confirm, because without that
# visibility they give no coverage. The URI is prefix-matched, so sub-pages of the same profile
# match too. On an alert, identify the process on the source host that made the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199621302269"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199621451974"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199609719039"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266972; rev:1;)
# Review note for the dns rules below: depth equal to the name length plus isdataat:!1,relative makes
# the query name an exact, case-insensitive match, so a subdomain such as "www.<name>" is not
# covered. The header is $HOME_NET -> $EXTERNAL_NET: where clients resolve through an internal
# resolver, the sensor presumably sees only the resolver's upstream query, and target:src_ip then
# marks the resolver rather than the originating host - correlate with resolver logs.
# "dns_query" is the older spelling of the dns.query buffer; the http rules here use the dotted form.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dervinko.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iicc.fun"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veronicabal.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trxh.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trxq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trxu.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266971; rev:1;)
# Review note for the ip:port rule below: it has no flow or content keyword, only the header and a
# threshold, so any TCP packet from $HOME_NET to that address and port matches (presumably including
# an unanswered SYN). An alert therefore shows an attempted connection, not a completed session;
# check flow records for a response before escalating. threshold keeps output to one alert per
# source per 60 seconds. Port 443 on a single address can also serve unrelated sites, and address
# indicators age; re-check the reference URL against first_seen before acting.
alert tcp $HOME_NET any -> [47.237.82.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"91.92.244.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; 
classtype:trojan-activity; sid:91266961; rev:1;)
# Review notes for the rules that follow; three rule shapes are interleaved.
#  url rules (alert http): GET only, URI matched as a prefix (depth pins the start, nothing pins the
#    end), Host matched exactly (depth = pattern length plus isdataat:!1,relative). Several URIs are
#    names that also occur in ordinary web traffic ("/ga.js", "/jquery-3.3.1.min.js", "/pixel",
#    "/dot.gif", "/push", "/load", "/match"), so the exact Host value carries the specificity; a
#    request reaching the same server under another Host value does not match. The same request
#    inside TLS is presumably not seen without decryption - confirm per deployment.
#  ip:port rules (alert tcp): header plus threshold only, no flow or content keyword, so any TCP
#    packet from $HOME_NET to that address and port matches (presumably including an unanswered
#    SYN). Treat an alert as an attempted connection and check flow records for a response.
#    threshold keeps output to one alert per source per 60 seconds.
#  domain rules (alert dns): exact, case-insensitive match on the query name; subdomains of a
#    listed name are not covered. With an internal resolver, target:src_ip presumably marks the
#    resolver, not the originating host.
#  Some addresses appear in both shapes (121.43.146.19, 43.143.121.107, 141.164.52.164): the
#    ip:port rule names Cobalt Strike in msg while the url rule for the same address names no family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266960; rev:1;)
alert tcp $HOME_NET any -> [134.122.130.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266959; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.215] 15548 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266958; rev:1;)
alert tcp $HOME_NET any -> [87.121.105.244] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"42.140.200.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poopy.aarkhipov.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"poopy.aarkhipov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comm.sells-it.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coms.sells-it.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comss.sells-it.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comas.sells-it.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266949; rev:1;)
# duckdns.org is a dynamic-DNS provider: this rule matches only the one listed subdomain, exactly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nerakar.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266945; rev:1;)
alert tcp $HOME_NET any -> [121.43.146.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crush/v10.60/u23vvqgxfwvv"; depth:26; nocase; http.host; content:"121.43.146.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"14.5.161.232"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mybackups.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266902; rev:1;)
# Review note: rules with confidence_level 75 are interleaved with 100s below (sid 91266849,
# 91266848, 91266846, 91266847). The value appears only in msg and in metadata, and classtype is the
# same for all, so any severity routing has to key on one of those two fields.
alert tcp $HOME_NET any -> [5.39.43.50] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266849/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266849; rev:1;)
alert tcp $HOME_NET any -> [95.164.89.184] 41653 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eastcoastrest.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266848/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266848; rev:1;)
alert tcp $HOME_NET any -> [158.160.8.110] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266846; rev:1;)
alert tcp $HOME_NET any -> [198.144.229.143] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266847; rev:1;)
# Review note: the next rule is labelled payload delivery, not C2, and keys only on address and
# port 443; an address serving TLS may also host unrelated sites, so confirm with other telemetry.
alert tcp $HOME_NET any -> [193.124.22.107] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"123.60.182.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266941; rev:1;)
alert tcp $HOME_NET any -> [43.143.121.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.143.121.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"141.164.52.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266937; rev:1;)
alert tcp $HOME_NET any -> [141.164.52.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"117.72.36.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"117.72.47.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"147.135.211.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.60.182.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266933; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.49] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266930; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.67] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266931; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.70] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266932; rev:1;)
alert tcp $HOME_NET any -> [4.233.217.192] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"65.108.152.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266926; rev:1;) alert tcp $HOME_NET any -> [23.88.46.51] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266927; rev:1;) alert tcp $HOME_NET any -> [65.108.152.56] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.46.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266925; rev:1;) alert tcp $HOME_NET any -> [105.101.132.10] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-cycxnhe5-1302650299.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1266923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266923; rev:1;)
# ThreatFox indicator rules, one per line. The ip:port rules match on destination address and
# port alone (no flow or content keywords), so they fire on the first packet of a connection
# attempt; threshold limits each rule to one alert per source address per 60 seconds.
# For local tuning, prefer suppress/threshold entries keyed on sid over editing these lines.
alert tcp $HOME_NET any -> [38.6.177.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266922; rev:1;)
alert tcp $HOME_NET any -> [172.247.123.87] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266921; rev:1;)
# Domain rules match the query name exactly (depth plus isdataat:!1,relative), which is why
# the apex and the "azure." name are separate sids. Any other label under the same domain is
# not covered by these two rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftsoftwave.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azure.microsoftsoftwave.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266920; rev:1;)
# url rule: exact http.host, http.uri prefix match (start anchored by depth, end open), GET only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"azure.microsoftsoftwave.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266918; rev:1;)
alert tcp $HOME_NET any -> [154.198.245.62] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266917; rev:1;)
alert tcp $HOME_NET any -> [124.70.102.58] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266916; rev:1;)
alert tcp $HOME_NET any -> [64.188.26.202] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266915; rev:1;)
alert tcp $HOME_NET any -> [121.40.146.236] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266914; rev:1;)
# 124.220.21.75 is covered twice: as http.host in the url rule and as the destination of the
# ip:port rule on port 80, so one cleartext request can raise both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.21.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266913; rev:1;)
alert tcp $HOME_NET any -> [124.220.21.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266912; rev:1;)
alert tcp $HOME_NET any -> [43.140.200.250] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266911; rev:1;)
alert tcp $HOME_NET any -> [86.104.74.31] 9981 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266910; rev:1;)
# The remaining ip:port rules in this group are confidence_level 50, several on ports 80/443
# and two labelled "Unknown malware". They match on address and port alone, so treat a hit as
# a lead to corroborate (endpoint telemetry, the referenced ThreatFox entry), not as
# confirmation of compromise.
alert tcp $HOME_NET any -> [23.224.233.76] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266909; rev:1;)
alert tcp $HOME_NET any -> [66.42.49.63] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266908; rev:1;)
alert tcp $HOME_NET any -> [41.97.25.181] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266907; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20048 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266906; rev:1;)
alert tcp $HOME_NET any -> [36.150.240.37] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266905; rev:1;)
alert tcp $HOME_NET any -> [111.6.178.72] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"144.48.9.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c035a2f2.php"; depth:13; nocase; http.host; content:"a0951158.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1266901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266901; rev:1;)
# ThreatFox indicator rules, one per line.
# url rules: "GET" in http.method, exact http.host, and an http.uri that begins with the listed
# string (case-insensitive; depth anchors the start only). They apply only to traffic Suricata
# parses as HTTP. msg carries no family name; the reference URL is the place to look it up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cf5cbdf706840b3f.php"; depth:21; nocase; http.host; content:"okkolus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cn80908.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmpipepollpacketgamedatalifepublic.php"; depth:47; nocase; http.host; content:"937039cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266864; rev:1;)
# ip:port rules at confidence_level 50 follow, most on ports 80, 443 or 8888 and several
# labelled "Unknown malware". With no flow or content keywords, any TCP packet to the address
# and port matches, so a hit records a connection attempt only. Corroborate before escalating,
# and check the reference entry for whether the indicator is still current.
alert tcp $HOME_NET any -> [45.150.67.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266862; rev:1;)
alert tcp $HOME_NET any -> [104.236.199.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266861; rev:1;)
alert tcp $HOME_NET any -> [154.88.23.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266860; rev:1;)
alert tcp $HOME_NET any -> [47.109.29.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266859; rev:1;)
alert tcp $HOME_NET any -> [65.20.85.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266858; rev:1;)
alert tcp $HOME_NET any -> [149.109.132.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266857; rev:1;)
alert tcp $HOME_NET any -> [197.87.143.78] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266856; rev:1;)
alert tcp $HOME_NET any -> [86.166.47.91] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266855; rev:1;)
alert tcp $HOME_NET any -> [155.138.128.220] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266854; rev:1;)
alert tcp $HOME_NET any -> [20.93.16.228] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266853; rev:1;)
alert tcp $HOME_NET any -> [99.83.229.219] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266851; rev:1;)
alert tcp $HOME_NET any -> [111.31.37.38] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266850; rev:1;)
# Destination port 23 (Telnet) on the next three rules. Each keys on one listed address, so
# outbound Telnet to any other address is outside their scope; where nothing in $HOME_NET
# needs outbound Telnet, an egress filter on the port covers more than these per-address rules.
alert tcp $HOME_NET any -> [94.156.67.181] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266843; rev:1;)
alert tcp $HOME_NET any -> [216.238.88.174] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266844; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.3] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266845; rev:1;)
alert tcp $HOME_NET any -> [146.59.3.38] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266842; rev:1;)
# 94.156.68.142 is covered by both an ip:port rule (port 80) and a url rule with the address as
# http.host; one cleartext request can raise both sids.
alert tcp $HOME_NET any -> [94.156.68.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"94.156.68.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"123.57.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266839; rev:1;)
alert tcp $HOME_NET any -> [167.71.242.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266836; rev:1;)
alert tcp $HOME_NET any -> [80.87.206.203] 8956 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266835/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266835; rev:1;)
# ThreatFox url rules at confidence_level 80, one per line. Each requires "GET" in http.method,
# an exact http.host, and an http.uri beginning with the listed path (case-insensitive).
# The rules fall into two groups that share one path each and differ only in http.host:
#   "/zdqyn2nmogezotlk/"  on the .xyz and .top hosts
#   "/ngi0mwewzji4zgq2/"  on the rabaffet*.com.tr hosts
# Because the host is matched exactly, a host that is not listed raises no alert even when it
# serves the same path; the shared path is the more durable pivot when searching HTTP logs.
# msg names no malware family; see the reference URL of each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jilkqypt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jivmzylf.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kipxfuvz.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"bluzgipx.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zwolkrip.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zyrmjuxp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fqunpluz.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266824/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zixpjovr.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qyrlzymp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet2.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet.com.tr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet3.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet4.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet5.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet6.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet7.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet8.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; 
sid:91266834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"ploxqenj.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kuplzavn.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fruzjenk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zyptqalv.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266812/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fwizjexy.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266813/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266813; rev:1;)
# One rule per host, all with the same path and the same confidence_level 80. A client that cycles
# through several of these hosts raises one alert per sid, so aggregate by source address and URI path
# to see it as a single finding.
# flow:established,from_client means the rule looks at the request only. An alert says the client asked
# for the URL; the response status has to come from the HTTP log.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"plimqylx.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"klurjorp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266811/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"gufxdixt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jiqkkuzn.xyz";
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266808/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266808; rev:1;)
# URL indicators: URI prefix "/zdqyn2nmogezotlk/" with an exact Host match, GET requests only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fpyxzorv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266807/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qwipblom.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266809/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266809; rev:1;)
# ip:port indicator: no flow, flags or content keyword, so any packet from $HOME_NET to this address and
# port is enough to alert, including a connection attempt that is never answered. The threshold caps
# output at one alert per source address per 60 seconds. Confirm from flow records that data was
# exchanged before treating the alert as a live C2 session.
alert tcp $HOME_NET any -> [209.25.141.212] 32243 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266758; rev:1;)
# Domain indicator: dns_query content with depth:18 and isdataat:!1,relative matches this query name
# exactly; other names under the same parent domain do not match. The alert is on the lookup, so the
# flagged source may be an internal resolver rather than the endpoint that asked for the name.
# NOTE(review): the parent looks like a shared tunnelling service domain - confirm before any
# parent-level blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"july-pty.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266759; rev:1;)
alert tcp $HOME_NET any -> [45.146.234.130] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266806; rev:1;)
# URL indicators whose Host is an IP literal. The http.host match is exact, so a client that reaches the
# same server under a domain name in the Host header does not match these rules.
# The paths read like ordinary site content ("/category/research-2/", "/push"); the pinned host is what
# keeps the rules specific. Each path is a prefix match: "/push" with depth:5 also matches any longer
# URI that starts with those five bytes on that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/category/research-2/"; depth:21; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hubcap/mayo-clinic-radio-full-shows/"; depth:37; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266802/; target:src_ip; metadata: confidence_level 100, first_seen
2024_05_05; classtype:trojan-activity; sid:91266802; rev:1;)
# URL indicators on IP-literal hosts. Three paths are listed for 124.220.148.63, and the path
# "/ie9compatviewlist.xml" recurs on 88.214.26.29. nocase lets the lowercase pattern match a
# mixed-case request path as well.
# NOTE(review): paths of this shape are widely reported as default Cobalt Strike beacon URIs; the msg
# names no family, so confirm against the ThreatFox entry behind each reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 100%)"; dns_query; content:"eve.now-dns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266797; rev:1;)
# Domain indicator: exact match on the full query name (depth equals the name length and
# isdataat:!1,relative forbids trailing bytes), case-insensitive.
# NOTE(review): the parent domain looks like a shared tunnelling or dynamic-DNS service; the rule pins
# one customer name, so other names under the parent are unaffected - confirm before widening a block.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linux-treatment.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266796; rev:1;)
# ip:port indicators: header-only rules with no flow, flags or content keyword. Any packet from
# $HOME_NET to the address and port alerts, limited to one alert per source per 60 seconds. They
# identify a destination, not a protocol: nothing in the rule checks what is spoken on the port.
alert tcp $HOME_NET any -> [84.46.255.42] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266795; rev:1;)
alert tcp $HOME_NET any -> [38.6.193.7] 3588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266794; rev:1;)
alert tcp $HOME_NET any -> [45.125.67.207] 50070 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266793; rev:1;)
alert tcp $HOME_NET any -> [45.61.141.37] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266791/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266791; rev:1;)
# NOTE(review): 50050 is commonly the Cobalt Strike team-server (operator) port rather than a beacon
# listener. If so, a $HOME_NET host hitting this rule is more likely running operator tooling or a
# scanner than an implant - confirm against the ThreatFox entry.
alert tcp $HOME_NET any -> [45.61.141.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266792; rev:1;)
# Quasar RAT ip:port indicators: the rules below name one address, 176.241.64.239, and differ only in
# port, IOC id and sid. Treat hits across them as one destination when triaging.
alert tcp $HOME_NET any -> [176.241.64.239] 15443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266788; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 23142 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266789; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 51200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266790; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266785; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 5222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266786; rev:1;)
# Quasar RAT ip:port indicators, all for 176.241.64.239, one sid per port. Group alerts by destination
# address during triage: a client that hits several of these sids is a single finding.
# The rules carry no flow or content keyword, so they report traffic toward the address and port and
# nothing about the protocol spoken there.
alert tcp $HOME_NET any -> [176.241.64.239] 8636 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266787; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 49501 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266778; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 6007 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266779; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266780; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 1080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05;
classtype:trojan-activity; sid:91266781; rev:1;)
# Quasar RAT ip:port indicators for 176.241.64.239. The threshold is set on each rule separately and
# tracks by source, so a client that touches several of these ports within a minute still produces one
# alert per port. Deduplicate on (source, destination address) downstream if that volume is unwanted.
alert tcp $HOME_NET any -> [176.241.64.239] 6540 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266782; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 8159 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266783; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 51269 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266784; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 22206 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266769; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 44770 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266770; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266771; rev:1;)
# Quasar RAT ip:port indicators for 176.241.64.239. The ports mix low numbers (88, 939) with high
# ones; the rules have no content match, so they say nothing about the service on each port.
# NOTE(review): this many ports on one address presumably comes from automated discovery of the host;
# check the ThreatFox entries to see which ports were actually observed serving C2.
alert tcp $HOME_NET any -> [176.241.64.239] 30827 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266772; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 33786 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266773; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 88 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266774; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 939 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266775; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 8545 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266776; rev:1;)
alert tcp $HOME_NET any
-> [176.241.64.239] 25616 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266777; rev:1;)
# Quasar RAT ip:port indicators for 176.241.64.239. For containment, a single egress block on the
# destination address covers every port listed; the per-port sids remain useful for spotting which
# internal hosts still try to reach it.
# first_seen is the only date in the rule. The rule carries no expiry, so check that the address is
# still attributed to this activity before acting on an old indicator.
alert tcp $HOME_NET any -> [176.241.64.239] 28888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266760; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 38519 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266761; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 2762 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266762; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 6697 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266763; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 45835 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266764/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266764; rev:1;)
# Quasar RAT ip:port indicators for 176.241.64.239: header-only rules, one alert per source per
# 60 seconds for each sid.
alert tcp $HOME_NET any -> [176.241.64.239] 50995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266765; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 51601 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266766; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 52200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266767; rev:1;)
alert tcp $HOME_NET any -> [176.241.64.239] 831 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266768; rev:1;)
# NOTE(review): 31337 is commonly the Sliver operator (multiplayer) port rather than an implant
# listener. A $HOME_NET hit may therefore point at operator tooling or scanning instead of an infected
# host - confirm against the ThreatFox entry.
alert tcp $HOME_NET any -> [193.123.61.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266757; rev:1;)
alert tcp $HOME_NET any -> [192.121.102.103] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266756; rev:1;)
# ip:port indicators on 5000, 80 and 443. The rules match the packet header only, so traffic to 443 is
# flagged by destination alone and the TLS payload plays no part in the match. The first msg reads
# "Unknown malware": the feed gives a destination without a family to pivot on.
alert tcp $HOME_NET any -> [145.220.74.183] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266755; rev:1;)
alert tcp $HOME_NET any -> [45.86.162.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266753; rev:1;)
alert tcp $HOME_NET any -> [45.86.162.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266754; rev:1;)
# URL indicator: URI prefix plus exact Host match, GET requests over parsed HTTP only. The URL rules
# carry no threshold keyword, so every matching request raises its own alert; a polling client can
# generate a steady stream, and rate limiting has to happen downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollgeodatalifepublic.php"; depth:26; nocase; http.host; content:"630004cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/secure/longpollprivateasync/1testdump/traffic/flowerserverbase/test/trafficwordpressdatalifedlelocalprivatecdnuploadsdownloads.php"; depth:131; nocase; http.host; content:"147.45.44.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266751; rev:1;)
# ip:port indicator: header-only match, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [23.226.54.31] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266750; rev:1;)
# The same address, 47.237.65.40, appears in a URL rule (Host literal plus "/ga.js") and in an ip:port
# rule on port 80. One plain-HTTP request to that URL can raise both sids, so correlate by source and
# destination rather than counting them as separate events. Only the ip:port msg names a family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.237.65.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266749; rev:1;)
alert tcp $HOME_NET any -> [47.237.65.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266747;
rev:1;)
# ip:port indicators: header-only rules, so an alert records traffic toward the address and port, not
# a confirmed session. Check flow records for bytes in both directions.
alert tcp $HOME_NET any -> [110.41.21.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266746; rev:1;)
alert tcp $HOME_NET any -> [101.35.250.49] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266745; rev:1;)
# The two NjRAT rules share port 14964 and carry confidence_level 75.
# NOTE(review): both addresses appear to sit in public-cloud address space, where one IP can front
# unrelated tenants or a tunnelling service; verify current ownership before blocking on address alone.
alert tcp $HOME_NET any -> [35.157.111.131] 14964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266706; rev:1;)
alert tcp $HOME_NET any -> [3.125.188.168] 14964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266707; rev:1;)
alert tcp $HOME_NET any -> [82.197.93.75] 19851 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"custom-packaging-products.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1266737/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266737; rev:1;)
# ip:port indicators at confidence_level 50, mostly on 80 and 443. These are the weakest rules in this
# stretch: the match is destination address and port only, the feed's own confidence is 50, and three
# of them name no family ("Unknown malware").
# Operational note: route on metadata confidence_level (for example, alert-only for 50, block for 100)
# and look for corroborating evidence on the source host before containment. Web-port addresses may
# also serve unrelated content.
alert tcp $HOME_NET any -> [95.216.210.70] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266744; rev:1;)
alert tcp $HOME_NET any -> [80.253.246.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266743; rev:1;)
alert tcp $HOME_NET any -> [154.204.57.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266742; rev:1;)
alert tcp $HOME_NET any -> [41.99.250.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266741; rev:1;)
alert tcp $HOME_NET any -> [197.86.195.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266740; rev:1;)
alert tcp $HOME_NET any -> [80.210.56.248] 587 (msg:"ThreatFox
Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266739; rev:1;)
# ip:port indicators at confidence_level 50 to 80, first_seen 2024_05_04. Header-only rules: an alert
# means a $HOME_NET host sent a packet to the address and port. Confirm an established session from
# flow records.
alert tcp $HOME_NET any -> [36.147.2.78] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266738; rev:1;)
# NOTE(review): 3790 is also the usual Metasploit Pro web UI port, so this indicator may describe
# operator-side infrastructure rather than a payload listener - confirm against the ThreatFox entry.
alert tcp $HOME_NET any -> [45.8.145.158] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266734/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266734; rev:1;)
# RisePro: two addresses on the same port, 8081.
alert tcp $HOME_NET any -> [80.76.49.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266733/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266733; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.91] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266732/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266732; rev:1;)
alert tcp $HOME_NET any -> [54.37.74.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266731/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04;
classtype:trojan-activity; sid:91266731; rev:1;)
# ip:port indicators at confidence_level 80: header-only match, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [8.218.163.207] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266730/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266730; rev:1;)
alert tcp $HOME_NET any -> [138.124.180.93] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266729/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266729; rev:1;)
# Payload-delivery URL indicators. The msg says "payload delivery" rather than "botnet C2", while the
# classtype stays trojan-activity, so the msg text is the only field that separates a download attempt
# from a C2 check-in.
# The rules inspect the request only (flow:established,from_client). An alert shows the client asked
# for the file; use the HTTP and file logs to see whether a body was returned and written to disk.
# ".a3x" is the extension used for compiled AutoIt scripts. The "/test.txt" rule is specific only
# because the Host is pinned to this address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iopsmxt.a3x"; depth:12; nocase; http.host; content:"45.154.98.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.txt"; depth:9; nocase; http.host; content:"45.154.98.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pqkizk.exe"; depth:11; nocase; http.host; content:"45.154.98.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266726/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-ops/yreuit.a3x"; depth:17; nocase; http.host; content:"194.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-ops/test.txt"; depth:15; nocase; http.host; content:"194.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-ops/ncvui.exe"; depth:16; nocase; http.host; content:"194.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266723; rev:1;) alert tcp $HOME_NET any -> [1.34.91.90] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266722/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266722; rev:1;) alert tcp $HOME_NET any -> [167.179.81.150] 800 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266721/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266721; rev:1;) alert tcp $HOME_NET any -> [91.92.245.171] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266720; rev:1;) alert tcp $HOME_NET any -> [104.248.7.62] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266719; rev:1;) alert tcp $HOME_NET any -> [46.246.6.5] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266718; rev:1;) alert tcp $HOME_NET any -> [187.170.72.64] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266717; rev:1;) alert tcp $HOME_NET any -> [41.99.71.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266716; rev:1;) alert tcp $HOME_NET any -> [52.51.249.79] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266715; rev:1;) alert tcp $HOME_NET any -> [121.127.33.246] 38442 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266714; rev:1;) alert tcp $HOME_NET any -> [91.210.107.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266713; rev:1;) alert tcp $HOME_NET any -> [5.104.80.155] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266712; rev:1;) alert tcp $HOME_NET any -> [182.176.35.160] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266711; rev:1;) alert tcp $HOME_NET any -> [121.36.16.229] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266710/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_04; classtype:trojan-activity; sid:91266710; rev:1;)
# ip:port indicators: no flow or payload keyword, so a rule fires on any TCP packet
# from $HOME_NET to the listed address and port (a connection attempt, not a decoded
# C2 session), limited to one alert per source per 60 seconds for each sid.
# Two Sliver sids share one address; a host touching both ports raises two alerts.
# NOTE(review): Sliver is also used in authorised security testing; check for a
# sanctioned engagement when triaging.
alert tcp $HOME_NET any -> [185.209.31.28] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266709; rev:1;)
alert tcp $HOME_NET any -> [185.209.31.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266708; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.120] 1312 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266202/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266202; rev:1;)
# Domain indicator. depth:17 together with isdataat:!1,relative makes this an exact,
# case-insensitive match on the queried name; a query for a subdomain of the
# indicator does not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chatgpt-app.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266214; rev:1;)
# URL indicators. http.host must equal the listed value exactly (depth equals the
# string length, isdataat:!1,relative rejects trailing bytes); http.uri is anchored
# only at the start, so longer URIs beginning with the same path also match.
# Several paths below are short and generic ("/cm", "/ga.js", "/fwlink"), which
# means the specificity of those alerts rests entirely on the http.host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reactivate/encryption/lkpfsfmbp"; depth:32; nocase; http.host; content:"106.54.41.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"84.46.255.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"113.125.18.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"113.125.18.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266507; rev:1;)
# ERMAC ip:port indicators on port 80: address and port only, so any TCP traffic
# from $HOME_NET to that endpoint alerts, whatever it carries.
alert tcp $HOME_NET any -> [45.88.90.29] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11836452.php"; depth:13; nocase; http.host; content:"a0949002.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266505; rev:1;)
alert tcp $HOME_NET any -> [80.76.49.6] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266504; rev:1;)
alert tcp $HOME_NET any -> [85.209.133.240] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266503; rev:1;)
# DarkComet: one address listed on several ports, one sid per port. The threshold is
# tracked per sid, so a single host contacting several of these ports produces one
# alert per port per minute rather than one alert in total.
alert tcp $HOME_NET any -> [187.135.83.41] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266501; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.41] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266502; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.41] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266498; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.41] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266499; rev:1;)
# ip:port indicators, all at confidence_level 100. Each rule matches on destination
# address and port alone (no flow or payload keyword), so an alert means a host in
# $HOME_NET sent TCP traffic to the indicator; it does not confirm the malware
# family named in msg. One alert per source address per 60 seconds for each sid.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9.
alert tcp $HOME_NET any -> [187.135.83.41] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266500; rev:1;)
alert tcp $HOME_NET any -> [105.102.94.27] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266497; rev:1;)
alert tcp $HOME_NET any -> [105.101.125.80] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266496; rev:1;)
alert tcp $HOME_NET any -> [118.68.145.50] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266495; rev:1;)
alert tcp $HOME_NET any -> [45.145.43.183] 9955 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266494; rev:1;)
alert tcp $HOME_NET any -> [42.119.107.175] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266493; rev:1;)
alert tcp $HOME_NET any -> [202.188.41.179] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266492; rev:1;)
alert tcp $HOME_NET any -> [191.82.192.124] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266491; rev:1;)
alert tcp $HOME_NET any -> [181.162.177.31] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266490; rev:1;)
alert tcp $HOME_NET any -> [181.162.143.146] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266489; rev:1;)
alert tcp $HOME_NET any -> [177.68.45.3] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266488; rev:1;)
alert tcp $HOME_NET any -> [45.125.44.78] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266487; rev:1;)
# DCRat indicators. The 137.175.123.x entries are consecutive addresses on one port,
# each with its own sid; because the threshold is tracked per sid, a host that
# contacts several of them produces one alert per address per minute.
alert tcp $HOME_NET any -> [101.43.49.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266486; rev:1;)
alert tcp $HOME_NET any -> [65.109.22.155] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266485; rev:1;)
alert tcp $HOME_NET any -> [137.175.123.61] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266480; rev:1;)
alert tcp $HOME_NET any -> [137.175.123.62] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266481; rev:1;)
alert tcp $HOME_NET any -> [137.175.123.63] 8848 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266482; rev:1;)
# DCRat ip:port indicators, all on port 8848 at confidence_level 100: consecutive
# addresses in 137.175.123.x and 137.175.77.x, one rule and one sid per address
# (sid = ThreatFox IOC id with a leading 9). The rules are not in address order.
# Each rule matches on destination address and port alone, with no flow or payload
# keyword, so an alert records TCP traffic to the indicator rather than a decoded
# DCRat session. The threshold is per sid and per source: a host that walks the
# range produces one alert per address per minute, so correlate by src_ip and by
# the shared /24 when triaging instead of treating each sid as a separate event.
# NOTE(review): no rule for 137.175.77.94 appears in this span; confirm against the
# feed before assuming the whole range is covered.
alert tcp $HOME_NET any -> [137.175.123.64] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266483; rev:1;)
alert tcp $HOME_NET any -> [137.175.123.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266484; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266472; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.119] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266473; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266474; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.121] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266475; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.122] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266476; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.123] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266477; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266478; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.125] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266479; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266465; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.112] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266466; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.113] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266467; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.114] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266468; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266469; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.116] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266470; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.117] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266471; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.103] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266457; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.104] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266458; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.105] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266459; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266460; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266461; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.108] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266462; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266463; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.110] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266464; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.95] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266449; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266450; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.97] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266451; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266452; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266453; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266454; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.101] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266455; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.102] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266456; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.85] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266440; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.86] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266441; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.87] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266442; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.88] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266443; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266444; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.90] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266445; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.91] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266446; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.92] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266447; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.93] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266448; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266431; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.77] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266432; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.78] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266433; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266434; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266435; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266436; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266437; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.83] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266438; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.84] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266439; rev:1;) alert tcp $HOME_NET any -> [137.175.77.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266422; rev:1;) alert tcp $HOME_NET any -> [137.175.77.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266423; rev:1;) alert tcp $HOME_NET any -> [137.175.77.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266424; rev:1;) alert tcp $HOME_NET any -> [137.175.77.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266425; rev:1;) alert tcp $HOME_NET any -> [137.175.77.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266426; 
rev:1;) alert tcp $HOME_NET any -> [137.175.77.72] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266427; rev:1;) alert tcp $HOME_NET any -> [137.175.77.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266428; rev:1;) alert tcp $HOME_NET any -> [137.175.77.74] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266429; rev:1;) alert tcp $HOME_NET any -> [137.175.77.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266430; rev:1;) alert tcp $HOME_NET any -> [137.175.73.121] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266415; rev:1;) alert tcp $HOME_NET any -> [137.175.73.122] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266416/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266416; rev:1;) alert tcp $HOME_NET any -> [137.175.73.123] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266417; rev:1;) alert tcp $HOME_NET any -> [137.175.73.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266418; rev:1;) alert tcp $HOME_NET any -> [137.175.73.125] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266419; rev:1;) alert tcp $HOME_NET any -> [137.175.77.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266420; rev:1;) alert tcp $HOME_NET any -> [137.175.77.66] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266421; rev:1;) alert tcp $HOME_NET any -> [137.175.73.113] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266407; rev:1;) alert tcp $HOME_NET any -> [137.175.73.114] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266408; rev:1;) alert tcp $HOME_NET any -> [137.175.73.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266409; rev:1;) alert tcp $HOME_NET any -> [137.175.73.116] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266410; rev:1;) alert tcp $HOME_NET any -> [137.175.73.117] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266411; rev:1;) alert tcp $HOME_NET any -> [137.175.73.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266412; rev:1;) alert tcp $HOME_NET 
any -> [137.175.73.119] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266413; rev:1;) alert tcp $HOME_NET any -> [137.175.73.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266414; rev:1;) alert tcp $HOME_NET any -> [137.175.73.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266400; rev:1;) alert tcp $HOME_NET any -> [137.175.73.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266401; rev:1;) alert tcp $HOME_NET any -> [137.175.73.108] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266402; rev:1;) alert tcp $HOME_NET any -> [137.175.73.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266403/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266403; rev:1;) alert tcp $HOME_NET any -> [137.175.73.110] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266404; rev:1;) alert tcp $HOME_NET any -> [137.175.73.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266405; rev:1;) alert tcp $HOME_NET any -> [137.175.73.112] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266406; rev:1;) alert tcp $HOME_NET any -> [137.175.73.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266393; rev:1;) alert tcp $HOME_NET any -> [137.175.73.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266394; rev:1;) alert tcp $HOME_NET any -> [137.175.73.101] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266395; rev:1;) alert tcp $HOME_NET any -> [137.175.73.102] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266396; rev:1;) alert tcp $HOME_NET any -> [137.175.73.103] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266397; rev:1;) alert tcp $HOME_NET any -> [137.175.73.104] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266398; rev:1;) alert tcp $HOME_NET any -> [137.175.73.105] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266399; rev:1;) alert tcp $HOME_NET any -> [137.175.73.90] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266384; rev:1;) alert tcp $HOME_NET any -> [137.175.73.91] 
8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266385; rev:1;) alert tcp $HOME_NET any -> [137.175.73.92] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266386; rev:1;) alert tcp $HOME_NET any -> [137.175.73.93] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266387; rev:1;) alert tcp $HOME_NET any -> [137.175.73.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266388; rev:1;) alert tcp $HOME_NET any -> [137.175.73.95] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266389; rev:1;) alert tcp $HOME_NET any -> [137.175.73.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266390/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_04; classtype:trojan-activity; sid:91266390; rev:1;) alert tcp $HOME_NET any -> [137.175.73.97] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266391; rev:1;) alert tcp $HOME_NET any -> [137.175.73.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266392; rev:1;) alert tcp $HOME_NET any -> [137.175.73.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266375; rev:1;) alert tcp $HOME_NET any -> [137.175.73.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266376; rev:1;) alert tcp $HOME_NET any -> [137.175.73.83] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266377; rev:1;) alert tcp $HOME_NET any -> [137.175.73.84] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1266378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266378; rev:1;) alert tcp $HOME_NET any -> [137.175.73.85] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266379; rev:1;) alert tcp $HOME_NET any -> [137.175.73.86] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266380; rev:1;) alert tcp $HOME_NET any -> [137.175.73.87] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266381; rev:1;) alert tcp $HOME_NET any -> [137.175.73.88] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266382; rev:1;) alert tcp $HOME_NET any -> [137.175.73.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266383; rev:1;) alert tcp $HOME_NET any -> [137.175.73.73] 8848 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266367; rev:1;) alert tcp $HOME_NET any -> [137.175.73.74] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266368; rev:1;) alert tcp $HOME_NET any -> [137.175.73.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266369; rev:1;) alert tcp $HOME_NET any -> [137.175.73.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266370; rev:1;) alert tcp $HOME_NET any -> [137.175.73.77] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266371; rev:1;) alert tcp $HOME_NET any -> [137.175.73.78] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266372; rev:1;) alert tcp $HOME_NET any -> [137.175.73.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266373; rev:1;) alert tcp $HOME_NET any -> [137.175.73.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266374; rev:1;) alert tcp $HOME_NET any -> [137.175.70.125] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266358; rev:1;) alert tcp $HOME_NET any -> [137.175.73.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266359; rev:1;) alert tcp $HOME_NET any -> [137.175.73.66] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266360; rev:1;) alert tcp $HOME_NET any -> [137.175.73.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266361; rev:1;) alert tcp $HOME_NET any -> [137.175.73.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266362; rev:1;) alert tcp $HOME_NET any -> [137.175.73.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266363; rev:1;) alert tcp $HOME_NET any -> [137.175.73.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266364; rev:1;) alert tcp $HOME_NET any -> [137.175.73.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266365; rev:1;) alert tcp $HOME_NET any -> [137.175.73.72] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266366; rev:1;) alert tcp $HOME_NET any -> [137.175.70.117] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266350; rev:1;) alert tcp $HOME_NET any -> [137.175.70.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266351; rev:1;) alert tcp $HOME_NET any -> [137.175.70.119] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266352; rev:1;) alert tcp $HOME_NET any -> [137.175.70.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266353; rev:1;) alert tcp $HOME_NET any -> [137.175.70.121] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266354; rev:1;) alert tcp $HOME_NET any -> [137.175.70.122] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266355; 
rev:1;) alert tcp $HOME_NET any -> [137.175.70.123] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266356; rev:1;) alert tcp $HOME_NET any -> [137.175.70.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266357; rev:1;) alert tcp $HOME_NET any -> [137.175.70.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266344; rev:1;) alert tcp $HOME_NET any -> [137.175.70.112] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266345; rev:1;) alert tcp $HOME_NET any -> [137.175.70.113] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266346; rev:1;) alert tcp $HOME_NET any -> [137.175.70.114] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266347/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266347; rev:1;) alert tcp $HOME_NET any -> [137.175.70.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266348; rev:1;) alert tcp $HOME_NET any -> [137.175.70.116] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266349; rev:1;) alert tcp $HOME_NET any -> [137.175.70.104] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266337; rev:1;) alert tcp $HOME_NET any -> [137.175.70.105] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266338; rev:1;) alert tcp $HOME_NET any -> [137.175.70.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266339; rev:1;) alert tcp $HOME_NET any -> [137.175.70.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266340; rev:1;) alert tcp $HOME_NET any -> [137.175.70.108] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266341; rev:1;) alert tcp $HOME_NET any -> [137.175.70.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266342; rev:1;) alert tcp $HOME_NET any -> [137.175.70.110] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266343; rev:1;) alert tcp $HOME_NET any -> [137.175.70.95] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266328; rev:1;) alert tcp $HOME_NET any -> [137.175.70.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266329; rev:1;) alert tcp $HOME_NET 
any -> [137.175.70.97] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266330; rev:1;) alert tcp $HOME_NET any -> [137.175.70.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266331; rev:1;) alert tcp $HOME_NET any -> [137.175.70.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266332; rev:1;) alert tcp $HOME_NET any -> [137.175.70.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266333; rev:1;) alert tcp $HOME_NET any -> [137.175.70.101] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266334; rev:1;) alert tcp $HOME_NET any -> [137.175.70.102] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266335/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266335; rev:1;) alert tcp $HOME_NET any -> [137.175.70.103] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266336; rev:1;) alert tcp $HOME_NET any -> [137.175.70.87] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266320; rev:1;) alert tcp $HOME_NET any -> [137.175.70.88] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266321; rev:1;) alert tcp $HOME_NET any -> [137.175.70.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266322; rev:1;) alert tcp $HOME_NET any -> [137.175.70.90] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266323; rev:1;) alert tcp $HOME_NET any -> [137.175.70.91] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266324; rev:1;) alert tcp $HOME_NET any -> [137.175.70.92] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266325; rev:1;) alert tcp $HOME_NET any -> [137.175.70.93] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266326; rev:1;) alert tcp $HOME_NET any -> [137.175.70.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266327; rev:1;) alert tcp $HOME_NET any -> [137.175.70.78] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266311; rev:1;) alert tcp $HOME_NET any -> [137.175.70.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266312; rev:1;) alert tcp $HOME_NET any -> [137.175.70.80] 8848 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266313; rev:1;) alert tcp $HOME_NET any -> [137.175.70.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266314; rev:1;) alert tcp $HOME_NET any -> [137.175.70.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266315; rev:1;) alert tcp $HOME_NET any -> [137.175.70.83] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266316; rev:1;) alert tcp $HOME_NET any -> [137.175.70.84] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266317; rev:1;) alert tcp $HOME_NET any -> [137.175.70.85] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266318/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_04; classtype:trojan-activity; sid:91266318; rev:1;) alert tcp $HOME_NET any -> [137.175.70.86] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266319; rev:1;) alert tcp $HOME_NET any -> [137.175.70.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266302; rev:1;) alert tcp $HOME_NET any -> [137.175.70.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266303; rev:1;) alert tcp $HOME_NET any -> [137.175.70.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266304; rev:1;) alert tcp $HOME_NET any -> [137.175.70.72] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266305; rev:1;) alert tcp $HOME_NET any -> [137.175.70.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1266306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266306; rev:1;)
# DCRat ip:port indicators, continued: the 137.175.70.x addresses visible here
# (.74-.77) and the start of a 137.175.68.x run (.250, .251), all on TCP 8848.
# NOTE(review): consecutive addresses, consecutive IOC ids and one shared first_seen
# date suggest a single bulk submission of an address range rather than separately
# observed servers - confirm on the referenced ThreatFox pages before treating
# every address as an active controller.
# Each address carries its own sid and reference, so a hit maps to exactly one IOC.
# Folding the run into one local rule with an address group would cut rule count but
# lose that per-IOC mapping.
alert tcp $HOME_NET any -> [137.175.70.74] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266307; rev:1;)
alert tcp $HOME_NET any -> [137.175.70.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266308; rev:1;)
alert tcp $HOME_NET any -> [137.175.70.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266309; rev:1;)
alert tcp $HOME_NET any -> [137.175.70.77] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266310; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.250] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266294; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.251] 8848 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266295; rev:1;) alert tcp $HOME_NET any -> [137.175.68.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266296; rev:1;) alert tcp $HOME_NET any -> [137.175.68.253] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266297; rev:1;) alert tcp $HOME_NET any -> [137.175.70.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266298; rev:1;) alert tcp $HOME_NET any -> [137.175.70.66] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266299; rev:1;) alert tcp $HOME_NET any -> [137.175.70.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266300; rev:1;) alert tcp $HOME_NET any -> [137.175.70.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266301; rev:1;) alert tcp $HOME_NET any -> [137.175.68.243] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266287; rev:1;) alert tcp $HOME_NET any -> [137.175.68.244] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266288; rev:1;) alert tcp $HOME_NET any -> [137.175.68.245] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266289; rev:1;) alert tcp $HOME_NET any -> [137.175.68.246] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266290; rev:1;) alert tcp $HOME_NET any -> [137.175.68.247] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266291; rev:1;) alert tcp $HOME_NET any -> [137.175.68.248] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266292; rev:1;) alert tcp $HOME_NET any -> [137.175.68.249] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266293; rev:1;) alert tcp $HOME_NET any -> [137.175.68.235] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266279; rev:1;) alert tcp $HOME_NET any -> [137.175.68.236] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266280; rev:1;) alert tcp $HOME_NET any -> [137.175.68.237] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266281; rev:1;) alert tcp $HOME_NET any -> [137.175.68.238] 8848 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266282; rev:1;) alert tcp $HOME_NET any -> [137.175.68.239] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266283; rev:1;) alert tcp $HOME_NET any -> [137.175.68.240] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266284; rev:1;) alert tcp $HOME_NET any -> [137.175.68.241] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266285; rev:1;) alert tcp $HOME_NET any -> [137.175.68.242] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266286; rev:1;) alert tcp $HOME_NET any -> [137.175.68.232] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266276; rev:1;) alert tcp $HOME_NET any -> [137.175.68.233] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266277; rev:1;) alert tcp $HOME_NET any -> [137.175.68.234] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266278; rev:1;) alert tcp $HOME_NET any -> [137.175.68.225] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266269; rev:1;) alert tcp $HOME_NET any -> [137.175.68.226] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266270; rev:1;) alert tcp $HOME_NET any -> [137.175.68.227] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266271; rev:1;) alert tcp $HOME_NET any -> [137.175.68.228] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266272; rev:1;) alert tcp $HOME_NET any -> [137.175.68.229] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266273; rev:1;) alert tcp $HOME_NET any -> [137.175.68.230] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266274; rev:1;) alert tcp $HOME_NET any -> [137.175.68.231] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266275; rev:1;) alert tcp $HOME_NET any -> [137.175.68.218] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266262; rev:1;) alert tcp $HOME_NET any -> [137.175.68.219] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266263; rev:1;) alert tcp $HOME_NET any -> [137.175.68.220] 8848 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266264; rev:1;) alert tcp $HOME_NET any -> [137.175.68.221] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266265; rev:1;) alert tcp $HOME_NET any -> [137.175.68.222] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266266; rev:1;) alert tcp $HOME_NET any -> [137.175.68.223] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266267; rev:1;) alert tcp $HOME_NET any -> [137.175.68.224] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266268; rev:1;) alert tcp $HOME_NET any -> [137.175.68.210] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266254; rev:1;) alert tcp $HOME_NET any -> [137.175.68.211] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266255; rev:1;) alert tcp $HOME_NET any -> [137.175.68.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266256; rev:1;) alert tcp $HOME_NET any -> [137.175.68.213] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266257; rev:1;) alert tcp $HOME_NET any -> [137.175.68.214] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266258; rev:1;) alert tcp $HOME_NET any -> [137.175.68.215] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266259; rev:1;) alert tcp $HOME_NET any -> [137.175.68.216] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266260; rev:1;)
# IP:port indicators, DCRat C2: 137.175.68.193-209 and .217 on 8848/tcp, one rule per address.
# These rules carry no flow or payload keywords, so any TCP packet from $HOME_NET to the listed
# address and port raises the alert. "threshold: type limit, track by_src, seconds 60, count 1"
# caps each rule at one alert per source address per 60 seconds.
# target:src_ip records the internal source as the affected side of the event.
# An alert shows a connection attempt to a listed endpoint, not DCRat protocol content; corroborate
# with flow records or endpoint telemetry when triaging.
alert tcp $HOME_NET any -> [137.175.68.217] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266261; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.203] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266247; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.204] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266248; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.205] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266249; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.206] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266250; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.207] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266251; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.208] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266252; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.209] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266253; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.195] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266239; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.196] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266240; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.197] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266241; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.198] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266242; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.199] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266243; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.200] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266244; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.201] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266245; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.202] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266246; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.193] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266237; rev:1;)
alert tcp $HOME_NET any -> [137.175.68.194] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266238; rev:1;)
# Domain indicators: the content is anchored at the start of the dns_query buffer (depth equals the
# name length) and isdataat:!1,relative requires that nothing follows it, so only a query for
# exactly this name matches (case-insensitively); a subdomain of it does not.
# The msg of these domain rules names no malware family; the reference URL is the lookup key.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beshomandotestbesnd.run.place"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266236; rev:1;)
alert tcp $HOME_NET any -> [186.137.33.82] 2112 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strekhost2085.con-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266234; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.2] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266233; rev:1;)
alert tcp $HOME_NET 
any -> [128.90.103.39] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266231; rev:1;)
# IP:port indicators (AsyncRAT, Sliver, Cobalt Strike and entries the feed labels "Unknown malware").
# Each rule is one address/port pair; an address listed with several ports gets one rule, one sid
# and one ThreatFox reference per port.
# The only match criteria are destination address and port: there is no flow, payload or
# application-layer keyword. The threshold limits each rule to one alert per source address per
# 60 seconds, so an alert does not indicate how many connections were made.
alert tcp $HOME_NET any -> [128.90.123.87] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266232; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.216] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266230; rev:1;)
alert tcp $HOME_NET any -> [85.107.228.217] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266229; rev:1;)
alert tcp $HOME_NET any -> [85.107.228.217] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266227; rev:1;)
alert tcp $HOME_NET any -> [85.107.228.217] 7070 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266228; rev:1;)
alert tcp $HOME_NET any -> [51.81.105.250] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266226; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.21] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266222; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.21] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266223; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.21] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266224; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.21] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266225; rev:1;)
alert tcp $HOME_NET any -> [62.133.60.240] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266221; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.74] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266220; rev:1;)
alert tcp $HOME_NET any -> [168.100.9.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266219; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.214] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266215; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.214] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266216; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.214] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266217; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.214] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266218; rev:1;)
# The next rules use ports 80 and 443. Because only address and port are checked, any TCP traffic
# from $HOME_NET to that address on that port matches, whatever is being served there; treat a
# hit as a lead to confirm against HTTP/TLS logs rather than as proof of C2 by itself.
alert tcp $HOME_NET any -> [82.176.208.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266213; rev:1;)
alert tcp $HOME_NET any -> [54.82.65.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266212; rev:1;)
alert tcp $HOME_NET any -> [34.193.50.197] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266211; rev:1;)
alert tcp $HOME_NET any -> [45.136.15.209] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266210; rev:1;)
alert tcp $HOME_NET any -> [45.136.14.91] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266209; rev:1;)
# URL indicators: client-to-server requests on established flows whose method buffer contains GET.
# http.uri: the content is anchored at the start of the URI (depth equals its length) and compared
# case-insensitively, but nothing anchors the end, so it is a prefix match: "/ca" or "/pixel"
# also match longer paths that begin with those characters.
# http.host: depth plus isdataat:!1,relative make this an exact match on the whole host value,
# which is what keeps the short URI prefixes specific to one server.
# Unlike the ip:port rules, these carry no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"172.245.228.91"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266208; rev:1;)
# Same address as the URL rule above, as a bare ip:port indicator: any TCP packet to port 80 on it
# matches, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [172.245.228.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"senkiv.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266203; rev:1;)
# Domain indicators: the dns_query content is anchored at both ends (depth equals the name length,
# isdataat:!1,relative forbids trailing bytes), so only a query for exactly this name matches;
# subdomains need their own rule, as with 8996djnv.top and www.8996djnv.top further down.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"senkiv.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"18.167.36.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266201; rev:1;)
alert tcp $HOME_NET any -> [18.163.119.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266199; rev:1;)
alert tcp $HOME_NET any -> [18.163.119.175] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266200; rev:1;)
alert tcp $HOME_NET any -> [54.67.45.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266198; rev:1;)
# The host here is a single name under the shared cloudfront.net domain; the exact http.host match
# limits the rule to that one name, and the URI is still only a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"d30eev9g4ojzqi.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266197; rev:1;)
alert tcp $HOME_NET any -> [13.39.182.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266196; rev:1;)
alert tcp $HOME_NET any -> [207.148.30.221] 23392 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266195; rev:1;)
alert tcp $HOME_NET any -> [158.247.250.186] 5004 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8996djnv.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.8996djnv.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266193; rev:1;)
alert tcp $HOME_NET any -> [23.226.54.38] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.92.91.192"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266190; rev:1;)
alert tcp $HOME_NET any -> [1.92.91.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/dark.hta"; depth:43; 
nocase; http.host; content:"linktoxic34.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266188; rev:1;)
# Domain indicators. Every rule below has the same shape: the content is anchored at the start of
# the dns_query buffer (depth equals the name length) and isdataat:!1,relative forbids trailing
# bytes, so the queried name must equal the listed name (case-insensitively). Subdomains and
# sibling names are not covered.
# dns_query is the older spelling of the dns.query sticky buffer.
# These rules have no threshold: every matching query alerts. target:src_ip records the querying
# host, which behind an internal resolver is the resolver rather than the endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogmupdate.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266187; rev:1;)
# Run of .life names, each a 9-character label, all with first_seen 2024_05_04 and no family in the
# msg. The labels look machine-generated (an inference; confirm on the referenced ThreatFox
# entries). Since each rule matches one exact name, names absent from the feed go undetected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y0ue7nc4v.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c3x5wqfqd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p9m9as6rc.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5yv0b66c5.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8s75cl4j9.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x7ir6c3dp.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8jcl1fkor.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prl7fpdgq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uvx6qjirx.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mei2hlvph.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"497hssmh9.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vjgmo889e.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wox5mblpd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4kqz7kqt2.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzhihpnt2.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lcd7igvud.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"99t9f8t4c.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axqje16l4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wp9wddjn4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmsjfazpo.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8fqxxf116.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezsj23n67.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z75717vaj.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3rldogkrx.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7n9pjbnl.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266183; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o3f4d47j3.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266184; rev:1;)
# Domain indicators, .life names with 9-character labels. Each rule matches one exact query name:
# depth:14 anchors the 14-byte content at the start of the dns_query buffer and
# isdataat:!1,relative requires the buffer to end there; nocase makes the comparison
# case-insensitive. A subdomain or any name not listed here does not match.
# There is no threshold keyword, so repeated lookups of one name produce one alert per query.
# The msg names no family; the per-rule reference URL is the way to look up the entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cj87mkoo4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"govntutzt.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"un5nke6rt.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yombx43uh.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awjjbslep.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arl8xdy0i.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m460p6w8i.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ulfv8hiv3.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5hsghdbng.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awmv2d35g.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l9w8yn2fo.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jzvx353vf.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inekdxiil.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x5zxvz2yn.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xszhjlyga.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k4ikh1i8s.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8t8g8jquy.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lgu7drz5a.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2jlczycvw.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcyvzdeex.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"49jw256uc.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqfb13om6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rm43ln1wn.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1d98d2w0k.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"43dtvcgy6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2x5cn12li.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266154/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j2hsoa4va.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trfy09x33.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lnoz4exs6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y7mmp6opv.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pltfrvss1.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266103; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z4aarde49.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hdkyh1ns.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crbk7hduu.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p5zhkxu7x.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v4wlbpzf0.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qm4hupdsq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"go6nu8hgl.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaamc74sm.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23b3imkqh.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9qf9v3tgq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yg7kcxnie.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266114/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gebj02y46.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0a3myb17.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donkvamcz.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c231spcbk.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdyfmnlvv.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266119; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2niq3fv8t.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"44uegsxdd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8nrjr6hc4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jvmzaf24a.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9f8srknbf.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gpoxpkoiy.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynnlb3rus.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"292edkjz6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofav9exew.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaeo95mzk.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"db9oyi6b2.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266130/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d00d7ks32.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"11qet4bgg.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2a6m2wkiq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xky2lv24m.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmau5xobd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266091; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upxamcuma.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z1hf83vee.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yk37wagdg.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ajl0toabj.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qqpjqdylr.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"1wrap3lnr.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z8g4klplp.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7clm8w86o.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nii34kqrw.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dl23dcg0p.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwfkwiup6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266102/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.109.192.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266086; rev:1;) alert tcp $HOME_NET any -> [47.109.192.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.108.252.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266084; rev:1;) alert tcp $HOME_NET any -> [47.108.252.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266083; rev:1;) alert tcp $HOME_NET any -> [85.197.93.75] 19851 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266036/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266036; rev:1;) alert tcp $HOME_NET any -> [46.246.80.19] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whserver.exe"; depth:13; nocase; http.host; content:"1.92.90.232"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266047; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 39657 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"these-accommodation.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266052; rev:1;) alert tcp $HOME_NET any -> [141.8.193.79] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266077; rev:1;) alert tcp 
$HOME_NET any -> [47.99.152.157] 7894 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266082; rev:1;) alert tcp $HOME_NET any -> [94.156.69.245] 5801 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91265811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brownselocalsz.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91265812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klikkancontrolsx.ddnsfree.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91265813; rev:1;) alert tcp $HOME_NET any -> [47.92.149.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266080; rev:1;) alert tcp $HOME_NET any -> [47.92.149.15] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266081; rev:1;) alert tcp $HOME_NET any -> [47.92.149.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266079; rev:1;) alert tcp $HOME_NET any -> [8.130.134.5] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266078; rev:1;) alert tcp $HOME_NET any -> [124.221.226.243] 1414 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266076; rev:1;) alert tcp $HOME_NET any -> [120.53.87.29] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.54.23.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266074/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_04; classtype:trojan-activity; sid:91266074; rev:1;) alert tcp $HOME_NET any -> [106.54.23.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266073; rev:1;) alert tcp $HOME_NET any -> [49.232.236.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.139.120.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266071; rev:1;) alert tcp $HOME_NET any -> [43.139.120.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266069; rev:1;) alert tcp $HOME_NET any -> [43.139.120.180] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266070; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.139.107.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266068; rev:1;)
# ip:port rules (sids 91266067, 91266066, 91266064, 91266063 and the rule that
# starts at the end of this run): the header pins one destination address and
# port, and the options carry no flow, flags or payload keyword. Any TCP packet
# from $HOME_NET to that address and port therefore matches, including an
# unanswered SYN. "threshold: type limit, track by_src, seconds 60, count 1"
# caps the output at one alert per source host per 60 seconds for each sid.
# Triage note: a hit shows that an internal host tried to reach the address,
# not that a C2 session completed -- confirm with flow records before acting.
# target:src_ip marks the $HOME_NET side as the target of the event.
alert tcp $HOME_NET any -> [43.139.107.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266067; rev:1;)
alert tcp $HOME_NET any -> [1.117.230.165] 5578 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266066; rev:1;)
# The next entries are rated confidence_level 50 by the feed and are labelled
# "Unknown malware". The rating is carried in both msg and metadata, so alert
# routing can key on metadata confidence_level instead of treating every sid
# in this file as equally strong evidence.
alert tcp $HOME_NET any -> [65.21.147.214] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266064; rev:1;)
alert tcp $HOME_NET any -> [185.186.25.42] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266063; rev:1;)
alert tcp $HOME_NET any -> [185.186.25.33] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266062; rev:1;) alert tcp $HOME_NET any -> [147.45.41.2] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266061; rev:1;) alert tcp $HOME_NET any -> [124.223.40.156] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266060; rev:1;) alert tcp $HOME_NET any -> [39.40.174.210] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266059; rev:1;) alert tcp $HOME_NET any -> [166.62.100.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266058; rev:1;) alert tcp $HOME_NET any -> [93.127.194.22] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266057; 
rev:1;)
# Each sid in this file is the ThreatFox IOC id from the rule's reference URL
# with a leading 9 (ioc/1266056 -> sid:91266056), so an alert's signature id
# maps straight back to the feed entry.
alert tcp $HOME_NET any -> [185.223.28.15] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266056; rev:1;)
# Three rules share the destination 45.61.150.201 and differ only in port
# (8808, 7707, 6606). The threshold is set per rule, so one internal host can
# raise up to three alerts per minute for this address; group by destination IP
# when counting affected hosts.
alert tcp $HOME_NET any -> [45.61.150.201] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266055; rev:1;)
alert tcp $HOME_NET any -> [45.61.150.201] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266054; rev:1;)
alert tcp $HOME_NET any -> [45.61.150.201] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266053; rev:1;)
# url rule: the method must be GET, and the http.uri content with depth:13 is
# anchored at the start of the URI only, so a request whose URI continues after
# "/edb7233b.php" (for example with a query string) still matches. The
# http.host content is pinned at both ends (depth:16 plus isdataat:!1,relative),
# i.e. the host must be exactly "a0950024.xsph.ru". There is no threshold, so
# every matching request raises an alert. The rule needs HTTP the sensor can
# parse; the same exchange inside TLS would not be visible to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edb7233b.php"; depth:13; nocase; http.host; content:"a0950024.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266050; rev:1;)
alert tcp $HOME_NET any -> [109.120.178.235] 26632 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266048; rev:1;) alert tcp $HOME_NET any -> [146.19.143.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91266046; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 39717 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/authdefaultdle.php"; depth:19; nocase; http.host; content:"reallysrv.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0947008.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266043; rev:1;) alert tcp $HOME_NET any -> [144.76.71.93] 313 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266041; rev:1;)
# These rules carry first_seen 2024_05_03, while the file header gives a later
# "Last updated" date. IP addresses change hands; before escalating a hit,
# check the referenced ThreatFox entry for the indicator's current status.
alert tcp $HOME_NET any -> [139.59.110.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91266040; rev:1;)
alert tcp $HOME_NET any -> [51.15.225.131] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91266039; rev:1;)
# Port 443 entries match on destination address and port alone; nothing in the
# rule inspects the TLS handshake or payload. NOTE(review): for the
# confidence_level 50 entry below, verify who currently operates the address
# before acting -- if it fronts shared or multi-tenant hosting, unrelated
# HTTPS traffic will raise the same alert.
alert tcp $HOME_NET any -> [99.83.190.128] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91266038; rev:1;)
alert tcp $HOME_NET any -> [185.107.56.48] 443 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266037; rev:1;)
alert tcp $HOME_NET any -> [8.218.228.15] 60478 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; 
classtype:trojan-activity; sid:91265808; rev:1;) alert tcp $HOME_NET any -> [68.168.211.94] 2052 (msg:"ThreatFox SparkRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265809; rev:1;) alert tcp $HOME_NET any -> [89.105.201.183] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_03; classtype:trojan-activity; sid:91265810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265807; rev:1;) alert tcp $HOME_NET any -> [194.140.198.234] 9993 (msg:"ThreatFox DynamicStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265790; rev:1;) alert tcp $HOME_NET any -> [217.138.215.79] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig32.gif"; depth:10; nocase; http.host; content:"207.148.109.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265797; rev:1;) alert tcp $HOME_NET any -> [207.148.109.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265798; rev:1;) alert tcp $HOME_NET any -> [109.120.133.115] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.25.2.115"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.109.48.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265805; 
rev:1;)
# url rule keyed on a literal IP in http.host: the host must equal
# "103.234.54.136" exactly (depth:14 plus isdataat:!1,relative) and the URI
# must begin with the 60-byte path below. The URI test is a prefix match, and
# nocase makes it case-insensitive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"103.234.54.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265804; rev:1;)
# domain rule: depth:26 together with isdataat:!1,relative pins the pattern to
# the whole query name, so only a lookup of exactly
# "support.popuiarenlinea.com" matches (case-insensitive via nocase). A query
# for a longer name ending in this one, or for the parent domain, does not
# match. "dns_query" is the older spelling of the dns.query buffer; the http
# rules in this file already use the dotted buffer names.
# There is no threshold on domain rules, so each matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.popuiarenlinea.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265802; rev:1;)
alert tcp $HOME_NET any -> [142.171.104.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265803; rev:1;)
# Same host name as domain rule sid 91265802: a client that resolves the name
# and then requests a URI starting with "/lv" over plain HTTP raises both
# alerts. Correlate the two by source host rather than counting them as
# separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"support.popuiarenlinea.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.132.62.71"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p7mi"; depth:5; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilio.one"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobs.kraken11op.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265794; rev:1;) alert tcp $HOME_NET any -> [101.99.93.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.99.93.222"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"207.148.109.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265789/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265789; rev:1;) alert tcp $HOME_NET any -> [37.120.235.122] 2269 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265788/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265788; rev:1;) alert tcp $HOME_NET any -> [8.218.244.117] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265743; rev:1;) alert tcp $HOME_NET any -> [103.158.190.167] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265744; rev:1;) alert tcp $HOME_NET any -> [47.242.52.22] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265745/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_03; classtype:trojan-activity; sid:91265745; rev:1;) alert tcp $HOME_NET any -> [193.56.255.142] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265746; rev:1;) alert tcp $HOME_NET any -> [8.210.167.64] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265749; rev:1;) alert tcp $HOME_NET any -> [8.210.4.242] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265747; rev:1;) alert tcp $HOME_NET any -> [38.60.193.62] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265748; rev:1;) alert tcp $HOME_NET any -> [8.210.134.47] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265750; rev:1;) alert tcp $HOME_NET any -> [139.180.208.107] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1265751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265751; rev:1;) alert tcp $HOME_NET any -> [8.210.174.168] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265752; rev:1;) alert tcp $HOME_NET any -> [8.217.84.192] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265754; rev:1;) alert tcp $HOME_NET any -> [8.218.17.11] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265753; rev:1;) alert tcp $HOME_NET any -> [8.218.163.77] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265755; rev:1;) alert tcp $HOME_NET any -> [8.218.248.158] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265756; rev:1;) alert tcp $HOME_NET any -> [8.218.56.204] 443 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265757; rev:1;)
# Part of a run of ShadowPad ip:port rules that are identical except for the
# destination address, the IOC id in the reference URL and the sid. All target
# port 443 and match on address and port only, so the alert cannot tell a C2
# exchange from any other TLS connection to the same address.
# NOTE(review): every address is a separate signature. If rule count becomes a
# load concern, check whether your Suricata version can hold such addresses in
# an IP reputation list or a dataset instead, and whether the port restriction
# can be kept when doing so.
alert tcp $HOME_NET any -> [8.218.217.76] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265758; rev:1;)
alert tcp $HOME_NET any -> [8.217.0.193] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265759; rev:1;)
alert tcp $HOME_NET any -> [8.217.96.167] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265760; rev:1;)
alert tcp $HOME_NET any -> [94.131.110.28] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265761; rev:1;)
alert tcp $HOME_NET any -> [64.176.8.105] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265762/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_03; classtype:trojan-activity; sid:91265762; rev:1;) alert tcp $HOME_NET any -> [128.14.105.154] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265763; rev:1;) alert tcp $HOME_NET any -> [45.116.78.250] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265764; rev:1;) alert tcp $HOME_NET any -> [146.70.157.115] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265765; rev:1;) alert tcp $HOME_NET any -> [45.32.115.37] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265766; rev:1;) alert tcp $HOME_NET any -> [207.148.95.161] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265767; rev:1;) alert tcp $HOME_NET any -> [185.167.61.21] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265768; rev:1;) alert tcp $HOME_NET any -> [164.215.103.248] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265769; rev:1;) alert tcp $HOME_NET any -> [173.199.71.24] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265770; rev:1;) alert tcp $HOME_NET any -> [8.217.107.25] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265771; rev:1;) alert tcp $HOME_NET any -> [47.243.60.4] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265772; rev:1;) alert tcp $HOME_NET any -> [8.210.168.192] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265773; rev:1;) alert tcp $HOME_NET any -> 
[8.218.193.197] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265774; rev:1;) alert tcp $HOME_NET any -> [8.218.128.35] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265776; rev:1;) alert tcp $HOME_NET any -> [8.210.74.92] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265775; rev:1;) alert tcp $HOME_NET any -> [8.218.213.245] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265777; rev:1;) alert tcp $HOME_NET any -> [8.210.221.119] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265778; rev:1;) alert tcp $HOME_NET any -> [45.159.250.235] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265779/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265779; rev:1;)
alert tcp $HOME_NET any -> [8.217.122.135] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265781; rev:1;)
alert tcp $HOME_NET any -> [185.81.114.45] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265780; rev:1;)
# The msg labels this indicator "payload delivery", not "botnet C2 traffic",
# although the classtype is the same trojan-activity. A hit means a host
# contacted an address that the feed lists as serving payloads; triage should
# establish whether anything was downloaded and run on the host, rather than
# assume an established implant. The rule itself matches on address and port
# only.
alert tcp $HOME_NET any -> [193.124.41.246] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265783; rev:1;)
# url rule: GET with a URI that starts with "/api/x" (prefix match, depth:6)
# and an http.host equal to "chniabank.com" (depth:13 plus
# isdataat:!1,relative). Only HTTP the sensor can parse is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265787; rev:1;)
# domain rule: matches a query for exactly "investment.kumbaraan.biz.id"
# (depth:27 plus isdataat:!1,relative, case-insensitive). Other names under
# the same parent domain are not covered by this sid.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investment.kumbaraan.biz.id"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265786; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"investment.kumbaraan.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265785; rev:1;)
# URL indicator whose host is a literal address: http.host must equal
# "81.71.127.160" exactly, and http.uri only has to begin with "/match".
# Requests that reach the same server under a hostname, or over TLS, are not
# matched by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265784; rev:1;)
# Remcos ip:port indicators on non-standard ports (2404, 4047). The rules match
# on destination address and port alone; threshold limits each source to one
# alert per 60 seconds, so repeated check-ins show up as a single event.
alert tcp $HOME_NET any -> [193.142.146.21] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265728; rev:1;)
alert tcp $HOME_NET any -> [185.234.67.47] 4047 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265729; rev:1;)
alert tcp $HOME_NET any -> [172.111.244.68] 4047 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265730; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quickdatenight.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265731; rev:1;)
# Domain indicator under duckdns.org, a dynamic-DNS zone: the exact-match
# anchoring (depth 22 plus isdataat:!1,relative) keeps the rule to this one
# hostname and does not alert on other names in the zone. The address behind a
# dynamic-DNS name can change, so record the resolved IP when triaging a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laitheliar.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265732; rev:1;)
# ip:port indicators rated below 100 by the feed (confidence_level 75 and 50 in
# metadata and msg). sid 91265741 is address plus port 80 for an unnamed
# family at confidence 50: with no content or flow condition it alerts on any
# TCP traffic to that host, so treat hits as leads to verify rather than as
# confirmed C2.
alert tcp $HOME_NET any -> [198.98.59.177] 8848 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265742; rev:1;)
alert tcp $HOME_NET any -> [139.59.110.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265741; rev:1;)
# Domain indicator, exact query name only (depth 13, end-anchored, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minuoddos.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265740; rev:1;)
alert tcp $HOME_NET any -> [217.165.15.83] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1265739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265739; rev:1;)
# ip:port indicators the feed rates at confidence_level 50 (Havoc, Deimos, an
# unnamed family, Sliver). They match destination address and port only, with
# no flow or payload condition, so a hit is a lead to verify against host and
# flow telemetry. The confidence value is repeated in metadata, which lets
# downstream tooling route these separately from the 100-rated rules.
alert tcp $HOME_NET any -> [147.45.136.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265738; rev:1;)
alert tcp $HOME_NET any -> [39.185.245.204] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265737; rev:1;)
alert tcp $HOME_NET any -> [77.37.43.47] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265736; rev:1;)
# Same address on two ports (31337 and 8443), one rule per ip:port pair. The
# threshold is tracked per rule, so one source can produce an alert from each
# sid within the same 60-second window.
alert tcp $HOME_NET any -> [193.3.19.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265734; rev:1;)
alert tcp $HOME_NET any -> [193.3.19.136] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265735; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.74] 666 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265733; rev:1;)
# Cobalt Strike ip:port indicators. Nothing in these rules inspects the
# session: they match TCP from $HOME_NET to the listed address and port, and
# threshold reduces that to one alert per source per 60 seconds. On the common
# web ports (81, 443) in particular, confirm a hit with HTTP/TLS metadata or
# endpoint evidence before concluding that a beacon is present.
alert tcp $HOME_NET any -> [45.152.115.131] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265574; rev:1;)
alert tcp $HOME_NET any -> [62.234.180.14] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265575; rev:1;)
alert tcp $HOME_NET any -> [54.255.171.65] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265571; rev:1;)
alert tcp $HOME_NET any -> [110.41.184.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.paamsa.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265573/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265573; rev:1;)
# Domain indicator: exact query name only (depth 11, end-anchored by
# isdataat:!1,relative, case-insensitive via nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"empames.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265569; rev:1;)
# Cobalt Strike ip:port indicators, two of them on port 80. The rules carry no
# http.* or flow condition, so any TCP traffic from $HOME_NET to the address
# and port alerts (at most once per source per 60 seconds). Pair a hit with
# HTTP logs for the same flow to see what was actually requested.
alert tcp $HOME_NET any -> [54.205.59.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265570; rev:1;)
alert tcp $HOME_NET any -> [38.6.193.9] 3588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265565; rev:1;)
alert tcp $HOME_NET any -> [59.110.91.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265567; rev:1;)
# Exact match on the "www." name only. The bare domain is not covered by this
# rule; the feed lists it separately (sid 91265553).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.appxoxo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265563; rev:1;)
alert tcp $HOME_NET any -> [103.40.161.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265564; rev:1;)
# Domain indicators. In every rule depth equals the length of the content
# string and isdataat:!1,relative requires the buffer to end there, so the DNS
# query name must equal the string exactly (case-insensitive via nocase);
# subdomains and parent domains need their own rule. The msg names no malware
# family, so the reference URL is the place to look up attribution.
# NOTE(review): dns_query is the older spelling of the dns.query buffer;
# confirm the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gp.miaoys.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.data.nextb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77mh.icu"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cargillrewards.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcftjs8112.woodensunbeds.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1265557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265557; rev:1;)
# Domain indicators, exact query name only (depth = string length, end-anchored
# by isdataat:!1,relative, nocase). sid 91265553 covers the bare domain
# "appxoxo.com"; the "www." host is a separate indicator in the feed
# (sid 91265563), which shows that neither rule implies the other.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appxoxo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dexhub.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.sns-labs.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265550; rev:1;)
# Cobalt Strike ip:port indicators: destination address and port only, one
# alert per source per 60 seconds, no inspection of the session itself.
alert tcp $HOME_NET any -> [185.91.127.221] 1340 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265576; rev:1;)
alert tcp $HOME_NET any -> [47.120.16.255] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265577; rev:1;)
alert tcp 
$HOME_NET any -> [20.41.84.113] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265578; rev:1;)
# Cobalt Strike ip:port indicators. The only match conditions are the
# destination address and port; there is no flow, content or TLS keyword.
# An address can be reassigned after the first_seen date recorded in metadata,
# so check the indicator's current status at the reference URL when a hit
# arrives long after that date.
alert tcp $HOME_NET any -> [188.116.22.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265579; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.12] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265580; rev:1;)
alert tcp $HOME_NET any -> [47.96.252.193] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265581; rev:1;)
alert tcp $HOME_NET any -> [45.12.53.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265582; rev:1;)
alert tcp $HOME_NET any -> [36.111.191.33] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1265583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265583; rev:1;)
# Cobalt Strike ip:port indicators. 212.64.24.30 is listed on two ports (18080
# and 443) as two separate rules, so traffic to any other port on that address
# is not covered. Each rule matches address and port only and is limited to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [212.64.24.30] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265584; rev:1;)
alert tcp $HOME_NET any -> [212.64.24.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265585; rev:1;)
alert tcp $HOME_NET any -> [47.115.215.30] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265587; rev:1;)
alert tcp $HOME_NET any -> [119.45.21.247] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265586; rev:1;)
alert tcp $HOME_NET any -> [114.55.116.176] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265588; rev:1;)
alert tcp $HOME_NET any -> [120.78.3.11] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265589; rev:1;)
# Cobalt Strike ip:port indicators: address and port only. 123.57.205.182 is
# also listed on port 80 under a separate sid (91265591).
alert tcp $HOME_NET any -> [150.158.75.102] 15478 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265590; rev:1;)
alert tcp $HOME_NET any -> [123.57.205.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265592; rev:1;)
# Domain indicators, exact query name only (depth = string length, end-anchored
# by isdataat:!1,relative, nocase). Both are deep subdomains; the rules do not
# alert on the parent zones (duckdns.org, sigmacomp.pl) or on sibling hosts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.maasssa.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test2.tcash.sigmacomp.pl"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.binarycode.vip"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265562; rev:1;)
# Cobalt Strike ip:port indicators. Each rule is one address/port pair with no
# flow or content condition; 18.167.36.79 appears twice (ports 80 and 6443).
# threshold (limit, by_src, 60 s, count 1) means a steadily beaconing host
# yields one alert per minute per sid, so use flow records rather than alert
# counts to gauge how often a host is calling out.
alert tcp $HOME_NET any -> [24.144.96.216] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265566; rev:1;)
alert tcp $HOME_NET any -> [123.57.205.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265591; rev:1;)
alert tcp $HOME_NET any -> [18.167.36.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265593; rev:1;)
alert tcp $HOME_NET any -> [18.167.36.79] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265594; rev:1;)
alert tcp $HOME_NET any -> [180.210.220.75] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265595; rev:1;)
alert tcp 
$HOME_NET any -> [103.234.54.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265596; rev:1;)
# Cobalt Strike ip:port indicators on ports 80 and 443. The rules are written
# as "alert tcp" with no http.* or tls.* condition, so they alert on any TCP
# traffic from $HOME_NET to the address and port, whatever host name or path
# was requested. If the address also serves unrelated sites, those visits
# alert too; check the HTTP Host or TLS SNI recorded for the flow.
alert tcp $HOME_NET any -> [147.135.211.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265597; rev:1;)
alert tcp $HOME_NET any -> [38.181.57.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265598; rev:1;)
alert tcp $HOME_NET any -> [101.43.43.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265599; rev:1;)
alert tcp $HOME_NET any -> [18.162.61.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265601; rev:1;)
alert tcp $HOME_NET any -> [13.212.24.201] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1265600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265600; rev:1;)
# ip:port indicators for several families (Cobalt Strike, RedLine Stealer,
# NjRAT). All share one shape: TCP from $HOME_NET to a single address and
# port, no flow or payload condition, at most one alert per source per
# 60 seconds. The family name in msg comes from the feed's attribution, not
# from anything the rule inspects on the wire.
alert tcp $HOME_NET any -> [38.6.193.10] 3588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265602; rev:1;)
alert tcp $HOME_NET any -> [103.150.10.45] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265603; rev:1;)
alert tcp $HOME_NET any -> [194.36.178.33] 37732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265722; rev:1;)
alert tcp $HOME_NET any -> [154.198.227.90] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265604; rev:1;)
# Rated confidence_level 75. The same address is listed again on port 33587
# under a different family label (sid 91265723).
# NOTE(review): one address carrying two families may indicate shared relay or
# hosting infrastructure; verify before blocking the whole address.
alert tcp $HOME_NET any -> [147.185.221.19] 42294 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tkanilux.com.ua"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265725; rev:1;)
# Domain indicator rated confidence_level 75: exact query name only (depth 31,
# end-anchored by isdataat:!1,relative, nocase). Other hosts under the same
# parent zone are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"reviews-christians.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265727; rev:1;)
# ip:port indicator: address and port only. The same address also carries an
# NjRAT rule on port 42294 (sid 91265726), so the port is what separates the
# two attributions.
alert tcp $HOME_NET any -> [147.185.221.19] 33587 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265723; rev:1;)
# URL indicators whose path is just "/": http.uri only has to begin with "/"
# (depth 1, no end check), which any ordinary request path does, so these are
# in effect host-only rules: any cleartext GET whose http.host equals the
# listed name exactly will alert. They carry no threshold, so every matching
# request produces an alert. The same two names are also covered at the DNS
# layer (sids 91265719 and 91265718).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bogote.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"davltp.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davltp.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265718; rev:1;)
# Domain indicator, exact query name only. The same host also has an HTTP rule
# (sid 91265721), so a host that resolves the name and then fetches over
# cleartext HTTP raises both alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bogote.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265719; rev:1;)
# "payload delivery" domain indicators rated confidence_level 75. Each rule
# matches only a query for exactly the listed name (depth = string length,
# end-anchored by isdataat:!1,relative, nocase). The alert fires on the lookup
# itself, and the rules do not show whether a download followed; check proxy or
# HTTP/TLS logs for the resolved address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"eprst431.boo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"msq2323232300000.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"static.cdn40.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"statistic.cdn47.space"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265716; rev:1;)
# "payload delivery" domain indicators rated confidence_level 75. The names
# use generic CDN-style labels; because each rule is an exact match on the full
# query name (depth = string length, end-anchored, nocase), unrelated domains
# that merely contain "cdn" are not affected, and hosts beneath these names
# are not covered unless listed on their own.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"storage.cdn48f.space"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1704.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn25.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265691/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn2525.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn27.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265693; rev:1;)
# Run of sequentially numbered "payload delivery" domains, one rule per name,
# all rated confidence_level 75. Each rule is an exact match on the DNS query
# name (depth 11, end-anchored by isdataat:!1,relative, nocase), so a name in
# the same series that the feed has not listed produces no alert; the rules do
# not generalise to the naming pattern.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn30.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn31.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265695/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn32.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265696/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn33.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn34.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; 
dns_query; content:"cdn35.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn36.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265700/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn37.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn38.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265702/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn40.click"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265703/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn41.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265704/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn42.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn44.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn45.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn46.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn47.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 75%)"; dns_query; content:"cdn48f.space"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265710/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"eprst251.boo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265711/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"eprst281.boo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"pdfreader.link"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265670/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"quicken-install.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"vkontakte.in"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1265672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wall-street-journal.link"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265673/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"workable.uk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.pm"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.re"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.wales"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265677; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.wf"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.blackrock.wf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.concur.pm"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265680/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.concur.re"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265681/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.wsj.re"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265682/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.wsj.wf"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wwwlegals.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265684/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1102.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1124.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1168.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265687/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1701.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265688/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1702.click"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"7-zip.cfd"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265646/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"7-zip.day"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265647/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanner.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanner.link"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265649/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 75%)"; dns_query; content:"advancedipscannerapp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265650/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"aimp.day"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"aimp.pm"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"asana.tel"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"asana.wf"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265654/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"autodesk.pm"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265655/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"blackrock.re"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"blackrock.wf"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265657/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.pm"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265659/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.re"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.skin"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"hidifypro.turkalphapro.ir"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"hubspot.pm"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"hubspot.wf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"lexisnexis.day"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265665/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.click"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1265666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.day"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265667/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265669/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265669; rev:1;) alert tcp $HOME_NET any -> [141.98.168.16] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265641; rev:1;) alert tcp $HOME_NET any -> [141.98.168.106] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265642; 
rev:1;) alert tcp $HOME_NET any -> [176.120.75.247] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265643; rev:1;) alert tcp $HOME_NET any -> [193.233.205.45] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"138.124.183.79.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265645; rev:1;) alert tcp $HOME_NET any -> [138.124.184.247] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265638; rev:1;) alert tcp $HOME_NET any -> [138.124.184.249] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265639; rev:1;) alert tcp $HOME_NET any -> [138.124.184.250] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265640; rev:1;) alert tcp $HOME_NET any -> [138.124.183.95] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265634; rev:1;) alert tcp $HOME_NET any -> [138.124.183.175] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265635; rev:1;) alert tcp $HOME_NET any -> [138.124.183.176] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265636; rev:1;) alert tcp $HOME_NET any -> [138.124.184.64] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265637; rev:1;) alert tcp $HOME_NET any -> [109.107.170.81] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265630; rev:1;) alert tcp $HOME_NET any -> [138.124.180.85] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265631; rev:1;) alert tcp $HOME_NET any -> [138.124.183.79] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265632; rev:1;) alert tcp $HOME_NET any -> [138.124.183.91] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265633; rev:1;) alert tcp $HOME_NET any -> [103.113.70.68] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265627; rev:1;) alert tcp $HOME_NET any -> [103.113.70.134] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265628; rev:1;) alert tcp $HOME_NET any -> [103.113.70.142] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265629; rev:1;) alert tcp $HOME_NET any -> [103.35.191.28] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265623; rev:1;) alert tcp $HOME_NET any -> [103.35.191.53] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265624; rev:1;) alert tcp $HOME_NET any -> [103.35.191.56] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265625; rev:1;) alert tcp $HOME_NET any -> [103.35.191.76] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265626; rev:1;) alert tcp $HOME_NET any -> [91.149.239.120] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265620; rev:1;)
# NOTE(review): this dump wraps rules across physical lines. The line above is
# the tail of a rule that starts on the preceding line, and the last line of
# this group is the head of a rule that continues on the following one. The
# complete rules in between are restored to one rule per line.
#
# --- NetSupportManager RAT payload delivery: ip:port indicators ---
# All rules in this group carry confidence_level 75 and first_seen 2024_05_02.
# Each one matches on TCP header fields only: any $HOME_NET source, any source
# port, to one listed address on port 443. No flow or content keyword is
# present, so nothing inside the session is inspected and a connection attempt
# alerts the same way as a completed session.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert
# per source address per 60 seconds for each rule.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
# sid is "9" followed by the ThreatFox IOC id shown in the reference URL.
# Four of the addresses fall in 86.104.72.154-158.
# NOTE(review): these are address-only indicators at a stated 75% confidence;
# addresses can change hands after first_seen, so corroborate a hit with proxy,
# TLS or endpoint telemetry before treating the source host as compromised.
alert tcp $HOME_NET any -> [94.131.101.65] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265621; rev:1;)
alert tcp $HOME_NET any -> [103.35.188.98] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265622; rev:1;)
alert tcp $HOME_NET any -> [86.104.72.154] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265616; rev:1;)
alert tcp $HOME_NET any -> [86.104.72.155] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265617; rev:1;)
alert tcp $HOME_NET any -> [86.104.72.157] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265618; rev:1;)
alert tcp $HOME_NET any -> [86.104.72.158] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265619; rev:1;)
alert tcp $HOME_NET any -> [45.142.212.150] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265612/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265612; rev:1;)
alert tcp $HOME_NET any -> [45.152.113.251] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265613/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265613; rev:1;)
alert tcp $HOME_NET any -> [45.159.211.211] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265614; rev:1;)
alert tcp $HOME_NET any -> [77.105.162.54] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265615; rev:1;)
alert tcp $HOME_NET any -> [23.170.40.136] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265608/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265608; rev:1;)
alert tcp $HOME_NET any -> [45.67.229.73] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265609/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265609; rev:1;)
alert tcp $HOME_NET any -> [45.89.53.223] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265610/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265610; rev:1;)
alert tcp $HOME_NET any -> [45.89.53.244] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265611/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265611; rev:1;)
alert tcp $HOME_NET any -> [5.180.24.160] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265606/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265606; rev:1;)
alert tcp $HOME_NET any -> [23.133.88.190] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265607/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265607; rev:1;)
# Head of an HTTP URL rule; its remaining options are on the next physical line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"masterokrwh.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265605; rev:1;)
# NOTE(review): the line above is the tail of a rule whose header sits on the
# preceding physical line of this dump; the last line of this group is likewise
# the head of a rule that continues on the next line. The complete rules in
# between are restored to one rule per line.
#
# --- Mixed-family ip:port indicators (RedLine Stealer, IcedID, QakBot, Havoc,
# MooBot, "Unknown malware"), first_seen 2024_05_02 ---
# These match on TCP header fields only (destination address and port); there
# is no flow or content keyword, so session contents are never examined.
# threshold: at most one alert per source address per 60 seconds, per rule.
# The confidence value appears twice: in msg for humans and in
# metadata: confidence_level for tooling.
# NOTE(review): most rules below are confidence 50, several on ports 80/443 and
# labelled only "Unknown malware". Consider using metadata confidence_level to
# route them at lower priority than the confidence-100 rules, and corroborate
# with other telemetry before acting on a single hit.
# 138.197.28.158 is listed twice, once per port (8080 and 443), under separate
# sids.
alert tcp $HOME_NET any -> [89.110.68.218] 21572 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265549; rev:1;)
alert tcp $HOME_NET any -> [5.189.253.247] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265548; rev:1;)
alert tcp $HOME_NET any -> [159.89.186.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265547; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.59] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265546; rev:1;)
alert tcp $HOME_NET any -> [37.60.252.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265545; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.47] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265544; rev:1;)
alert tcp $HOME_NET any -> [142.171.184.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265543; rev:1;)
alert tcp $HOME_NET any -> [2.88.123.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265542; rev:1;)
alert tcp $HOME_NET any -> [41.96.176.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265541; rev:1;)
alert tcp $HOME_NET any -> [85.99.29.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265540; rev:1;)
alert tcp $HOME_NET any -> [175.10.45.89] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265539; rev:1;)
alert tcp $HOME_NET any -> [86.98.19.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265538; rev:1;)
alert tcp $HOME_NET any -> [189.140.8.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265537; rev:1;)
alert tcp $HOME_NET any -> [103.195.6.58] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265536; rev:1;)
alert tcp $HOME_NET any -> [170.64.140.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265535/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265535; rev:1;)
alert tcp $HOME_NET any -> [138.197.28.158] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265534; rev:1;)
alert tcp $HOME_NET any -> [138.197.28.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265533; rev:1;)
alert tcp $HOME_NET any -> [5.42.85.10] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265531; rev:1;)
alert tcp $HOME_NET any -> [147.45.149.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265530; rev:1;)
alert tcp $HOME_NET any -> [50.114.37.38] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265529; rev:1;)
alert tcp $HOME_NET any -> [13.82.179.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265528; rev:1;)
alert tcp $HOME_NET any -> [31.192.107.143] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265527; rev:1;)
alert tcp $HOME_NET any -> [134.122.85.18] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265526; rev:1;)
alert tcp $HOME_NET any -> [135.181.119.247] 26827 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265525; rev:1;)
# HTTP URL indicator: established client-to-server flow, method contains GET,
# URI begins with the listed path (depth equals the content length, nocase, no
# end anchor), and the host buffer equals the listed value exactly (depth equals
# the content length plus isdataat:!1,relative).
# Only HTTP that the sensor can parse in cleartext is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbbaseflowerdatalife.php"; depth:25; nocase; http.host; content:"45.141.102.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265524; rev:1;)
# DNS domain indicator: the query name must equal the listed name exactly,
# case-insensitively (depth equals the content length, isdataat:!1,relative,
# nocase). Sub-domains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nandos.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265307; rev:1;)
alert tcp $HOME_NET any -> [103.77.208.150] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265306/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265306; rev:1;)
# Head of an HTTP URL rule; the rest of it is on the next physical line.
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.116.213.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265305; rev:1;)
# NOTE(review): the line above is the tail of a rule whose "alert http
# $HOME_NET any ->" header sits on the preceding physical line of this dump;
# the last line of this group is the head of a rule that continues on the next
# line. The complete rules in between are restored to one rule per line.
#
# --- URL, domain and ip:port indicators, first_seen 2024_05_02 ---
# URL rules (alert http): established client-to-server flow, method contains
# GET, URI begins with the listed path, host buffer equals the listed value.
#   - http.uri content uses depth equal to its own length plus nocase and has
#     no end anchor, so it is a case-insensitive prefix match: "/pixel" also
#     matches "/pixel.gif" and anything longer.
#   - http.host content uses depth equal to its own length plus
#     isdataat:!1,relative, so the whole host buffer must equal the value.
#   - The URL rules name no malware family in msg; several share their host
#     address with an adjacent ip:port rule labelled Cobalt Strike.
#   - The paths themselves ("/jquery-3.3.1.min.js", "/pixel.gif", "/fwlink",
#     "/__utm.gif", "/ie9compatviewlist.xml") resemble common web resource
#     names, so the host match is what keeps these rules specific.
#   - Only HTTP that the sensor can parse in cleartext is covered; the ip:port
#     rules on 443 are the only coverage here for encrypted sessions.
# ip:port rules (alert tcp): header-only match on destination address and port,
# rate-limited to one alert per source per 60 seconds.
#   - The 43.136.38.59 rule targets TCP port 53 and does not parse DNS.
#   - The DCRat rule (confidence 50) targets TCP port 3389 and inspects no
#     payload; any TCP traffic to that address and port alerts.
# Domain rules (alert dns): exact, case-insensitive match on the query name.
# NOTE(review): aawwn.azureedge.net is a hostname under a shared CDN domain;
# both rules match that full hostname only, not the parent domain.
alert tcp $HOME_NET any -> [94.241.142.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"149.104.25.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.231.64.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265301; rev:1;)
alert tcp $HOME_NET any -> [31.128.32.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"31.128.32.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265299; rev:1;)
alert tcp $HOME_NET any -> [156.251.172.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.251.172.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265297; rev:1;)
alert tcp $HOME_NET any -> [64.23.165.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"aawwn.azureedge.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aawwn.azureedge.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"49.235.187.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"193.143.1.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"207.154.255.140"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265291; rev:1;)
alert tcp $HOME_NET any -> [185.241.225.213] 3389 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265289; rev:1;)
alert tcp $HOME_NET any -> [43.136.38.59] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dahuatec.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265285; rev:1;)
# The remaining rules here belong to a run of confidence-80 URL indicators that
# all share the URI prefix "/mmzmzgvlmji3nzu0/" and differ only in host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"zirbnarg.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"jilepofk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265234/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265234; rev:1;)
# Head of the next rule in that run; its host content is on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; 
content:"wustyelk.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265235/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265235; rev:1;)
# NOTE(review): the line above is the tail of a rule that starts on the
# preceding physical line of this dump (this content belongs to its http.host
# buffer); the last line of this group is the head of a rule that continues on
# the next line. The complete rules in between are restored to one rule per line.
#
# --- Run of confidence-80 URL indicators sharing one URI prefix ---
# Every rule in this run requires an established client-to-server HTTP flow, a
# method containing GET, a URI that begins with "/mmzmzgvlmji3nzu0/"
# (case-insensitive prefix, no end anchor) and a host buffer equal to one
# eight-letter name under .top or .xyz. msg names no malware family.
# The rules differ only in host, IOC id and sid; sids are not strictly in
# sequence (…246 precedes …244, …252 precedes …251).
# NOTE(review): the shared URI prefix is the stable element across the run; it
# may be a useful pivot when searching proxy logs for hosts not yet listed,
# but treat such results as leads rather than confirmed indicators.
# Only HTTP that the sensor can parse in cleartext is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"mixylozt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"quoxvebz.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"hifkxarp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"dultzown.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"kervplun.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"vikexems.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"bontmawy.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"sirljufi.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265243/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"zoxtneep.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"glaxwimb.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265244/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"fruljilk.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265245/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"yampdrik.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"zorbpuft.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"riltshuv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"vempyurt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"dyltwerm.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265252/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"hozzkwor.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265251; rev:1;)
# --- Confidence-100 indicators that follow the run ---
# Same HTTP rule shape as above (URI prefix plus exact host). The tcp rule is a
# header-only match on destination address and port, limited to one alert per
# source per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265284; rev:1;)
alert tcp $HOME_NET any -> [8.130.52.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternallowapiuniversallocal.php"; depth:32; nocase; http.host; content:"a0835675.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265282; rev:1;)
# Payload-delivery URL (msg says "payload delivery", not "botnet C2"): a hit is
# a GET request for an .exe path on the listed host. The rule inspects the
# request only, so it does not show whether a file was returned or executed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noa.exe"; depth:8; nocase; http.host; content:"192.3.239.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265281; rev:1;)
# Head of an ip:port rule; its threshold options continue on the next line.
alert tcp $HOME_NET any -> [154.12.31.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265280; rev:1;)
# NOTE(review): the line above is the tail of a rule that starts on the
# preceding physical line of this dump (it completes that rule's threshold
# option); the last line of this group is the head of a rule that continues on
# the next line. The complete rules in between are restored to one rule per line.
#
# --- Cobalt Strike-labelled ip:port rules with matching URL and domain rules ---
# Several addresses appear in both an ip:port rule and a URL rule (154.12.31.24,
# 107.174.254.9, 23.95.166.199). The ip:port form matches header fields only
# and is limited to one alert per source per 60 seconds. The URL form needs a
# parsed cleartext HTTP GET whose URI begins with "/jquery-3.3.1.min.js" and
# whose host buffer equals the listed value, and it has no threshold.
# One session can therefore raise both sids.
# Domain rules use dns_query with depth equal to the content length,
# isdataat:!1,relative and nocase: an exact, case-insensitive match on the
# whole query name. The bare and "www." forms of fbmarket-place.info are
# therefore listed as separate rules.
# NOTE(review): dns_query is the older spelling of the DNS query buffer, while
# the HTTP rules here use dotted names (http.uri, http.host). Confirm that the
# deployed Suricata version accepts both forms before loading.
# NOTE(review): service-inqt462u-1314366639.hk.tencentapigw.cn looks like a
# tenant hostname on a shared cloud gateway domain. The rules match that full
# hostname only, and any response action should be scoped the same way.
alert tcp $HOME_NET any -> [154.12.31.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"154.12.31.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.174.254.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265277; rev:1;)
alert tcp $HOME_NET any -> [107.174.254.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-inqt462u-1314366639.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-inqt462u-1314366639.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.95.166.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265272; rev:1;)
alert tcp $HOME_NET any -> [23.95.166.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"175.178.49.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbmarket-place.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fbmarket-place.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265270; rev:1;)
# Confidence-50 ip:port indicators: header-only matches, two of them on port 80
# and labelled "Unknown malware". Corroborate before acting on a single alert.
alert tcp $HOME_NET any -> [45.142.214.27] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265268; rev:1;)
alert tcp $HOME_NET any -> [146.19.247.126] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265267; rev:1;)
alert tcp $HOME_NET any -> [8.138.108.192] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265266; rev:1;)
# Head of an ip:port rule; the rest of its msg and options are on the next line.
alert tcp $HOME_NET any -> [16.16.233.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265265; rev:1;) alert tcp $HOME_NET any -> [45.14.246.124] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265264; rev:1;) alert tcp $HOME_NET any -> [103.82.195.234] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265263; rev:1;) alert tcp $HOME_NET any -> [45.14.246.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265262; rev:1;) alert tcp $HOME_NET any -> [18.177.137.182] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265261; rev:1;) alert tcp $HOME_NET any -> [222.186.17.75] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265260; rev:1;) alert tcp 
$HOME_NET any -> [138.197.66.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265259; rev:1;) alert tcp $HOME_NET any -> [104.37.190.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265258; rev:1;) alert tcp $HOME_NET any -> [47.251.12.23] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265257; rev:1;) alert tcp $HOME_NET any -> [45.76.53.16] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265256; rev:1;) alert tcp $HOME_NET any -> [143.110.151.209] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"116.202.185.228"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265254; rev:1;) alert tcp $HOME_NET any -> [116.202.185.228] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265253; rev:1;) alert tcp $HOME_NET any -> [65.108.19.51] 37149 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265232; rev:1;) alert tcp $HOME_NET any -> [154.9.246.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28489294.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"28489294.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265229/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265229; rev:1;) alert tcp $HOME_NET any -> [34.91.32.224] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abscete.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"84.247.155.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bu2t"; depth:5; nocase; http.host; content:"84.247.155.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265225; rev:1;) alert tcp $HOME_NET any -> [84.247.155.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265224/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265224; rev:1;) alert tcp $HOME_NET any -> [91.92.252.187] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265223/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265223; rev:1;) alert tcp $HOME_NET any -> [46.41.139.162] 4444 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265222; rev:1;) alert tcp $HOME_NET any -> [176.123.1.127] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265209/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265209; rev:1;) alert tcp $HOME_NET any -> [185.172.128.95] 6666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265210; rev:1;) alert tcp $HOME_NET any -> [185.172.128.95] 6655 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265211; rev:1;) alert tcp $HOME_NET any -> [193.142.146.181] 6655 (msg:"ThreatFox DynamicStealer botnet C2 traffic (ip:port 
- confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265212; rev:1;) alert tcp $HOME_NET any -> [157.10.45.238] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apibnng.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teaching-wireless.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264961/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91264961; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 39289 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264960/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91264960; rev:1;) alert tcp $HOME_NET any -> [12.221.146.138] 8450 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264958/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_02; classtype:trojan-activity; sid:91264958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aprilxrwonew8450.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91264959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265221; rev:1;) alert tcp $HOME_NET any -> [163.5.210.97] 3307 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265220; rev:1;) alert tcp $HOME_NET any -> [104.236.69.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"54.82.65.203"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1265216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265216; rev:1;) alert tcp $HOME_NET any -> [154.9.246.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.9.246.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265214; rev:1;) alert tcp $HOME_NET any -> [94.156.8.188] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nevers.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nevers.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1265205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265205; rev:1;) alert tcp $HOME_NET any -> [95.217.245.42] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265206; rev:1;) alert tcp $HOME_NET any -> [159.69.102.118] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265207; rev:1;) alert tcp $HOME_NET any -> [88.198.124.238] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265202/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.245.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265201; rev:1;) alert tcp $HOME_NET any -> [94.156.66.78] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265199; rev:1;) alert tcp $HOME_NET any -> [128.199.74.55] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265200; rev:1;) alert tcp $HOME_NET any -> [103.67.163.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265198; rev:1;) alert tcp $HOME_NET any -> [141.95.109.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265197; rev:1;) alert tcp $HOME_NET any -> 
[162.33.177.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265196; rev:1;) alert tcp $HOME_NET any -> [86.126.231.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265195; rev:1;) alert tcp $HOME_NET any -> [41.99.16.165] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265194; rev:1;) alert tcp $HOME_NET any -> [142.247.217.110] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265193; rev:1;) alert tcp $HOME_NET any -> [1.161.71.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265192; rev:1;) alert tcp $HOME_NET any -> [80.76.32.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265191/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_01; classtype:trojan-activity; sid:91265191; rev:1;) alert tcp $HOME_NET any -> [222.186.17.75] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265190; rev:1;) alert tcp $HOME_NET any -> [162.0.230.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"craf.kro.kr"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265188; rev:1;) alert tcp $HOME_NET any -> [54.39.249.56] 61562 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0949584.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265186; rev:1;) alert tcp $HOME_NET any -> 
[2.57.149.77] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265185; rev:1;) alert tcp $HOME_NET any -> [93.123.85.108] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264962; rev:1;) alert tcp $HOME_NET any -> [146.19.143.186] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264849/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_01; classtype:trojan-activity; sid:91264849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"seniseverdimbenenaz.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yenihacamattedavicisi.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264828; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"benkadereyenikdustum.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264829; rev:1;)
# Cluster: HTTP GET rules that share the URI prefix "/zdqyn2nmogezotlk/" and differ
# only in the Host value. How each rule matches:
#   - http.uri content + depth:18 + nocase: the request path must START with the
#     token, case-insensitively. Nothing anchors the end, so longer paths match too.
#   - http.host content + depth:N + isdataat:!1,relative: the normalized Host buffer
#     must equal the name exactly; "www." or any other sub-domain does not match.
#   - sid is 90000000 + the ThreatFox IOC id in the reference URL (sid:91264830 <->
#     ioc/1264830), which gives a direct way back to the upstream record.
#   - target:src_ip marks the $HOME_NET client as the affected side of the event.
# NOTE(review): these rules depend on the HTTP parser seeing the request. The same
# hosts reached over TLS would not alert here; presumably DNS or TLS SNI coverage is
# needed for that case - confirm against the rest of the feed.
# NOTE(review): msg names no malware family and confidence_level is 80; take family
# and context from the reference URL during triage.
# NOTE(review): the path token is stored lower-case and matched with nocase, so the
# casing on the wire may differ - search logs case-insensitively.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"asperonilaclari.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fitildeyenilerdin.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kaderbizegulmezmi.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"seningibiadamlarbenisev.top"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"saglemkzanlar.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"akuaakveryum.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yeniseylerdenememelan.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"bebeklerdeoynarx.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"atasehirkkuaforu.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"canankarataylabebek.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sevsenneolurduuuu.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sevmesenneeeolur.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kopekuyuztedavicisi.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"hayvanyemekveriyoruz.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"topcularaktaricisisedat.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"evcilkusbesleme.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01;
classtype:trojan-activity; sid:91264845; rev:1;)
# Three more Host values for the "/zdqyn2nmogezotlk/" URI prefix. The path is a
# case-insensitive prefix match (depth:18, nocase, no end anchor). The Host must
# equal the listed name exactly (depth equals the name length, followed by
# isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"verdilerbizeikiadam.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"tokatmotorcukuryesi.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"arackiralamacankiri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264848; rev:1;)
# ip:port rule (msg: MooBot, confidence 75). It carries no flow: or flags: keyword,
# so as written it can match any TCP packet from $HOME_NET to 45.128.232.8:58267,
# including a connection attempt that is never answered. The threshold (type limit,
# track by_src, 60 s, count 1) caps output at one alert per source per minute.
# NOTE(review): read a hit as "attempted contact" and confirm an established session
# in flow records before treating the host as compromised.
alert tcp $HOME_NET any -> [45.128.232.8] 58267 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264795; rev:1;)
# URL rule whose Host is an IP literal: it matches when the Host buffer is exactly
# "80.66.89.146", whatever the packet's destination address is ($EXTERNAL_NET any).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"80.66.89.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264812; rev:1;)
# Domain rule: dns_query content + depth:13 + isdataat:!1,relative + nocase matches
# the queried name exactly; a sub-domain of it does not match.
# NOTE(review): dns_query is the older spelling of the dns.query buffer, while the
# HTTP rules use the dotted form (http.uri, http.host) - confirm the deployed
# Suricata version accepts both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xijinping.mov"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264796; rev:1;)
# ip:port rule (msg: Meterpreter): same shape as the MooBot rule above, with no
# flow/flags constraint and one alert per source per 60 s.
alert tcp $HOME_NET any -> [185.35.4.119] 5678 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264826; rev:1;)
# URL rules at confidence 100. msg names no malware family; use the reference URL
# (the IOC id equals sid minus 90000000) to find it during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vm_longpollbasetraffictrackwordpressprivateuploads.php"; depth:55; nocase; http.host; content:"remotetable.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"106.14.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264824; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"ikea0.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264823; rev:1;)
# The rule above and the next two share the path "/dequeue/mqseries/d7w0gtjfy"
# (case-insensitive prefix match, depth:27). They differ only in the exact Host
# value: two domain names and one IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"lebondogicoin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"91.238.181.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264821; rev:1;)
# 43.140.37.49 is covered twice: as an exact Host value for GET "/api/x..." and as
# an ip:port indicator on 443 (msg: Cobalt Strike).
# NOTE(review): if the port-443 traffic is TLS, the HTTP rule cannot see URI or
# Host and only the ip:port rule can fire. That rule has no flow:/flags: keyword,
# so it can also fire on an unanswered connection attempt (one alert per source per
# 60 s). Confirm a session in flow or TLS logs.
# NOTE(review): "/api/x" with depth:6 is a prefix, so "/api/xyz" also matches. The
# exact Host match is what keeps the rule narrow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.140.37.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264819; rev:1;)
alert tcp $HOME_NET any -> [43.140.37.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"159.75.104.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264818; rev:1;)
# Four ip:port rules (msg: LimeRAT), all on destination port 12088.
# NOTE(review): if these addresses are shared tunnelling or cloud front ends rather
# than dedicated hosts, the same ip:port can later carry unrelated traffic. Check
# current ownership and the first_seen date (2024_05_01) before blocking on them.
alert tcp $HOME_NET any -> [18.158.249.75] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264817; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264816; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264815; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264814; rev:1;)
# ip:port rule (msg: RedLine Stealer): same unanchored TCP match with per-source
# rate limit.
alert tcp $HOME_NET any -> [147.45.47.36] 39849 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264813; rev:1;)
# Short, generic-looking paths ("/g.pixel", "/ptj") matched as prefixes. Each rule
# also requires an exact IP-literal Host, so neither fires on the path alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264810; rev:1;)
# dbgrw1.azurefd.net is covered by an exact dns_query match here and by an HTTP
# rule (GET "/__utm.gif...") that starts on the next line.
# NOTE(review): azurefd.net looks like a shared cloud front-end domain. The exact
# match on the full name (depth:18 + isdataat:!1,relative) avoids flagging other
# names under it; keep that anchoring if the rule is ever edited.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbgrw1.azurefd.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"dbgrw1.azurefd.net";
depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264808; rev:1;)
# URL rules with short paths ("/ptj", "/dot.gif"). http.uri content + depth + nocase
# is a case-insensitive prefix match. The exact Host match (depth equals the value
# length, then isdataat:!1,relative) is what keeps each rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264806; rev:1;)
# URL + domain pair for the same name. The dns rule sees the lookup even when the
# later connection is encrypted, whereas the http rule needs a cleartext request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"sz-sourcetail-v4.volcmlt.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sz-sourcetail-v4.volcmlt.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"8.147.132.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264802; rev:1;)
# URL + domain pair on what looks like a shared API-gateway domain
# (tencentapigw.com).
# NOTE(review): both rules match the full 47-character name only, so other names
# under the same parent domain are not flagged. Do not loosen depth or the
# isdataat anchor when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-8lop3tot-1321953982.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8lop3tot-1321953982.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264801; rev:1;)
# ip:port rule (msg: Cobalt Strike). With no flow: or flags: keyword, as written it
# can match any TCP packet to 170.106.169.138:2053, including an unanswered
# connection attempt. The threshold limits output to one alert per source per 60 s.
# NOTE(review): confirm an established session before escalating.
alert tcp $HOME_NET any -> [170.106.169.138] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264799; rev:1;)
# The path resembles a versioned jQuery asset URL, so the URI would blend into
# ordinary web logs. The exact Host (update.micromain.cfd) is the discriminating
# part, and the paired dns rule covers the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/462c30d592f23b18/jquery/3.7.1/jquery.min.js"; depth:44; nocase; http.host; content:"update.micromain.cfd"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.micromain.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264798; rev:1;)
# Confidence-80 cluster on the URI prefix "/otm5zwjizgqynzjh/": the base name
# adiletasarim.com plus digit-prefixed variants, each as an exact Host match.
# NOTE(review): a variant that is not listed (another digit, "www.") is not covered
# by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"adiletasarim.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"3adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264763; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"2adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264762; rev:1;)
# Digit-prefixed variants of adiletasarim.com under the URI prefix
# "/otm5zwjizgqynzjh/". Each Host is matched exactly (depth:17 +
# isdataat:!1,relative), so a variant that is not listed is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"4adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"5adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264765; rev:1;)
# Cluster on the URI prefix "/mje2ytczy2mxnja0/" (confidence 80). Every rule below
# has the same structure and differs only in Host:
#   - GET request, client-to-server, on an established flow;
#   - the path starts with the token (depth:18, nocase) and has no end anchor, so
#     anything may follow;
#   - Host equals the listed name exactly.
# sid is 90000000 + the IOC id in the reference URL. msg names no malware family,
# so take it from the upstream record.
# NOTE(review): this is cleartext HTTP inspection only. If these hosts are reached
# over TLS, none of these rules fire - presumably DNS or TLS SNI coverage is needed;
# confirm against the rest of the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"karakutuoynlar.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"karaaslancamping.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"oyunlarlemmi.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"candancanda.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kaderdegulmzx.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"sevmekdeacilar.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"huzunluponsimm.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kaderimyaziklar.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"mkkaoooama.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"ataseiorunaa.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"oyungouardman.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"sevmenenenaaa.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"canozturkkaka.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"biggiyenim.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264779/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"cigkoftebedavahizmetim.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264780; rev:1;)
# More Host values for the URI prefix "/mje2ytczy2mxnja0/" (confidence 80).
# The path is a case-insensitive prefix match (depth:18, nocase). The Host must
# equal the listed name exactly (depth equals the name length, then
# isdataat:!1,relative).
# target:src_ip marks the $HOME_NET client as the affected side of the event.
# NOTE(review): the path token is stored lower-case and matched with nocase, so the
# casing on the wire may differ - search proxy or web logs case-insensitively.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"vasathastalari.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kenedabirnumaratedavicisi.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264782/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kediseakiyoruz.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264783/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"yavuzllarmarketim.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264784/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"yeniuygarckaportaci.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264785/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"servisdepaketlemem.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264786/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"panssiyoncukuryesi.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264787/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"hizlimkaretdealisveris.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264788/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264788; rev:1;)
# Cluster on the URI prefix "/yzg2ogjiogu5owqy/". The first rule uses an IP literal
# as the Host value and the rest use domain names; all are exact Host matches.
# NOTE(review): the IP-literal rule inspects the Host buffer, not the destination
# address ($EXTERNAL_NET any). A request to 45.88.91.119 that carries a different
# Host value is not matched by it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"45.88.91.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264789/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"agambenikoviyoryav.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264790/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"agambeniseviyoryav.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264791/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"kardesimbenikoviyoryav.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264792/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"kardesimbeniseviyoryav.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264793/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"kekembeniseviyoryav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264794; rev:1;)
# URI prefix "/zdqyn2nmogezotik/" (ends in "...otik/").
# NOTE(review): this differs by one character from the "/zdqyn2nmogezotlk/" prefix
# used by other rules in this file. Treat the two as separate indicators unless the
# upstream records say otherwise, and do not merge them when de-duplicating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"marababrtdakand4.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"marabkanatlarda2.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264760/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264760; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.76]
33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264758; rev:1;) alert tcp $HOME_NET any -> [5.180.154.53] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264756; rev:1;) alert tcp $HOME_NET any -> [91.245.225.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.96.252.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a69d09b357e06b52.php"; depth:21; nocase; http.host; content:"193.163.7.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264753; rev:1;) alert tcp $HOME_NET any -> [45.140.146.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264752; rev:1;) alert tcp $HOME_NET any -> [91.92.245.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264751; rev:1;) alert tcp $HOME_NET any -> [141.8.199.126] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264750; rev:1;) alert tcp $HOME_NET any -> [41.99.220.227] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264749; rev:1;) alert tcp $HOME_NET any -> [63.35.228.8] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1264748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264748; rev:1;) alert tcp $HOME_NET any -> [45.32.100.118] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264747; rev:1;) alert tcp $HOME_NET any -> [77.91.74.239] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264746; rev:1;) alert tcp $HOME_NET any -> [23.95.61.136] 29443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264745; rev:1;) alert tcp $HOME_NET any -> [81.43.24.55] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264744; rev:1;) alert tcp $HOME_NET any -> [91.92.250.2] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264743; rev:1;) alert tcp $HOME_NET any -> [91.238.181.233] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264742; rev:1;) alert tcp $HOME_NET any -> [87.121.69.206] 3306 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264741; rev:1;) alert tcp $HOME_NET any -> [142.93.109.84] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264740; rev:1;) alert tcp $HOME_NET any -> [157.245.70.79] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264739; rev:1;) alert tcp $HOME_NET any -> [163.181.39.72] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264738; rev:1;) alert tcp $HOME_NET any -> [149.104.26.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264737; 
rev:1;) alert tcp $HOME_NET any -> [72.14.186.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264736; rev:1;) alert tcp $HOME_NET any -> [144.202.125.45] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/private/wordpress3/vmmariadbsecureflower/cdnsecure/multiimagesqlphp/6secure3vm/gamepythonmultidownloads/externalgeneratorjavascript8/testtest8/0providercdn/58/cpupollpoll/5/imagelocal/tracklongpoll/multidleuploads/localcdn.php"; depth:230; nocase; http.host; content:"89.23.98.112"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.15.156.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.172.128.65"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.142.146.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264698/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.47"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.64.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"38.92.40.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"64.94.85.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.93"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"217.195.207.156"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264711; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamb/five/pvqdq929bsx_a_d_m1n_a.php"; depth:37; nocase; http.host; content:"tampabayllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dtyedh/five/pvqdq929bsx_a_d_m1n_a.php"; depth:38; nocase; http.host; content:"91.92.253.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dek/vv5/pvqdq929bsx_a_d_m1n_a.php"; depth:34; nocase; http.host; content:"alphaumi.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/pvqdq929bsx_a_d_m1n_a.php"; depth:37; nocase; http.host; content:"roof.spencerstuartllc.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/pvqdq929bsx_a_d_m1n_a.php"; depth:36; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/pvqdq929bsx_a_d_m1n_a.php"; depth:30; nocase; http.host; content:"altaskifer.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob/pvqdq929bsx_a_d_m1n_a.php"; depth:29; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/pvqdq929bsx_a_d_m1n_a.php"; depth:39; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/c13/pvqdq929bsx_a_d_m1n_a.php"; depth:30; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/project/five/pvqdq929bsx_a_d_m1n_a.php"; depth:41; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/pvqdq929bsx_a_d_m1n_a.php"; depth:40; nocase; http.host; content:"meridianresourcellc.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264722; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264726; rev:1;) alert tcp $HOME_NET any -> [193.233.132.126] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264727; 
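rev:1;)
# Destination-only indicator: fires on any TCP packet from $HOME_NET to this
# address and port; no payload or flow state is inspected. The threshold caps
# alerts at one per source host per 60 seconds.
alert tcp $HOME_NET any -> [45.133.174.75] 8426 (msg:"ThreatFox Houdini botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264728; rev:1;)
# Local correction to the feed's rule for this IOC. The indicator is a bare
# hostname, but the feed anchored it at offset 0 of http.uri (depth:23). An
# origin-form request URI starts with "/", so that pattern could not match
# ordinary client requests to the host. The hostname is now matched in
# http.host with the same exact-match anchoring the neighbouring rules use
# (depth = pattern length, isdataat:!1,relative). nocase is dropped because
# http.host is already normalised to lower case. Any GET to this host alerts.
# sid and rev are kept as published; a feed refresh will overwrite this line,
# so track the change locally or report it upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"masterokrwh.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264729; rev:1;)
# Destination-only indicator (see the note on sid 91264728); confidence 75.
alert tcp $HOME_NET any -> [38.45.200.163] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264730; rev:1;)
# URL indicators: GET requests whose URI begins with "/zdqyn2nmogezotik/"
# (case-insensitive prefix; nothing anchors the end of the URI) and whose Host
# equals the listed name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarkanmdas4.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"marababrtdas.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01;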
classtype:trojan-activity; sid:91264676; rev:1;)
# Payload-delivery URL: GET whose URI begins with the listed favicon path
# (case-insensitive prefix) and whose Host is exactly "alphaumi.com".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/images/size/w256h256/2021/03/favicon.png"; depth:49; nocase; http.host; content:"alphaumi.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264692; rev:1;)
# Destination-only indicator: any TCP packet from $HOME_NET to this address on
# port 80 alerts, with no payload check; the threshold caps alerts at one per
# source host per 60 seconds.
# NOTE(review): if this address also serves unrelated sites, those requests
# alert too; confirm with HTTP or flow logs during triage.
alert tcp $HOME_NET any -> [45.145.166.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264693; rev:1;)
# URL indicator: URI prefix "/zdqyn2nmogezotik/" (case-insensitive) plus an
# exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarkanary1.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264674; rev:1;)
# Domain indicator: the queried name must equal "justloki.com" exactly
# (depth:12 pins the start, isdataat:!1,relative pins the end), so lookups for
# subdomains of it do not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"justloki.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264653; rev:1;)
# The next two rules require only that the URI begin with "/" (depth:1), which
# every origin-form request does. They therefore fire on any GET to the listed
# Host; treat them as host-level indicators, not as a match on one page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dinets.best"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264655; rev:1;)
# Payload-delivery URL: URI prefix "/data.php" (case-insensitive) plus an exact
# Host match. Only GET requests are considered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"pdd888167.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264657; rev:1;)
# Destination-only indicators on non-standard ports: any TCP packet to the
# address and port alerts, limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [185.215.113.117] 30711 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264662; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.186] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ytere.elementfx.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264731; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264725; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264724; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/pttfrp.php"; depth:42; nocase; http.host; content:"unokodkelas.cl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/themes/hello-elementor/t745ny.php"; depth:45; nocase; http.host; content:"www.judicialconsulting.es"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/6rndt2.php"; depth:50; nocase; http.host; content:"rariate.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/qshgfl.php"; depth:46; nocase; http.host; content:"polarishousingsystems.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/i4imyy.php"; depth:42; nocase; http.host; content:"dorseydorse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/plxka3.php"; depth:50; nocase; http.host; content:"barliam.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hello-elementor/t745ny.php"; depth:45; nocase; http.host; content:"www.judicialconsulting.es"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/6rndt2.php"; depth:50; nocase; http.host; content:"rariate.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/plxka3.php"; depth:50; nocase; http.host; content:"barliam.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/themes/twentytwentyfour/qshgfl.php"; depth:46; nocase; http.host; content:"polarishousingsystems.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hello-elementor/t745ny.php"; depth:45; nocase; http.host; content:"www.judicialconsulting.es"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/pttfrp.php"; depth:42; nocase; http.host; content:"unokodkelas.cl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264679; rev:1;) alert tcp $HOME_NET any -> [45.156.23.186] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_30; classtype:trojan-activity; sid:91264677; rev:1;) alert tcp $HOME_NET any -> [5.42.107.163] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; 
classtype:trojan-activity; sid:91264673; rev:1;) alert tcp $HOME_NET any -> [91.92.249.182] 34419 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264672; rev:1;) alert tcp $HOME_NET any -> [216.83.42.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264671; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 2558 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264670; rev:1;) alert tcp $HOME_NET any -> [2.31.159.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264669; rev:1;) alert tcp $HOME_NET any -> [14.1.98.189] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264668; rev:1;) alert tcp $HOME_NET any -> [31.192.107.143] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1264667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264667; rev:1;) alert tcp $HOME_NET any -> [159.223.220.207] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264666; rev:1;) alert tcp $HOME_NET any -> [164.92.231.251] 10000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264665; rev:1;) alert tcp $HOME_NET any -> [128.14.237.229] 8888 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264664; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 5004 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hobobo.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"racess.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hobobo.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"racess.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264658; rev:1;) alert tcp $HOME_NET any -> [154.19.164.108] 446 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomus.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264649; rev:1;) alert tcp $HOME_NET any -> [135.148.153.89] 443 (msg:"ThreatFox 
FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.3.min.js"; depth:20; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264648; rev:1;) alert tcp $HOME_NET any -> [45.149.172.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.36.117.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264646; rev:1;) alert tcp $HOME_NET any -> [5.161.191.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"fibersee.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fibersee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264644; rev:1;) alert tcp $HOME_NET any -> [152.42.128.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i3less01"; depth:9; nocase; http.host; content:"178.208.87.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"107.175.158.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264640; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.56.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"117.72.65.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.69.129.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264635; rev:1;) alert tcp $HOME_NET any -> [103.69.129.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shaffatta.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apidevwa.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264632; rev:1;) alert tcp $HOME_NET any -> [31.220.40.22] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fdca69ae739b4897.php"; depth:21; nocase; http.host; content:"shaffatta.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/return-of-space-setup.rar"; 
depth:35; nocase; http.host; content:"returnofspace.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"returnofspace.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264613; rev:1;) alert tcp $HOME_NET any -> [31.41.44.97] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apidevst.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.158.21.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/match"; depth:6; nocase; http.host; content:"107.173.30.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264633; rev:1;) alert tcp $HOME_NET any -> [119.91.229.161] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns4.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1264624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264624; rev:1;) alert tcp $HOME_NET any -> [111.229.214.58] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.icbcbc.com.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oss.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailtest.icbcbc.com.cn"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264619; rev:1;) alert tcp $HOME_NET any -> [64.44.83.130] 2465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264618; rev:1;) alert tcp $HOME_NET any -> [192.144.233.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"192.144.233.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"116.62.197.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264610/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"finance.kumbaraan.biz.id"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264605; rev:1;)
# Reviewer notes (comments only; rule text is unchanged, one rule per line).
# - Each sid is "9" followed by the ThreatFox IOC id in the rule's reference URL
#   (sid:91264604 corresponds to ioc/1264604), so an alert maps straight back to its IOC entry.
# - target:src_ip marks the $HOME_NET source as the target of the event, i.e. the host to triage.
# - url rules: http.method must be GET. The http.uri content has depth equal to its own length and
#   no isdataat, so it is a case-insensitive prefix match. The http.host content is followed by
#   isdataat:!1,relative, so the whole Host value must equal the string. The destination is
#   $EXTERNAL_NET any: the match is on the Host header, not on the address connected to.
# - http.* keywords only see HTTP the sensor can parse; the same host reached over TLS would not
#   match unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"128.199.178.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.220.28.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264603; rev:1;)
# ip:port rules: no flow or payload keywords, so address and port alone decide the match, and only
# in the $HOME_NET -> listed address direction. The threshold (type limit, track by_src,
# seconds 60, count 1) is set per rule: one alert per internal source per 60 seconds per sid.
alert tcp $HOME_NET any -> [192.253.251.131] 1780 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264600; rev:1;)
# Meterpreter ip:port entries, all with first_seen 2024_04_30. Address/port indicators age:
# confirm a hit against the referenced IOC page and host telemetry before acting, especially for
# entries on ports that usually carry ordinary services (80, 443, 21 and 5432 appear below).
# Several addresses are listed with more than one port; each is a separate sid with its own threshold.
alert tcp $HOME_NET any -> [159.65.236.136] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264599; rev:1;)
alert tcp $HOME_NET any -> [88.255.228.65] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264590; rev:1;)
alert tcp $HOME_NET any -> [88.255.228.67] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264591; rev:1;)
alert tcp $HOME_NET any -> [88.255.228.71] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264592; rev:1;)
alert tcp $HOME_NET any -> [88.255.228.87] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264593; rev:1;)
alert tcp $HOME_NET any -> [188.166.233.47] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264594; rev:1;)
alert tcp $HOME_NET any -> [139.59.244.228] 9043 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264595; rev:1;)
alert tcp $HOME_NET any -> [152.42.162.206] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264596; rev:1;)
alert tcp $HOME_NET any -> [128.199.77.233] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264597; rev:1;)
alert tcp $HOME_NET any -> [134.209.93.75] 4546 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264598; rev:1;)
alert tcp $HOME_NET any -> [185.178.231.9] 42167 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264583; rev:1;)
alert tcp $HOME_NET any -> [185.178.231.9] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264584; rev:1;)
alert tcp $HOME_NET any -> [37.120.247.189] 5432 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264585; rev:1;)
alert tcp $HOME_NET any -> [156.247.10.49] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264586; rev:1;)
alert tcp $HOME_NET any -> [111.230.102.189] 10233 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264587; rev:1;)
alert tcp $HOME_NET any -> [194.76.225.12] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264588; rev:1;)
alert tcp $HOME_NET any -> [85.243.246.80] 11117 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264589; rev:1;)
alert tcp $HOME_NET any -> [192.210.243.200] 21 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264576; rev:1;)
alert tcp $HOME_NET any -> [101.35.153.30] 60030 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264577; rev:1;)
alert tcp $HOME_NET any -> [101.35.153.30] 61122 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264578; rev:1;)
alert tcp $HOME_NET any -> [147.45.75.169] 1234 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264579; rev:1;)
alert tcp $HOME_NET any -> [194.27.78.73] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264580; rev:1;)
alert tcp $HOME_NET any -> [91.212.166.11] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264581; rev:1;)
alert tcp $HOME_NET any -> [185.178.231.9] 37582 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264582; rev:1;)
alert tcp $HOME_NET any -> [80.78.23.130] 32579 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264567; rev:1;)
alert tcp $HOME_NET any -> [185.81.29.119] 888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264568; rev:1;)
alert tcp $HOME_NET any -> [88.255.228.75] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264569; rev:1;)
alert tcp $HOME_NET any -> [95.179.161.101] 8088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264570; rev:1;)
alert tcp $HOME_NET any -> [147.135.92.133] 9001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264571; rev:1;)
alert tcp $HOME_NET any -> [51.79.147.232] 8848 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264572; rev:1;)
alert tcp $HOME_NET any -> [51.79.147.232] 8849 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264573; rev:1;)
alert tcp $HOME_NET any -> [87.240.92.152] 8089 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264574; rev:1;)
alert tcp $HOME_NET any -> [124.117.212.178] 17885 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264575; rev:1;)
alert tcp $HOME_NET any -> [143.42.77.165] 4003 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264560; rev:1;)
alert tcp $HOME_NET any -> [124.156.213.48] 9190 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264561; rev:1;)
alert tcp $HOME_NET any -> [124.156.213.48] 9195 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264562; rev:1;)
alert tcp $HOME_NET any -> [106.14.90.167] 54321 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264563; rev:1;)
alert tcp $HOME_NET any -> [143.107.118.119] 1337 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264564; rev:1;)
alert tcp $HOME_NET any -> [194.164.198.171] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264565; rev:1;)
alert tcp $HOME_NET any -> [132.232.207.111] 2012 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264566; rev:1;)
alert tcp $HOME_NET any -> [124.221.85.42] 59326 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264550; rev:1;)
alert tcp $HOME_NET any -> [90.58.232.165] 2404 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264551; rev:1;)
alert tcp $HOME_NET any -> [106.249.249.42] 69 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264552; rev:1;)
alert tcp $HOME_NET any -> [123.56.214.38] 8520 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264553; rev:1;)
alert tcp $HOME_NET any -> [138.128.245.94] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264554; rev:1;)
alert tcp $HOME_NET any -> [94.237.26.141] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264555; rev:1;)
alert tcp $HOME_NET any -> [101.200.86.179] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264556; rev:1;)
alert tcp $HOME_NET any -> [134.195.90.65] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264557; rev:1;)
alert tcp $HOME_NET any -> [71.226.250.46] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264558; rev:1;)
alert tcp $HOME_NET any -> [143.42.77.165] 4001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264559; rev:1;)
alert tcp $HOME_NET any -> [23.168.152.123] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264541; rev:1;)
alert tcp $HOME_NET any -> [152.136.174.227] 111 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264542; rev:1;)
alert tcp $HOME_NET any -> [189.130.114.202] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264543; rev:1;)
alert tcp $HOME_NET any -> [189.130.114.202] 9090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264544; rev:1;)
alert tcp $HOME_NET any -> [122.10.12.198] 7777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264545; rev:1;)
alert tcp $HOME_NET any -> [122.10.12.198] 8866 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264546; rev:1;)
alert tcp $HOME_NET any -> [188.132.165.122] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264547; rev:1;)
alert tcp $HOME_NET any -> [45.120.177.168] 20491 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264548; rev:1;)
alert tcp $HOME_NET any -> [54.77.163.254] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264549; rev:1;)
alert tcp $HOME_NET any -> [8.134.151.154] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264533; rev:1;)
alert tcp $HOME_NET any -> [52.204.15.224] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264534; rev:1;)
alert tcp $HOME_NET any -> [5.181.23.2] 17482 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264535; rev:1;)
alert tcp $HOME_NET any -> [47.108.137.180] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264536; rev:1;)
alert tcp $HOME_NET any -> [69.197.135.34] 8000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264537; rev:1;)
alert tcp $HOME_NET any -> [69.197.135.34] 9999 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264538; rev:1;)
alert tcp $HOME_NET any -> [189.130.141.19] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264539; rev:1;)
alert tcp $HOME_NET any -> [189.130.141.19] 9090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264540; rev:1;)
alert tcp $HOME_NET any -> [180.168.35.68] 17885 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264526; rev:1;)
alert tcp $HOME_NET any -> [170.244.164.110] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264527; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.184] 1443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264528; rev:1;)
alert tcp $HOME_NET any -> [49.89.136.49] 7890 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264529; rev:1;)
alert tcp $HOME_NET any -> [148.135.35.177] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264530; rev:1;)
alert tcp $HOME_NET any -> [148.135.35.177] 90 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264531; rev:1;)
alert tcp $HOME_NET any -> [179.60.150.151] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264532; rev:1;)
alert tcp $HOME_NET any -> [111.42.219.3] 18002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264517; rev:1;)
alert tcp $HOME_NET any -> [123.60.148.51] 4621 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264518; rev:1;)
alert tcp $HOME_NET any -> [123.60.148.51] 4622 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264519; rev:1;)
alert tcp $HOME_NET any -> [90.188.237.87] 4443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264520; rev:1;)
alert tcp $HOME_NET any -> [45.61.136.150] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264521; rev:1;)
alert tcp $HOME_NET any -> [45.118.145.224] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264522; rev:1;)
alert tcp $HOME_NET any -> [88.214.24.119] 9393 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264523; rev:1;)
alert tcp $HOME_NET any -> [192.3.103.58] 20024 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264524; rev:1;)
alert tcp $HOME_NET any -> [154.92.22.143] 8088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264525; rev:1;)
alert tcp $HOME_NET any -> [65.108.5.194] 9043 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264511; rev:1;)
alert tcp $HOME_NET any -> [37.135.123.157] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264512; rev:1;)
alert tcp $HOME_NET any -> [45.145.43.140] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264513; rev:1;)
alert tcp $HOME_NET any -> [52.31.159.183] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264514; rev:1;)
alert tcp $HOME_NET any -> [88.255.228.74] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264515; rev:1;)
alert tcp $HOME_NET any -> [197.46.143.141] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264516; rev:1;)
alert tcp $HOME_NET any -> [112.74.55.109] 19002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264501; rev:1;)
alert tcp $HOME_NET any -> [112.74.55.109] 20002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264502; rev:1;)
alert tcp $HOME_NET any -> [206.42.37.212] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264503; rev:1;)
alert tcp $HOME_NET any -> [37.1.200.46] 4446 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264504; rev:1;)
alert tcp $HOME_NET any -> [18.141.129.246] 18080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264505; rev:1;)
alert tcp $HOME_NET any -> [144.76.155.4] 11117 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264506; rev:1;)
alert tcp $HOME_NET any -> [216.137.179.214] 1337 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264507; rev:1;)
alert tcp $HOME_NET any -> [51.161.194.168] 5 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264508; rev:1;)
alert tcp $HOME_NET any -> [146.70.54.90] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264509; rev:1;)
alert tcp $HOME_NET any -> [65.108.5.194] 8043 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264510; rev:1;)
alert tcp $HOME_NET any -> [39.108.246.91] 16202 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264498; rev:1;)
alert tcp $HOME_NET any -> [193.188.22.9] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264499; rev:1;)
alert tcp $HOME_NET any -> [112.74.55.109] 18602 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264500; rev:1;)
# The registrable part of the host below is volcgslb-mlt.com; "visualstudio.microsoft.com" is only
# a subdomain prefix. Read such names from the right when triaging the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"visualstudio.microsoft.com.volcgslb-mlt.com"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264497; rev:1;)
# Same method, URI and host options as sid:91264605 at the top of this span (IOC 1264605 vs
# 1264495): one matching request raises both alerts, so deduplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"finance.kumbaraan.biz.id"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264495; rev:1;)
# --- domain and URL indicators (first_seen 2024_04_30) ---
# Domain rules: dns_query (the legacy name of the dns.query buffer) with depth equal to
# the name length plus isdataat:!1,relative matches the queried name exactly, ignoring
# case. A subdomain is not covered by the rule for its parent; that is why
# arilyfarlico.ru and www.arilyfarlico.ru each have their own sid below.
# URL rules: GET only; http.uri is a case-insensitive prefix match (depth pins the
# start, nothing pins the end); http.host must equal the pattern in full. They apply
# only to traffic parsed as HTTP, so a TLS session to the same host is not inspected
# unless decrypted before the sensor.
# Neither rule shape has a threshold: every matching query or request alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance.kumbaraan.biz.id"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"breakingnews.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"breakingnews.kumbaraan.biz.id"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264494; rev:1;)
# sids 91264492, 91264490 and 91264489 have identical match conditions (GET /api/x...
# on host 124.220.148.63) and differ only in the ThreatFox IOC id, so one request
# raises three alerts. Deduplicate on host + URI downstream when counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.crnbchina.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.crnbchina.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264487; rev:1;)
# Confidence 80 here (msg and metadata agree); the neighbouring rules are at 100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"jyjgoyydia.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264481/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_30; classtype:trojan-activity; sid:91264481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8cgp/"; depth:6; nocase; http.host; content:"www.arilyfarlico.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arilyfarlico.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.arilyfarlico.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"herioscheats.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"xkoic3y.dekma-gay.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264482; rev:1;)
# ip:port rule: no flow or payload keywords, so any TCP packet from $HOME_NET to this
# IP and port matches; the threshold caps it at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [163.5.160.27] 51523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264480; rev:1;)
# --- domain indicators ---
# dns_query (legacy name of dns.query) + depth equal to the name length +
# isdataat:!1,relative = exact, case-insensitive match on the queried name; other
# labels under the same parent domain are not covered. No threshold, so every
# matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.secure-network-rebirthltd.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.secure-core-rebirthltd.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264476; rev:1;)
# vps.rebirth-network.su is matched by two rules with identical conditions
# (sid 91264477 here and sid 91264474 further down), so one query raises two alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.rebirth-network.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xysk5eeyj0j5n.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264473; rev:1;)
# Second rule for vps.rebirth-network.su (same conditions as sid 91264477).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264474; rev:1;)
# --- ip:port indicators, confidence 50, destination port 80 ---
# With no payload condition, any TCP traffic to these addresses on port 80 alerts.
# NOTE(review): at confidence 50 a hit is a lead to corroborate (host telemetry, the
# referenced IOC page), not a verdict; the address may serve unrelated content too.
alert tcp $HOME_NET any -> [5.182.87.218] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264472; rev:1;)
alert tcp $HOME_NET any -> [5.42.101.189] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; 
classtype:trojan-activity; sid:91264471; rev:1;)
# --- ip:port indicators, all at confidence 50 (first_seen 2024_04_30) ---
# Every rule in this run matches on destination IP and port alone: no flow state, no
# payload. "threshold: type limit, track by_src, seconds 60, count 1" allows one alert
# per source address per 60 seconds for each sid. The malware family in msg is the
# feed's attribution; nothing in the rule verifies the protocol spoken on the port.
# NOTE(review): confidence_level 50 in metadata can be used to route these to a
# lower-priority queue than the 100-level rules; confirm how the pipeline consumes it.
alert tcp $HOME_NET any -> [5.42.101.184] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264470; rev:1;)
alert tcp $HOME_NET any -> [45.204.153.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264469; rev:1;)
# 154.248.27.182 is listed on ten ports below, one sid each. The threshold is per
# rule, so a single internal host touching several of these ports can raise one alert
# per port within the same minute; group by destination IP when triaging.
alert tcp $HOME_NET any -> [154.248.27.182] 888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264468; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 6001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264467; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 22222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264466; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264465; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 993 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264464; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 17150 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264463; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 15284 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264462; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 56670 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264461; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 1200 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264460; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.14] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264459; rev:1;)
alert tcp $HOME_NET any -> [20.117.109.69] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264458; rev:1;)
# BianLian: two addresses, each listed on ports 5060 and 443. On 443 the sensor has
# only the IP and port to go on, so corroborate with endpoint or TLS metadata.
alert tcp $HOME_NET any -> [159.223.220.207] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264457; rev:1;)
alert tcp $HOME_NET any -> [159.223.220.207] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264456; rev:1;)
alert tcp $HOME_NET any -> [164.92.231.251] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264455; rev:1;)
alert tcp $HOME_NET any -> [164.92.231.251] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264454; rev:1;)
# --- mixed indicators, confidence 75 (first_seen 2024_04_30) ---
# Domain rules: dns_query (legacy name of dns.query) + depth + isdataat:!1,relative is
# an exact, case-insensitive match on the queried name, with no threshold.
# ip:port rules: destination IP and port only, one alert per source per 60 seconds.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyn777.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264453/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264453; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.185] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264452; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 39209 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264419/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264419; rev:1;)
# NOTE(review): ply.gg looks like a shared tunnelling-service domain; if so, the
# name is attacker-chosen but the infrastructure behind it is multi-tenant. Confirm
# before extending any block beyond this exact hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"analysis-minolta.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264420/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264420; rev:1;)
alert tcp $HOME_NET any -> [45.13.227.201] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264423/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264423; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.197] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264430; rev:1;)
# Same name as sid 91264482 earlier in the file, which carries confidence 100; a
# single query for it alerts under both sids with different confidence labels.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xkoic3y.dekma-gay.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264431; rev:1;)
# --- first_seen 2024_04_29 from here on ---
# URL rules: GET only; http.uri is a case-insensitive prefix match (depth pins the
# start of the URI, the end is open); http.host must equal the pattern in full.
# They apply only to traffic parsed as HTTP and have no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevmpipepythonjavascriptauthlocal.php"; depth:41; nocase; http.host; content:"994609cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264451; rev:1;)
# 45.32.196.110 appears twice: as an ip:port rule on 443 and as the Host value of the
# URL rule that follows. The URL rule fires only if the request is visible as
# cleartext HTTP; on an encrypted session to 443 only the ip:port rule can match.
alert tcp $HOME_NET any -> [45.32.196.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"45.32.196.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264449; rev:1;)
alert tcp $HOME_NET any -> [85.159.231.54] 80 (msg:"ThreatFox DCRat botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264448; rev:1;)
# --- ip:port indicators attributed by the feed to Vidar (first_seen 2024_04_29) ---
# Destination IP and port only; one alert per source address per 60 seconds per rule.
# The same three addresses reappear below as Host values of URL rules, so a cleartext
# HTTP request to one of them can alert under both rule types.
alert tcp $HOME_NET any -> [5.75.213.100] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264445; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.142] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264446; rev:1;)
alert tcp $HOME_NET any -> [49.12.115.59] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264447; rev:1;)
# --- URL and domain indicators ---
# URL rules: GET only; http.uri is a case-insensitive prefix match; http.host must
# equal the pattern in full; no threshold; cleartext HTTP only.
# Where the URI pattern is just "/" (depth:1), every URI satisfies it, so the rule is
# effectively "any GET whose Host is this value".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.115.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graims.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264444; rev:1;)
# steamcommunity.com is a shared public platform: the indicator is the profile path,
# not the host. The path is matched as a prefix, so a longer URI that begins with the
# same profile id also matches. Scope any response action to the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199680449169"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264440; rev:1;)
# t.me is likewise a shared platform, and "/r1g1o" is a six-byte prefix: any path on
# that host starting with those bytes matches, including unrelated longer names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r1g1o"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"graims.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264438; rev:1;)
# --- payload delivery URLs ---
# Same match shape as the C2 URL rules; only msg differs (classtype stays
# trojan-activity). A hit means a client requested the download location; whether a
# payload was returned or executed has to be checked in HTTP logs and on the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bim.msi"; depth:8; nocase; http.host; content:"185.219.220.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security_check/"; depth:16; nocase; http.host; content:"dimozti1.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264435; rev:1;)
# firebasestorage.googleapis.com is shared storage: the bucket and object path carry
# the signal. The pattern holds "%2f" literally; NOTE(review): confirm the sensor's
# URI normalisation leaves that escape intact, otherwise this rule cannot match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/case-419310.appspot.com/o/czczc1lrbt%2fdocument_b48_15w635167-5740247h6548-3238a9.js"; depth:90; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0948640.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264434; rev:1;)
# --- ip:port indicators on 443, confidence 75 (first_seen 2024_04_29) ---
# Destination IP and port only; one alert per source per 60 seconds. On an encrypted
# port the rule has nothing else to key on, so pair a hit with TLS or host evidence.
alert tcp $HOME_NET any -> [94.232.45.84] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264432; rev:1;)
# The family label here is "Unidentified 111 (Latrodectus)"; other entries in this
# file use plain "Latrodectus", so match on both strings when filtering by msg.
alert tcp $HOME_NET any -> [85.239.33.247] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264433; rev:1;)
# --- URL and domain indicators ---
# URL rules: GET only; http.uri is a case-insensitive prefix match; http.host must
# equal the pattern in full; cleartext HTTP only; no threshold.
# Domain rules: exact, case-insensitive match on the queried name; no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"192.252.182.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264429; rev:1;)
# The URI /dequeue/mqseries/d7w0gtjfy is listed under three hosts (lebondogicoin.com,
# ikea0.com, 91.238.181.230); the shared path is a useful pivot when hunting for the
# same URI on hosts not yet in the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"lebondogicoin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lebondogicoin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"ikea0.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikea0.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"91.238.181.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai-nro.space"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilio.pro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264422; rev:1;)
# --- ip:port indicators, confidence 50 ---
# Destination IP and port only; one alert per source per 60 seconds per rule.
# NOTE(review): at confidence 50, and with "Unknown malware" as the label on two of
# them, treat a hit as a lead to corroborate rather than a confirmed infection.
alert tcp $HOME_NET any -> [45.67.229.3] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264418; rev:1;)
alert tcp $HOME_NET any -> [104.238.161.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264417; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 995 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264416; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 502 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264415; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.14] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264414; rev:1;)
# ip:port indicators (QakBot, BianLian, Deimos), all confidence_level 50.
# These rules carry no flow or payload keywords: each alerts on any TCP packet
# from $HOME_NET to the listed destination address and port.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds; it does not narrow what is matched.
# A hit therefore shows only that a host contacted the address. Correlate with
# DNS, TLS and endpoint telemetry before treating it as an infection.
alert tcp $HOME_NET any -> [2.88.152.124] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264413; rev:1;)
# NOTE(review): the destination below ends in .0 and is written as a single
# address, so the rule matches that one host, not a /24. Confirm against the
# referenced ThreatFox entry.
alert tcp $HOME_NET any -> [78.167.159.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264412; rev:1;)
alert tcp $HOME_NET any -> [50.60.142.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264411; rev:1;)
alert tcp $HOME_NET any -> [164.92.231.251] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264410; rev:1;)
alert tcp $HOME_NET any -> [38.6.199.111] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264409; rev:1;)
alert tcp $HOME_NET any -> [77.68.73.99] 8080 
(msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264408; rev:1;) alert tcp $HOME_NET any -> [163.181.141.79] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264407; rev:1;) alert tcp $HOME_NET any -> [35.171.228.255] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264406; rev:1;) alert tcp $HOME_NET any -> [195.189.96.70] 27443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264405; rev:1;) alert tcp $HOME_NET any -> [38.207.179.24] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264404; rev:1;) alert tcp $HOME_NET any -> [95.179.159.107] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264403/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpollprotecttrafficwordpresslocaltempdownloads.php"; depth:57; nocase; http.host; content:"055442cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264402; rev:1;) alert tcp $HOME_NET any -> [47.243.26.247] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264400; rev:1;) alert tcp $HOME_NET any -> [47.243.26.247] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264401; rev:1;) alert tcp $HOME_NET any -> [8.210.220.109] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.99.188.195"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1264398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264398; rev:1;) alert tcp $HOME_NET any -> [47.99.188.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264397; rev:1;) alert tcp $HOME_NET any -> [39.104.66.132] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264395; rev:1;) alert tcp $HOME_NET any -> [124.220.148.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//api/x"; depth:7; nocase; http.host; content:"service-hh4fmtad-1321953982.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; 
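reference:url, threatfox.abuse.ch/ioc/1264392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264392; rev:1;)
# sid:91264393 is the DNS companion to the URL rule sid:91264392.
# Corrected pattern: the published content ended in "/" with depth:48.
# Together with isdataat:!1,relative, that required the query name itself to
# end in a slash, so a normal lookup of this hostname could not match.
# The content is now the bare hostname with depth:47, the same value and depth
# that sid:91264392 uses for http.host.
# This is a local edit to a feed-generated rule. Re-apply it after each ruleset
# refresh, or report the trailing slash to the feed maintainer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hh4fmtad-1321953982.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264393; rev:1;)
# Payload-delivery URL rules. http.uri is anchored at the start only (depth,
# with no isdataat), so longer paths and query strings after the listed prefix
# also match. The http.host content must be the whole buffer
# (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"dinets.best"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 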
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"pixelread.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"pixelread.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"pixelread.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/polldbsecureuploads/datalife21sql/58/5db/temporary4wordpress/image/videosecureauthbaseasynctrafficcdn.php"; depth:106; nocase; http.host; content:"85.159.231.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264391; rev:1;) alert tcp $HOME_NET any -> [150.95.109.27] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264125; rev:1;) alert tcp $HOME_NET any -> [85.60.29.68] 8889 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264124; rev:1;) alert tcp $HOME_NET any -> [93.123.85.113] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264117; rev:1;) alert tcp $HOME_NET any -> [154.197.110.188] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264118; rev:1;) alert tcp $HOME_NET any -> [31.220.1.44] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1264119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264119; rev:1;) alert tcp $HOME_NET any -> [154.197.110.191] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264120; rev:1;) alert tcp $HOME_NET any -> [93.123.85.112] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264121; rev:1;) alert tcp $HOME_NET any -> [94.156.248.20] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.245.13.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264123; rev:1;) alert tcp $HOME_NET any -> [92.63.176.42] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; 
sid:91264105; rev:1;) alert tcp $HOME_NET any -> [141.8.198.223] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264106; rev:1;) alert tcp $HOME_NET any -> [147.45.125.182] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264107; rev:1;) alert tcp $HOME_NET any -> [5.42.100.119] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264108; rev:1;) alert tcp $HOME_NET any -> [45.130.201.28] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"premium.davidabostic.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bot5239412158:aahxn8rc3uvbhy_kv77gticxcuvbuxckd_8/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264116; rev:1;)
# NOTE(review) on sid:91264116, which ends on the line above: it is an
# "alert http" rule, so it inspects parsed cleartext HTTP requests only.
# The Telegram Bot API is served over HTTPS, so without TLS decryption ahead of
# the sensor this rule is unlikely to see the request.
# The URI content is the bot-specific path prefix, matched with nocase. The host
# alone (api.telegram.org) is a shared legitimate service and is not an
# indicator by itself.
#
# The rules below share the URI prefix "/tmp/index.php" and differ only in
# http.host. All are confidence_level 75. http.uri is a prefix match (depth:14,
# not end-anchored); http.host must be the whole buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia-life.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264112/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"icebrasilpr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264111/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"h-c-v.ru"; depth:8; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1264110/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"cellc.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264109/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264109; rev:1;) alert tcp $HOME_NET any -> [162.218.115.202] 26392 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.135.5.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.101.205.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.98.115.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264000/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.98.204.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"23.95.233.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"38.55.97.170"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263998/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263998; rev:1;)
# "/supershell/login" URL rules, part of a longer run that differs only in the
# http.host value. All are confidence_level 75.
# Each rule needs three things: method GET, a URI that starts with
# "/supershell/login" (depth:17, not end-anchored), and an http.host buffer that
# is exactly the listed IP literal (depth plus isdataat:!1,relative).
# A request to the same server under a hostname, or over TLS without
# decryption, is not matched by these rules.
# A hit shows that a $HOME_NET client requested that login path on the listed
# host. Identify the requesting process or user before classifying the source
# as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"38.181.25.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"23.94.66.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263996/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.213.212.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.222.130.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"20.2.223.147"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.217.200.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.218.138.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.142.124.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.212.183.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"4.224.84.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.137.59.132"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.105.213.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.129.31.59"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264004; rev:1;)
# --- HTTP URL indicators: "/supershell/login" requested on IP-literal hosts ---
# Every rule in this run has the same shape; only the Host value, its depth,
# the ThreatFox IOC id in the reference and the sid differ.
#   * alert http + flow:established,from_client: client requests on an
#     established flow from $HOME_NET to $EXTERNAL_NET. Only traffic Suricata
#     parses as HTTP is inspected; TLS sessions to the same hosts are not
#     covered by these rules.
#   * http.method; content:"GET": the request method contains GET.
#   * http.uri; content:"/supershell/login"; depth:17; nocase: the URI starts
#     with this path, compared case-insensitively. There is no end anchor, so a
#     query string or longer path after the prefix still matches.
#   * http.host; content:"<ip>"; depth:<len>; isdataat:!1,relative: the host
#     buffer must be exactly the listed IP literal, with nothing after it.
#     NOTE(review): confirm how the deployed Suricata version fills http.host
#     when the request names a non-default port.
#   * target:src_ip: the $HOME_NET client is reported as the target side.
# No threshold keyword is set here, so every matching request raises an alert.
# metadata gives confidence_level 75 and first_seen 2024_04_29. These are
# IP-based indicators; check the referenced ThreatFox entry for its current
# status before acting on a hit.
# NOTE(review): msg names no malware family; the path looks like a Supershell
# panel login page -- confirm against the reference URL. A hit shows only that
# an internal client requested that path on a listed host, so triage it with
# host telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.139.113.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.143.112.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.143.130.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.153.207.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.163.240.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.198.238.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.98.158.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.94.88.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.98.188.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.108.204.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.113.219.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.242.8.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.242.95.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264019/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.233.206.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264020/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"52.26.153.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264021/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"54.202.238.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"60.204.232.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"62.234.26.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"74.48.60.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264025/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"97.74.93.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.34.243.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.37.13.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264028/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.200.214.198"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264029/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"103.106.190.156"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264030/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"103.209.129.193"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"106.75.66.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.16.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.151.245.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.141.153"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.196.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.173.201.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.174.93.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.174.254.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"110.40.139.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.173.117.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.223.247.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.223.247.232"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.231.145.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"114.55.100.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"114.115.180.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264047/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"116.255.216.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264048/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.9.31"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.38.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264050/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.64.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.74.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.123.1.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.29.249.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.45.17.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.45.219.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264056/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"120.26.224.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"120.46.39.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264058/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"120.46.59.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264059/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.36.61.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.36.105.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264061/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.36.219.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.199.78.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.114.26.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264064/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.56.214.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264065/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.57.3.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.57.137.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.207.16.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264068/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.249.35.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264069/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.249.87.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.70.143.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264071/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.221.56.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264072/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.9.65.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264073/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.199.2.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264075/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.9.117.78"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264074/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"146.56.214.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264076/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"146.56.237.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264077/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"150.109.241.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"152.32.219.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"154.12.90.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"159.75.180.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.214.135.90"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.214.135.105"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264083/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264084/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264086/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264094/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.122"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264098/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264101/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.125"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.91.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264102/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.134.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.139.52.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263982; rev:1;) alert tcp $HOME_NET any -> [47.120.52.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263981; rev:1;) alert tcp $HOME_NET any -> [42.193.128.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"42.193.128.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.206.115.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263978; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 55554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.gfyl.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"162.14.73.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"35.229.251.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263973; rev:1;) alert tcp $HOME_NET any -> [134.122.130.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263971/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263970; rev:1;) alert tcp $HOME_NET any -> [134.122.130.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"134.122.130.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263968; rev:1;) alert tcp $HOME_NET any -> [20.150.193.240] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263965; rev:1;) alert tcp $HOME_NET any -> [87.120.84.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263966/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263966; rev:1;) alert tcp $HOME_NET any -> [193.233.132.22] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yi3h"; depth:5; nocase; http.host; content:"47.243.59.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263964; rev:1;) alert tcp $HOME_NET any -> [124.223.176.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263962; rev:1;) alert tcp $HOME_NET any -> [152.136.128.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263963; rev:1;) alert tcp $HOME_NET any -> [117.72.38.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263961; rev:1;) alert tcp $HOME_NET 
any -> [101.34.71.193] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263960; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263957; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263958; rev:1;) alert tcp $HOME_NET any -> [97.74.93.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263959; rev:1;) alert tcp $HOME_NET any -> [192.227.146.240] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263950; rev:1;) alert tcp $HOME_NET any -> [195.128.249.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263951; rev:1;) alert tcp $HOME_NET any -> [198.46.190.54] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263952; rev:1;) alert tcp $HOME_NET any -> [202.44.54.13] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263953; rev:1;) alert tcp $HOME_NET any -> [211.97.157.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263954; rev:1;) alert tcp $HOME_NET any -> [211.97.157.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263955; rev:1;) alert tcp $HOME_NET any -> [211.97.157.214] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263956; rev:1;) alert tcp $HOME_NET any -> 
[180.101.25.48] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263945; rev:1;) alert tcp $HOME_NET any -> [185.230.228.136] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263946; rev:1;) alert tcp $HOME_NET any -> [185.230.228.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263947; rev:1;) alert tcp $HOME_NET any -> [185.230.228.141] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263948; rev:1;) alert tcp $HOME_NET any -> [192.187.126.122] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263949; rev:1;) alert tcp $HOME_NET any -> [154.12.62.33] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263939; rev:1;) alert tcp $HOME_NET any -> [154.205.138.88] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263940; rev:1;) alert tcp $HOME_NET any -> [154.205.138.170] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263941; rev:1;) alert tcp $HOME_NET any -> [154.222.233.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263942; rev:1;) alert tcp $HOME_NET any -> [162.14.69.252] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263943; rev:1;) alert tcp $HOME_NET any -> [167.88.177.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263944; rev:1;) alert tcp $HOME_NET any -> 
[141.11.209.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263931; rev:1;) alert tcp $HOME_NET any -> [141.164.43.11] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263932; rev:1;) alert tcp $HOME_NET any -> [142.171.80.217] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263933; rev:1;) alert tcp $HOME_NET any -> [149.88.77.142] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263934; rev:1;) alert tcp $HOME_NET any -> [149.104.24.126] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263935; rev:1;) alert tcp $HOME_NET any -> [149.104.31.71] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263936; rev:1;) alert tcp $HOME_NET any -> [150.158.116.244] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263937; rev:1;) alert tcp $HOME_NET any -> [154.8.182.3] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263938; rev:1;) alert tcp $HOME_NET any -> [124.221.38.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263926; rev:1;) alert tcp $HOME_NET any -> [124.222.125.194] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263927; rev:1;) alert tcp $HOME_NET any -> [125.122.27.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263928; rev:1;) alert tcp $HOME_NET any -> 
[129.226.215.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263929; rev:1;) alert tcp $HOME_NET any -> [139.159.253.83] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263930; rev:1;) alert tcp $HOME_NET any -> [122.51.223.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263920; rev:1;) alert tcp $HOME_NET any -> [123.56.214.38] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263921; rev:1;) alert tcp $HOME_NET any -> [123.60.104.67] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263922; rev:1;) alert tcp $HOME_NET any -> [123.249.100.205] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263923; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263924; rev:1;) alert tcp $HOME_NET any -> [124.220.70.112] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263925; rev:1;) alert tcp $HOME_NET any -> [119.91.49.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263912; rev:1;) alert tcp $HOME_NET any -> [120.78.133.59] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263913; rev:1;) alert tcp $HOME_NET any -> [120.78.147.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263914; rev:1;) alert tcp $HOME_NET any -> 
[121.36.61.185] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263915; rev:1;) alert tcp $HOME_NET any -> [121.40.131.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263916; rev:1;) alert tcp $HOME_NET any -> [121.40.201.213] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263917; rev:1;) alert tcp $HOME_NET any -> [121.127.252.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263918; rev:1;) alert tcp $HOME_NET any -> [121.196.154.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263919; rev:1;) alert tcp $HOME_NET any -> [111.231.145.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263905; rev:1;) alert tcp $HOME_NET any -> [112.74.99.79] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263906; rev:1;) alert tcp $HOME_NET any -> [116.204.211.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263907; rev:1;) alert tcp $HOME_NET any -> [117.72.13.191] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263908; rev:1;) alert tcp $HOME_NET any -> [118.24.35.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263909; rev:1;) alert tcp $HOME_NET any -> [118.89.72.87] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263910; rev:1;) alert tcp $HOME_NET any -> [119.3.157.129] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263911; rev:1;) alert tcp $HOME_NET any -> [103.146.179.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263899; rev:1;) alert tcp $HOME_NET any -> [103.147.13.101] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263900; rev:1;) alert tcp $HOME_NET any -> [104.167.222.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263901; rev:1;) alert tcp $HOME_NET any -> [106.75.30.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263902; rev:1;) alert tcp $HOME_NET any -> [109.107.140.195] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263903; rev:1;) alert tcp $HOME_NET any -> [110.41.46.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263904; rev:1;) alert tcp $HOME_NET any -> [101.42.247.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263895; rev:1;) alert tcp $HOME_NET any -> [101.200.121.185] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263896; rev:1;) alert tcp $HOME_NET any -> [101.200.214.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263897; rev:1;) alert tcp $HOME_NET any -> [103.140.249.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263898; rev:1;) alert tcp $HOME_NET any -> 
[61.164.242.162] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263890; rev:1;) alert tcp $HOME_NET any -> [65.49.202.75] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263891; rev:1;) alert tcp $HOME_NET any -> [72.18.214.132] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263892; rev:1;) alert tcp $HOME_NET any -> [74.48.183.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263893; rev:1;) alert tcp $HOME_NET any -> [82.156.175.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263894; rev:1;) alert tcp $HOME_NET any -> [47.108.69.93] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263883; rev:1;) alert tcp $HOME_NET any -> [47.108.204.218] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263884; rev:1;) alert tcp $HOME_NET any -> [47.109.69.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263885; rev:1;) alert tcp $HOME_NET any -> [47.116.222.232] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263886; rev:1;) alert tcp $HOME_NET any -> [47.120.74.19] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263887; rev:1;) alert tcp $HOME_NET any -> [47.122.41.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263888; rev:1;) alert tcp $HOME_NET any -> [47.122.62.76] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263889; rev:1;) alert tcp $HOME_NET any -> [43.138.148.100] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263874; rev:1;) alert tcp $HOME_NET any -> [43.139.67.72] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263875; rev:1;) alert tcp $HOME_NET any -> [43.142.18.154] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263876; rev:1;) alert tcp $HOME_NET any -> [43.143.165.189] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263877; rev:1;) alert tcp $HOME_NET any -> [45.76.183.211] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263878; rev:1;) alert tcp $HOME_NET any -> [45.76.204.225] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263879; rev:1;) alert tcp $HOME_NET any -> [45.145.43.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263880; rev:1;) alert tcp $HOME_NET any -> [45.152.64.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263881; rev:1;) alert tcp $HOME_NET any -> [47.94.96.157] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263882; rev:1;) alert tcp $HOME_NET any -> [38.55.234.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263862; rev:1;) alert tcp $HOME_NET any -> [38.55.235.60] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263863; rev:1;) alert tcp $HOME_NET any -> [38.181.57.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263864; rev:1;) alert tcp $HOME_NET any -> [38.181.78.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263865; rev:1;) alert tcp $HOME_NET any -> [38.242.201.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263866; rev:1;) alert tcp $HOME_NET any -> [39.99.226.34] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263867; rev:1;) alert tcp $HOME_NET any -> [39.100.80.109] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263868; rev:1;) alert tcp $HOME_NET any -> [39.107.252.211] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263869; rev:1;) alert tcp $HOME_NET any -> [39.164.4.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263870; rev:1;) alert tcp $HOME_NET any -> [42.193.10.78] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263871; rev:1;) alert tcp $HOME_NET any -> [43.129.26.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263872; rev:1;) alert tcp $HOME_NET any -> [43.136.86.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263873; rev:1;) alert tcp $HOME_NET any -> [23.91.97.35] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263850; rev:1;) alert tcp $HOME_NET any -> [23.225.145.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263851; rev:1;) alert tcp $HOME_NET any -> [23.225.145.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263852; rev:1;) alert tcp $HOME_NET any -> [23.225.145.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263853; rev:1;) alert tcp $HOME_NET any -> [23.225.145.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263854; rev:1;) alert tcp $HOME_NET any -> [23.225.145.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263855; rev:1;) alert tcp $HOME_NET any -> [34.121.199.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263856; rev:1;) alert tcp $HOME_NET any -> [35.93.178.73] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263857; rev:1;) alert tcp $HOME_NET any -> [36.133.104.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263858; rev:1;) alert tcp $HOME_NET any -> [36.213.14.43] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263859; rev:1;) alert tcp $HOME_NET any -> [38.6.216.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263860; rev:1;) alert tcp $HOME_NET any -> [38.12.30.105] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263861; rev:1;) alert tcp $HOME_NET any -> [1.94.183.97] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263840; rev:1;) alert tcp $HOME_NET any -> [8.130.114.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263841; rev:1;) alert tcp $HOME_NET any -> [8.130.126.41] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263842; rev:1;) alert tcp $HOME_NET any -> [8.130.165.254] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263843; rev:1;) alert tcp $HOME_NET any -> [8.134.57.136] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263844/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263844; rev:1;) alert tcp $HOME_NET any -> [8.138.21.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263845; rev:1;) alert tcp $HOME_NET any -> [8.138.87.249] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263846; rev:1;) alert tcp $HOME_NET any -> [8.149.142.195] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263847; rev:1;) alert tcp $HOME_NET any -> [8.210.53.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263848; rev:1;) alert tcp $HOME_NET any -> [8.219.161.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263849; rev:1;) alert tcp $HOME_NET any -> [1.92.112.211] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263839; rev:1;)
# Named-family ip:port indicators (Remcos, then DarkComet).
# These rules carry no flow or payload condition: any TCP packet from $HOME_NET to the
# listed address and port matches, including a connection attempt that is never answered.
# threshold (type limit, track by_src, seconds 60, count 1) emits at most one alert per
# source host per 60 seconds for each sid.
alert tcp $HOME_NET any -> [192.3.216.140] 22337 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263838; rev:1;)
# DarkComet: seven sids share the destination 187.135.142.149 (ports 2052, 1670, 1723,
# 1883, 2004, 2086, 2222) and two share 187.135.138.104 (ports 1801, 2077). Grouping
# alerts by destination address during triage keeps one host's traffic from being
# counted as nine separate findings.
# Ports such as 1723 and 1883 are also assigned to ordinary services; the rules fire
# only for the listed address, so the port number on its own is not an indicator.
alert tcp $HOME_NET any -> [187.135.142.149] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263837; rev:1;)
alert tcp $HOME_NET any -> [187.135.142.149] 1670 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263833; rev:1;)
alert tcp $HOME_NET any -> [187.135.142.149] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263834; rev:1;)
alert tcp $HOME_NET any -> [187.135.142.149] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263835; rev:1;)
alert tcp $HOME_NET any -> [187.135.142.149] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263836; rev:1;)
alert tcp $HOME_NET any -> [187.135.142.149] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263831; rev:1;)
alert tcp $HOME_NET any -> [187.135.142.149] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263832; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.104] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263829; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.104] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263830; rev:1;)
alert tcp $HOME_NET any -> [187.21.210.99] 8085 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263828; rev:1;)
# ip:port indicators for DCRat and Venom RAT. No flow or payload condition: any TCP
# packet from $HOME_NET to the listed address and port matches. threshold caps output
# at one alert per source host per 60 seconds for each sid.
alert tcp $HOME_NET any -> [123.207.198.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263827; rev:1;)
alert tcp $HOME_NET any -> [157.254.223.10] 8085 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263826; rev:1;)
alert tcp $HOME_NET any -> [111.173.116.29] 8541 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263825; rev:1;)
# Domain indicator. dns_query selects the DNS query-name buffer. content with depth:43
# (the length of the string) plus isdataat:!1,relative requires the whole query name to
# equal the string, so a subdomain of it or a longer name does not match; nocase makes
# the comparison case-insensitive. The rule has no threshold, so every matching query alerts.
# The name begins with "visualstudio.microsoft.com." but the registered domain is
# volcgslb-mlt.com; an allowlist that tests only for a trusted prefix or substring
# would let it through.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visualstudio.microsoft.com.volcgslb-mlt.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263823; rev:1;)
# ip:port indicator on port 80: the match is on the address alone, on a port that also
# carries ordinary web traffic. The same holds for sids 91263819 and 91263814 (port 443)
# below; if such an address is shared hosting, benign sessions to it alert as well.
alert tcp $HOME_NET any -> [39.100.109.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263824; rev:1;)
# URL indicator for the same host name as the dns rule above.
# flow:established,from_client restricts it to client-to-server data on an established
# connection. Three buffers are tested: http.method contains "GET"; http.uri starts with
# "/mall_100_100.html" (depth:18, nocase; no end anchor, so a longer URI with that prefix
# still matches); http.host equals the host name exactly (depth:43 + isdataat:!1,relative).
# No threshold is set. The rule needs a parsed HTTP request, so a request carried inside
# TLS is presumably invisible to it unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"visualstudio.microsoft.com.volcgslb-mlt.com"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263822; rev:1;)
# ip:port indicators for Quasar RAT, AsyncRAT, Cobalt Strike, Sliver and one unattributed
# entry. Same shape as the DCRat / Venom RAT rules at the top of this group.
# Cobalt Strike and Sliver also see use in authorised adversary-emulation work; the feed
# labels these addresses as botnet C2, so check for a scheduled exercise during triage.
alert tcp $HOME_NET any -> [202.188.41.26] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263821; rev:1;)
alert tcp $HOME_NET any -> [181.162.156.123] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263820; rev:1;)
alert tcp $HOME_NET any -> [121.184.1.234] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263819; rev:1;)
alert tcp $HOME_NET any -> [45.144.30.147] 4747 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263818; rev:1;)
alert tcp $HOME_NET any -> [78.185.140.143] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263817; rev:1;)
alert tcp $HOME_NET any -> [41.43.199.238] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263816; rev:1;)
alert tcp $HOME_NET any -> [194.147.115.133] 9282 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263815; rev:1;)
alert tcp $HOME_NET any -> [159.223.219.19] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263814; rev:1;)
alert tcp $HOME_NET any -> [128.90.159.240] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263813; rev:1;)
alert tcp $HOME_NET any -> [128.90.128.169] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263812/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263812; rev:1;)
# --- URL rules with a literal-IP Host header ----------------------------------------------
# The http.uri content is anchored only at the start (depth, no isdataat on that buffer) and
# compared with nocase; http.host is an exact match (depth + isdataat:!1,relative).
# NOTE(review): paths such as /ga.js, /__utm.gif, /pixel.gif and /dot.gif look like analytics
# beacons and would be common on benign sites; the http.host condition is what keeps these
# rules specific, so do not relax it when tuning. The msg names no malware family - use the
# reference URL or the ip:port rule for the same address when triaging.
# Where an ip:port rule exists for the same address (91.92.251.108 on port 80 below), one
# cleartext GET can raise both sids; correlate them rather than counting two detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"91.92.251.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263811; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263810; rev:1;)
# The next two rules carry confidence_level 75 (most neighbours are 100).
# NOTE(review): consider routing on the metadata value so lower-confidence hits are triaged
# separately.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apolovapers.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263758; rev:1;)
alert tcp $HOME_NET any -> [46.226.160.88] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263801; rev:1;)
# ip:port rules have no flow or payload keyword: any TCP packet from $HOME_NET to the address
# and port matches, limited to one alert per source per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [91.92.247.164] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263809; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.12] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263808; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263806; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.244] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263804; rev:1;)
alert tcp $HOME_NET any -> [78.142.18.164] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263802; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.20] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263800; rev:1;)
# Three URL rules share the host 134.122.75.115 (sids 91263799, 91263797, 91263796) and differ
# only in the path prefix; group them by host when reviewing alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263799; rev:1;)
alert tcp $HOME_NET any -> [51.159.234.90] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263796; rev:1;)
# confidence_level 75 on the next rule.
alert tcp $HOME_NET any -> [216.250.252.159] 50545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.120.178.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1263793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263793; rev:1;)
# --- Mixed ip:port, DNS and URL rules -----------------------------------------------------
# ip:port rules match any TCP packet from $HOME_NET to the listed address and port (no flow or
# payload keyword), rate-limited to one alert per source per 60 seconds; treat a hit as a
# connection attempt and confirm with flow data.
# DNS rules use dns_query, the older spelling of the dns.query buffer. depth equal to the name
# length plus isdataat:!1,relative makes each one an exact, case-insensitive name match, so
# sibling or child names are not covered. NOTE(review): queries sent over DoH/DoT would not be
# visible to these rules - confirm resolver policy on the monitored network.
alert tcp $HOME_NET any -> [45.120.178.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263792; rev:1;)
alert tcp $HOME_NET any -> [14.225.219.252] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263791; rev:1;)
# The 3-byte path "/cx" is a prefix match (depth:3, no end anchor on http.uri), so any path
# starting with those bytes on this host matches; the exact http.host match carries the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"142.171.51.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263790; rev:1;)
alert tcp $HOME_NET any -> [142.171.51.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263789; rev:1;)
alert tcp $HOME_NET any -> [148.135.36.77] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24kawys.onflashdrive.app"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263787; rev:1;)
alert tcp $HOME_NET any -> [193.134.209.59] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263786; rev:1;)
alert tcp $HOME_NET any -> [149.104.25.85] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263784; rev:1;)
alert tcp $HOME_NET any -> [149.104.25.85] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.nawwan.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263783; rev:1;)
alert tcp $HOME_NET any -> [45.152.64.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263782; rev:1;)
alert tcp $HOME_NET any -> [38.147.170.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263781; rev:1;)
# Same host in a DNS rule and a URL rule (sids 91263780 and 91263779). The DNS rule matches the
# exact name; the URL rule needs a cleartext GET whose path starts with the 51-byte prefix.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faceboy.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/udv4kciwnyksdzob3mbtibdhlviceevlp"; depth:51; nocase; http.host; content:"faceboy.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"149.88.82.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263776; rev:1;)
alert tcp $HOME_NET any -> [149.88.82.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263775; rev:1;)
alert tcp $HOME_NET any -> [34.65.208.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263774; rev:1;)
alert tcp $HOME_NET any -> [107.191.57.190] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263773; rev:1;)
# Destination port 445 on the next rule. NOTE(review): outbound 445 to an external address is
# usually blocked at the perimeter; a hit here would also point to a gap in egress filtering -
# verify against the firewall policy.
alert tcp $HOME_NET any -> [64.176.56.196] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263772; rev:1;)
# --- ip:port signatures -------------------------------------------------------------------
# No flow or payload keyword is present, so each rule matches any TCP packet from $HOME_NET to
# the listed address and port; the threshold option caps it at one alert per source address per
# 60 seconds. Several destinations use common service ports (443, 8080), so an alert depends
# entirely on the address still being attacker-controlled. first_seen is 2024_04_29 throughout
# and the rules carry no expiry field - age the indicators out on the consuming side.
alert tcp $HOME_NET any -> [207.154.255.140] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263771; rev:1;)
alert tcp $HOME_NET any -> [207.154.242.220] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263770; rev:1;)
# confidence_level 75 on the next rule.
alert tcp $HOME_NET any -> [103.14.226.21] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263769; rev:1;)
alert tcp $HOME_NET any -> [142.93.43.244] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263768; rev:1;)
alert tcp $HOME_NET any -> [47.237.93.202] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263767; rev:1;)
alert tcp $HOME_NET any -> [8.219.156.34] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263766; rev:1;)
# Exact-name DNS match (depth:13 + isdataat:!1,relative): only "www.prsix.xyz" matches, not the
# bare domain or other names under it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.prsix.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263765; rev:1;)
alert tcp $HOME_NET any -> [8.217.109.157] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263764; rev:1;)
alert tcp $HOME_NET any -> [185.73.125.96] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263763; rev:1;)
alert tcp $HOME_NET any -> [123.60.182.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263762; rev:1;)
alert tcp $HOME_NET any -> [121.36.226.214] 5556 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.170.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263760; rev:1;)
alert tcp $HOME_NET any -> [60.204.170.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263759; rev:1;)
alert tcp $HOME_NET any -> [195.201.248.34] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263755; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.142] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263756; rev:1;)
# URL rules with http.uri content:"/" and depth:1: every origin-form request path starts with
# "/", so the URI condition adds nothing and the rule is effectively "any cleartext GET whose
# Host is exactly this address". The isdataat:!1,relative anchor applies to http.host only.
# NOTE(review): the same addresses appear in ip:port rules on ports 443, 5432 and 9000; confirm
# how the sensor's http.host buffer treats a Host header with an explicit ":port", because the
# match requires the buffer to end right after the address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263751; rev:1;)
alert tcp $HOME_NET any -> [95.217.245.42] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263752; rev:1;)
alert tcp $HOME_NET any -> [128.140.8.170] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263753; rev:1;)
alert tcp $HOME_NET any -> [116.202.178.41] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.248.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.178.41"; depth:14; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1263749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263749; rev:1;)
# The next two URL rules use http.uri content:"/" with depth:1. Every origin-form request path
# starts with "/", so they reduce to "any cleartext GET whose Host is exactly this address";
# the isdataat:!1,relative anchor belongs to the http.host match, not to the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.8.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.245.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263747; rev:1;)
# NOTE(review): the host in the next two rules looks like a per-service name on a shared
# API-gateway domain - confirm. Both rules anchor on the complete 47-byte name (depth:47 +
# isdataat:!1,relative), so other names under tencentapigw.com do not match; keep that
# anchoring if the rule is ever edited locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/interface/picture/get"; depth:22; nocase; http.host; content:"service-rkcvh0tf-1252325407.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-rkcvh0tf-1252325407.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263746; rev:1;)
# ip:port rules: no flow or payload keyword, so any TCP packet from $HOME_NET to the address
# and port matches, limited to one alert per source per 60 seconds. A hit is a connection
# attempt; confirm session details from flow logs. Where a URL rule exists for the same
# address (120.55.100.239, 47.109.134.131, 47.98.110.166, 175.178.49.159 below), one cleartext
# GET on port 80 can raise both sids.
alert tcp $HOME_NET any -> [121.43.168.17] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263744; rev:1;)
# Short path prefixes ("/ptj", "/ca", "/load", "/cx") are matched from the start of http.uri
# with no end anchor and with nocase; specificity comes from the exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.55.100.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263743; rev:1;)
alert tcp $HOME_NET any -> [120.55.100.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263742; rev:1;)
alert tcp $HOME_NET any -> [118.31.104.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263741; rev:1;)
alert tcp $HOME_NET any -> [114.55.112.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.134.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263739; rev:1;)
alert tcp $HOME_NET any -> [47.109.134.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.98.110.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263737; rev:1;)
alert tcp $HOME_NET any -> [47.98.110.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuitikun.onflashdrive.app"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263735; rev:1;)
alert tcp $HOME_NET any -> [8.137.102.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263733; rev:1;)
alert tcp $HOME_NET any -> [8.137.102.132] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"175.178.49.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263732; rev:1;)
alert tcp $HOME_NET any -> [38.45.200.163] 3824 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263731; rev:1;)
alert tcp $HOME_NET any -> [175.178.49.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263730; rev:1;)
alert tcp $HOME_NET any -> [150.158.181.243] 15443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263729/; target:src_ip; metadata: confidence_level
100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.223.213.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263728; rev:1;) alert tcp $HOME_NET any -> [124.223.213.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263726; rev:1;) alert tcp $HOME_NET any -> [124.223.213.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263727; rev:1;) alert tcp $HOME_NET any -> [124.222.57.223] 64444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263725; rev:1;) alert tcp $HOME_NET any -> [124.222.57.223] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263724; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.221.37.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263723; rev:1;) alert tcp $HOME_NET any -> [124.221.37.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.195.209.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263721; rev:1;) alert tcp $HOME_NET any -> [118.195.209.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263720; rev:1;) alert tcp $HOME_NET any -> [118.25.173.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"106.54.211.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263718; rev:1;) alert tcp $HOME_NET any -> [106.54.211.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263717; rev:1;) alert tcp $HOME_NET any -> [101.35.255.91] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263716; rev:1;) alert tcp $HOME_NET any -> [43.138.0.3] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263593; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263591; rev:1;) alert tcp $HOME_NET any -> [80.66.89.161] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263592; rev:1;) alert tcp $HOME_NET any -> [185.172.128.150] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263296; rev:1;) alert tcp $HOME_NET any -> [185.172.128.151] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asero23.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263307; rev:1;) alert tcp $HOME_NET any -> [80.66.89.165] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/delta-io/delta/files/15016110/delta.zip"; depth:40; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kampfkarren/roblox/files/15001743/roexec.zip"; depth:45; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deltaexploits.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"roexec.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263600; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263601; rev:1;) alert tcp $HOME_NET any -> [80.66.89.146] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"legendsworld.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilio.network"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retardedclassmate.dyn"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whitepeopleonly.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servernoworky.geek"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263714; rev:1;) alert tcp $HOME_NET any -> [103.216.51.35] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263710; rev:1;) alert tcp $HOME_NET any -> [185.241.208.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263709; rev:1;) alert tcp $HOME_NET any -> [38.55.97.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263708; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 55295 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263707; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18351 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263706; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 16501 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263704; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18082 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263705; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2434 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263703; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 46829 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263701; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263702; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 34540 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263700; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 15443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263698; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 29144 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263699; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263696; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 13760 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263697; rev:1;) 
# ThreatFox ip:port indicators attributed to DCRat. The 40 rules in this run all name
# the single address 154.248.27.182, one rule per destination port
# (confidence_level 50, first_seen 2024_04_29).
#
# What each rule matches: TCP from $HOME_NET to that address and port. There is no flow
# or content keyword, so the match rests on the address/port pair alone; presumably an
# unanswered connection attempt alerts as well as an established session.
#
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at one alert
# per source host per 60 seconds. The cap is per sid, so a host that touches several of
# these ports still raises one alert for each port.
#
# target:src_ip marks the internal host as the affected side of the event.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9.
#
# NOTE(review): one address reported on this many ports at confidence 50, including
# ports of common services (23, 389, 445, 3306, 5060), looks more like a host that
# answers on every port than 40 separate C2 listeners. Confirm against the ThreatFox
# entries, and corroborate a hit with endpoint or DNS/HTTP telemetry before treating it
# as a confirmed infection.
alert tcp $HOME_NET any -> [154.248.27.182] 6005 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263695; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 62422 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263693; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 4369 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263694; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 23019 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263691; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 36161 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263692; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 2323 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263690; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 1723 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263688; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 2096 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263689; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 23 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263686; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 389 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263687; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 52101 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263685; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 4840 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263683; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 10298 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263684; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 6009 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263681; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 28987 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263682; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 3306 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263680; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 41115 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263678; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 62757 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263679; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 2281 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263677; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 319 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263676; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 19181 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263674; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 61753 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263675; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 18084 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263673; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 52200 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263671; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 56512 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263672; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 5060 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263669; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 25290 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263670; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 51445 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263667; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 3318 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263668; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 830 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263666; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 12881 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263664; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 20815 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263665; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 5672 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263662; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 10258 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263663; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263661; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 33389 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263659; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 28983 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263660; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 5061 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263657/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263657; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263658; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 445 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263655; rev:1;)
# ThreatFox C2 indicator rules, laid out one rule per line.
# Every rule alerts on traffic from $HOME_NET towards an external indicator and
# sets target:src_ip, i.e. the internal host is reported as the alert target.
#
# Rule shapes used below:
#   ip:port - "alert tcp ... -> [IP] PORT" with no flow or content options, so
#             the match is on destination address and port alone;
#             "threshold: type limit, track by_src, seconds 60, count 1" caps
#             alerts at one per source host per 60 seconds.
#   url     - established client-to-server HTTP GET whose URI begins with the
#             listed path (depth equals the path length, nocase) and whose
#             http.host is exactly the listed value (depth plus
#             isdataat:!1,relative). These rules carry no threshold option.
#   domain  - DNS query name exactly equal to the listed name, case-insensitive.
#             dns_query is the legacy spelling of dns.query; the url rules
#             already use the dotted sticky-buffer names.
#
# Triage notes:
#   - An ip:port hit says only that a host contacted that address and port.
#     Rules at confidence_level 50, especially on common ports such as 80, 443
#     or 445, need corroboration (proxy, DNS or endpoint telemetry) before the
#     source host is treated as compromised.
#   - first_seen is presumably the date ThreatFox first recorded the indicator;
#     it does not show the address is still in use - check the reference URL.
#   - The same indicator can appear in more than one rule (for example the url
#     and domain rules for www.rollupdate.com), so one host may raise several
#     sids for a single infection.

# DCRat ip:port rules for 154.248.27.182 (confidence_level 50, first_seen
# 2024_04_29). The 31 rules differ only in destination port and ThreatFox id.
# NOTE(review): this many ports on one address may come from a scan-derived
# listing rather than 31 separate listeners - confirm against the references.
alert tcp $HOME_NET any -> [154.248.27.182] 2077 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263656; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 53419 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263654; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 11112 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263652; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 18260 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263653; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 6697 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263650; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 7704 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263651; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 6006 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263649; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 56910 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263647; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 58000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263648; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 34365 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263646; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 49152 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263644; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 5905 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263645; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 20547 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263642; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 35062 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263643; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 8008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263640; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 9024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263641; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 61616 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263639; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 9508 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263637; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 53151 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263638; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 6699 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263636; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263634; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 2762 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263635; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 831 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263633; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 11261 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263632; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 18245 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263630; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 49664 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263631; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 41909 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263628; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 8159 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263629; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 26350 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263627; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 5900 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263625; rev:1;)
alert tcp $HOME_NET any -> [154.248.27.182] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263626; rev:1;)

# Other ip:port indicators with first_seen 2024_04_29. All are
# confidence_level 50 except the AsyncRAT entry, which is 100.
alert tcp $HOME_NET any -> [41.96.94.231] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263624; rev:1;)
alert tcp $HOME_NET any -> [185.244.208.251] 16013 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263623; rev:1;)
alert tcp $HOME_NET any -> [98.98.119.98] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263622; rev:1;)
alert tcp $HOME_NET any -> [163.181.88.76] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263621; rev:1;)
alert tcp $HOME_NET any -> [3.239.164.16] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263620; rev:1;)
alert tcp $HOME_NET any -> [52.193.137.127] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263619; rev:1;)
alert tcp $HOME_NET any -> [179.14.9.152] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263617; rev:1;)

# first_seen 2024_04_28, confidence_level 100: Cobalt Strike ip:port rules
# interleaved with url and domain rules. The url and domain rules name no
# malware family in msg; attribution comes from the referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpollgeocpu.php"; depth:22; nocase; http.host; content:"intopart.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263616; rev:1;)
alert tcp $HOME_NET any -> [154.213.17.187] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"62.234.180.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"106.14.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263612; rev:1;)
alert tcp $HOME_NET any -> [106.14.141.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263613; rev:1;)
alert tcp $HOME_NET any -> [154.213.17.174] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263611; rev:1;)
alert tcp $HOME_NET any -> [43.140.37.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-jj4sc5n0-1325804472.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jj4sc5n0-1325804472.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263609; rev:1;)
alert tcp $HOME_NET any -> [146.56.208.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"146.56.208.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263606; rev:1;)
alert tcp $HOME_NET any -> [45.125.67.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rn.js"; depth:6; nocase; http.host; content:"www.rollupdate.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rollupdate.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263604; rev:1;)

# first_seen 2024_04_28: remaining ip:port indicators at confidence_level 50
# and 80, covering several malware families.
alert tcp $HOME_NET any -> [94.156.79.114] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263589; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263588; rev:1;)
alert tcp $HOME_NET any -> [1.161.86.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263587; rev:1;)
alert tcp $HOME_NET any -> [170.64.210.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263586; rev:1;)
alert tcp $HOME_NET any -> [167.88.172.166] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263585; rev:1;)
alert tcp $HOME_NET any -> [93.88.74.63] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263335; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.46] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263334; rev:1;)
alert tcp $HOME_NET any -> [14.225.203.65] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263333; rev:1;)
alert tcp $HOME_NET any -> [59.175.126.222] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263332/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263332; rev:1;)
alert tcp $HOME_NET any -> [35.157.61.186] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263331/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263331; rev:1;)
alert tcp $HOME_NET any -> [94.49.189.224] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263330/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263330; rev:1;)
alert tcp $HOME_NET any -> [102.47.134.6] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263329/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263329; rev:1;)
alert tcp $HOME_NET any -> [156.222.129.192] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263328; rev:1;)
alert tcp $HOME_NET any -> [62.16.66.34] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0949502.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263326; rev:1;) alert tcp $HOME_NET any -> [102.188.113.253] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263325; rev:1;) alert tcp $HOME_NET any -> [91.92.253.28] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263324; rev:1;) alert tcp $HOME_NET any -> [193.222.96.115] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263323; rev:1;) alert tcp $HOME_NET any -> [116.198.232.233] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263322; rev:1;) alert tcp $HOME_NET any -> [47.103.91.191] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263321; rev:1;) alert tcp $HOME_NET any -> [45.133.174.75] 8795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263320; rev:1;) alert tcp $HOME_NET any -> [124.71.106.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.71.106.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263318; rev:1;) alert tcp $HOME_NET any -> [159.65.235.56] 9005 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263317; rev:1;) alert tcp $HOME_NET any -> [87.121.105.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263316/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263316; rev:1;) alert tcp $HOME_NET any -> [38.59.124.16] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263315; rev:1;) alert tcp $HOME_NET any -> [38.59.124.49] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263314; rev:1;) alert tcp $HOME_NET any -> [3.249.36.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263313; rev:1;) alert tcp $HOME_NET any -> [54.78.161.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263312; rev:1;) alert tcp $HOME_NET any -> [103.30.17.17] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263311; rev:1;) alert tcp $HOME_NET any -> [172.210.41.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263310; rev:1;) alert tcp $HOME_NET any -> [91.92.252.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263309/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263309; rev:1;) alert tcp $HOME_NET any -> [203.161.48.154] 443 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iremotepanel"; depth:13; nocase; http.host; content:"38.60.254.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263306; rev:1;) alert tcp $HOME_NET any -> [51.195.145.87] 7071 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263305/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263305; rev:1;) alert tcp $HOME_NET any -> [95.211.208.153] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263304/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_28; classtype:trojan-activity; sid:91263304; rev:1;) alert tcp $HOME_NET any -> [95.211.208.153] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263303; rev:1;) alert tcp $HOME_NET any -> [95.211.208.153] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263302; rev:1;) alert tcp $HOME_NET any -> [91.92.250.227] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervideopythondefaultprivate.php"; depth:38; nocase; http.host; content:"796367cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263300; rev:1;) alert tcp $HOME_NET any -> [185.172.128.70] 3808 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263299; rev:1;) alert tcp 
$HOME_NET any -> [178.128.228.252] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263298; rev:1;) alert tcp $HOME_NET any -> [181.131.217.222] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263295; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 3221 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263294; rev:1;) alert tcp $HOME_NET any -> [5.253.246.39] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263293; rev:1;) alert tcp $HOME_NET any -> [5.42.102.198] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c698e1bc8a2f5e6d.php"; depth:21; nocase; http.host; 
content:"185.172.128.150"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7043a0c6a68d9c65.php"; depth:21; nocase; http.host; content:"185.172.128.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalupdatebigloaduniversaldatalife.php"; depth:42; nocase; http.host; content:"550515cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.134.11.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.109.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263287/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.47.107.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cs.xfdaili.com"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/stream"; depth:11; nocase; http.host; content:"123.207.50.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263274; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.229.158.40"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.71.106.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263272; rev:1;) alert tcp $HOME_NET any -> [47.120.52.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.120.52.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263270; rev:1;) alert tcp $HOME_NET any -> [43.159.58.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263269/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"c.qqwhoami.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.qqwhoami.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263268; rev:1;) alert tcp $HOME_NET any -> [61.139.24.20] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"www.qichen.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263265; rev:1;) alert tcp $HOME_NET any -> [41.199.23.195] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263258/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_28; classtype:trojan-activity; sid:91263258; rev:1;) alert tcp $HOME_NET any -> [94.156.66.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263262; rev:1;) alert tcp $HOME_NET any -> [91.92.252.220] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saveclinetsforme68465454711991.publicvm.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263259; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10266 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elamoto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"kongtuke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263264; rev:1;)

# Rule layout: Suricata reads one rule per physical line (a trailing backslash
# is the only continuation), so each complete rule below sits on its own line.
# The text above this comment and the last line of this block are halves of
# rules whose other halves sit on the neighbouring lines of the file.

# Domain rule template (dns_query is the legacy spelling of the dns.query sticky
# buffer): content + depth equal to the name length + isdataat:!1,relative
# means the queried name must equal the indicator exactly, case-insensitively
# (nocase). A query for a subdomain of the indicator does not match.
# target:src_ip marks the querying $HOME_NET host as the target (the likely
# victim) in the alert record.
# This indicator is published at confidence_level 50; the url rule for the same
# host elsewhere in this file (sid:91263238) carries confidence_level 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kindofwelcomeperspective.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263260; rev:1;)

# ip:port rule template: there is no flow, flags or content keyword, so any TCP
# packet from $HOME_NET to this address and port matches, including a SYN that
# is never answered. An alert therefore shows a connection attempt, not a
# completed C2 session; confirm with flow records. threshold type limit caps
# the output at one alert per source address per 60 seconds.
# The indicator is an address, not a payload signature: other services on the
# same address and port raise the same alert.
alert tcp $HOME_NET any -> [157.230.232.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263256; rev:1;)

# The name sits under azurefd.net, the shared Azure Front Door domain, so the
# addresses it resolves to are presumably shared edge addresses. Keep
# detection and blocking on the full host name; do not derive an IP blocklist
# from it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powerbi3-dffqb3gfbudugyas.z03.azurefd.net"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263255; rev:1;)

# url rule template: flow:established,from_client limits it to client requests
# on an established session, and http.method content "GET" means a POST to the
# same URL does not match. http.uri content with depth equal to the string
# length and no isdataat makes this a prefix match: the URI must start with
# the string, and anything (for example a query string) may follow. The
# http.host match is exact (depth + isdataat:!1,relative); that buffer is
# normalised to lower case by Suricata, which is why it carries no nocase.
# The rule sees only HTTP that Suricata can parse, i.e. cleartext or decrypted
# traffic; for the same host over TLS the dns rule above (sid:91263255) is the
# one that fires.
# NOTE(review): the URI looks like the default GET path of the publicly
# distributed "amazon" Cobalt Strike Malleable C2 profile, although the msg
# names no family - confirm against the ThreatFox entry in reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"powerbi3-dffqb3gfbudugyas.z03.azurefd.net"; depth:41; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263254; rev:1;)

alert tcp $HOME_NET any -> [154.213.17.156] 90 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263253; rev:1;) alert tcp $HOME_NET any -> [103.166.184.95] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263252; rev:1;) alert tcp $HOME_NET any -> [91.92.254.108] 1111 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapi/affiliation/v1/affiliation:lookupbyhashprefix"; depth:56; nocase; http.host; content:"121.37.230.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; 
http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263242; rev:1;) alert tcp $HOME_NET any -> [64.188.22.11] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odllnjm0owjknmu2/"; depth:18; nocase; http.host; content:"tecald.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"street.letmeshine.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263240; rev:1;)

# Rule layout: Suricata reads one rule per physical line (a trailing backslash
# is the only continuation), so each complete rule below sits on its own line.
# The text above this comment and the last line of this block are halves of
# rules whose other halves sit on the neighbouring lines of the file.

# Host + path-prefix match: http.host must equal the indicator exactly
# (depth + isdataat:!1,relative) and http.uri must begin with the path
# (depth equals the path length, nothing asserts what follows).
# The same host also has a dns rule in this file (sid:91263260) published at
# confidence_level 50; when both fire for one source, this narrower url alert
# is the stronger evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"kindofwelcomeperspective.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263238; rev:1;)

# ip:port rule: no flow, flags or content keyword, so every TCP packet from
# $HOME_NET to this address and port matches (a bare SYN included); the
# threshold limits output to one alert per source address per 60 seconds.
# Published at confidence_level 75 - corroborate with flow or host data before
# treating the source as infected.
alert tcp $HOME_NET any -> [2.58.95.131] 65481 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263237; rev:1;)

# /wp-admin/admin-ajax.php is the stock WordPress AJAX endpoint path, so the
# host is presumably a WordPress site, possibly a legitimate one that was
# compromised - TODO confirm via the reference. Any GET from $HOME_NET whose
# URI starts with this path on this host alerts, whatever the query string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/admin-ajax.php"; depth:24; nocase; http.host; content:"rakishevkenes.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263236; rev:1;)

# Short prefix: any URI beginning with "/api" on this host matches, so the
# specificity comes from the exact http.host match alone. The method is pinned
# to GET; a POST to the same URL does not match. The host also has a dns rule
# in this file (sid:91263232), which is the one that fires when the traffic is
# TLS that Suricata cannot parse as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"palmeventeryjusk.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263220/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"strollheavengwu.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peanuearthflaxes.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"auctiongutollyjkui.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleartotalfisherwo.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"worryfillvolcawoi.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enthusiasimtitleow.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dismissalcylinderhostw.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"affordcharmcropwo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diskretainvigorousiw.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"communicationgenerwo.shop"; depth:25; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1263230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pillowbrocccolipe.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"palmeventeryjusk.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strollheavengwu.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peanuearthflaxes.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auctiongutollyjkui.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263235/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"democraticseekysiwo.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263218; rev:1;) alert tcp $HOME_NET any -> [87.121.105.4] 8797 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.doxbin.uno"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263217; rev:1;) alert tcp $HOME_NET any -> [45.88.90.17] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldbestipscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263166; rev:1;) 
# URL-type IOC rules. Each alerts on a client-to-server HTTP GET from $HOME_NET
# whose URI begins with "/nme0n2ywowezmtm3/" (http.uri content, depth:18, nocase)
# and whose Host equals the listed .xyz name (http.host content with depth set to
# the name length plus isdataat:!1,relative, so no bytes may follow the match).
# The rules in this run differ only in the Host value, reference and sid. The host
# names are reorderings of the same four words, so the shared URI prefix is the
# steadier pivot when searching HTTP logs for related hosts that are not listed.
# sid is 90000000 plus the ThreatFox IOC id shown in the reference URL.
# NOTE(review): http.host has no nocase here; Suricata lower-cases that buffer, so
# lower-case content is expected to match - confirm on the deployed version.
# NOTE(review): these rules inspect parsed HTTP only; the same request inside TLS
# is not visible to them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldscanipbest.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263168/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipworldbestscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldbestscanip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipscanworldbest.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipworldscanbest.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipscanbestworld.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; 
content:"scanworldbestip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263160; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 36969 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phentermine-partial.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263157; rev:1;) alert tcp $HOME_NET any -> [137.220.224.49] 9834 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldscanbestip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263167/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; 
depth:18; nocase; http.host; content:"bestworldscanip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263169/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263169; rev:1;)
# Two more members of the "/nme0n2ywowezmtm3/" URL family: same GET + URI-prefix
# match, only the exact-match Host value, reference and sid change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"bestipworldscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"scanbestworldip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263171/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263171; rev:1;)
# URL rule whose Host value is an IP literal: it fires only when the client sends
# that address as the Host header and the URI begins with the listed .php path.
# The msg names no malware family; the ip:port rule that follows is for the same
# address on port 80 and is labelled Stealc. One cleartext request to this server
# can therefore raise both alerts - correlate them per flow instead of counting
# them as two separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8681490a59ad0e34.php"; depth:21; nocase; http.host; content:"185.70.186.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263174; rev:1;)
alert tcp $HOME_NET any -> [185.70.186.153] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; 
sid:91263175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/902e53a07830e030.php"; depth:21; nocase; http.host; content:"139.60.162.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263177; rev:1;) alert tcp $HOME_NET any -> [139.60.162.84] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263178; rev:1;) alert tcp $HOME_NET any -> [185.172.128.62] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263179; rev:1;) alert tcp $HOME_NET any -> [185.161.248.78] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263182; rev:1;) alert tcp $HOME_NET any -> [14.225.203.65] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263192/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"legendsworld.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263193/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263193; rev:1;)
# ip:port IOC rules. They carry no flow, content or protocol-parser keyword, so the
# destination address and port are the only match criteria; nothing in the rule
# checks what is spoken on the connection.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds, so alert volume says little about how
# much traffic went to the address.
# target:src_ip marks the $HOME_NET side as the target in the event record.
# Every rule in this run is confidence_level 50 and most point at port 80 or 443.
# NOTE(review): with the address as the sole evidence, a server that also hosts
# unrelated sites, or an address that has since been reassigned, would alert the
# same way - treat these as leads to correlate with DNS/HTTP/TLS logs and check
# first_seen against the feed's update date before acting on them.
alert tcp $HOME_NET any -> [147.45.78.74] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263214; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.74] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263215; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.95] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263213; rev:1;)
alert tcp $HOME_NET any -> [45.91.8.8] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263212; rev:1;)
alert tcp $HOME_NET any -> [111.173.117.130] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; 
classtype:trojan-activity; sid:91263211; rev:1;) alert tcp $HOME_NET any -> [111.229.211.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263210; rev:1;) alert tcp $HOME_NET any -> [52.155.97.150] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263209; rev:1;) alert tcp $HOME_NET any -> [65.109.58.235] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263208; rev:1;) alert tcp $HOME_NET any -> [88.214.26.33] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263207; rev:1;) alert tcp $HOME_NET any -> [170.64.231.144] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263206; rev:1;) alert tcp $HOME_NET any -> [13.212.214.23] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpythonphpsecuretraffictestlocaltempuploadsdownloads.php"; depth:64; nocase; http.host; content:"188.120.242.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"37.27.45.203"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/file.txt"; depth:11; nocase; http.host; content:"s2r.tn"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"surgical-farming-ca.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjdsasync.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263200; rev:1;)
# Domain-type IOC rules. In the DNS query-name buffer, content + depth (set to the
# name length) + isdataat:!1,relative require the whole queried name to equal the
# listed string, case-insensitively (nocase). A query for a longer name that merely
# contains or ends with the string does not match.
# Each rule names one hostname under duckdns.org (a dynamic-DNS zone), not the
# parent zone, so other hostnames in that zone are untouched by these rules.
# The alert is raised on the lookup itself; the source is whichever host sent the
# query, which behind an internal resolver is the resolver rather than the
# workstation - resolver query logs are needed to attribute the lookup.
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer;
# confirm it is still accepted by the Suricata release these rules are loaded into.
# NOTE(review): lookups carried over encrypted DNS are not parsed as DNS and will
# not reach these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undjsj.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjxwrm5.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vbdsg.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmds.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/windows/downloadslongpoll/generatorimage/wordpress/wp6datalife0/phpjavascripthttpprotectflower.php"; depth:99; nocase; http.host; content:"212.113.106.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263195; rev:1;) alert tcp $HOME_NET any -> [93.177.102.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263191; rev:1;) alert tcp $HOME_NET any -> [103.146.179.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263190; rev:1;) alert tcp $HOME_NET any -> [107.173.201.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263189; rev:1;) alert tcp $HOME_NET any -> [41.98.13.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263188/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263188; rev:1;) alert tcp $HOME_NET any -> [103.82.195.234] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1263187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263187; rev:1;)
# ip:port IOC rules at confidence_level 50. The family named in msg (BianLian,
# Sliver, "Unknown malware") is the feed's label for the indicator; the rule itself
# matches only the destination address and port and does not inspect the session.
alert tcp $HOME_NET any -> [45.152.85.10] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263186; rev:1;)
alert tcp $HOME_NET any -> [64.23.196.210] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263185; rev:1;)
alert tcp $HOME_NET any -> [167.88.172.78] 65534 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263184; rev:1;)
# Domain rule for greatnessappreviews.com at confidence_level 50. The same host
# name also appears in a URL rule in this file (sid:91263172, URI prefix
# "/8bvxwqdec3/index.php") at confidence_level 100, so a pipeline that filters or
# ranks on confidence_level will treat the lookup and the HTTP request differently
# even though they concern one host. Exact-name match: only a query for this name
# itself alerts, not one for a name with further labels in front of it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"greatnessappreviews.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamb/five/fre.php"; depth:19; nocase; http.host; content:"tampabayllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263181/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_27; classtype:trojan-activity; sid:91263181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamecentraluploads.php"; depth:23; nocase; http.host; content:"178546cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/902e53a07830e030.php"; depth:21; nocase; http.host; content:"185.172.128.62"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"greatnessappreviews.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263172; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 1010 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/8681490a59ad0e34.php"; depth:21; nocase; http.host; content:"185.172.128.76"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263153; rev:1;) alert tcp $HOME_NET any -> [109.107.157.17] 15866 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263060; rev:1;) alert tcp $HOME_NET any -> [185.117.3.187] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263151; rev:1;) alert tcp $HOME_NET any -> [172.94.101.172] 6238 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.47.107.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263148; rev:1;)
# ip:port rule for 38.47.107.44 port 80, labelled Cobalt Strike. It covers the same
# address as the URL rule directly before it (sid:91263148), so a cleartext request
# that matches the URL rule also matches here; correlate the two per flow.
alert tcp $HOME_NET any -> [38.47.107.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263149; rev:1;)
# URL rules with short URI values ("/dot.gif", "/j.ad"). depth anchors the match at
# the start of the URI but nothing anchors its end, so any URI that begins with the
# string matches. These paths are generic; what makes the rule specific is the
# exact-match Host (an IP literal here), so the alert means "a GET was sent to this
# server", not "this path is malicious".
# Only http.method GET is matched; other methods to the same URL do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.96.72.192"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.14.143.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263145; rev:1;)
# ip:port rule: destination address and port only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [124.223.9.21] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"213.1.229.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263144; rev:1;) alert tcp $HOME_NET any -> [35.224.58.250] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.chinamobile.live"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263142; rev:1;) alert tcp $HOME_NET any -> [38.60.217.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.60.217.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263140; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"116.205.185.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.197.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"54.37.226.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263137; rev:1;) alert tcp $HOME_NET any -> [154.201.73.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.73.20"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263135; rev:1;)
# ip:port rule: destination address and port only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [35.224.58.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263134; rev:1;)
# URL rule for GET with URI prefix "/api/3" on Host www.chinamobile.live.
# Its match conditions are the same as sid:91263142 elsewhere in this file; only
# the reference and sid differ (two ThreatFox IOC entries for one URL). A single
# matching request therefore produces two alerts. De-duplicate downstream on
# flow id or on host + URI rather than reading the count as two detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.chinamobile.live"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263132; rev:1;)
# Domain rule for the same host. The match is on the exact query name
# "www.chinamobile.live"; a lookup of the name without the "www." label, or with a
# different leading label, is not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.chinamobile.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263133; rev:1;)
# ip:port rule on port 443: it can show that a connection to the address was
# attempted, but carries no keyword that looks inside the session.
alert tcp $HOME_NET any -> [45.55.199.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263131; rev:1;)
alert tcp $HOME_NET any -> [47.96.72.192] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263130/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263130; rev:1;)
# ip:port rule: there are no flow or content options, so any TCP packet from
# $HOME_NET to this address and port matches. The threshold option
# (type limit, track by_src, seconds 60, count 1) caps it at one alert per
# source per 60 seconds.
alert tcp $HOME_NET any -> [91.92.255.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263129; rev:1;)
# url rule: the http.uri content with depth:20 anchors "/jquery-3.3.1.min.js"
# at the start of the URI but not at its end, so longer URIs with this prefix
# also match. The http.host content with depth:13 plus isdataat:!1,relative
# requires the host buffer to be exactly "91.92.255.137". The path on its own
# is a common library filename; the host condition is what makes the alert
# specific.
# NOTE(review): sid 91263128 and sid 91263126 below carry identical match
# options (only sid and reference differ), so one matching request raises
# both alerts. Presumably the two IOCs differ by scheme or port (the
# neighbouring ip:port rules cover 443 and 80), which these options do not
# capture. Confirm against the ThreatFox entries. An HTTPS IOC is visible to
# an http rule only if the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"91.92.255.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263128; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"91.92.255.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263126; rev:1;)
alert tcp $HOME_NET any -> [39.100.90.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263125/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery.com/"; depth:12; nocase; http.host; content:"39.100.90.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preserve/extranet/lff00fq6u2h0"; depth:31; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.130.34.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; 
content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; 
classtype:trojan-activity; sid:91263112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"154.12.29.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"101.33.192.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1263102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"service-hzdzk12c-1318485841.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"37.27.11.209"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"128.199.178.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; 
classtype:trojan-activity; sid:91263098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"116.205.189.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"111.230.12.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"c.hcgos.com"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1263088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.hcgos.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.105.191.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"119.91.45.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/v4.01/qgqtnora"; depth:25; nocase; http.host; content:"www.yamaxun.blog"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yamaxun.blog"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263080/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"42.51.45.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"click.buys.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"click.buys.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-e22kp8jz-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263071/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_27; classtype:trojan-activity; sid:91263071; rev:1;)
# The host below appears to be a tenant-specific name under a shared cloud
# API-gateway domain (inferred from the name only). depth:50 equals the
# pattern length and isdataat:!1,relative forbids trailing bytes, so the rule
# matches this full host name only, not other names under the same parent
# domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-e22kp8jz-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/462c30d592f23b18/jquery/3.7.1/jquery.min.js"; depth:44; nocase; http.host; content:"qax.gsldedie.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263069; rev:1;)
# domain rule: the dns_query content with depth:42, isdataat:!1,relative and
# nocase matches a query for exactly this name, case-insensitively. A longer
# name that merely ends in it (a subdomain) does not match.
# NOTE(review): the domain and url rules for this host are separate sids
# (91263068 and 91263067). The http rule inspects HTTP buffers, so it
# presumably fires only on cleartext or decrypted traffic, while the dns rule
# needs only the lookup. Confirm which of the two your sensor placement can
# actually observe.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canarapay-f5hghmdjd7eddbb4.z02.azurefd.net"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/i7f9l/s0rm6wozidfyrb6yai2d"; depth:40; nocase; http.host; content:"canarapay-f5hghmdjd7eddbb4.z02.azurefd.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263067; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"logist.cct-logistics.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logist.cct-logistics.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"io.cy789.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263061; rev:1;)
alert tcp $HOME_NET any -> [121.37.230.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/start/burst"; depth:12; nocase; http.host; content:"121.37.230.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263058; rev:1;)
# NOTE(review): unlike the other url rules in this section, this rule and the
# one that follows it (sid 91263007, "116.203.167.106" with depth:15) have no
# http.host condition. The IP literal is matched against http.uri, and
# depth:14 pins it to the first 14 bytes of that buffer. A request URI
# normally starts with "/", so the rule presumably fires only when the URI
# buffer itself begins with the address. This looks like a URL IOC with no
# path that was written into http.uri. Confirm against the ThreatFox entry.
# An http.host match or the ip:port form would be the usual way to cover a
# bare-host URL, so treat silence from these two sids as weak evidence of
# absence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.217.246.168"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1263006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"116.203.167.106"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1263007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263007; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 10250 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263035; rev:1;) alert tcp $HOME_NET any -> [160.176.159.27] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263036; rev:1;) alert tcp $HOME_NET any -> [167.71.169.160] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263054; rev:1;) alert tcp $HOME_NET any -> [94.156.79.186] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263053; rev:1;) alert tcp $HOME_NET any -> [109.120.177.64] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263052/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_27; classtype:trojan-activity; sid:91263052; rev:1;) alert tcp $HOME_NET any -> [101.200.121.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263051; rev:1;) alert tcp $HOME_NET any -> [172.234.92.6] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263050; rev:1;) alert tcp $HOME_NET any -> [178.62.55.204] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263049; rev:1;) alert tcp $HOME_NET any -> [31.42.185.190] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263048; rev:1;) alert tcp $HOME_NET any -> [43.132.130.145] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263047; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 2080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263046; rev:1;) alert tcp $HOME_NET any -> [146.70.80.94] 20020 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263045; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20039 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263044; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20027 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263043; rev:1;) alert tcp $HOME_NET any -> [216.153.61.72] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263042; rev:1;) alert tcp $HOME_NET any -> [3.216.133.137] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263041; rev:1;) alert tcp $HOME_NET any -> 
[138.124.183.209] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videosecureasyncdatalifeuploads.php"; depth:36; nocase; http.host; content:"842614cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263039; rev:1;) alert tcp $HOME_NET any -> [87.251.67.95] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263038; rev:1;) alert tcp $HOME_NET any -> [45.129.199.127] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.120.17.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; 
classtype:trojan-activity; sid:91263034; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 10250 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263033; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 10250 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"185.216.117.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263030; rev:1;) alert tcp $HOME_NET any -> [185.216.117.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263031; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"www.gfyl.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.gfyl.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263027; rev:1;) alert tcp $HOME_NET any -> [139.159.241.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industry_solutions/test"; depth:24; nocase; http.host; content:"139.159.241.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"bigwing.algoitsolutions.co.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263024/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263024; rev:1;)
# Payload-delivery URL rules: http.uri is matched as a prefix that ends in a
# directory ("/wp-content/plugins/user-private-files/shared/", depth 46), so a
# GET for any file beneath that directory on the listed host alerts; the file
# name itself is not part of the signature. http.host must equal the listed
# name exactly (depth plus isdataat:!1,relative).
# NOTE(review): the path sits under wp-content/plugins, which suggests these
# are WordPress sites hosting the payload, presumably third-party sites rather
# than dedicated infrastructure; confirm against the ThreatFox entries. For
# triage, pull the full requested URI and the response from the HTTP log
# rather than relying on the host name alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"stgmountainair.wpengine.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263019/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"eco-villas.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"saveutilitybills.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263016/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_26; classtype:trojan-activity; sid:91263016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"rjjewelpk.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"www.pujamosporti.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"2mo.com"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"metrobasket.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91263012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neo.msi"; depth:8; nocase; http.host; content:"146.19.106.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"startmast.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263009; rev:1;) alert tcp $HOME_NET any -> [94.232.41.106] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91263008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webcamcn.xyz"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262647; rev:1;) alert tcp $HOME_NET any -> [156.248.54.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262648; rev:1;) alert tcp $HOME_NET any -> [216.224.125.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262649; rev:1;) alert tcp $HOME_NET any -> [38.181.20.8] 9227 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262650; rev:1;) alert tcp $HOME_NET any -> [27.124.46.73] 9817 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"109.172.112.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262652/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262652; rev:1;) alert tcp $HOME_NET any -> [109.172.112.246] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262653; rev:1;) alert tcp $HOME_NET any -> [185.172.128.111] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koo1/decipher.csv"; depth:18; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koo/kpyqgtbbzswvoy6.bin"; depth:24; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k1/fdoimu226.bin"; depth:17; nocase; http.host; content:"nitio.com"; depth:9; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k2/unconscientiousness.jpb"; depth:27; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nitio.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262659; rev:1;) alert tcp $HOME_NET any -> [94.156.8.104] 80 (msg:"ThreatFox CloudEyE payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yftql16.bin"; depth:12; nocase; http.host; content:"94.156.8.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262661; rev:1;) alert tcp $HOME_NET any -> [94.156.128.246] 3323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262662; rev:1;) alert tcp $HOME_NET any -> [101.99.92.10] 13500 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tampabayllc.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262701; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 7719 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moranhq.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"156.248.54.11.webcamcn.xyz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hm2.webcamcn.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262645; rev:1;) alert tcp $HOME_NET any -> [154.53.42.53] 8448 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262644; rev:1;) alert tcp $HOME_NET any -> [85.209.11.243] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262643; rev:1;) alert tcp $HOME_NET any -> [93.71.184.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pronethellas.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dezx/oblqlsgpaa72.bin"; depth:22; nocase; http.host; content:"pronethellas.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.theertyuiergthjk.homes"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theertyuiergthjk.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s8o3/"; depth:6; nocase; http.host; content:"www.theertyuiergthjk.homes"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262632; rev:1;) alert tcp $HOME_NET any -> [49.233.206.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263005; rev:1;) alert tcp $HOME_NET any -> [95.217.210.118] 80 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263004; rev:1;) alert tcp $HOME_NET any -> [34.210.168.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263003; rev:1;) alert tcp $HOME_NET any -> [147.78.103.182] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263002; rev:1;) alert tcp $HOME_NET any -> [147.45.79.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263001; rev:1;) alert tcp $HOME_NET any -> [51.15.249.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"185.104.181.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262998/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262998; rev:1;) alert tcp $HOME_NET any -> [185.104.181.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262997; rev:1;) alert tcp $HOME_NET any -> [88.214.27.89] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262996; rev:1;) alert tcp $HOME_NET any -> [37.27.45.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262995; rev:1;) alert tcp $HOME_NET any -> [37.27.11.209] 8023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riptode.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"oktes.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262987; rev:1;)
# Domain indicators matched against the DNS query name. dns_query is the older
# spelling of the dns.query sticky buffer. depth plus isdataat:!1,relative
# makes each rule an exact, case-insensitive match on the full name; lookups
# for subdomains are not covered, and queries carried over encrypted DNS
# transports are not visible to this buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hypaton.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vances.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meday.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woo2tech.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yestohe.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1262992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262992; rev:1;)
# Domain indicator: exact, case-insensitive match on the full DNS query name
# (depth equals the content length and isdataat:!1,relative forbids trailing
# data). The same name also appears as the host of a URL rule in this ruleset.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtlintro.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262993; rev:1;)
# Vidar ip:port indicators on port 443. Only the destination address and port
# are checked, so nothing in these rules distinguishes C2 traffic from any
# other connection to the same endpoint; first_seen in the metadata gives the
# age of the indicator for triage.
alert tcp $HOME_NET any -> [95.217.246.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262981; rev:1;)
alert tcp $HOME_NET any -> [78.47.186.226] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262982; rev:1;)
alert tcp $HOME_NET any -> [78.47.14.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262983; rev:1;)
alert tcp $HOME_NET any -> [37.27.11.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262984; rev:1;)
alert tcp $HOME_NET any -> [116.203.0.165] 443 (msg:"ThreatFox Vidar botnet C2
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262985; rev:1;)
# Vidar ip:port indicator on port 5432: header-only match, limited to one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [116.203.167.106] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262980; rev:1;)
# URL indicators whose URI pattern is just "/" with depth:1. A request path
# normally begins with "/", so in practice these fire on any cleartext GET
# whose host equals the listed name (depth plus isdataat:!1,relative makes the
# host comparison exact). They carry no threshold, so each matching request
# alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vtlintro.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yestohe.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"woo2tech.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"meday.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262976; rev:1;)
# URL indicators for hosts that also have domain (dns) rules in this ruleset.
# The URI pattern "/" with depth:1 adds little selectivity, so the effective
# condition is "cleartext GET with this exact host". http.* buffers are only
# filled for traffic parsed as HTTP; a TLS session to the same host is not
# inspected by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hypaton.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vances.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"oktes.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"riptode.xyz"; depth:11;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262972; rev:1;)
# URL indicators whose host is an IP literal. The same addresses appear in
# Vidar ip:port rules for port 443 elsewhere in this ruleset; these http rules
# only see requests Suricata parses as cleartext HTTP, and the msg text does
# not name a malware family, so correlate on the address when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.0.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.11.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.14.240"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.246.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262967; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.186.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262968; rev:1;)
# URL indicator with an IP-literal host and "/" as the URI prefix: fires on
# any cleartext GET carrying exactly this host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262966; rev:1;)
# Domain indicator: exact match on the full query name, so only lookups for
# this specific name alert, not lookups for its parent domain or for sibling
# names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sol.ethvseos.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262965; rev:1;)
# Cobalt Strike ip:port indicators: one rule per port for the same address.
# The threshold is evaluated per rule, so a host that touches both ports can
# raise one alert from each sid within the same 60-second window.
alert tcp $HOME_NET any -> [185.196.9.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262963; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.172] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262964; rev:1;)
alert tcp $HOME_NET any -> [159.89.124.149]
8085 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262962/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262962; rev:1;)
# IcedID ip:port indicators with confidence_level 60 and 75. The rules match
# on destination address and port alone, so the lower-confidence entries in
# particular need corroboration before a hit is treated as confirmed C2. The
# confidence value is available in the rule metadata for filtering.
alert tcp $HOME_NET any -> [159.89.124.149] 8084 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262961/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262961; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.77] 8085 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262960/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262960; rev:1;)
alert tcp $HOME_NET any -> [212.46.38.250] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262959/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262959; rev:1;)
# The msg of the next rule labels the family as "Unknown malware"; the
# reference URL is the only pointer to further context for this indicator.
alert tcp $HOME_NET any -> [51.195.211.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262958; rev:1;)
alert tcp $HOME_NET any -> [149.88.82.88] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262957/; target:src_ip; metadata: confidence_level 100, first_seen
2024_04_26; classtype:trojan-activity; sid:91262957; rev:1;)
# DCRat and Quasar RAT ip:port indicators. Header-only match on destination
# address and port; target:src_ip marks the internal source host as the
# affected side in the alert record. One alert per source address per rule
# per 60 seconds.
alert tcp $HOME_NET any -> [137.175.77.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262956; rev:1;)
alert tcp $HOME_NET any -> [38.180.25.208] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262955; rev:1;)
alert tcp $HOME_NET any -> [202.47.118.167] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262954; rev:1;)
alert tcp $HOME_NET any -> [191.82.222.55] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262953; rev:1;)
alert tcp $HOME_NET any -> [177.102.67.107] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262952; rev:1;)
alert tcp $HOME_NET any -> [175.137.217.128] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262951; rev:1;)
# DarkComet ip:port indicators: a single address listed once per port, each
# with its own sid. Because the threshold is tracked per rule, a host that
# contacts several of these ports produces one alert per port rather than one
# per destination; group by destination address when counting affected hosts.
alert tcp $HOME_NET any -> [187.135.138.133] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262947; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262948; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262949; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262950; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262944; rev:1;)
alert tcp $HOME_NET any ->
[187.135.138.133] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262945; rev:1;)
# DarkComet ip:port indicators, including ports 80, 81 and 443. With no
# payload or protocol keywords, any TCP packet from $HOME_NET to these
# endpoints matches, whatever application traffic it carries.
alert tcp $HOME_NET any -> [187.135.138.133] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262946; rev:1;)
alert tcp $HOME_NET any -> [141.11.93.161] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262942; rev:1;)
alert tcp $HOME_NET any -> [141.11.93.161] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262943; rev:1;)
alert tcp $HOME_NET any -> [91.132.49.90] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262941; rev:1;)
alert tcp $HOME_NET any -> [222.239.35.173] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262810/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262810; rev:1;)
# Venom RAT and AsyncRAT ip:port indicators. The AsyncRAT entries list one
# address on several ports, one sid per port; thresholds are per rule, so
# alert counts scale with the number of ports a host contacts.
alert tcp $HOME_NET any -> [173.249.52.60] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262765; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262759; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262760; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262761; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262762; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262763; rev:1;)
# AsyncRAT ip:port indicators. Match is on destination address and port only;
# the reference URL in each rule points at the ThreatFox entry the indicator
# was generated from, and first_seen records when it was first reported.
alert tcp $HOME_NET any -> [207.32.219.85] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262764; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262755; rev:1;)
alert tcp $HOME_NET any -> [88.229.18.221] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262756; rev:1;)
alert tcp $HOME_NET any -> [88.229.18.221] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262757; rev:1;)
alert tcp $HOME_NET any -> [142.202.191.162] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262758; rev:1;)
alert tcp
$HOME_NET any -> [94.156.65.26] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262753; rev:1;)
# Mixed-family ip:port indicators (AsyncRAT, "Unknown malware", Venom RAT,
# Cobalt Strike). The family name exists only in the msg string; the matching
# logic is identical for all of them (destination address and port, one alert
# per source address per 60 seconds).
alert tcp $HOME_NET any -> [94.156.65.26] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262754; rev:1;)
alert tcp $HOME_NET any -> [94.154.172.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262752; rev:1;)
alert tcp $HOME_NET any -> [45.15.156.173] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262751; rev:1;)
alert tcp $HOME_NET any -> [116.196.82.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262750; rev:1;)
alert tcp $HOME_NET any -> [18.232.156.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1262748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262748; rev:1;)
# Cobalt Strike ip:port indicators on port 443: header-only match, one alert
# per source address per rule per 60 seconds.
alert tcp $HOME_NET any -> [44.221.39.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262749; rev:1;)
alert tcp $HOME_NET any -> [54.145.84.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262747; rev:1;)
# URL indicator followed by the ip:port rule for the same address. The url
# rule's msg names no family while the ip:port rule names Cobalt Strike, and a
# cleartext GET matching the url rule also satisfies the port-80 rule, so both
# sids can fire for one request. The URI is matched as a prefix (depth equals
# the pattern length, nothing forbids trailing characters).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"3.86.13.34"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262746; rev:1;)
alert tcp $HOME_NET any -> [3.86.13.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.83.203"; depth:14; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1262744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262744; rev:1;)
# Paired indicators: an ip:port rule (family named in msg) next to a url rule
# for the same address (no family in msg). The url rules have no threshold and
# alert on every matching request, while the ip:port rules alert at most once
# per source address per 60 seconds.
alert tcp $HOME_NET any -> [154.201.83.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.12.23.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262742; rev:1;)
alert tcp $HOME_NET any -> [154.12.23.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262741; rev:1;)
# Hostname-based pair: the url rule matches a cleartext GET whose URI starts
# with "/push" and whose host equals the listed name; the dns rule that
# follows matches a lookup of exactly that name, which is the signal that
# remains when the subsequent session is encrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.nickelviper.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nickelviper.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1262737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262737; rev:1;)
# Cobalt Strike ip:port indicator on port 80: header-only match with a
# per-source 60-second alert limit.
alert tcp $HOME_NET any -> [18.132.148.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262736; rev:1;)
# URL indicator: URI prefix "/image/" plus an exact host match. The same host
# name has its own dns rule below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"ns1.anonymouskids.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262734; rev:1;)
# Domain indicators: each rule matches only a query for the exact name given
# (depth plus isdataat:!1,relative). A rule for a host label such as "ns1."
# therefore does not cover the parent domain or other labels under it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srothanhlong.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.anonymouskids.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262733; rev:1;)
alert tcp $HOME_NET any -> [3.132.209.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262731/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262731; rev:1;)
# Cobalt Strike ip:port indicator on port 443 (header-only match).
alert tcp $HOME_NET any -> [3.132.209.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262732; rev:1;)
# URL indicator whose host sits under a shared cloud-provider suffix
# (execute-api.us-east-1.amazonaws.com). depth:46 equals the full pattern
# length and isdataat:!1,relative forbids trailing data, so only this exact
# host value matches; other names under the same suffix do not. The rule
# inspects parsed HTTP only, so it does not see requests made over TLS unless
# traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"ao2gmabl4c.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262730; rev:1;)
# Cobalt Strike ip:port indicators: any TCP packet from $HOME_NET to the
# listed address and port matches; one alert per source address per rule per
# 60 seconds.
alert tcp $HOME_NET any -> [3.9.188.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262729; rev:1;)
alert tcp $HOME_NET any -> [3.0.50.245] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262728; rev:1;)
alert tcp $HOME_NET any -> [104.214.168.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity;
sid:91262727; rev:1;)
# url/domain pair for one host name: sid 91262726 matches the HTTP request and sid 91262725
# the DNS query, so a single client can raise both. Correlate on the host name and source
# rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"mail.metadate.services"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262726; rev:1;)
# domain rule: depth:22 with isdataat:!1,relative makes this an exact, case-insensitive match
# on the queried name; a query for a different label under the same domain does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.metadate.services"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262725; rev:1;)
# ip:port rule: address and port only, no flow or content keywords; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [167.179.76.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262724; rev:1;)
# url rule whose Host value is an IP literal. The same address on port 80 is also covered by
# the ip:port rule that follows (sid 91262722), so an HTTP request to it can raise both sids.
# This rule is the more specific of the two: it also requires the URI prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"65.20.85.214"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262723; rev:1;)
alert tcp $HOME_NET any -> [65.20.85.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262722; rev:1;) alert tcp $HOME_NET any -> [124.156.166.78] 7654 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.157.90.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262720; rev:1;) alert tcp $HOME_NET any -> [43.157.90.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"192.227.137.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262718; rev:1;) alert tcp $HOME_NET any -> [192.227.137.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262716; rev:1;) alert tcp $HOME_NET any -> [192.227.137.122] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262717; rev:1;) alert tcp $HOME_NET any -> [152.42.244.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oscp/"; depth:6; nocase; http.host; content:"134.209.27.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262714; rev:1;) alert tcp $HOME_NET any -> [134.209.27.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.236.28.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262712; rev:1;) alert tcp $HOME_NET any -> [47.236.28.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-qyygkf1k-1307679590.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qyygkf1k-1307679590.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262709; rev:1;) alert tcp $HOME_NET any -> [1.94.66.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262708; rev:1;) alert tcp $HOME_NET any -> [1.94.52.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262707; rev:1;) alert tcp $HOME_NET any -> [123.57.172.34] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262706; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"47.92.151.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262704; rev:1;) alert tcp $HOME_NET any -> [47.92.151.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262703; rev:1;) alert tcp $HOME_NET any -> [39.104.28.176] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262702; rev:1;) alert tcp $HOME_NET any -> [39.100.109.229] 8888 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262699; rev:1;) alert tcp $HOME_NET any -> [39.98.43.192] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262698; rev:1;) alert tcp $HOME_NET any -> [8.141.166.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262696; rev:1;) alert tcp $HOME_NET any -> [8.141.166.236] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262697; rev:1;) alert tcp $HOME_NET any -> [8.137.76.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262695; rev:1;) alert tcp $HOME_NET any -> [8.134.92.24] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262694/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_26; classtype:trojan-activity; sid:91262694; rev:1;) alert tcp $HOME_NET any -> [8.130.66.214] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.130.29.62"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262692; rev:1;) alert tcp $HOME_NET any -> [8.130.29.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262691; rev:1;) alert tcp $HOME_NET any -> [150.158.54.83] 7500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262690; rev:1;) alert tcp $HOME_NET any -> [124.222.15.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262689; rev:1;) alert tcp $HOME_NET any -> 
[123.206.115.56] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.89.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262687; rev:1;) alert tcp $HOME_NET any -> [122.51.89.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.91.218.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262685; rev:1;) alert tcp $HOME_NET any -> [119.91.218.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262684; rev:1;) alert tcp $HOME_NET any -> [114.132.245.246] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262683; rev:1;) alert tcp $HOME_NET any -> [111.229.200.233] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262682; rev:1;) alert tcp $HOME_NET any -> [111.229.35.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262680; rev:1;) alert tcp $HOME_NET any -> [111.229.35.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262681; rev:1;) alert tcp $HOME_NET any -> [101.35.198.25] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262678; rev:1;) alert tcp $HOME_NET any -> [43.136.43.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"185.229.237.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.130.252.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"209.222.0.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.205.115.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; 
content:"8.138.119.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.139.205.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262667; rev:1;) alert tcp $HOME_NET any -> [118.31.116.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262664; rev:1;) alert tcp $HOME_NET any -> [8.138.119.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.138.119.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262640; rev:1;) alert tcp $HOME_NET any -> [1.14.96.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.14.96.69"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262638; rev:1;)
# ip:port rules: the malware family is carried only in msg; the confidence level appears in
# both msg and metadata (confidence_level), so metadata is the field to filter or rank on.
# Each rule matches destination address and port alone, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [45.142.182.80] 5900 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262637; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 5654 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262606; rev:1;)
# domain rule: depth:28 with isdataat:!1,relative is an exact, case-insensitive match on the
# queried name. The name sits under duckdns.org, a dynamic DNS provider, so the address behind
# it can change; this rule keeps matching the lookup, while ip:port rules do not follow the change.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"craftedfollowing.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262607; rev:1;)
# confidence_level 75 here, lower than the surrounding rules.
alert tcp $HOME_NET any -> [46.246.86.14] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262580; rev:1;)
alert tcp $HOME_NET any -> [172.94.9.228] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262605; rev:1;)
# confidence level 50%, no family named ("Unknown malware"), and the match is address plus
# port 80 only. Treat a hit as a lead to corroborate with host or proxy logs, not as a
# confirmed infection.
alert tcp $HOME_NET any -> [5.253.40.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1262604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262604; rev:1;) alert tcp $HOME_NET any -> [93.127.202.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262602; rev:1;) alert tcp $HOME_NET any -> [14.178.208.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262601; rev:1;) alert tcp $HOME_NET any -> [18.159.103.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262600; rev:1;) alert tcp $HOME_NET any -> [77.91.70.104] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262599; rev:1;) alert tcp $HOME_NET any -> [54.202.238.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262598; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 
2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262597; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262596; rev:1;) alert tcp $HOME_NET any -> [190.70.119.188] 4859 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262595; rev:1;) alert tcp $HOME_NET any -> [45.141.84.135] 54183 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262594; rev:1;) alert tcp $HOME_NET any -> [35.192.76.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262593; rev:1;) alert tcp $HOME_NET any -> [193.227.134.120] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262592/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_26; classtype:trojan-activity; sid:91262592; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20037 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262591; rev:1;) alert tcp $HOME_NET any -> [45.95.174.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262590; rev:1;) alert tcp $HOME_NET any -> [45.95.174.39] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262589; rev:1;) alert tcp $HOME_NET any -> [149.28.25.144] 55556 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262588; rev:1;) alert tcp $HOME_NET any -> [149.28.25.144] 5432 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/lt8e"; depth:5; nocase; http.host; content:"39.105.191.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262586; rev:1;)
# Two rule shapes alternate below.
# url rules: a GET request whose URI begins with the listed string (content +
# depth anchors the start only, case-insensitive) and whose Host value equals the
# listed name exactly (depth plus isdataat:!1,relative leaves no room for a
# suffix). They depend on Suricata's HTTP parser, so they apply to HTTP it can
# read, not to requests carried inside TLS.
# ip:port rules: address and port only, rate-limited per source by the threshold.
# 85.203.42.194 appears in both shapes here, so a single session to that server
# may raise a url alert and an ip:port alert together.
alert tcp $HOME_NET any -> [39.105.191.1] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpollmultigeneratordatalife.php"; depth:41; nocase; http.host; content:"taketa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262584; rev:1;)
alert tcp $HOME_NET any -> [85.203.42.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262581; rev:1;) alert tcp $HOME_NET any -> [5.42.92.179] 18418 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.54.48"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262576; rev:1;)
alert tcp $HOME_NET any -> [44.194.227.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262575; rev:1;)
# The next two rules cover one hostname twice. sid 91262573 needs a parsed HTTP
# GET for a URI starting with "/ms" and that exact Host. sid 91262574 fires on
# the DNS query for the name (dns_query, exact match, nocase), so it can still
# trigger when the session that follows is encrypted.
# The name is a subdomain of the shared cloudfront.net domain; the exact-match
# anchoring (depth + isdataat:!1,relative) keeps both rules from matching any
# other name under that domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms"; depth:3; nocase; http.host; content:"dct4jph3as9lp.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dct4jph3as9lp.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262571; rev:1;)
alert tcp $HOME_NET any -> [85.203.42.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1262572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginin.html"; depth:13; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262569; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.11.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262567; rev:1;) alert tcp $HOME_NET any -> [8.134.11.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flypadi.com"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1262565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262565; rev:1;)
alert tcp $HOME_NET any -> [89.34.237.212] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz24519.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262566; rev:1;)
# "payload delivery" rules start here. Each pairs one hostname with a directory
# prefix ending in "/wp-content/plugins/user-private-files/shared/", so any GET
# beneath that directory on the named host matches, whatever file is requested.
# They use the same classtype (trojan-activity) as the C2 rules above; when
# triaging, the msg text is what separates a download attempt from C2 traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"pgdm.my"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262563; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tangerang/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"tutycholid.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/model-2/wp-content/plugins/user-private-files/shared/"; depth:54; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"taifateule.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"upr.lk"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262557; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phatthanhnghia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"quotesparade.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"thayhoicoffee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideosphere.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/user-private-files/shared/"; depth:49; nocase; http.host; content:"vegasnights.co.za"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"audio.daiphucminh.vn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"seraphyaromatherapy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chocolate/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"milkganache.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"www.pansy-dz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262546; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideanet.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"reyadtours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"devaccrocs.allianceconsultants.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"manbaulhudaasia.aliyy.my"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"yahyacarpet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epicure-traiteur/wp-content/plugins/user-private-files/shared/"; depth:63; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262538; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/wp-content/plugins/user-private-files/shared/"; depth:51; nocase; http.host; content:"direitopositivado.com.br"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"i.thietke.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"divifar.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262534; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo/wp-content/plugins/user-private-files/shared/"; depth:53; nocase; http.host; content:"konsaltakuatorial.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networkconnect/wp-content/plugins/user-private-files/shared/"; depth:61; nocase; http.host; content:"iswpcreator.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live"; depth:5; nocase; http.host; content:"grizmotras.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live"; depth:5; nocase; http.host; content:"pewwhranet.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"pgdm.my"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262529; rev:1;)
# The rules below repeat host and URI-prefix pairs that this feed also carries
# under other sids, with identical match options: cbg.divineunveil.com is
# matched by sid 91262562 and sid 91262528, tutycholid.com by sid 91262561 and
# sid 91262527. One matching request therefore raises two alerts; when counting
# events, group by host and URI, not by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tangerang/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"tutycholid.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/model-2/wp-content/plugins/user-private-files/shared/"; depth:54; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"taifateule.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"upr.lk"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phatthanhnghia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"quotesparade.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262521; rev:1;)
# Payload-delivery URL indicators that share one WordPress plugin directory,
# .../wp-content/plugins/user-private-files/shared/, on many different hosts.
# - http.uri: content + depth (depth equals the pattern length, no isdataat)
#   anchors the pattern at the start of the URI, so every GET beneath that
#   directory matches, not one specific file.
# - http.host: depth equal to the pattern length plus isdataat:!1,relative
#   makes the host comparison exact; other names for the same site (for
#   example with or without "www.") do not match.
# - These are http rules: they only fire on HTTP that reaches the sensor
#   unencrypted. No dns or tls rule for these hosts appears in this part of
#   the file.
# - sid is 90000000 + the ThreatFox IOC id shown in the reference URL.
# NOTE(review): the shared plugin path suggests compromised WordPress sites
# rather than attacker-owned domains - confirm in the ThreatFox entry before
# treating a whole host as malicious or blocking it outright.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262520; rev:1;)
# Same plugin directory below a sub-directory install (/wp/); depth:49 is the
# length of the longer prefix. The other sub-directory variants further down
# (/chocolate/, /projects/visioncrystal/, /epicure-traiteur/, /site/,
# /indigo/, /networkconnect/) follow the same pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/user-private-files/shared/"; depth:49; nocase; http.host; content:"vegasnights.co.za"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"thayhoicoffee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideosphere.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"audio.daiphucminh.vn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chocolate/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"milkganache.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"seraphyaromatherapy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"www.pansy-dz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideanet.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"reyadtours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"devaccrocs.allianceconsultants.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"manbaulhudaasia.aliyy.my"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"yahyacarpet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epicure-traiteur/wp-content/plugins/user-private-files/shared/"; depth:63; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"i.thietke.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/wp-content/plugins/user-private-files/shared/"; depth:51; nocase; http.host; content:"direitopositivado.com.br"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"divifar.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo/wp-content/plugins/user-private-files/shared/"; depth:53; nocase; http.host; content:"konsaltakuatorial.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networkconnect/wp-content/plugins/user-private-files/shared/"; depth:61; nocase; http.host; content:"iswpcreator.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security_check/"; depth:16; nocase; http.host; content:"nlqbgkl5.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262497; rev:1;)
# Mixed url, domain and ip:port indicators, all with first_seen 2024_04_25.
# url rules: GET only, URI anchored as a prefix (content + depth), host matched
# exactly (depth + isdataat:!1,relative). Some hosts are bare IPv4 addresses,
# i.e. the Host header itself must be that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ad.msi"; depth:7; nocase; http.host; content:"45.95.11.217"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"wrankaget.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"jarinamaers.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262493; rev:1;)
# NOTE(review): sid 91262454 and sid 91262455 have identical match conditions
# (GET /data.php on svif-venezuela.com); only sid and reference differ, so one
# request raises two alerts. Suppress one locally if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262456; rev:1;)
# dns rules: dns_query with depth equal to the name length plus
# isdataat:!1,relative is an exact match on the queried name (nocase);
# sub-domains of the name are not covered. This one also catches lookups that
# precede HTTPS requests, which the http rules above cannot see.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"svif-venezuela.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262457; rev:1;)
# Four .shop hosts in this group share the URI prefix /mmexoda3mdazzja5/
# (confidence 80). The pattern is lowercase with nocase, so the original case
# of the path is not recoverable from the rule - presumably lowercased by the
# feed generator; use the ThreatFox reference for the exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"33moneycshlazim33.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262462; rev:1;)
# NOTE(review): zapto.org looks like a dynamic-DNS zone; the rule matches only
# this exact host name, and should not be widened to the parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trembolone.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsffhgm7.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262464; rev:1;)
# ip:port rules: there is no flow or flags keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches, including an unanswered
# SYN. threshold (type limit, track by_src) caps output at one alert per
# source address per 60 seconds. target:src_ip marks the internal host as the
# affected side in the event.
alert tcp $HOME_NET any -> [91.92.240.43] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneymaskalandd.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minjuthecutest.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262465; rev:1;)
# Mirai ip:port indicators. 91.92.240.43 is listed twice with different ports
# (43957 as MooBot above, 2006 as Mirai here); the two rules are independent.
alert tcp $HOME_NET any -> [91.92.240.43] 2006 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262489; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.102] 1990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262490; rev:1;)
alert tcp $HOME_NET any -> [89.185.30.66] 2006 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262491; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.46] 6969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262492; rev:1;)
alert tcp $HOME_NET any -> [54.36.113.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262488; rev:1;)
# ip:port C2 indicators, most of them at confidence_level 50.
# Each rule matches any TCP packet from $HOME_NET to the listed address and
# port (no flow/flags keyword, no payload inspection); threshold limits output
# to one alert per source address per 60 seconds.
# NOTE(review): several entries are labelled "Unknown malware" and use common
# service ports (80, 443, 8888). An address can be shared or reassigned, and
# first_seen is 2024_04_25 - treat a hit as a lead to correlate with host
# telemetry, and check the current ThreatFox entry before blocking on it.
alert tcp $HOME_NET any -> [185.125.50.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262487; rev:1;)
alert tcp $HOME_NET any -> [109.120.177.48] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262486; rev:1;)
alert tcp $HOME_NET any -> [120.46.59.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262485; rev:1;)
alert tcp $HOME_NET any -> [45.63.124.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262484; rev:1;)
alert tcp $HOME_NET any -> [52.26.153.104] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262483; rev:1;)
alert tcp $HOME_NET any -> [43.139.113.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262482; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.197] 4443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262481; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.7] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262480; rev:1;)
alert tcp $HOME_NET any -> [193.92.65.11] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262479; rev:1;)
# Destination port 445 on an external address: outbound SMB can carry NTLM
# authentication, so a hit on this rule deserves follow-up even at
# confidence 50.
alert tcp $HOME_NET any -> [13.126.220.163] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262478; rev:1;)
# Havoc indicators; 18.253.226.108 is listed on both 443 and 80.
alert tcp $HOME_NET any -> [18.253.226.108] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262476; rev:1;)
alert tcp $HOME_NET any -> [18.253.226.108] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262475; rev:1;)
alert tcp $HOME_NET any -> [5.42.85.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262474; rev:1;)
alert tcp $HOME_NET any -> [18.118.8.124] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262473; rev:1;)
alert tcp $HOME_NET any -> [142.93.142.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262472; rev:1;)
alert tcp $HOME_NET any -> [89.117.172.225] 58895 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262471; rev:1;)
# url rule at confidence 50: GET whose URI starts with /mozi.m and whose Host
# header is exactly the listed IPv4 address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"119.186.205.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262470; rev:1;)
alert tcp $HOME_NET any -> [45.15.156.9] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262469; rev:1;)
# NOTE(review): sid 91262467 has the same match conditions as sid 91262267
# later in this file (GET /preload on 88.214.27.89); a matching request raises
# both alerts. The companion ip:port rule below is for port 443 - if the C2
# URL is served over TLS there, the http rule cannot see the URI and only the
# ip:port rule fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"88.214.27.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262467; rev:1;)
alert tcp $HOME_NET any -> [88.214.27.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262468; rev:1;)
# Same address as sid 91262469 above, different port and confidence (100).
alert tcp $HOME_NET any -> [45.15.156.9] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262280; rev:1;)
# Payload-delivery cluster around 138.124.180.84 and cdn43.space: url rules
# for /files/netsupport43.zip and /files/advancedipscanner.msix, a dns rule
# for cdn43.space, and ip:port rules (80 and 443) for the address.
# NOTE(review): two pairs in this cluster have identical match conditions and
# differ only in sid/reference, so one request raises two alerts:
#   sid 91262280 / sid 91262281  (netsupport43.zip on 138.124.180.84)
#   sid 91262279 / sid 91262278  (advancedipscanner.msix on 138.124.180.84)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"cdn43.space"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"cdn43.space"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262283; rev:1;)
# Exact-name dns match (depth + isdataat:!1,relative); sub-domains of
# cdn43.space are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn43.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262284; rev:1;)
# ip:port rules: any TCP packet to the address and port matches (no flow or
# flags keyword); threshold allows one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [138.124.180.84] 80 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262285; rev:1;)
alert tcp $HOME_NET any -> [138.124.180.84] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262286; rev:1;)
# NOTE(review): the URI pattern here is just "/" with depth:1, so every GET to
# hollandtrees.com over HTTP matches - this is effectively a host rule. Expect
# alerts for any browsing of the site, and confirm the host is still flagged
# before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hollandtrees.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262291; rev:1;)
alert tcp $HOME_NET any -> [89.185.30.66] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262279; rev:1;)
# NOTE(review): eu.org and duckdns.org (below) look like shared zones that
# host unrelated names; these rules match one exact host name each and should
# not be widened to the parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.qngxgw.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262293; rev:1;)
alert tcp $HOME_NET any -> [193.222.62.236] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262278; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.77] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262453/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_25; classtype:trojan-activity; sid:91262453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcxwq1.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262277; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.234] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262276; rev:1;)
# NOTE(review): sid 91262274 has the same match conditions as sid 91262263
# later in this file (GET /api/x on the same host). The host name looks like a
# tenant endpoint on a shared cloud API gateway; the rule matches only this
# exact name and should not be widened to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262273; rev:1;)
alert tcp $HOME_NET any -> [173.211.46.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262271/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262271; rev:1;)
# C2 url, domain and ip:port indicators, first_seen 2024_04_25.
# url rules: GET only; the URI pattern is anchored as a prefix (content +
# depth) and the host is matched exactly (depth + isdataat:!1,relative).
# Several URI patterns here are short and generic (/match, /push, /g.pixel,
# /preload); they are only meaningful together with the exact host test, so
# do not reuse them as stand-alone URI signatures.
# These http rules only fire on HTTP that reaches the sensor unencrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.216.117.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262270; rev:1;)
# ip:port rule: any TCP packet to the address and port matches (no flow or
# flags keyword); threshold allows one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [80.66.75.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"101.201.46.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262268; rev:1;)
# NOTE(review): sid 91262267 has the same match conditions as sid 91262467
# earlier in this file (GET /preload on 88.214.27.89); a matching request
# raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"88.214.27.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"211.159.172.150"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromeupdate/shellex/default.php"; depth:33; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262265; rev:1;)
# NOTE(review): sid 91262263 has the same match conditions as sid 91262274
# earlier in this file (GET /api/x on the same host). The host name looks like
# a tenant endpoint on a shared cloud API gateway; both the http rule and the
# dns rule below match only this exact name - do not widen them to the parent
# domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262264; rev:1;)
# url + dns pair for the same name: the dns rule is an exact match on
# "www.stylejason.com" and also covers lookups that precede HTTPS requests,
# which the http rule cannot see.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.stylejason.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stylejason.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262261; rev:1;)
# Three .top hosts share the URI prefix /zjm0njuxndm5mmvi/ (confidence 80).
# The pattern is lowercase with nocase, so the original case of the path is
# not recoverable from the rule - presumably lowercased by the feed
# generator; use the ThreatFox reference for the exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"mopelas.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262219/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kambarca.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"yedekleregldk.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262221/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"karaklpak.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262222/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"1.gamithou.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"kuramaservices.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"78.40.116.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.92.254.165"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"158.220.106.37"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"51.38.70.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"89.117.151.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"57.129.16.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262252; rev:1;) 
# ThreatFox-derived indicator rules (first_seen 2024_04_25), laid out one rule per line.
# Suricata reads a rule from a single line unless the line is continued with a
# trailing backslash, so several rules run together on one line will not load.
#
# Three rule shapes appear below:
#  * "alert tcp ... -> [IP] PORT": no flow or payload keywords, so any TCP packet from
#    $HOME_NET to that address and port matches. "threshold: type limit, track by_src,
#    seconds 60, count 1" caps this at one alert per source address per 60 seconds.
#  * "alert dns": depth equals the length of the content string and
#    isdataat:!1,relative requires that nothing follows it, so the query name has to
#    equal the listed name (nocase makes the comparison case-insensitive). Subdomains
#    are not covered, which is why parent and child names carry separate sids.
#  * "alert http": client-to-server GET requests on established flows. http.host is
#    matched in full the same way as the DNS name; http.uri has depth but no isdataat,
#    so any request URI that begins with the listed path matches.
#
# metadata confidence_level is the feed's own rating. Entries rated 50 and 75 share
# classtype trojan-activity with entries rated 100, so triage has to read the metadata
# field (or the percentage in msg) to tell them apart.
# NOTE(review): an ip:port rule identifies the peer by address only; confirm the entry
# at its reference URL is still current before acting on a hit.
alert tcp $HOME_NET any -> [46.246.4.2] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262251; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qax.gsldedie.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262248; rev:1;)
alert tcp $HOME_NET any -> [170.106.169.138] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"qax.gsldedie.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262247; rev:1;)
alert tcp $HOME_NET any -> [185.42.14.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvbtools.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documentid"; depth:11; nocase; http.host; content:"dvbtools.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.200.197.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262243; rev:1;)
alert tcp $HOME_NET any -> [78.40.116.170] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youlovemedontyou.bounceme.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262241; rev:1;)
alert tcp $HOME_NET any -> [209.14.69.249] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nocrynetworking.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262239; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.113] 4190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s.sushiking.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262237; rev:1;)
# Mirai ip:port entries, all on TCP 9511.
alert tcp $HOME_NET any -> [139.59.156.81] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262231; rev:1;)
alert tcp $HOME_NET any -> [159.203.9.75] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262232; rev:1;)
alert tcp $HOME_NET any -> [159.223.220.220] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262233; rev:1;)
alert tcp $HOME_NET any -> [161.35.210.154] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262234; rev:1;)
alert tcp $HOME_NET any -> [174.138.51.159] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262235; rev:1;)
alert tcp $HOME_NET any -> [174.138.51.232] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262236; rev:1;)
alert tcp $HOME_NET any -> [64.23.232.47] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262223; rev:1;)
alert tcp $HOME_NET any -> [64.23.251.7] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262224; rev:1;)
alert tcp $HOME_NET any -> [64.23.251.20] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262225; rev:1;)
alert tcp $HOME_NET any -> [64.225.17.60] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262226; rev:1;)
alert tcp $HOME_NET any -> [64.226.124.214] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262227; rev:1;)
alert tcp $HOME_NET any -> [68.183.48.122] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262228; rev:1;)
alert tcp $HOME_NET any -> [138.197.90.26] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262229; rev:1;)
alert tcp $HOME_NET any -> [139.59.41.182] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262230; rev:1;)
alert tcp $HOME_NET any -> [128.199.180.45] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262215; rev:1;)
alert tcp $HOME_NET any -> [138.68.97.101] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262216; rev:1;)
alert tcp $HOME_NET any -> [138.68.97.171] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262217; rev:1;)
alert tcp $HOME_NET any -> [146.190.135.213] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4track/testtrafficeternal/private3/secure7db/7private3/wordpresslocal/windows/cpuvoiddbtraffic/2base/providerexternalpipejavascriptupdatesqldbasynctemporary.php"; depth:161; nocase; http.host; content:"176.123.168.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1606aca9.php"; depth:13; nocase; http.host; content:"a0947291.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262213; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.113] 3190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262209; rev:1;)
# Domain indicators. msg names no malware family for these; each name is matched exactly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsagjogu8ztaueghasdjsdigh.cc"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler.su"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kz.hitler.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pve.rebirthltd.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.rebirthltd.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.secure-network-rebirthltd.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.dev"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.rebirthltd.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-cyber-security-rebirthltd.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirth-network.su"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.rebirth-network.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adolfhitler.su"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kz.adolfhitler.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-core-rebirthltd.su"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.secure-core-rebirthltd.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuck-niggers.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262202; rev:1;)
# The remaining ip:port entries are rated 75 or 50 by the feed, and several sit on
# common service ports (80, 443, 445), where an address-and-port match says little
# about the traffic itself.
alert tcp $HOME_NET any -> [45.32.168.59] 6363 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262188; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262187; rev:1;)
alert tcp $HOME_NET any -> [45.207.36.45] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262186; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.21] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262185; rev:1;)
alert tcp $HOME_NET any -> [41.99.107.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262184; rev:1;)
alert tcp $HOME_NET any -> [69.159.0.21] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262183; rev:1;)
alert tcp $HOME_NET any -> [77.126.168.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262182; rev:1;)
alert tcp $HOME_NET any -> [154.82.65.35] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262181; rev:1;)
alert tcp $HOME_NET any -> [64.23.159.147] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262180; rev:1;)
alert tcp $HOME_NET any -> [209.151.148.194] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262179; rev:1;)
# ThreatFox IOC rules, restored to one rule per line. Suricata needs each rule on
# a single line unless a line ends in a backslash. The rule text itself is left
# exactly as published, so sid/rev still map to the entry named in each
# reference:url.
#
# Two rule shapes appear below.
#
# ip:port rules ("alert tcp $HOME_NET any -> [IP] PORT"):
#   - No flow, flags or content keywords, so any TCP packet from $HOME_NET to that
#     address and port matches, not only a completed session.
#   - threshold type limit / track by_src / seconds 60 / count 1 caps output at one
#     alert per source address per 60 seconds.
#   - The malware family in msg and the confidence_level value are the only context
#     carried. A hit means "an internal host sent traffic to a listed endpoint";
#     lower confidence values call for corroborating host or proxy telemetry before
#     containment.
#
# url rules ("alert http $HOME_NET any -> $EXTERNAL_NET any"):
#   - Client-to-server GET requests only; other methods to the same URL do not alert.
#   - http.uri content with depth and no end check is a case-insensitive match on
#     the start of the URI, so longer paths and query strings also match.
#   - http.host content with depth plus isdataat:!1,relative has to equal the whole
#     host value.
#   - The HTTP parser sees plaintext HTTP; TLS sessions to the same host are not
#     inspected by these rules unless traffic is decrypted upstream.
#
# target:src_ip marks the $HOME_NET source as the target side in alert output.
# NOTE(review): first_seen is presumably the date the IOC was first recorded. These
# entries carry 2024_04_24 and 2024_04_25, and addresses get reassigned, so confirm
# the IOC is still listed at its reference URL before acting on a hit.

# --- first_seen 2024_04_25 ---
alert tcp $HOME_NET any -> [51.8.90.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262178; rev:1;)
alert tcp $HOME_NET any -> [3.250.35.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262177; rev:1;)
alert tcp $HOME_NET any -> [3.250.35.163] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262176; rev:1;)
alert tcp $HOME_NET any -> [86.60.160.90] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262175; rev:1;)
alert tcp $HOME_NET any -> [31.42.185.190] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262174; rev:1;)
alert tcp $HOME_NET any -> [164.92.80.224] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262173; rev:1;)
alert tcp $HOME_NET any -> [80.87.206.160] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262172; rev:1;)
alert tcp $HOME_NET any -> [50.114.37.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262171; rev:1;)
alert tcp $HOME_NET any -> [129.226.154.137] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262170; rev:1;)
# The next three rules list the same address on three ports, each with its own sid
# and confidence value.
alert tcp $HOME_NET any -> [91.92.253.249] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262169; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.249] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262168; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.249] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262167; rev:1;)
alert tcp $HOME_NET any -> [172.160.240.225] 7654 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262166; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262157; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262158; rev:1;)
# The URI pattern here is "/" with depth:1, so the URI check passes for any URI that
# begins with "/". In effect this rule is a Host-only match on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262148; rev:1;)
alert tcp $HOME_NET any -> [91.149.202.222] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262162; rev:1;)
alert tcp $HOME_NET any -> [159.253.120.176] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262164; rev:1;)
alert tcp $HOME_NET any -> [41.249.109.159] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262161; rev:1;)
alert tcp $HOME_NET any -> [80.66.89.223] 38183 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262160; rev:1;)

# --- first_seen 2024_04_24 ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"golovkcc.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fiash.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262156; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262155; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262154; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262153; rev:1;)
# 45.148.120.189 and 193.32.179.234 each appear twice below: once as an ip:port
# rule and once as the http.host of a url rule. The url rules carry no family name
# in msg, so correlate them with the ip:port alert by destination address when
# triaging.
alert tcp $HOME_NET any -> [45.148.120.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.148.120.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"193.32.179.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262149; rev:1;)
alert tcp $HOME_NET any -> [193.32.179.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262150; rev:1;)
alert tcp $HOME_NET any -> [95.169.196.22] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262139; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.177] 45 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262140; rev:1;) alert tcp $HOME_NET any -> [212.70.149.10] 35342 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262141; rev:1;) alert tcp $HOME_NET any -> [94.156.79.77] 3966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262142; rev:1;) alert tcp $HOME_NET any -> [2.58.95.123] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262143; rev:1;) alert tcp $HOME_NET any -> [94.156.79.155] 5958 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262144; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262145/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262145; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 12138 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/white-rock-progression/l3h0y5.php"; depth:52; nocase; http.host; content:"www.briccodeldente.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262110; rev:1;) alert tcp $HOME_NET any -> [82.205.72.17] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aboft7e.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/0srbuw.php"; depth:45; nocase; http.host; content:"dreamerz.vn"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1262109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/msecgc.php"; depth:45; nocase; http.host; content:"www.savetheworldpodcast.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/vhpg2j.php"; depth:46; nocase; http.host; content:"retrobox.rocks"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sb9ivy.php"; depth:45; nocase; http.host; content:"djibek.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wavebysudryez.fr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91262105; rev:1;) alert tcp $HOME_NET any -> [93.123.39.16] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262103; rev:1;) alert tcp $HOME_NET any -> [5.230.68.74] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262147/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262147; rev:1;) alert tcp $HOME_NET any -> [45.88.186.159] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262135; rev:1;) alert tcp $HOME_NET any -> [45.88.186.159] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262136; rev:1;) alert tcp $HOME_NET any -> [89.208.105.144] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262134; rev:1;) alert tcp $HOME_NET any -> [20.67.206.46] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262133; rev:1;) alert tcp $HOME_NET any -> [47.94.88.4] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262132; rev:1;) alert tcp $HOME_NET any -> [47.94.88.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262131; rev:1;) alert tcp $HOME_NET any -> [104.194.79.234] 8044 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262130; rev:1;) alert tcp $HOME_NET any -> [8.213.212.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262129; rev:1;) alert tcp $HOME_NET any -> [43.129.31.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262128; rev:1;) alert tcp $HOME_NET any -> [18.166.176.116] 8888 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262127; rev:1;) alert tcp $HOME_NET any -> [130.63.213.199] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262126; rev:1;) alert tcp $HOME_NET any -> [35.72.161.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262125; rev:1;) alert tcp $HOME_NET any -> [103.82.132.120] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262124; rev:1;) alert tcp $HOME_NET any -> [103.82.132.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262123; rev:1;) alert tcp $HOME_NET any -> [143.198.237.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91262122; rev:1;) alert tcp $HOME_NET any -> [195.123.226.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262121; rev:1;) alert tcp $HOME_NET any -> [92.243.64.130] 28002 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262120; rev:1;) alert tcp $HOME_NET any -> [62.233.57.237] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262119; rev:1;) alert tcp $HOME_NET any -> [213.87.44.192] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262118; rev:1;) alert tcp $HOME_NET any -> [219.144.98.12] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262117; rev:1;) alert tcp $HOME_NET any -> [98.98.118.81] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262116; rev:1;) alert tcp $HOME_NET any -> [217.237.87.199] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternalprotectdbasync.php"; depth:34; nocase; http.host; content:"a0804818.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.138.73.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dttao.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262104; rev:1;) alert tcp $HOME_NET any -> [193.233.132.139] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"20.106.253.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262101; rev:1;) alert tcp $HOME_NET any -> [185.62.58.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262100; rev:1;) alert tcp $HOME_NET any -> [82.153.64.23] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262099; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262006; rev:1;) alert tcp $HOME_NET any -> [139.162.178.159] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261864; rev:1;) alert tcp $HOME_NET any -> [78.40.117.167] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261863; rev:1;) alert tcp $HOME_NET any -> [139.99.133.66] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261862; rev:1;) alert tcp $HOME_NET any -> [139.99.133.66] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261861; rev:1;) alert tcp 
$HOME_NET any -> [146.70.198.22] 60129 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261860; rev:1;) alert tcp $HOME_NET any -> [187.135.122.191] 2022 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hearthingdirecwi.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.211.228.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"18.162.61.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261858/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_24; classtype:trojan-activity; sid:91261858; rev:1;) alert tcp $HOME_NET any -> [18.162.61.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"3.139.18.182"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261855; rev:1;) alert tcp $HOME_NET any -> [3.139.18.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261854; rev:1;) alert tcp $HOME_NET any -> [202.146.220.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261853; rev:1;) alert tcp $HOME_NET any -> [123.249.36.186] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"116.205.188.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261851; rev:1;) alert tcp $HOME_NET any -> [116.205.188.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.130.70.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261849; rev:1;) alert tcp $HOME_NET any -> [8.130.70.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261848; rev:1;) alert tcp $HOME_NET any -> [101.34.87.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261846; rev:1;) alert tcp $HOME_NET any -> [165.227.108.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"167.71.242.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.227.108.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.55.199.36"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1261842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/query/info"; depth:11; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261840; rev:1;) alert tcp $HOME_NET any -> [47.92.131.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.13.86"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"107.150.47.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.3.1.252"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"172.247.44.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261835; rev:1;) alert tcp $HOME_NET any -> [173.211.46.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrew"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261833/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_24; classtype:trojan-activity; sid:91261833; rev:1;) alert tcp $HOME_NET any -> [61.240.29.215] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"61.240.29.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"91.92.242.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"35.221.150.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; 
depth:25; nocase; http.host; content:"65.20.107.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"129.204.169.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6qlmfr7s-1312562872.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-6qlmfr7s-1312562872.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.130.30.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milu_image/"; depth:12; nocase; http.host; content:"18.166.113.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logo.gif"; depth:9; nocase; http.host; content:"berita-timur.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.157.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261820; rev:1;) alert tcp $HOME_NET any -> [156.224.20.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"107.174.254.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.alipan.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.alipan.lol"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261815; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.172.159.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"20.2.202.15"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"bliblyuvblfds.work.gd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bliblyuvblfds.work.gd"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedrive"; depth:9; nocase; http.host; content:"keolisgroup.azureedge.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.212.71.0"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.222.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/profile"; depth:13; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261806/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_24; classtype:trojan-activity; sid:91261806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"139.155.134.117"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-j78tszan-1319584009.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/product"; depth:8; nocase; http.host; content:"service-j78tszan-1319584009.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.50.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"129.204.169.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.102.7.180"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261799; rev:1;) alert tcp $HOME_NET any -> [23.102.7.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"berita-timur.kumbaraan.biz.id"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image"; depth:6; nocase; http.host; content:"berita-timur.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftupdate/shellex/kb242742/default.aspx"; depth:46; nocase; http.host; content:"192.227.152.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milu_image/"; depth:12; nocase; http.host; content:"www.614110.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261794; rev:1;) alert tcp $HOME_NET any -> [18.166.113.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261795; rev:1;) alert tcp $HOME_NET any -> [154.213.17.138] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.213.17.132"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fiash.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fiash.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"101.36.111.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261789; rev:1;) alert tcp $HOME_NET any -> [192.144.128.196] 1994 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.109.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"150.158.141.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"107.174.235.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261784; rev:1;) alert tcp $HOME_NET any -> [120.46.91.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.46.91.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261782; rev:1;)
alert tcp $HOME_NET any -> [39.100.79.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.100.79.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261780; rev:1;)
alert tcp $HOME_NET any -> [39.100.109.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261779; rev:1;)
# NOTE(review): the Host value below is a well-known vendor domain. The same URI is
# listed in sid:91261786 with host 39.100.109.229, and that address is covered on port
# 443 by sid:91261779 above. Presumably the Host header is set by the client rather
# than reflecting the real destination; confirm against the ThreatFox entry.
# The rule checks only the URI prefix and the Host header, never the destination
# address, so a genuine request to that domain for a path starting with
# /mall_100_100.html would also alert. Compare the flow's destination address with
# the domain's legitimate resolution before treating the source host as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"www.huawei.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261777; rev:1;)
# Confidence drops to 80 from here on; the value is also in metadata (confidence_level),
# so alert handling can separate these from the 100% entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalanda346.shop"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1261768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakafsafndan5.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalanfgdfg.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalaasdgtg.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261771; rev:1;) alert tcp $HOME_NET any -> [103.113.70.99] 2630 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"botnet.goelites.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261775; rev:1;)

# ip:port IOC: no flow or content keywords, so any TCP packet from $HOME_NET to
# this address and port matches; threshold caps output at one alert per source
# address per 60 seconds. This entry is confidence_level 75; the same address
# appears again on port 80 at confidence_level 100 (sid 91261755 below).
alert tcp $HOME_NET any -> [45.88.90.30] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261774; rev:1;)

# domain IOCs: dns_query must equal the name exactly (depth plus
# isdataat:!1,relative), case-insensitively. Subdomains are not matched, which
# is why the subdomain and its parent each have their own rule here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"putin.zelenskyj.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zelenskyj.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261773; rev:1;)

# url IOC: HTTP GET whose URI begins with "/dpixel" (prefix match; the end of
# the URI is not anchored) and whose Host header is exactly the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"115.159.62.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261767; rev:1;)
alert tcp $HOME_NET any -> [107.148.1.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261766; rev:1;)

# The same hostname is covered by a url rule and a domain rule. Both match the
# full 50-byte name exactly, so only this one trycloudflare.com subdomain
# alerts, not the parent domain or other subdomains. The URI pattern is a
# common library filename; the Host match carries the specificity.
# NOTE(review): tunnel hostnames of this form are presumably short-lived -
# verify the IOC is still current before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"firmware-yrs-conflicts-favorites.trycloudflare.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firmware-yrs-conflicts-favorites.trycloudflare.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261765; rev:1;)

alert tcp $HOME_NET any -> [93.123.85.131] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261763; rev:1;)

# Exact-name domain IOCs. A hit shows that an internal host (or the resolver it
# uses, if that is what sits in $HOME_NET) asked for the name; it does not by
# itself show that a connection followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.netsyn.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.nodefunction.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eclp8oz0m8mxouv96hc9p7k2btydt3iv.click"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261759; rev:1;)

# MooBot ip:port IOCs on port 80. With no payload condition, any TCP traffic to
# these addresses on 80 alerts, whatever is being requested.
alert tcp $HOME_NET any -> [45.88.90.30] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261755; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.17] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261756; rev:1;)
alert tcp $HOME_NET any -> [89.169.55.166] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261757; rev:1;)

# ip:port IOCs: none of the rules below has flow or content keywords, so any
# TCP packet from $HOME_NET to the listed address and port matches. threshold
# caps output at one alert per source address per 60 seconds, and
# target:src_ip marks the internal client as the affected side of the alert.
# metadata confidence_level is the feed's own score and can be used to split
# alert priority; first_seen is 2024_04_24 for every entry here, so check that
# an address is still listed as active before acting on a hit.
alert tcp $HOME_NET any -> [91.92.240.43] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261758; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.10] 50505 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261754; rev:1;)

# confidence_level 50 on port 80: a hit shows only that a host contacted the
# address and port, so corroborate with other telemetry before escalating.
alert tcp $HOME_NET any -> [45.150.64.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261753; rev:1;)
alert tcp $HOME_NET any -> [95.179.190.134] 23954 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261752; rev:1;)

# confidence_level 50 entries on ports 465, 445, 8443 and 4506. Same caveat:
# destination match only, no protocol or payload condition.
alert tcp $HOME_NET any -> [96.70.92.177] 465 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261751; rev:1;)
alert tcp $HOME_NET any -> [122.100.188.124] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261750; rev:1;)
alert tcp $HOME_NET any -> [158.160.87.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261749; rev:1;)
alert tcp $HOME_NET any -> [80.82.76.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261748; rev:1;)
alert tcp $HOME_NET any -> [140.249.32.157] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261747; rev:1;)

# Cobalt Strike ip:port IOCs, confidence_level 100.
alert tcp $HOME_NET any -> [123.57.183.22] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261746; rev:1;)
alert tcp $HOME_NET any -> [101.200.197.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261745; rev:1;)
alert tcp $HOME_NET any -> [47.116.170.61] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261744; rev:1;)

# The msg labels these "payload delivery" rather than "botnet C2 traffic", all
# on port 80 at confidence_level 50. The rules themselves are identical in
# shape to the C2 ip:port rules; only the label differs.
alert tcp $HOME_NET any -> [45.156.23.149] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261226; rev:1;)
alert tcp $HOME_NET any -> [45.156.23.186] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261227; rev:1;)
alert tcp $HOME_NET any -> [193.176.190.43] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261228; rev:1;)
alert tcp $HOME_NET any -> [193.242.145.129] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261229; rev:1;)
alert tcp $HOME_NET any -> [195.211.124.144] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261230; rev:1;)

# ip:port IOCs: no flow or content keywords, so any TCP packet from $HOME_NET
# to the listed address and port matches; threshold caps output at one alert
# per source address per 60 seconds.
alert tcp $HOME_NET any -> [194.116.214.7] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261231; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.10] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261740/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261740; rev:1;)

# domain IOC labelled "payload delivery": dns_query must equal the name exactly
# (depth plus isdataat:!1,relative), case-insensitively; other names under the
# same parent domain are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nano.anygreaterways.tech"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260928; rev:1;)

# Nanocore RAT ip:port IOCs on port 15030. The three addresses here reappear
# on port 10651 further down, together with 3.6.115.182.
# NOTE(review): several addresses in one range recurring across ports may
# indicate shared hosting or tunnelling infrastructure - verify ownership
# before treating the address alone as malicious.
alert tcp $HOME_NET any -> [3.6.98.232] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260989; rev:1;)
alert tcp $HOME_NET any -> [3.6.30.85] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260990; rev:1;)
alert tcp $HOME_NET any -> [3.6.122.107] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260998; rev:1;)
alert tcp $HOME_NET any -> [154.53.42.53] 8847 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261000; rev:1;)

# Nanocore RAT ip:port IOCs on port 10651.
alert tcp $HOME_NET any -> [3.6.115.182] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261006; rev:1;)
alert tcp $HOME_NET any -> [3.6.98.232] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261007; rev:1;)
alert tcp $HOME_NET any -> [3.6.122.107] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261008; rev:1;)
alert tcp $HOME_NET any -> [3.6.30.85] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261009; rev:1;)

# url IOC for 60.205.245.29: HTTP GET whose URI begins with the listed path
# (prefix match; the end of the URI is not anchored) and whose Host header is
# exactly the address. Later in the file sid 91261001 carries the same method,
# URI and Host conditions with first_seen 2024_04_23, so one request raises
# both alerts. The ip:port rule for the same address on 443 follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/sf/1g3fvhte94"; depth:22; nocase; http.host; content:"60.205.245.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261742; rev:1;)
alert tcp $HOME_NET any -> [60.205.245.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261743; rev:1;)

# "/activity" is a short, generic URI prefix; the exact Host match is what
# makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261741; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.220] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261739; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261738; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261737; rev:1;)

# url IOCs (first_seen 2024_04_23 from here on): HTTP GET whose URI begins with
# the listed path (depth pins the match to offset 0; nothing pins the end, so a
# longer path or a query string still matches) and whose Host header equals the
# listed value exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/300e6d86f44da037.php"; depth:21; nocase; http.host; content:"89.105.198.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261110; rev:1;)

# "/load" is a 5-byte prefix, so any URI starting with it matches (for example
# a longer path that merely begins with those bytes); specificity comes from
# the exact Host match on 115.159.62.32.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"115.159.62.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261005; rev:1;)

# 45.144.3.139 is covered by ip:port (443) and by URL. The ip:port rule has no
# flow or content keywords, so any TCP packet to the address and port matches;
# threshold caps output at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [45.144.3.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.144.3.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261003; rev:1;)

# 60.205.245.29 on port 80, then the url rule for the same address.
# NOTE(review): sid 91261001 has the same method, URI and Host conditions as
# sid 91261742 earlier in the file (first_seen 2024_04_24); they differ only in
# reference, first_seen and sid, so a single request raises two alerts.
# Consider suppressing one of the two locally.
alert tcp $HOME_NET any -> [60.205.245.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/sf/1g3fvhte94"; depth:22; nocase; http.host; content:"60.205.245.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261001; rev:1;)

# "/api" is a 4-byte prefix that matches any URI beginning with those bytes;
# the rule depends on the exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blockbeerman.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260999; rev:1;)

# Host is one specific subdomain of 000webhostapp.com, matched in full (44
# bytes, exact); the parent domain and its other subdomains do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com"; depth:44; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/api144/9wp/imagevmcpubigloaddefault.php"; depth:42; nocase; http.host; content:"45.130.42.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260996; rev:1;)

# ip:port IOCs on 443 at confidence_level 75. With no payload condition and an
# encrypted-service port, a hit shows only that a host contacted the address.
alert tcp $HOME_NET any -> [193.37.69.112] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260994; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.19] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260995; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.246] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260993; rev:1;)

# url IOC for cajgtus.com, path prefix "/test2/get.php".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260991; rev:1;)

# ip:port IOC: no flow or content keywords, so any TCP packet from $HOME_NET to
# the listed address and port matches; threshold caps output at one alert per
# source address per 60 seconds. target:src_ip marks the internal client as the
# affected side of the alert.
alert tcp $HOME_NET any -> [62.60.130.8] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260988; rev:1;)

# url IOC: HTTP GET whose URI begins with the listed path (prefix match; the
# end of the URI is not anchored) and whose Host header equals the listed name
# exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/rili/gate.php"; depth:22; nocase; http.host; content:"smartoffice-eg.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260987; rev:1;)
alert tcp $HOME_NET any -> [47.96.107.37] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260986; rev:1;)

# AsyncRAT ip:port IOCs. 213.252.247.202 is listed on two ports (6606 and 222),
# each with its own sid, so one host talking to both ports raises two alerts.
alert tcp $HOME_NET any -> [213.252.247.202] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260985; rev:1;)
alert tcp $HOME_NET any -> [213.252.247.202] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260984; rev:1;)
alert tcp $HOME_NET any -> [156.195.128.36] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260983; rev:1;)
alert tcp $HOME_NET any -> [128.90.103.36] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260982; rev:1;)
alert tcp $HOME_NET any -> [85.97.168.208] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260981; rev:1;)

# url IOC keyed on an IP-literal Host header and a .php path prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ef96e7190cc7acd.php"; depth:21; nocase; http.host; content:"185.161.248.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260980; rev:1;)

# Cobalt Strike ip:port IOCs, confidence_level 100. Several sit on ports 80 and
# 443, where the rule cannot tell the flagged service apart from anything else
# hosted at the address: it matches on destination only. first_seen is
# 2024_04_23 for all of them, so check the address is still listed as active
# before acting on a hit.
alert tcp $HOME_NET any -> [185.229.237.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260979; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260978; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260977; rev:1;)
alert tcp $HOME_NET any -> [172.247.44.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260975; rev:1;)
alert tcp $HOME_NET any -> [154.198.194.220] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260976; rev:1;)
alert tcp $HOME_NET any -> [117.72.39.83] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260974; rev:1;)
alert tcp $HOME_NET 
any -> [117.72.65.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260973; rev:1;)

# ip:port IOCs: no flow or content keywords, so any TCP packet from $HOME_NET
# to the listed address and port matches; threshold caps output at one alert
# per source address per 60 seconds. 148.135.46.9 is listed on both 80 and 443
# under separate sids.
alert tcp $HOME_NET any -> [148.135.46.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260971; rev:1;)
alert tcp $HOME_NET any -> [148.135.46.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260972; rev:1;)

# domain IOC: dns_query must equal the name exactly (depth plus
# isdataat:!1,relative), case-insensitively; subdomains such as a "www." form
# of this name are not matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symposiumos.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260970; rev:1;)

# Cobalt Strike ip:port IOCs, confidence_level 100, first_seen 2024_04_23.
# Destination match only; check the address is still listed as active before
# acting on a hit.
alert tcp $HOME_NET any -> [170.130.55.123] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260969; rev:1;)
alert tcp $HOME_NET any -> [103.146.141.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260967; rev:1;)
alert tcp $HOME_NET any -> [154.92.18.140] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260968; rev:1;)
alert tcp $HOME_NET any -> [114.116.50.214] 59527 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260966; rev:1;)
alert tcp $HOME_NET any -> [118.193.62.169] 3036 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260965; rev:1;)
alert tcp $HOME_NET any -> [101.36.117.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260964; rev:1;)
alert tcp $HOME_NET any -> [18.144.30.84] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260963; rev:1;)

# Exact-name domain IOC: only "www.614110.xyz" matches, not the bare parent
# domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.614110.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260962; rev:1;)
alert tcp $HOME_NET any -> [18.166.113.176] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260961; rev:1;)
alert tcp $HOME_NET any -> [54.249.71.250] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260960; rev:1;)

# "Unknown malware" at confidence_level 50: the feed names no family and the
# rule has no payload condition, so a hit shows only that a host contacted the
# address and port. Corroborate with other telemetry before escalating.
alert tcp $HOME_NET any -> [185.216.70.211] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260959; rev:1;)
alert tcp $HOME_NET any -> [104.214.168.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260958; rev:1;)
alert tcp $HOME_NET any -> [139.84.234.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260957; rev:1;) alert tcp $HOME_NET any -> [176.44.95.96] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260956; rev:1;) alert tcp $HOME_NET any -> [85.107.24.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260955; rev:1;) alert tcp $HOME_NET any -> [122.248.198.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260954; rev:1;) alert tcp $HOME_NET any -> [178.128.22.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260953; rev:1;) alert tcp $HOME_NET any -> [66.135.9.239] 3232 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260952; rev:1;) alert tcp $HOME_NET any -> [62.210.188.78] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260951; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260950; rev:1;) alert tcp $HOME_NET any -> [144.208.127.115] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260949; rev:1;) alert tcp $HOME_NET any -> [144.208.127.115] 37821 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260948; rev:1;) alert tcp $HOME_NET any -> [20.2.202.15] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260947; rev:1;) alert tcp $HOME_NET any -> [43.130.252.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.creativemedia.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260945; rev:1;) alert tcp $HOME_NET any -> [107.175.115.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260944; rev:1;) alert tcp $HOME_NET any -> [23.94.133.100] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"keolisgroup.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260942; rev:1;) alert tcp $HOME_NET any -> [138.68.87.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260941; rev:1;) alert tcp $HOME_NET any -> [139.9.35.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260940; rev:1;) alert tcp $HOME_NET any -> [139.196.174.180] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260939; rev:1;) alert tcp $HOME_NET any -> [139.196.154.253] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260938; rev:1;) alert tcp $HOME_NET any -> [123.57.58.184] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260937; rev:1;) alert tcp $HOME_NET any -> [123.57.58.184] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260936; rev:1;) alert tcp $HOME_NET any -> [121.199.43.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260935; rev:1;) alert tcp $HOME_NET any -> [120.25.2.115] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260934; rev:1;) alert tcp $HOME_NET any -> [59.110.126.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260933; rev:1;) alert tcp $HOME_NET any -> [47.120.63.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260932; rev:1;) alert tcp $HOME_NET any -> [47.120.32.46] 10152 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260931; rev:1;) alert tcp $HOME_NET any -> [47.117.156.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260930; rev:1;) alert tcp $HOME_NET any -> [47.98.251.131] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260929; rev:1;)
# Reviewer notes for the url, domain and ip:port rules that follow (all first_seen 2024_04_23,
# all confidence_level 100).
# - url rules require an established client-to-server flow, method GET, a URI that STARTS with
#   the listed path (depth anchors the start of http.uri; nothing anchors the end, so longer
#   paths and query strings still match) and an http.host buffer equal to the listed value
#   (depth equals the pattern length and isdataat:!1,relative forbids trailing data).
# - They inspect cleartext HTTP only. When the same server is reached over TLS, only the
#   ip:port or domain rule for that indicator, where one exists, can fire.
# - Most paths here (/ga.js, /__utm.gif, /pixel.gif, /dot.gif, /en_us/all.js, ...) are names an
#   ordinary site could serve; the host condition is what makes each rule specific. Do not
#   reuse the path alone as a hunting pattern.
# - The msg of url and domain rules names no malware family; follow reference:url for
#   attribution. NOTE(review): several of these paths resemble stock Cobalt Strike profile
#   URIs - confirm against the referenced ThreatFox entries.
# - Some indicators are listed twice (url + domain, or url + ip:port), so one connection can
#   raise two alerts; group by destination when counting incidents.
# - ip:port rules match on the TCP header only (no flow state, no content) and are capped by
#   threshold at one alert per source address per 60 seconds.
# - domain rules match the exact query name only; a hit shows a lookup, not a connection.
# - sid is 90000000 plus the ThreatFox IOC id in reference:url.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.146.50.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"112.124.34.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.137.108.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.243.59.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.101.37.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.139.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260918; rev:1;)
alert tcp $HOME_NET any -> [43.153.202.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260917; rev:1;)
# Same indicator listed as url and as domain (api.rayob2.shop).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"api.rayob2.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.rayob2.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260916; rev:1;)
alert tcp $HOME_NET any -> [8.137.93.215] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"8.210.236.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.50.188.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.147.132.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260910; rev:1;)
# Same address listed as url host and as ip:port (42.193.117.162, port 80).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.117.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260908; rev:1;)
alert tcp $HOME_NET any -> [42.193.117.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260909; rev:1;)
alert tcp $HOME_NET any -> [43.136.176.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260907; rev:1;)
# Hostname under tencentapigw.com, listed as url and as domain. NOTE(review): the parent looks
# like a shared API-gateway domain - confirm, and keep any blocking scoped to this exact name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-ldzftvcf-1252123187.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ldzftvcf-1252123187.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260906; rev:1;)
# Same address listed as ip:port (443) and as url host (193.112.85.116).
alert tcp $HOME_NET any -> [193.112.85.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"193.112.85.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260902; rev:1;)
# Second tencentapigw.com hostname, again listed as url and as domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ku7vp6lj-1253504731.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ku7vp6lj-1253504731.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260901; rev:1;)
alert tcp $HOME_NET any -> [119.45.171.159] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260899; rev:1;)
alert tcp $HOME_NET any -> [8.134.113.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"62.234.223.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.224.25.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260894; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260893; rev:1;)
# Same indicator listed as url and as domain (facelove.life).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/0cmp4e8sk1rgrjhc2ncnqf2u"; depth:42; nocase; http.host; content:"facelove.life"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facelove.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260892; rev:1;)
alert tcp $HOME_NET any -> [101.201.54.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.76.153.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.130.118.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260886; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1260885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260885; rev:1;) alert tcp $HOME_NET any -> [101.33.192.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"43.141.50.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.51.156.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"117.187.245.242"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260881; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"43.141.11.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260880; rev:1;) alert tcp $HOME_NET any -> [139.144.33.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"38.107.146.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"39.104.28.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.55.36.136"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260875; rev:1;)
# --- ip:port IOCs (alert tcp) ------------------------------------------------
# Header-only matches: none of the three rules below has a flow or content
# keyword, so any TCP packet from $HOME_NET to the listed address and port
# raises the alert, including a connection attempt that never completes.
# threshold limits output to one alert per source address per 60 seconds, so
# the alert count does not reflect traffic volume.
# sid is "9" followed by the ThreatFox IOC id shown in reference:url.
# NOTE(review): all three carry first_seen 2024_04_23; check the referenced
# ThreatFox entry before treating a hit on a bare IP address as current.
alert tcp $HOME_NET any -> [120.55.36.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260876; rev:1;)
alert tcp $HOME_NET any -> [119.45.171.159] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260874; rev:1;)
alert tcp $HOME_NET any -> [43.136.38.59] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260873; rev:1;)
# --- domain IOC (alert dns) --------------------------------------------------
# Exact, case-insensitive match on the queried name: depth equals the name
# length and isdataat:!1,relative rejects anything longer, so subdomains of the
# IOC are not matched.
# NOTE(review): dns_query is the legacy spelling; the HTTP rules in this file
# use the dotted sticky-buffer names (http.uri, http.host) and dns.query is the
# matching form. Left unchanged here because the feed is generated.
# NOTE(review): with target:src_ip, an internal resolver that forwards the
# query would be reported as the affected host instead of the client that
# asked -- correlate with resolver logs where that applies.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oa.dahuatec.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260872; rev:1;)
# --- URL IOC (alert http) for the same host as the dns rule above ------------
# Established client-to-server request, method buffer contains "GET", URI
# starts with "/www/handle/doc" (no end anchor), Host equals the IOC exactly.
# The rule's remaining options continue on the following line.
# NOTE(review): this rule reads parsed HTTP buffers, so over TLS the dns rule
# above is presumably the only one of the pair that can fire -- confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"oa.dahuatec.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260871/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260871; rev:1;) alert tcp $HOME_NET any -> [103.97.58.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.97.58.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.92.200.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260867; rev:1;) alert tcp $HOME_NET any -> [104.248.6.246] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"office365.homes"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.homes"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260865; rev:1;) alert tcp $HOME_NET any -> [38.34.166.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.34.166.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"37.27.11.209"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"100.40.180.6"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1260856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260856; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.229.200.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-hoefler.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260853; rev:1;) alert tcp $HOME_NET any -> [46.101.137.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dr-hoefler.de"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.76.219.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.207.38.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.156.166.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260848; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"193.112.85.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.137.108.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"8.222.176.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260845; rev:1;) alert tcp $HOME_NET any -> [124.222.218.72] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260844; rev:1;) alert tcp $HOME_NET any -> [5.188.86.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260843/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_23; classtype:trojan-activity; sid:91260843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_shop_active"; depth:16; nocase; http.host; content:"zx.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo"; depth:3; nocase; http.host; content:"as.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_shop_active"; depth:16; nocase; http.host; content:"qw.scsvcreg.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"91.92.246.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"128.199.178.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.201.54.74"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260829; rev:1;) alert tcp $HOME_NET any -> [103.143.208.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xahoithongtins.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.5.6.min.js"; depth:20; nocase; http.host; content:"www.xahoithongtins.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.134.188.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260824; rev:1;) alert tcp $HOME_NET any -> [123.206.126.95] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260822; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260821; rev:1;) alert tcp $HOME_NET any -> [118.89.72.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260820; rev:1;) alert tcp $HOME_NET any -> [115.159.62.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260819; rev:1;) alert tcp $HOME_NET any -> [101.42.1.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260818/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260818; rev:1;) alert tcp $HOME_NET any -> [101.34.70.89] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260817; rev:1;) alert tcp $HOME_NET any -> [81.70.236.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260816; rev:1;) alert tcp $HOME_NET any -> [81.70.236.105] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260815; rev:1;) alert tcp $HOME_NET any -> [49.235.187.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260814; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260813; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260811; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260812; rev:1;) alert tcp $HOME_NET any -> [43.136.109.223] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260810; rev:1;) alert tcp $HOME_NET any -> [43.136.109.223] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260809; rev:1;) alert tcp $HOME_NET any -> [1.13.19.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260808; rev:1;) alert tcp $HOME_NET any -> [103.254.73.249] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260807; rev:1;) alert tcp $HOME_NET any -> [103.254.73.248] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260806; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260802; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260801; rev:1;) alert tcp $HOME_NET any -> [94.156.10.12] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260800; rev:1;) alert tcp $HOME_NET any -> [94.156.10.12] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260799/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260799; rev:1;) alert tcp $HOME_NET any -> [94.156.79.77] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.voidnet.click"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260560; rev:1;) alert tcp $HOME_NET any -> [217.15.168.60] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260579; rev:1;) alert tcp $HOME_NET any -> [158.51.96.17] 1025 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260574; rev:1;) alert tcp $HOME_NET any -> [185.102.172.136] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260575; rev:1;) alert tcp $HOME_NET any -> [188.212.100.60] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260576; rev:1;) alert tcp $HOME_NET any -> 
[193.187.174.244] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260577; rev:1;) alert tcp $HOME_NET any -> [209.141.44.84] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260578; rev:1;) alert tcp $HOME_NET any -> [45.128.232.210] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260567; rev:1;) alert tcp $HOME_NET any -> [45.131.64.78] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260568; rev:1;) alert tcp $HOME_NET any -> [82.165.230.58] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260569; rev:1;) alert tcp $HOME_NET any -> [91.92.252.74] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260570; rev:1;) alert tcp $HOME_NET any -> [94.156.79.33] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260571; rev:1;) alert tcp $HOME_NET any -> [149.56.79.119] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260572; rev:1;) alert tcp $HOME_NET any -> [152.42.239.228] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260573; rev:1;) alert tcp $HOME_NET any -> [2.58.95.133] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260561; rev:1;) alert tcp $HOME_NET any -> [15.204.18.234] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260562; rev:1;) alert tcp $HOME_NET any -> [15.235.149.59] 666 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260563; rev:1;) alert tcp $HOME_NET any -> [15.235.149.123] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260564; rev:1;) alert tcp $HOME_NET any -> [37.114.56.22] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260565; rev:1;) alert tcp $HOME_NET any -> [45.128.232.12] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpacketupdateprotectdle.php"; depth:37; nocase; http.host; content:"212.109.196.215"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260558; rev:1;) alert tcp $HOME_NET any -> [65.191.34.123] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260518; rev:1;) alert tcp $HOME_NET any -> [188.49.116.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260528/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ipscanadvsf.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notionso.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260530; rev:1;) alert tcp $HOME_NET any -> [65.21.119.50] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pdftoconvert.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260533/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_23; classtype:trojan-activity; sid:91260533; rev:1;)
# "payload delivery" domain indicators: exact-name match on the DNS query
# (depth equals the name length, isdataat:!1,relative forbids trailing bytes).
# The alert fires on the lookup itself, whether or not a connection follows.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"toppdfconverter.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomis.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260535; rev:1;)
# URL indicator whose path is just "/": content:"/" with depth:1 is satisfied
# by any request URI that starts with a slash, so in practice this rule alerts
# on every GET whose Host is exactly the name below. The http.* buffers are
# only filled for HTTP the sensor can parse; the same request inside TLS is
# not seen by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"faststaynow.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260556; rev:1;)
# ip:port indicator: no flow or content keyword, so any TCP packet to this
# address and port matches; limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [147.78.103.228] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neger.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260555; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"neger.icu"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260553; rev:1;)
# URL indicators sharing one path across several hosts. In each rule the URI
# content is anchored only at the start (depth equals the path length, no end
# check), so a request for this path followed by a query string or further
# characters also matches; the Host content is anchored at both ends
# (depth plus isdataat:!1,relative) and must equal the value exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"methbot-proxy.pro"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260554; rev:1;)
# The Host value in the next rules is an IP literal: they match only when the
# client sent that address as the host name, not when the same server is
# reached under a domain name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"89.116.236.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"209.141.60.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"195.181.164.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"74.91.116.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"135.148.57.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"51.81.104.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; 
http.host; content:"93.123.85.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"2.58.95.81"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"93.123.85.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260544; rev:1;) alert tcp $HOME_NET any -> [45.136.15.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"45.136.15.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260542; rev:1;) alert tcp $HOME_NET 
any -> [101.42.228.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260540; rev:1;) alert tcp $HOME_NET any -> [148.135.72.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260537/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_23; classtype:trojan-activity; sid:91260537; rev:1;)
# URL indicator with a long path: depth:114 anchors the path at the start of
# the request URI, and the Host must be exactly the IP literal given. Only
# cleartext HTTP that the sensor parses reaches the http.* buffers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localuniversal/3dumpprocessor/gamewordpresstrack6/eternal4/flower8testdump/longpolllongpoll/securehttpwplocal.php"; depth:114; nocase; http.host; content:"82.146.61.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260536; rev:1;)
# Domain indicator: exact-name, case-insensitive match on the DNS query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elastsolek21.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260531; rev:1;)
# ip:port indicator: any TCP packet to this address and port matches; one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [106.75.174.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260527; rev:1;)
# NOTE(review): the ip:port rule directly above lists 106.75.174.5 while the
# Host content below is 106.75.104.5. Both values are reproduced as they
# appear in this feed; whether they are two separate indicators or one is a
# typo cannot be told from here - check the two referenced ThreatFox entries
# before relying on either rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.75.104.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260526; rev:1;)
alert tcp $HOME_NET any -> [45.136.15.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.136.15.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260524; rev:1;) alert tcp $HOME_NET any -> [139.196.174.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.196.174.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"webpoint.micromoto.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260521; rev:1;) alert tcp $HOME_NET any -> [148.135.72.115] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260520; rev:1;)
# NOTE(review): this rule has the same http.uri and http.host contents as
# sid:91260537 elsewhere in this file (a separate ThreatFox entry), so one
# matching request raises both alerts; de-duplicate downstream if that matters.
# The URI content is anchored at the start only, so any request URI beginning
# with this directory prefix matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260519; rev:1;)
# ip:port indicators: no flow or content keyword, so any TCP packet to the
# listed address and port matches; one alert per source address per 60 seconds.
# The confidence level in msg and metadata is the feed's own score.
alert tcp $HOME_NET any -> [91.92.245.231] 64418 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260517; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.127] 19286 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260516; rev:1;)
# URL indicator: GET whose URI starts with the path and whose Host is exactly
# the IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260515; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.122] 39361 (msg:"ThreatFox RedLine 
Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260514; rev:1;)
# Lower-confidence ip:port indicators: the feed scores the following entries
# at confidence_level 50. The rules match on address and port alone, with no
# payload or flow condition, and several use port 80, so an alert shows only
# that a host sent a TCP packet to that endpoint. Triage hint: weigh
# confidence_level and first_seen from the metadata, and corroborate with DNS,
# proxy or endpoint telemetry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [45.142.212.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260513; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.148] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260512; rev:1;)
alert tcp $HOME_NET any -> [23.254.144.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260511; rev:1;)
alert tcp $HOME_NET any -> [43.198.238.210] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260510; rev:1;)
alert tcp $HOME_NET any -> [117.72.38.14] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260509/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_23; classtype:trojan-activity; sid:91260509; rev:1;) alert tcp $HOME_NET any -> [104.214.168.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260508; rev:1;) alert tcp $HOME_NET any -> [117.72.64.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260507; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260506; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260505; rev:1;) alert tcp $HOME_NET any -> [151.30.238.53] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260504; rev:1;) alert tcp $HOME_NET any -> [189.175.199.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260503; rev:1;) alert tcp $HOME_NET any -> [103.215.80.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260502; rev:1;) alert tcp $HOME_NET any -> [3.76.124.183] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260501; rev:1;) alert tcp $HOME_NET any -> [45.55.38.40] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bimbro.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bohot.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260493; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karl3on.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neuengi.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndearn.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almatac.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kartogra.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktayho.top"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260499; rev:1;)
# URL indicator with path "/": content:"/" with depth:1 matches any request
# URI that begins with a slash, so this rule alerts on every GET whose Host is
# exactly the name below. It covers cleartext HTTP only; a DNS rule for the
# same name exists elsewhere in this file and fires on the lookup regardless
# of the transport that follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aktayho.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260487; rev:1;)
# Domain indicators: depth equals the name length and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly the listed name matches
# (case-insensitively); queries for subdomains of it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redddog.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eralaunch.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soka101.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tenens.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1260491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kartogra.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"almatac.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ndearn.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"neuengi.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"karl3on.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bohot.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bimbro.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tenens.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soka101.xyz"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1260478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eralaunch.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"redddog.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260476; rev:1;)
# ip:port rules (Vidar): there is no flow or content option, so these match on
# destination address and port alone; an outbound connection attempt is enough
# to alert, whether or not the session completed. threshold keeps it to one
# alert per source per 60 seconds. Check flow records for bytes exchanged
# before treating a hit as confirmed C2 communication.
alert tcp $HOME_NET any -> [116.203.7.96] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260473; rev:1;)
alert tcp $HOME_NET any -> [95.217.9.149] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260474; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.166] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260475; rev:1;)
# http.host rules with an IP literal match requests whose Host header is that
# bare address. http.host holds the host without the port, so these match on
# any destination port. They only see requests Suricata can parse as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260467; rev:1;)
alert tcp $HOME_NET any -> [95.217.244.99] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260468; rev:1;)
alert tcp $HOME_NET any -> [95.217.244.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260469; rev:1;)
alert tcp $HOME_NET any -> [49.13.224.6] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260470; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.217] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260471; rev:1;)
alert tcp $HOME_NET any -> [116.202.177.31] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.9.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.177.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.224.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260462; rev:1;)
# NOTE(review): sids 91260461 and 91260460 have identical match conditions, so
# one request raises both. Presumably the two IOCs differ only by port (the
# ip:port rules for 95.217.244.99 list 5432 and 443); confirm on the IOC pages
# and deduplicate downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260460; rev:1;)
# The next two rules match one specific path on a widely used legitimate
# service (a steamcommunity.com profile, a t.me handle). A hit points at the
# requesting host; it is not a reason to block the service domain. The URI
# match is a prefix match (depth, no isdataat on http.uri). Both are http
# rules: requests to these services made over TLS are invisible to them unless
# the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199677575543"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/snsb82"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260458; rev:1;)
alert tcp $HOME_NET any -> [77.221.149.0] 5428 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260457; rev:1;)
# payload delivery: a hit means a client requested a path starting with the
# listed prefix from this host, not that a payload ran. Check the HTTP response
# and any file logs for the same flow to see whether something was downloaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/powershell/"; depth:21; nocase; http.host; content:"194.163.130.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260424; rev:1;)
alert tcp $HOME_NET any -> [194.163.130.194] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260426; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.96] 28380 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260430; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.20] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260431; rev:1;)
# ip:port rules match on destination address and port only (no flow or content
# option) and are limited to one alert per source per 60 seconds. metadata
# confidence_level (50, 75 or 100 in this span) is the feed's own rating; use
# it to set alert priority.
alert tcp $HOME_NET any -> [41.200.95.182] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260452; rev:1;)
# Exact-name match on a dynamic-DNS hostname: only wscript.ddns.net itself
# matches, not other names under ddns.net.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wscript.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260453/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260453; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.191] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260454; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.238] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260455; rev:1;)
alert tcp $HOME_NET any -> [103.95.97.149] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260456; rev:1;)
# url rules below: http.host is matched exactly, http.uri as a prefix (depth,
# no isdataat on the URI buffer). They only see requests Suricata can parse as
# HTTP and carry no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vre"; depth:4; nocase; http.host; content:"vjwmaster.duckdns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260451; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.88] 16964 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerjavascriptrequestupdate.php"; depth:36; nocase; http.host; content:"clientright.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/payment/54wa3c29/eblaghhh/confirm.php"; depth:54; nocase; http.host; content:"tech-1.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260446; rev:1;)
alert tcp $HOME_NET any -> [185.11.145.254] 443 (msg:"ThreatFox IRATA botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260447; rev:1;)
alert tcp $HOME_NET any -> [185.11.145.145] 443 (msg:"ThreatFox IRATA botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260448; rev:1;)
# NOTE(review): the eight my-admin-sql.org rules overlap. Because http.uri is a
# prefix match, sid 91260445 (content:"/") matches every GET to this host, and
# each deeper path also matches all of its shorter prefixes. One request for
# .../rat/140wa69z/sms.php raises sids 91260445, 91260444, 91260443, 91260442
# and 91260441. Group alerts by host and flow downstream, or keep only the
# host-level rule if the extra path detail is not needed.
# The tech-1.org rule above (sid 91260446) uses the same /data/6977722252/
# directory, which may indicate related infrastructure (unconfirmed).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/"; depth:17; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/"; depth:21; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/"; depth:30; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/sms.php"; depth:37; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/id.txt"; depth:36; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/requests.php"; depth:42; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/contact.php"; depth:41; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260438; rev:1;)
# Exact-name match on one hostname under azurefd.net, a shared cloud front-end
# domain: the rule is scoped to this hostname only and says nothing about
# other azurefd.net names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdinsuranceapply-a0guehftc6fzegca.a03.azurefd.net"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260436; rev:1;)
alert tcp $HOME_NET any -> [4.206.184.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mms.html"; depth:9; nocase; http.host; content:"tdinsuranceapply-a0guehftc6fzegca.a03.azurefd.net"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; 
classtype:trojan-activity; sid:91260433; rev:1;)
# ip:port rules in this span match on destination address and port only: there
# is no flow or content option, so a connection attempt alone alerts, limited
# by threshold to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [23.94.169.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260434; rev:1;)
# url rules: exact http.host match plus a prefix match on http.uri; they only
# see requests Suricata can parse as HTTP and carry no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vgbashgdvgvbhkbjhqwrgrthyuj/hjqwretyuiopadshnjmklomfhbqaxinhgbfwrftgyujicn/iplkrtikfmjdnsbgatefv/yughghjbjgbjhsdgstgsdhysyryyrs/uhgbnte/five/fre.php"; depth:149; nocase; http.host; content:"91.92.253.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260429; rev:1;)
# NOTE(review): every rule from here through sid 91260409 is confidence_level
# 50 with first_seen 2024_04_22, several on common ports (80, 443). With no
# payload condition these are the rules most likely to hit unrelated traffic
# if an address has since changed hands. Consider routing on metadata
# confidence_level (lower priority, enrich before escalating) and aging
# entries out using first_seen.
# The family labels in msg (for example Responder, Havoc, Sliver) come from
# the feed; the rules contain nothing protocol-specific to those tools.
alert tcp $HOME_NET any -> [91.188.254.6] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260428; rev:1;)
alert tcp $HOME_NET any -> [181.214.147.25] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260427; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.32] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260425; rev:1;)
alert tcp $HOME_NET any -> [120.46.39.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260423; rev:1;)
alert tcp $HOME_NET any -> [60.204.232.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260422; rev:1;)
alert tcp $HOME_NET any -> [123.207.16.205] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260421; rev:1;)
alert tcp $HOME_NET any -> [47.113.219.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260420; rev:1;)
alert tcp $HOME_NET any -> [85.99.83.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260419; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.102] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260418; rev:1;)
alert tcp $HOME_NET any -> [45.87.155.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260417; rev:1;)
alert tcp $HOME_NET any -> [77.232.143.114] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260416; rev:1;)
alert tcp $HOME_NET any -> [165.22.72.160] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260415; rev:1;)
alert tcp $HOME_NET any -> [43.154.80.163] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260414; rev:1;)
alert tcp $HOME_NET any -> [109.123.252.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260413; rev:1;)
alert tcp $HOME_NET any -> [109.120.178.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260412; rev:1;)
alert tcp $HOME_NET any -> [45.79.123.66] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260411; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.224] 2222 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260410; rev:1;)
alert tcp $HOME_NET any -> [142.93.131.96] 43122 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"94.156.79.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260408; rev:1;)
# ip:port rules match on destination address and port only (no flow or content
# option), so a connection attempt alone alerts; threshold limits this to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [107.175.229.136] 24775 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260407; rev:1;)
# payload delivery (.apk paths): a hit means a client issued a GET for a path
# starting with the listed string on this host, not that anything was
# installed. Check the HTTP response and file logs for the same flow.
# http.host holds the host without the port, so the url rule is not tied to
# the port named in the ip:port rule for the same address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsappsecure.apk"; depth:19; nocase; http.host; content:"91.92.243.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260397; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.86] 8000 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260398; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.165] 443 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260399; rev:1;)
# dns rules match only a query for exactly the listed name (depth equals the
# content length, isdataat:!1,relative rejects trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mypony.nl"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saat.apk"; depth:9; nocase; http.host; content:"91.92.246.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260396; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260125; rev:1;)
# sid 91260406 (address and port 80), sid 91260404 (same address as an IP
# literal in the Host header) and sid 91260405 (domain in the Host header)
# describe overlapping indicators; a single cleartext session to
# 175.178.160.155 on port 80 can raise more than one of them.
alert tcp $HOME_NET any -> [175.178.160.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"jxvtcm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260404; rev:1;)
# flashl.tw is covered twice: the url rule needs a parsed cleartext HTTP GET,
# while the dns rule fires on the lookup regardless of how the host is then
# contacted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"flashl.tw"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flashl.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260403; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.169] 37732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260395; rev:1;)
alert tcp $HOME_NET any -> [211.194.139.155] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260394; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dist2118.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loki/five/fre.php"; depth:18; nocase; http.host; content:"mypony.nl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260391; rev:1;) alert tcp $HOME_NET any -> [191.82.238.74] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260390; rev:1;) alert tcp $HOME_NET any -> [158.247.236.255] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260389; rev:1;) alert tcp $HOME_NET any -> [120.26.136.167] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260388/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260388; rev:1;)
# Signatures from here on are set one per line (a Suricata rule has to sit on a
# single line unless it is continued with a backslash).
#
# ip:port rules match on destination address and port alone. With no flow or
# payload keyword, any TCP packet from $HOME_NET to the endpoint raises the
# alert, whether or not the remote side answers. Several endpoints below use
# port 80 or 443, where the rule cannot tell the listed malware family apart
# from other traffic to the same address. The threshold limits output to one
# alert per source host per 60 seconds.
#
# domain rules (dns_query with depth equal to the name length, plus
# isdataat:!1,relative and nocase) match the exact queried name only; a
# subdomain of a listed name does not match.
#
# The single url rule in this stretch matches a GET whose URI starts with the
# listed path and whose Host equals the listed name.
alert tcp $HOME_NET any -> [103.200.124.198] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260387; rev:1;)
alert tcp $HOME_NET any -> [5.189.159.115] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260386; rev:1;)
alert tcp $HOME_NET any -> [2.56.245.124] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webpoint.micromoto.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260384; rev:1;)
alert tcp $HOME_NET any -> [64.227.107.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260383; rev:1;)
# Short path prefix: depth:5 on "/3bbf" with no end anchor, so the match rests
# mainly on the exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bbf"; depth:5; nocase; http.host; content:"www.stylejason.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260382; rev:1;)
alert tcp $HOME_NET any -> [47.245.37.54] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260381; rev:1;)
alert tcp $HOME_NET any -> [8.222.209.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260380; rev:1;)
alert tcp $HOME_NET any -> [123.60.93.91] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hathawaya.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260378; rev:1;)
alert tcp $HOME_NET any -> [47.104.213.26] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260377; rev:1;)
# 8.141.13.130 is listed on two ports (8089 and 8099), each with its own sid.
alert tcp $HOME_NET any -> [8.141.13.130] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260375; rev:1;)
alert tcp $HOME_NET any -> [8.141.13.130] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260376; rev:1;)
# 20.222.185.152 appears twice in this stretch: port 25651 at 100% here and
# port 9999 at 80% further down.
alert tcp $HOME_NET any -> [20.222.185.152] 25651 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260072; rev:1;)
alert tcp $HOME_NET any -> [14.225.213.142] 73 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260073; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.60] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260074; rev:1;)
alert tcp $HOME_NET any -> [206.189.49.14] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spagetti.openproxylist.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260124; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.96] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260122; rev:1;)
alert tcp $HOME_NET any -> [20.222.185.152] 9999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260121; rev:1;)
alert tcp $HOME_NET any -> [14.225.219.227] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260120; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.9] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260119; rev:1;)
alert tcp $HOME_NET any -> [109.205.213.98] 59087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260118; rev:1;)
alert tcp $HOME_NET any -> [221.150.78.215] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260117; rev:1;)
alert tcp $HOME_NET any -> [138.197.71.186] 38721 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260116; rev:1;)
alert tcp $HOME_NET any -> [82.156.188.211] 41209 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260115; rev:1;)
alert tcp $HOME_NET any -> [121.40.139.97] 15000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260114; rev:1;)
alert tcp $HOME_NET any -> [124.220.212.252] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260113; rev:1;)
# Signatures from here on are set one per line (a Suricata rule has to sit on a
# single line unless it is continued with a backslash).
#
# Every rule in this stretch is an ip:port rule at confidence_level 80. The
# match is on destination address and port alone: there is no flow or payload
# keyword, so any TCP packet from $HOME_NET to the endpoint raises the alert,
# including a SYN that is never answered. A hit therefore records a connection
# attempt; the family name in msg comes from the feed, not from anything the
# rule inspects on the wire. Where the port is 80 or 443 the rule fires on any
# traffic to that address on that port.
# threshold type limit / track by_src / seconds 60 / count 1 caps the output at
# one alert per source host per 60 seconds; target:src_ip marks the $HOME_NET
# host as the affected side.
alert tcp $HOME_NET any -> [80.66.75.52] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260112; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260111; rev:1;)
alert tcp $HOME_NET any -> [45.32.100.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260110; rev:1;)
alert tcp $HOME_NET any -> [80.112.42.92] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260109; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.99] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260108; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260107; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.152] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260106; rev:1;)
alert tcp $HOME_NET any -> [123.127.192.55] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260105; rev:1;)
alert tcp $HOME_NET any -> [103.26.77.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260104; rev:1;)
alert tcp $HOME_NET any -> [213.1.229.142] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260103; rev:1;)
alert tcp $HOME_NET any -> [193.142.146.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260102; rev:1;)
alert tcp $HOME_NET any -> [197.119.238.232] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260101; rev:1;)
alert tcp $HOME_NET any -> [95.165.149.124] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260100; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.21] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260099; rev:1;)
alert tcp $HOME_NET any -> [116.203.15.80] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260098; rev:1;)
alert tcp $HOME_NET any -> [77.105.162.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260097; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.234] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260096; rev:1;)
alert tcp $HOME_NET any -> [45.85.117.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260095; rev:1;)
alert tcp $HOME_NET any -> [38.180.142.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260094; rev:1;)
alert tcp $HOME_NET any -> [5.182.210.52] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260093; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.91] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260092; rev:1;)
alert tcp $HOME_NET any -> [5.42.92.89] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260091; rev:1;)
alert tcp $HOME_NET any -> [94.98.233.242] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260090; rev:1;)
alert tcp $HOME_NET any -> [94.98.235.90] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260089; rev:1;)
alert tcp $HOME_NET any -> [41.46.230.155] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260088; rev:1;)
alert tcp $HOME_NET any -> [172.111.139.205] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260087; rev:1;)
alert tcp $HOME_NET any -> [24.24.236.97] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260086; rev:1;)
alert tcp $HOME_NET any -> [172.111.139.88] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260085/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260085; rev:1;) alert tcp $HOME_NET any -> [172.111.159.146] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260084; rev:1;) alert tcp $HOME_NET any -> [103.125.189.138] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260083; rev:1;) alert tcp $HOME_NET any -> [72.202.37.223] 2181 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260082; rev:1;) alert tcp $HOME_NET any -> [139.162.49.139] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260081; rev:1;) alert tcp $HOME_NET any -> [134.209.99.16] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260080; rev:1;) alert tcp $HOME_NET any -> [45.142.215.143] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260079; rev:1;) alert tcp $HOME_NET any -> [45.142.213.91] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260078; rev:1;) alert tcp $HOME_NET any -> [109.107.171.138] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260077; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 9091 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260076; rev:1;) alert tcp $HOME_NET any -> [193.233.132.222] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"kh1.userjoy.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260070/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260070; rev:1;)
# The line above completes a rule that starts before this span; the last line of this span
# opens a rule that continues after it. Both are kept as found.
#
# DNS rules: the dns_query content is anchored at the start (depth equals the name length) and at
# the end (isdataat:!1,relative), with nocase. Only a query for exactly this name matches;
# subdomains of it are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kh1.userjoy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yamaxun.blog"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260069; rev:1;)
# HTTP rule: client-side GET on an established flow. The URI must start with the listed path
# (depth anchors the start, nothing anchors the end, nocase applies); the Host must equal the
# listed name exactly. As an `alert http` rule it only sees requests the HTTP parser can read,
# so HTTPS traffic is covered only where it is decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/v4.01/qgqtnora"; depth:25; nocase; http.host; content:"yamaxun.blog"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260068; rev:1;)
# ip:port rules: no flow or payload keyword, so the match is on destination address and port
# alone; threshold limits alerts to one per source address per 60 seconds. The feed rates the
# rules below at confidence 80: treat a hit as a lead and corroborate it with host telemetry,
# since the rule says nothing about what was exchanged.
alert tcp $HOME_NET any -> [171.80.235.140] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260067; rev:1;)
alert tcp $HOME_NET any -> [47.98.97.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260066; rev:1;)
alert tcp $HOME_NET any -> [80.133.66.162] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260065; rev:1;)
alert tcp $HOME_NET any -> [45.74.46.58] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260064; rev:1;)
alert tcp $HOME_NET any -> [167.71.105.169] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260063; rev:1;)
alert tcp $HOME_NET any -> [3.105.212.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260062; rev:1;)
alert tcp $HOME_NET any -> [207.231.109.20] 808 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260061; rev:1;)
alert tcp $HOME_NET any -> [45.137.155.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260060; rev:1;)
alert tcp $HOME_NET any -> [78.161.0.177] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260059; rev:1;)
alert tcp $HOME_NET any -> [136.175.8.35] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260058; rev:1;)
alert tcp $HOME_NET any -> [136.175.8.35] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260057; rev:1;)
alert tcp $HOME_NET any -> [156.194.116.198] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260056; rev:1;)
# Payload-delivery URL: http.host is compared with the IP literal, so a request that reaches the
# same server under a different Host header is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig.exe"; depth:8; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260054; rev:1;)
alert tcp $HOME_NET any -> [87.120.84.140] 80
(msg:"ThreatFox zgRAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260055; rev:1;)
# The line above completes a rule that starts before this span; the last line of this span
# opens a rule that continues after it. Both are kept as found.
#
# ip:port rules in this span match on destination address and port alone (no flow or payload
# keyword); threshold limits alerts to one per source address per 60 seconds.
alert tcp $HOME_NET any -> [87.120.84.140] 7702 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260051; rev:1;)
# HTTP rules in this span: client-side GET on an established flow, URI starting with the listed
# path (start anchored by depth, end not anchored, nocase), Host equal to the listed value.
# Where the Host value is an IP literal, requests using another Host header are not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptonrat.exe"; depth:15; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yk.exe"; depth:7; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260053; rev:1;)
alert tcp $HOME_NET any -> [31.41.44.109] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.76"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.111"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260049; rev:1;)
# The Host here is a shared content-delivery name, so the rule depends on the full attachment
# path to single out one object; other content on the same host is not flagged.
# NOTE(review): this host is normally reached over HTTPS; an `alert http` rule sees the request
# only where traffic is cleartext or decrypted ahead of the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1227169762392674387/1231867622568493086/ikacvgbsewoudhywk67.bin"; depth:76; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260047; rev:1;)
# The next two rules cover the same address twice: once by URL (Host and path) and once by
# ip:port, so the second still fires when the request does not match the URL rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfekrthdtjivs63.bin"; depth:20; nocase; http.host; content:"172.93.222.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260044; rev:1;)
alert tcp $HOME_NET any -> [172.93.222.219] 80 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260045; rev:1;)
# Feed confidence 75 on an address-and-port match: corroborate with host telemetry.
alert tcp $HOME_NET any -> [209.90.234.20] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/low70sql/updatecdn/lowtemporarypython/eternaluploads3geo/8/eternallinetracktemp.php"; depth:84; nocase; http.host; content:"185.221.198.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260043; rev:1;)
alert tcp $HOME_NET any -> [45.141.87.215] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level:
100%)"; dns_query; content:"1488.winstate.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260041; rev:1;)
# The line above completes a rule that starts before this span; the last line of this span
# opens a rule that continues after it. Both are kept as found.
#
# HTTP rule: client-side GET, URI starting with "/api/getit" (end not anchored), Host equal to
# one specific gateway hostname, so other hostnames under the same parent domain do not match.
# NOTE(review): if this endpoint is reached over HTTPS, an `alert http` rule sees it only where
# traffic is decrypted ahead of the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-k43f6rw9-1308954353.kr.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260039; rev:1;)
# DNS rules: each dns_query content is anchored at both ends (depth equals the name length,
# isdataat:!1,relative) with nocase, so a rule matches one exact name. The apex entries below
# (sjys6.de, sjys6.top, sjys6.sbs) therefore do not cover subdomains that are not listed
# separately; a suffix search on the parent domains in DNS logs would catch unlisted labels.
# NOTE(review): with an internal resolver between clients and the internet, the $HOME_NET source
# on these alerts is presumably the resolver, not the querying host - confirm sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6b789950.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6437cf8a.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccc.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idc.sjys66.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.de"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"744fbc05.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sjys6.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.sbs"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whcdn.sjys66.me"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ppa.sjys66.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbd9d414.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260025; rev:1;)
alert dns
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2762da3f.sjys6.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260026; rev:1;)
# The line above completes a rule that starts before this span; the last line of this span
# opens a rule that continues after it. Both are kept as found.
#
# Payload-delivery URL rules: client-side GET on an established flow, URI starting with the
# listed path (start anchored by depth, end not anchored, nocase), Host equal to the listed
# name. Each rule flags one path on its site, not the site as a whole. `alert http` only sees
# requests the HTTP parser can read, so HTTPS fetches are covered only where decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view.php"; depth:9; nocase; http.host; content:"radiotvcachay.cl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/locals.txt"; depth:11; nocase; http.host; content:"kurkcu-dukkani.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/personalmessage.php"; depth:20; nocase; http.host; content:"professionalwonders.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2345703467245762476247.txt"; depth:27; nocase; http.host; content:"extendaloan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260023; rev:1;)
# ip:port rules: no flow or payload keyword, so the match is on destination address and port
# alone; threshold limits alerts to one per source address per 60 seconds.
alert tcp $HOME_NET any -> [194.99.21.34] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260018; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.38] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260019; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.100] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260017; rev:1;)
alert tcp $HOME_NET any -> [37.60.245.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260016; rev:1;)
alert tcp $HOME_NET any -> [47.109.137.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260015; rev:1;)
alert tcp $HOME_NET any -> [175.178.54.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260014; rev:1;)
# Feed confidence 75 on an address-and-port match: corroborate with host telemetry.
alert tcp $HOME_NET any -> [3.13.191.225] 16969 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260004; rev:1;)
alert tcp $HOME_NET any -> [116.203.15.80] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260012; rev:1;)
alert tcp $HOME_NET any -> [23.88.47.9] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260013; rev:1;)
# The URI content is "/" with depth:1, which any URI beginning with "/" satisfies, so this rule
# in effect matches any parsed GET whose Host header is exactly this IP literal. It has no
# destination port condition and no threshold, unlike the ip:port rule above for the same address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.47.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260009; rev:1;)
alert tcp $HOME_NET any -> [116.202.190.202] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260010; rev:1;)
# The line above completes a rule that starts before this span; the last line of this span
# opens a rule that continues after it. Both are kept as found.
#
# ip:port rules in this span match on destination address and port alone (no flow or payload
# keyword); threshold limits alerts to one per source address per 60 seconds.
alert tcp $HOME_NET any -> [95.217.29.215] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260011; rev:1;)
# The four HTTP rules below use URI content "/" with depth:1, which any URI beginning with "/"
# satisfies. In effect each matches any parsed GET whose Host header is exactly the listed IP
# literal; they carry no port condition and no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.164.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260005; rev:1;)
alert tcp $HOME_NET any -> [172.160.240.225] 8976 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260003; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.15] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260002; rev:1;)
alert tcp $HOME_NET any -> [210.56.49.230] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260001; rev:1;)
alert tcp $HOME_NET any -> [203.189.234.25] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260000; rev:1;)
alert tcp $HOME_NET any -> [103.254.73.247] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259999; rev:1;)
alert tcp $HOME_NET any -> [51.68.169.120] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259998; rev:1;)
# Feed confidence 75 on an address-and-port match: corroborate with host telemetry.
alert tcp $HOME_NET any -> [103.249.112.118] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91259997; rev:1;)
# Feed confidence 50, no malware family named, destination port 80: the weakest signal in this
# span. A hit shows only that a host contacted the address; triage against proxy and endpoint
# logs before treating it as an infection.
alert tcp $HOME_NET any -> [94.131.9.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259996; rev:1;)
alert tcp $HOME_NET any -> [31.129.98.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259995; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259994; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.189] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level:
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259993; rev:1;)
# The line above completes a rule that starts before this span; the last line of this span
# opens a rule that continues after it. Both are kept as found.
#
# Every complete rule in this span is an ip:port rule: no flow or payload keyword, so the match
# is on destination address and port alone, and threshold limits alerts to one per source
# address per 60 seconds. The rules down to sid:91259980 carry feed confidence 50: a hit shows
# only that a host contacted the address, so corroborate with host telemetry before acting.
alert tcp $HOME_NET any -> [23.94.66.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259992; rev:1;)
alert tcp $HOME_NET any -> [8.212.183.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259991; rev:1;)
alert tcp $HOME_NET any -> [20.240.192.104] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259990/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259990; rev:1;)
alert tcp $HOME_NET any -> [199.192.192.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259989; rev:1;)
alert tcp $HOME_NET any -> [175.10.46.187] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259988; rev:1;)
alert tcp $HOME_NET any -> [69.159.0.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259987; rev:1;)
alert tcp $HOME_NET any -> [45.137.155.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259986; rev:1;)
alert tcp $HOME_NET any -> [146.190.60.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259985; rev:1;)
alert tcp $HOME_NET any -> [80.71.149.154] 8686 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259984; rev:1;)
alert tcp $HOME_NET any -> [94.6.155.2] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259983; rev:1;)
alert tcp $HOME_NET any -> [38.173.107.201] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259982; rev:1;)
alert tcp $HOME_NET any -> [61.182.130.108] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259981; rev:1;)
alert tcp $HOME_NET any -> [3.223.6.69] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259980; rev:1;)
# From here the feed confidence is 100; the match is still address and port only.
alert tcp $HOME_NET any -> [185.99.133.34] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259970; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.69] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259958; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259968; rev:1;)
alert tcp $HOME_NET any -> [185.99.133.5] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259969; rev:1;) alert tcp $HOME_NET any -> [185.99.133.18] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259971; rev:1;) alert tcp $HOME_NET any -> [185.99.133.173] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilioisbetter.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisisnotabotnet.pirate"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259974; rev:1;) alert tcp $HOME_NET any -> [103.237.87.90] 999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; 
sid:91259957; rev:1;) alert tcp $HOME_NET any -> [5.181.156.177] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259979; rev:1;) alert tcp $HOME_NET any -> [162.55.134.240] 9001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bettertraffic2/cdn8secure/temporaryapivoiddb5/8uploads2/private/vm/dumpcpuprivate/protecttest3/externalimagevmjs.php"; depth:118; nocase; http.host; content:"185.43.4.41"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259978; rev:1;) alert tcp $HOME_NET any -> [45.89.53.206] 4663 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259977; rev:1;) alert tcp $HOME_NET any -> [194.26.192.196] 1610 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; 
sid:91259976; rev:1;)
# URL IOC rules, as generated in this file:
#  - http.method is pinned to GET, so a request that uses another method (for
#    example a POST check-in) to the same host and path does not alert.
#  - http.uri is anchored only at the start (depth = pattern length) and has
#    no end-of-buffer test, so it is a case-insensitive prefix match: longer
#    paths and any query string after the listed path also match.
#  - http.host is an exact match (depth = length plus isdataat:!1,relative).
#    Where the pattern is an IP literal, a request that reaches the same
#    server under a hostname does not match.
#  - "alert http" needs the request to be visible to the sensor; the same URL
#    fetched inside TLS is not inspected unless traffic is decrypted upstream.
# The sid is "9" followed by the ThreatFox IOC id from the reference URL,
# which allows a direct pivot from an alert to the IOC record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjmkdc/five/fre.php"; depth:20; nocase; http.host; content:"91.92.253.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259975; rev:1;)
# confidence_level 50: the metadata field is available to the alert pipeline
# and can be used to route lower-confidence entries to a separate queue.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.56.180.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259966; rev:1;)
# ip:port rule: destination address and port only, no flow or content keyword.
# It fires on any TCP packet to this endpoint, so on port 443 it cannot tell
# the reported C2 apart from any other service on the same address.
alert tcp $HOME_NET any -> [111.229.214.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; 
http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrmregister/corptrial/get_permission"; depth:37; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/get_page_config"; depth:24; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1259961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"89.105.201.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259956; rev:1;) alert tcp $HOME_NET any -> [185.112.249.40] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259955; rev:1;) alert tcp $HOME_NET any -> [202.61.85.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259858; rev:1;) alert tcp $HOME_NET any -> [202.61.85.57] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259857; rev:1;)
# The ip:port rules below carry confidence_level 50 and match on destination
# address and port alone. first_seen is the only date a rule carries, and
# addresses on shared or rented infrastructure get reassigned, so check the
# linked ThreatFox entry for current status before acting on a hit.
alert tcp $HOME_NET any -> [87.120.84.220] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259856; rev:1;)
alert tcp $HOME_NET any -> [45.77.177.125] 2053 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259855; rev:1;)
# Destination port 445 is SMB. Independent of this IOC, outbound SMB from
# $HOME_NET to an Internet address can expose NTLM authentication material
# and is normally blocked at the perimeter; a hit is worth checking against
# egress firewall policy as well as against the source host.
alert tcp $HOME_NET any -> [172.104.102.237] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259854; rev:1;)
alert tcp $HOME_NET any -> [61.128.153.112] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259853; rev:1;)
alert tcp $HOME_NET any -> [3.27.90.144] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apieventemitter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arpsychotherapy.com"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vud.register.arpsychotherapy.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259842; rev:1;) alert tcp $HOME_NET any -> [85.204.116.161] 25561 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"register.arpsychotherapy.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259840; rev:1;) alert tcp $HOME_NET any -> [103.174.73.190] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259837; rev:1;) alert tcp $HOME_NET any -> [5.181.190.250] 1475 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sonicglyder.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illitluckygirl.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/underwars.rar"; depth:24; nocase; http.host; content:"under-wars.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259825; rev:1;) alert tcp $HOME_NET any -> [62.72.191.247] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"under-wars.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259811/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259811; rev:1;)
alert tcp $HOME_NET any -> [98.66.170.171] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259754; rev:1;)
# Exact-name DNS match (depth = name length plus isdataat:!1,relative): a
# query for a subdomain of this name does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ecurs.ro"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259757; rev:1;)
alert tcp $HOME_NET any -> [195.20.16.134] 46690 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259771; rev:1;)
# The host in this rule is a shared content-delivery hostname, so the long
# attachment path is the only part that is specific to the IOC.
# NOTE(review): this CDN is normally reached over HTTPS. An "alert http" rule
# sees the request only when it is in cleartext or decrypted before the
# sensor, so coverage for this IOC probably depends on TLS inspection or on
# proxy/endpoint logs - confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1231360292168929434/1231360436591399053/sonic-glyder.zip"; depth:69; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259826; rev:1;)
# URI pattern "/" with depth:1 matches every request path, so the next three
# rules are effectively host-only: any cleartext GET to the exact host alerts.
# NOTE(review): if any of these hosts is a legitimate site that was
# compromised, ordinary browsing will also hit - check what was actually
# downloaded before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"beautyservicenearme.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cv76387.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259850; 
rev:1;) alert tcp $HOME_NET any -> [5.53.20.184] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259835; rev:1;) alert tcp $HOME_NET any -> [54.224.170.33] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259833; rev:1;) alert tcp $HOME_NET any -> [106.53.162.128] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259834; rev:1;) alert tcp $HOME_NET any -> [42.118.144.192] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259832; rev:1;) alert tcp $HOME_NET any -> [185.125.50.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259831; rev:1;) alert tcp $HOME_NET any -> [95.164.3.243] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259830; rev:1;) alert tcp $HOME_NET any -> [91.92.250.96] 6667 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259829; rev:1;) alert tcp $HOME_NET any -> [128.90.123.67] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259823; rev:1;) alert tcp $HOME_NET any -> [193.111.125.200] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259824; rev:1;) alert tcp $HOME_NET any -> [2.29.196.40] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259815; rev:1;) alert tcp $HOME_NET any -> [45.88.186.62] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259816; rev:1;) alert tcp $HOME_NET any -> [45.141.215.159] 8088 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259817; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 9004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259818; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259819; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259820; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259821; rev:1;) alert tcp $HOME_NET any -> [95.7.175.50] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; 
classtype:trojan-activity; sid:91259822; rev:1;) alert tcp $HOME_NET any -> [159.89.124.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259810/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_21; classtype:trojan-activity; sid:91259810; rev:1;) alert tcp $HOME_NET any -> [154.44.26.34] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259809; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 40032 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259808; rev:1;) alert tcp $HOME_NET any -> [103.234.72.70] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259807; rev:1;) alert tcp $HOME_NET any -> [103.195.6.60] 54230 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259806; rev:1;) alert tcp $HOME_NET any -> [89.187.28.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259805; rev:1;) alert tcp $HOME_NET any -> [107.150.47.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259804; rev:1;) alert tcp $HOME_NET any -> [54.169.155.216] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259803; rev:1;) alert tcp $HOME_NET any -> [185.216.117.38] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259802; rev:1;) alert tcp $HOME_NET any -> [23.133.216.223] 16993 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259801; rev:1;) alert tcp $HOME_NET any -> [154.29.149.248] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259800; rev:1;) alert tcp 
$HOME_NET any -> [144.34.170.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259799; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 50005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259798; rev:1;) alert tcp $HOME_NET any -> [185.236.231.201] 52589 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259797; rev:1;) alert tcp $HOME_NET any -> [62.204.41.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259795; rev:1;) alert tcp $HOME_NET any -> [62.204.41.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259796; rev:1;) alert tcp $HOME_NET any -> [154.3.1.252] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259794; rev:1;) alert tcp $HOME_NET any -> [185.62.56.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259793; rev:1;) alert tcp $HOME_NET any -> [172.121.5.230] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259792; rev:1;) alert tcp $HOME_NET any -> [154.204.178.55] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259791; rev:1;) alert tcp $HOME_NET any -> [146.70.188.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylejason.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infected2.ps1"; depth:14; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infect.ps1"; depth:11; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259787; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259785; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 50038 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hcy5bcw8-1317301829.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259784; rev:1;) 
alert tcp $HOME_NET any -> [154.205.138.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259783; rev:1;) alert tcp $HOME_NET any -> [206.166.251.32] 25568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259782; rev:1;) alert tcp $HOME_NET any -> [156.242.42.194] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.citriix.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259780; rev:1;) alert tcp $HOME_NET any -> [82.197.93.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259779; rev:1;) alert tcp $HOME_NET any -> [156.224.25.183] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259778; rev:1;) alert tcp $HOME_NET any -> [45.116.79.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259777; rev:1;) alert tcp $HOME_NET any -> [43.129.23.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259776; rev:1;) alert tcp $HOME_NET any -> [107.175.158.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259774; rev:1;) alert tcp $HOME_NET any -> [107.175.158.78] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259775; rev:1;) alert tcp $HOME_NET any -> [107.172.159.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259773; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 8888 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259772; rev:1;) alert tcp $HOME_NET any -> [47.89.225.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259770; rev:1;) alert tcp $HOME_NET any -> [47.76.153.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259769; rev:1;) alert tcp $HOME_NET any -> [8.218.236.5] 8062 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259768; rev:1;) alert tcp $HOME_NET any -> [8.217.10.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259767; rev:1;) alert tcp $HOME_NET any -> [120.46.201.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259766/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259766; rev:1;) alert tcp $HOME_NET any -> [123.57.167.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259765; rev:1;) alert tcp $HOME_NET any -> [47.120.46.170] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259764; rev:1;) alert tcp $HOME_NET any -> [47.97.29.241] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259763; rev:1;) alert tcp $HOME_NET any -> [47.96.72.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259762; rev:1;) alert tcp $HOME_NET any -> [47.92.221.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259761; rev:1;) alert tcp $HOME_NET any -> [8.137.114.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259760; rev:1;) alert tcp $HOME_NET any -> [150.158.13.117] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259759; rev:1;) alert tcp $HOME_NET any -> [1.13.175.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259755; rev:1;) alert tcp $HOME_NET any -> [64.188.18.137] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259753; rev:1;) alert tcp $HOME_NET any -> [195.10.205.79] 30525 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"34844.clmonth.nyashteam.ru"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259751; rev:1;) alert tcp $HOME_NET any -> [47.116.33.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259749; rev:1;) alert tcp $HOME_NET any -> [38.147.171.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; 
depth:5; nocase; http.host; content:"38.147.171.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259747; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 32934 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quotes-nl.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259746; rev:1;) alert tcp $HOME_NET any -> [162.252.175.197] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259743; rev:1;) alert tcp $HOME_NET any -> [162.252.175.197] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259744; rev:1;) alert tcp $HOME_NET any -> [71.88.240.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; 
classtype:trojan-activity; sid:91259742; rev:1;)
# ip:port rules (pupy, Havoc): each alerts on TCP traffic from $HOME_NET to one
# listed address and port. They carry no flow-state or payload condition, so the
# destination alone decides the match. The threshold option caps output at one
# alert per source address per 60 seconds.
# NOTE(review): every rule below is tagged confidence_level 50, and most target
# port 80 or 443. Treat a hit as a lead to corroborate with proxy, DNS or
# endpoint telemetry, and weigh the first_seen date in metadata, since an
# address may have been reassigned since it was reported.
alert tcp $HOME_NET any -> [172.104.172.74] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259741; rev:1;)
alert tcp $HOME_NET any -> [185.150.26.240] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259740; rev:1;)
alert tcp $HOME_NET any -> [45.137.155.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259739; rev:1;)
alert tcp $HOME_NET any -> [15.222.252.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259738; rev:1;)
alert tcp $HOME_NET any -> [31.220.80.82] 1234 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259737; rev:1;)
alert tcp $HOME_NET any -> [34.142.80.46] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259736; rev:1;) alert tcp $HOME_NET any -> [141.195.112.200] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259735; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8085 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259734; rev:1;) alert tcp $HOME_NET any -> [85.204.116.161] 25565 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"other-tours.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259721; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259540; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 58503 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259542/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"basic-values.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259543; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 32481 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259720; rev:1;) alert tcp $HOME_NET any -> [2.58.95.131] 65337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259727; rev:1;) alert tcp $HOME_NET any -> [34.159.237.198] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259728; rev:1;) alert tcp $HOME_NET any -> [51.81.85.213] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259729/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259729; rev:1;)
# ip:port rule: alerts on TCP traffic from $HOME_NET to the listed address and
# port, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [91.92.245.231] 56648 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259730; rev:1;)
# NOTE(review): the next two url rules match an IP literal at the start of the
# http.uri buffer and have no http.host condition. A request URI normally begins
# with "/", so these rules probably never fire as written. The IOCs were
# presumably submitted as host-only URLs; confirm against the referenced
# ThreatFox entries. Until the feed is corrected, coverage for these two
# addresses has to come from another control (an ip or http.host match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"116.203.13.134"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1259538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.87.155"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1259539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259539; rev:1;)
alert tcp $HOME_NET any -> [146.70.40.235] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259545; rev:1;)
# url rule in its usual form: a GET whose URI starts with the listed path
# (case-insensitive prefix, anchored by depth) and whose http.host buffer is
# exactly the listed host (depth plus isdataat:!1,relative excludes trailing data).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259732/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_20; classtype:trojan-activity; sid:91259732; rev:1;) alert tcp $HOME_NET any -> [186.102.167.18] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259731; rev:1;) alert tcp $HOME_NET any -> [87.251.67.92] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259726; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259725; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259724; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259723; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259722; rev:1;) alert tcp $HOME_NET any -> [45.66.248.122] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259718; rev:1;) alert tcp $HOME_NET any -> [45.66.248.122] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259719; rev:1;) alert tcp $HOME_NET any -> [91.151.95.157] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259717; rev:1;) alert tcp $HOME_NET any -> [87.120.84.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259716; rev:1;) alert tcp $HOME_NET any -> [3.34.122.177] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259715; rev:1;) alert tcp $HOME_NET any -> [109.120.177.43] 80 
(msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259714; rev:1;) alert tcp $HOME_NET any -> [120.77.11.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259713; rev:1;) alert tcp $HOME_NET any -> [1.13.175.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259712; rev:1;) alert tcp $HOME_NET any -> [16.163.148.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259711; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259710; rev:1;) alert tcp $HOME_NET any -> [142.11.201.10] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259709/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259709; rev:1;) alert tcp $HOME_NET any -> [4.227.63.81] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259708; rev:1;) alert tcp $HOME_NET any -> [210.3.101.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259707; rev:1;) alert tcp $HOME_NET any -> [45.9.148.192] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259706; rev:1;) alert tcp $HOME_NET any -> [45.9.148.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.193.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259704; rev:1;) alert tcp $HOME_NET any -> [45.9.168.238] 1984 
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259544; rev:1;) alert tcp $HOME_NET any -> [83.196.78.85] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259541; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259536; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259537; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259535; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259534/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259534; rev:1;) alert tcp $HOME_NET any -> [91.92.255.61] 9817 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259532; rev:1;) alert tcp $HOME_NET any -> [194.187.251.115] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo2.jpg"; depth:14; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo.jpg"; depth:13; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"public-ftp.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259527/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo3.jpg"; depth:14; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzv3"; depth:5; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259531; rev:1;) alert tcp $HOME_NET any -> [118.89.125.171] 886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259528; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259529; rev:1;)
# Domain rules: dns_query selects the DNS query-name buffer. It is the legacy
# spelling of dns.query; the http rules in this file already use the dotted
# buffer names (http.uri, http.host). depth equals the length of the content and
# isdataat:!1,relative requires that nothing follows it, so with nocase this is
# a case-insensitive exact match on the whole name. A subdomain of a listed
# name does not match.
# NOTE(review): the alert source is whichever host sent the query past the
# sensor. If clients resolve through an internal resolver inside $HOME_NET,
# target:src_ip will presumably point at the resolver - correlate with the
# resolver's query log to find the client.
# The same names are also listed in the http rules sid:91259485-91259489
# (GET /api), which only apply to HTTP that Suricata can parse in clear text.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harassretunrstiwo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"productivelookewr.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tolerateilusidjukl.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shatterbreathepsw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shortsvelventysjo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259498/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"incredibleextedwj.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alcojoldwograpciw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liabilitynighstjsko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259501; rev:1;) alert tcp $HOME_NET any -> [193.222.96.128] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259504/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_20; classtype:trojan-activity; sid:91259504; rev:1;)
# Exact-match DNS rule (depth = content length, isdataat:!1,relative = nothing
# after it); the matching http rule for this name is sid:91259493.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demonstationfukewko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259502; rev:1;)
# Payload-delivery URL rules: each requires a client request on an established
# flow with GET in the method buffer, a URI that begins with the listed path
# (depth = content length anchors the start, nothing anchors the end, so a
# trailing query string still matches) and a Host value equal to the listed
# address (depth plus isdataat:!1,relative).
# A hit means a host in $HOME_NET requested the file. The rule does not inspect
# the response, so whether anything was served or run has to be checked in the
# HTTP log and on the endpoint.
# These rules depend on the HTTP buffers and therefore only apply to HTTP that
# Suricata can parse in clear text. The ip:port rules for the same hosts
# (193.222.96.128: sid 91259503; 193.222.96.20: sids 91259511, 91259522,
# 91259523) do not depend on the application protocol.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15.bat"; depth:7; nocase; http.host; content:"193.222.96.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security.apk"; depth:13; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securitypro.apk"; depth:16; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259509; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.20] 7287 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securityvpro.apk"; depth:17; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gogi.bat"; depth:9; nocase; http.host; content:"193.222.96.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259516; rev:1;) alert tcp $HOME_NET any -> [101.78.63.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259521; rev:1;) alert tcp $HOME_NET any -> [193.222.96.114] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259519; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uphqey"; depth:7; nocase; http.host; content:"101.78.63.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259520; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 7772 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.collegeclubapparel.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259436/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"collegeclubapparel.com"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1259437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.blueberry-breeze.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blueberry-breeze.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259439; rev:1;) alert tcp $HOME_NET any -> [4.184.225.183] 30592 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259440; rev:1;) alert tcp $HOME_NET any -> [209.126.11.251] 31618 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnz5/"; depth:6; nocase; http.host; content:"www.blueberry-breeze.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259435/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259435; rev:1;) alert tcp $HOME_NET any -> [203.159.80.211] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259443; rev:1;) alert tcp $HOME_NET any -> [46.246.12.3] 2552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259447; rev:1;) alert tcp $HOME_NET any -> [46.246.84.16] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259448; rev:1;) alert tcp $HOME_NET any -> [94.156.65.182] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259452; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259449; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259450; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259457; rev:1;) alert tcp $HOME_NET any -> [204.76.203.103] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259453; rev:1;) alert tcp $HOME_NET any -> [204.76.203.223] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259454; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259456; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259458; rev:1;) 
# ip:port rule: the header alone is the match (no flow or content keyword), so
# an unanswered connection attempt is enough to alert. The threshold limits
# output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [3.125.102.39] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259459; rev:1;)
# NOTE(review): sid:91259460 and sid:91259461 have identical match conditions
# (GET, URI beginning with /login, Host equal to 5.101.4.196); only the
# ThreatFox reference and the sid differ. One request therefore raises both
# alerts - count the pair as a single event when triaging. Presumably the two
# ThreatFox entries differ in a field the rule does not encode (for example the
# URL scheme); check both references.
# "/login" is anchored at the start of the URI only (depth:6, no end anchor), so
# longer paths and query strings that begin with it match as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.101.4.196"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.101.4.196"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259461; rev:1;)
# Same host as the two http rules above, matched on address and port only.
alert tcp $HOME_NET any -> [5.101.4.196] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259411/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnz5/"; depth:6; nocase; http.host; content:"www.collegeclubapparel.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259434/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259434; rev:1;) alert tcp $HOME_NET any -> [94.156.8.161] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259412; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259418; rev:1;) alert tcp $HOME_NET any -> [94.156.79.107] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259419; rev:1;) alert tcp $HOME_NET any -> [45.178.6.2] 8090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259420; rev:1;) alert tcp $HOME_NET any -> [195.62.32.227] 1337 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259386; rev:1;)
# Payload-delivery URL rule: GET, URI beginning with the listed path, Host equal
# to the listed name. A second path on the same host is covered by sid:91259411.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259410; rev:1;)
# NOTE(review): sid:91259163 and sid:91259164 have identical match conditions
# (GET, URI beginning with /data.php, Host equal to 94.131.101.153); only the
# ThreatFox reference and the sid differ, so one request raises both alerts.
# The ip:port rules for this address list port 80 (sid:91259166) and port 443
# (sid:91259167). Traffic to 443 is presumably TLS, which these HTTP-buffer
# rules cannot inspect - for that case the ip:port rule and the dns rule for
# go8et.lol (sid:91259168) are the only coverage in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"go8et.lol"; depth:9; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1259165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259165; rev:1;) alert tcp $HOME_NET any -> [94.131.101.153] 80 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259166; rev:1;) alert tcp $HOME_NET any -> [94.131.101.153] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go8et.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uf.tispy.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"demonstationfukewko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259493/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259493; rev:1;)
# C2 URL rules for the .shop names: GET in the method buffer, URI beginning with
# /api (depth:4, no end anchor, so /api/... and /api?... match too), Host equal
# to the listed name.
# NOTE(review): the method is fixed to GET, so a request to the same URI with
# another method does not match. Whether the C2 protocol behind these entries
# uses GET cannot be told from this file - verify against the ThreatFox
# references. The dns rules for the same names (sid:91259498-91259501) match the
# lookup regardless of HTTP method or TLS and are the more dependable signal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilitynighstjsko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"alcojoldwograpciw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"incredibleextedwj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shortsvelventysjo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shatterbreathepsw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tolerateilusidjukl.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"productivelookewr.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"harassretunrstiwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259485; rev:1;) alert tcp $HOME_NET any -> [77.238.231.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259484/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259484; rev:1;) alert tcp $HOME_NET any -> [13.213.45.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259483; rev:1;) alert tcp $HOME_NET any -> [95.70.159.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259482; rev:1;) alert tcp $HOME_NET any -> [45.152.66.244] 58082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259481; rev:1;) alert tcp $HOME_NET any -> [117.72.74.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259480; rev:1;) alert tcp $HOME_NET any -> [45.32.111.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259479; rev:1;) alert tcp $HOME_NET any -> [46.246.80.2] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259478; rev:1;)
# ip:port rules in this run carry no flow or flags keyword and no content match:
# they key on destination address and port only. "threshold: type limit, track
# by_src, seconds 60, count 1" caps output at one alert per source per 60 seconds,
# so the alert count says nothing about how many connections were made; pull
# flow records for the source host when triaging.
# confidence_level 50 marks these as leads to verify, not confirmed detections.
alert tcp $HOME_NET any -> [49.1.239.101] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259477; rev:1;)
# Port 443 on a bare address: the rule cannot tell the flagged service apart from
# anything else served on the same ip:port, so corroborate with TLS/flow metadata.
alert tcp $HOME_NET any -> [5.15.236.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259476; rev:1;)
alert tcp $HOME_NET any -> [187.213.203.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259475; rev:1;)
# Destination port 445 is SMB leaving $HOME_NET. Outbound SMB to the Internet is
# normally denied at the egress firewall; with that control in place these two
# rules act as a backstop, and a hit also points at a gap in egress filtering.
alert tcp $HOME_NET any -> [64.225.31.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259474; rev:1;)
alert tcp $HOME_NET any -> [185.64.247.78] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259473; rev:1;)
alert tcp 
$HOME_NET any -> [31.220.80.82] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259472; rev:1;) alert tcp $HOME_NET any -> [43.143.170.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259471; rev:1;) alert tcp $HOME_NET any -> [45.76.190.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259470; rev:1;) alert tcp $HOME_NET any -> [109.120.178.253] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259469; rev:1;) alert tcp $HOME_NET any -> [3.33.182.244] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259468; rev:1;) alert tcp $HOME_NET any -> [3.146.206.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259467/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259467; rev:1;) alert tcp $HOME_NET any -> [54.145.56.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259466; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259465; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8088 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259464; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 33547 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipejavascriptwordpress.php"; depth:28; nocase; http.host; content:"betabag.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259455; rev:1;) alert tcp $HOME_NET 
any -> [147.45.47.112] 17752 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259451; rev:1;) alert tcp $HOME_NET any -> [116.203.6.63] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomthf/cvghx/five/fre.php"; depth:26; nocase; http.host; content:"94.156.65.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259445; rev:1;) alert tcp $HOME_NET any -> [41.142.212.85] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvm_cpugamewindows.php"; depth:30; nocase; http.host; content:"109.107.182.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259441; 
rev:1;)
# sid:91259433 (ip:port) and sid:91259432 (url) point at the same address. A single
# cleartext GET to port 80 can raise both, so correlate on the flow instead of
# counting two independent detections.
alert tcp $HOME_NET any -> [173.44.141.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259433; rev:1;)
# The URI content is anchored at the start only (depth:20, no end anchor), so it is
# a prefix match on a path name that ordinary sites also serve. Specificity comes
# from the http.host match: depth:14 plus isdataat:!1,relative makes it an exact
# comparison against the whole host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259432; rev:1;)
# NOTE(review): the url rule below (sid:91259430) inspects HTTP buffers, which are
# only populated for cleartext or decrypted traffic. If the listener on 443 speaks
# TLS, only this ip:port rule can fire for it - confirm against sensor placement.
alert tcp $HOME_NET any -> [106.54.236.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259431; rev:1;)
# Matches GET only (http.method content "GET"); requests using another method to
# the same host and path are not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259430; rev:1;)
alert tcp $HOME_NET any -> [106.54.236.42] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; 
sid:91259429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"172.247.189.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"zj.court.cn.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zj.court.cn.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"109.120.178.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259424; rev:1;) alert tcp $HOME_NET any -> [109.120.178.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259425; rev:1;) alert tcp $HOME_NET any -> [175.178.160.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"jxvtcm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jxvtcm.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259422; rev:1;) alert tcp $HOME_NET any -> [64.227.147.74] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259415; rev:1;) alert tcp $HOME_NET any -> [146.19.143.84] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259416/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259416; rev:1;) alert tcp $HOME_NET any -> [91.149.219.102] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259417/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259417; rev:1;) alert tcp $HOME_NET any -> [66.63.188.141] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259413; rev:1;) alert tcp $HOME_NET any -> [185.112.249.13] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e609f91d.php"; depth:13; nocase; http.host; content:"a0938829.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259409; rev:1;) alert tcp $HOME_NET any -> [95.164.117.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259408; 
rev:1;) alert tcp $HOME_NET any -> [139.99.64.79] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259407; rev:1;) alert tcp $HOME_NET any -> [157.230.222.248] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259406; rev:1;) alert tcp $HOME_NET any -> [64.23.216.132] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259405; rev:1;) alert tcp $HOME_NET any -> [97.74.89.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259404; rev:1;) alert tcp $HOME_NET any -> [46.246.80.2] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259403; rev:1;) alert tcp $HOME_NET any -> [187.170.75.34] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259402; rev:1;) alert tcp $HOME_NET any -> [151.48.149.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259401; rev:1;) alert tcp $HOME_NET any -> [41.97.160.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259400; rev:1;) alert tcp $HOME_NET any -> [77.126.182.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259399; rev:1;) alert tcp $HOME_NET any -> [34.92.143.66] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259398; rev:1;) alert tcp $HOME_NET any -> [91.225.218.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259397; rev:1;) alert tcp $HOME_NET any -> [45.153.229.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259396; rev:1;) alert tcp $HOME_NET any -> [101.43.211.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259395; rev:1;) alert tcp $HOME_NET any -> [54.66.9.58] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259394; rev:1;) alert tcp $HOME_NET any -> [45.121.50.136] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259393; rev:1;) alert tcp $HOME_NET any -> [62.169.23.231] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259392; rev:1;) alert tcp $HOME_NET any -> [138.68.189.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259391; rev:1;) alert tcp 
$HOME_NET any -> [45.33.116.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259390; rev:1;) alert tcp $HOME_NET any -> [193.36.119.250] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259389; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"co29474.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs3p"; depth:5; nocase; http.host; content:"47.120.39.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259172; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.120.39.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259171; rev:1;) alert tcp $HOME_NET any -> [47.120.39.182] 63306 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259170; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 25 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259041; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259039; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"go8et.lol"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259019; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259042; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 993 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259043; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 3389 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.oyoing.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259118/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259118; rev:1;) alert tcp $HOME_NET any -> [184.49.69.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.tyaer.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259120/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.megabet303.lol"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259116/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.tyaer.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259117/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.megabet303.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259119/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.oyoing.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259121/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"megabet303.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tyaer.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
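content:"oyoing.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259124; rev:1;)
# sid:91259158 - the feed emitted the hostname as an http.uri match anchored at
# offset 0 (depth:19). For an ordinary origin-form request the http.uri buffer
# starts with "/", so that content could not match and the rule was effectively
# dead. The host is now matched in http.host with the same exact-match anchoring
# (depth + isdataat:!1,relative) that the other url rules in this file use;
# nocase is dropped because http.host is already lower-cased by the engine.
# The underlying IOC is not shown here - presumably a URL with no path; verify
# against the referenced ThreatFox entry. This line deviates from the upstream
# feed and will be overwritten by the next feed update unless re-applied.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"jemyy.theworkpc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259158; rev:1;)
# DNS companion for the same domain: exact match on the query name, so it fires
# at resolution time whether or not an HTTP request is ever observed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jemyy.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259159; rev:1;)
# sid:91259161 - same defect and same fix as sid:91259158: the address was placed
# in http.uri at offset 0 and is now an exact http.host match, mirroring the
# other IP-literal host rules in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"94.156.71.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259161; rev:1;)
# ip:port rule for the same address as sid:91259161. It keys on destination
# address and port only; "threshold: type limit ... seconds 60, count 1" caps
# output at one alert per source per minute, so use flow records to size activity.
alert tcp $HOME_NET any -> [94.156.71.108] 1604 (msg:"ThreatFox Houdini botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259160; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.106] 5401 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259162/; 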
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259162; rev:1;) alert tcp $HOME_NET any -> [206.237.6.174] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259157; rev:1;) alert tcp $HOME_NET any -> [193.222.96.128] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259156; rev:1;) alert tcp $HOME_NET any -> [193.222.96.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259155; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259152; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259153; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259154; rev:1;) alert tcp $HOME_NET any -> [112.65.51.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259149; rev:1;) alert tcp $HOME_NET any -> [121.36.248.151] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259150; rev:1;) alert tcp $HOME_NET any -> [121.40.222.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259151; rev:1;) alert tcp $HOME_NET any -> [47.95.158.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259147; rev:1;) alert tcp $HOME_NET any -> [101.42.51.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259148/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_19; classtype:trojan-activity; sid:91259148; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259146; rev:1;) alert tcp $HOME_NET any -> [177.102.67.47] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259145; rev:1;) alert tcp $HOME_NET any -> [108.46.243.201] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259144; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 1688 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259139; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259140; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259141; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2061 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259142; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259143; rev:1;) alert tcp $HOME_NET any -> [187.135.93.204] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259138; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 1933 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259134; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259135; rev:1;) alert tcp $HOME_NET 
any -> [187.135.91.233] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259136; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259137; rev:1;) alert tcp $HOME_NET any -> [81.136.90.1] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259133; rev:1;) alert tcp $HOME_NET any -> [196.74.150.120] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259132; rev:1;) alert tcp $HOME_NET any -> [198.23.227.175] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259131; rev:1;) alert tcp $HOME_NET any -> [172.111.169.67] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259130/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259130; rev:1;) alert tcp $HOME_NET any -> [172.111.148.95] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259129; rev:1;) alert tcp $HOME_NET any -> [148.163.101.182] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259128; rev:1;) alert tcp $HOME_NET any -> [128.90.103.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259127; rev:1;) alert tcp $HOME_NET any -> [87.121.105.252] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259126; rev:1;) alert tcp $HOME_NET any -> [46.246.80.12] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259125; rev:1;) alert tcp $HOME_NET any -> [45.88.90.224] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259115; rev:1;) alert tcp $HOME_NET any -> [91.92.255.248] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gardeniasupplies.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259113; rev:1;) alert tcp $HOME_NET any -> [79.132.128.96] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259111; rev:1;) alert tcp $HOME_NET any -> [79.132.128.96] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259112; rev:1;) alert tcp $HOME_NET any -> [77.221.151.31] 4444 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259110; rev:1;) alert tcp $HOME_NET any -> [83.97.73.157] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259108; rev:1;) alert tcp $HOME_NET any -> [83.97.73.157] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259109; rev:1;) alert tcp $HOME_NET any -> [206.188.197.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259107; rev:1;) alert tcp $HOME_NET any -> [18.217.214.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259106; rev:1;) alert tcp $HOME_NET any -> [13.40.36.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259105; rev:1;) alert tcp $HOME_NET any -> [3.71.70.1] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259104; rev:1;) alert tcp $HOME_NET any -> [89.251.22.32] 14791 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259103; rev:1;) alert tcp $HOME_NET any -> [209.222.0.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259102; rev:1;) alert tcp $HOME_NET any -> [45.76.178.151] 47889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259101; rev:1;) alert tcp $HOME_NET any -> [20.68.131.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259100; rev:1;) alert tcp $HOME_NET any -> [4.191.74.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259098; rev:1;) alert tcp $HOME_NET 
any -> [4.191.74.1] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259099; rev:1;) alert tcp $HOME_NET any -> [47.237.26.206] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259095; rev:1;) alert tcp $HOME_NET any -> [47.242.4.42] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259096; rev:1;) alert tcp $HOME_NET any -> [147.139.7.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259097; rev:1;) alert tcp $HOME_NET any -> [8.210.32.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259092; rev:1;) alert tcp $HOME_NET any -> [8.218.8.26] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259093; rev:1;) alert tcp $HOME_NET any -> [8.218.21.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259094; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259085; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259086; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259087; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259088; rev:1;) alert tcp $HOME_NET any -> 
[168.76.120.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259089; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259090; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259091; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259077; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259078; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259079; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259080; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259081; rev:1;) alert tcp $HOME_NET any -> [168.76.120.117] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259082; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259083; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259084; rev:1;) alert tcp $HOME_NET any -> 
[168.76.120.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259074; rev:1;)
alert tcp $HOME_NET any -> [168.76.120.83] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259075; rev:1;)
alert tcp $HOME_NET any -> [168.76.120.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259076; rev:1;)
alert tcp $HOME_NET any -> [168.76.255.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259073; rev:1;)
# NOTE(review): this rule and the 168.76.120.x rules that follow target port
# 50050, the default management port of a Cobalt Strike team server. That port
# is used by operator clients, not normally by beacons checking in, so these
# entries are presumably scan-derived infrastructure indicators; confirm on
# the referenced ThreatFox pages. Silence on these SIDs therefore does not
# rule out beacon traffic to the same hosts on another port. The same
# addresses are also listed in this file on port 60000 as "Unknown malware";
# review both sets together when triaging a host.
alert tcp $HOME_NET any -> [168.76.120.123] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259069; rev:1;)
alert tcp $HOME_NET any -> [168.76.120.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259070; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259071; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259072; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259067; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259068; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259062; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 
50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259063; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259064; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259065; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259066; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259056; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259057/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259057; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259058; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259059; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259060; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259061; rev:1;) alert tcp $HOME_NET any -> [157.230.254.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259055; rev:1;) alert tcp $HOME_NET any -> [128.199.207.8] 4433 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259054; rev:1;) alert tcp $HOME_NET any -> [121.37.41.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259053; rev:1;) alert tcp $HOME_NET any -> [121.40.67.130] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259052; rev:1;) alert tcp $HOME_NET any -> [143.244.162.41] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259051; rev:1;) alert tcp $HOME_NET any -> [120.24.171.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259050; rev:1;) alert tcp $HOME_NET any -> [101.37.13.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259049/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_19; classtype:trojan-activity; sid:91259049; rev:1;) alert tcp $HOME_NET any -> [47.120.12.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259048; rev:1;) alert tcp $HOME_NET any -> [47.120.10.216] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259047; rev:1;) alert tcp $HOME_NET any -> [47.113.194.22] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259046; rev:1;) alert tcp $HOME_NET any -> [47.113.104.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259038; rev:1;) alert tcp $HOME_NET any -> [47.101.37.46] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259037; rev:1;) alert tcp $HOME_NET any -> [47.100.244.166] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259036; rev:1;) alert tcp $HOME_NET any -> [39.108.234.47] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign.mpeg"; depth:10; nocase; http.host; content:"easthoolbook.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259034; rev:1;) alert tcp $HOME_NET any -> [211.159.172.150] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259033; rev:1;) alert tcp $HOME_NET any -> [159.75.111.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-33y2vp0r-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1259031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259031; rev:1;) alert tcp $HOME_NET any -> [150.158.107.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259029; rev:1;) alert tcp $HOME_NET any -> [150.158.107.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259030; rev:1;) alert tcp $HOME_NET any -> [129.204.169.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259028; rev:1;) alert tcp $HOME_NET any -> [124.221.95.96] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"94.156.71.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259026; rev:1;) alert tcp $HOME_NET any -> [122.51.81.205] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259025; rev:1;) alert tcp $HOME_NET any -> [43.142.170.25] 5901 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259023; rev:1;) alert tcp $HOME_NET any -> [43.142.170.25] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259024; rev:1;) alert tcp $HOME_NET any -> [43.136.220.38] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsbhn.js"; depth:9; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259016; rev:1;)
# URL indicator rules that all share the path "/auth/login". How each matches:
#   http.uri; content:"/auth/login"; depth:11; nocase;
#       the URI must begin with the path, case-insensitively. Nothing anchors
#       the end, so a longer URI that merely starts with it also matches.
#   http.host; content:"<host>"; depth:N; isdataat:!1,relative;
#       N is the indicator's length and no byte may follow it, so the host
#       buffer must equal the indicator exactly.
#   http.method; content:"GET";
#       requests using another method to the same URL are not covered.
# "/auth/login" is a very common path; the host condition is the only part of
# these rules that is specific to the indicator.
# The rules inspect cleartext HTTP. The same URL requested over TLS is not
# visible to them unless traffic is decrypted ahead of the sensor.
# Unlike the ip:port rules in this file, msg names no malware family; the
# reference URL is the only pointer to what the indicator was attributed to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.176.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.178.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.197.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"37.221.93.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"svma.arcovip.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"it13.intelvpn.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"ftp.huboftest.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.60.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259009/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mahdi.intelvpn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"sam.coinmarketcap-tm.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259008; rev:1;) alert tcp $HOME_NET any -> [78.142.18.109] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259006/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259006; rev:1;) alert tcp $HOME_NET any -> [116.203.164.39] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259005/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259005; rev:1;) alert tcp $HOME_NET any -> [116.203.164.39] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259004/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91259004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voiddbproviderserver6/auth/uploads/centralcentralline/7eternal/2_/temp/toupdategameflowertemporary.php"; depth:103; nocase; http.host; content:"minecrafthyipixel.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259003; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 29989 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259002; rev:1;) alert tcp $HOME_NET any -> [52.37.96.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.installbootstrap.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; 
content:"www.installbootstrap.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258999; rev:1;) alert tcp $HOME_NET any -> [149.104.24.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.0.min.js"; depth:20; nocase; http.host; content:"149.104.24.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258997; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.130.34.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsbhn.js"; depth:9; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.46.91.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258993; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258992; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258991; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"test.ravec2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258989; rev:1;)
# Domain indicator rules. The option set
#   dns_query; content:"<name>"; depth:N; isdataat:!1,relative; nocase;
# matches only when the queried name equals the indicator, case-insensitively:
# N is the indicator's length and isdataat:!1,relative forbids any byte after
# it. A query for a subdomain of the indicator, or for another label in the
# same zone, does not match.
# dns_query is the legacy spelling of the dns.query sticky buffer; the HTTP
# rules in this file already use the dotted names (http.uri, http.host).
# The header is $HOME_NET -> $EXTERNAL_NET. Where clients resolve through an
# internal recursive resolver, the query that reaches the sensor on this path
# comes from the resolver, so src_ip (and target:src_ip) identifies the
# resolver, not the client that asked; resolver query logs are needed to find
# the originating host.
# Only cleartext DNS is inspected; lookups made over DoH or DoT are not seen.
# These rules carry no threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"visit.startfinishthis.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258983; rev:1;)
# The indicator net-killler.store appears twice in this run (sid:91258984 here
# and sid:91258976 further down, under a different ThreatFox IOC id). The two
# rules are otherwise identical, so a single query raises two alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killler.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy.heleh.vn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.vptmedia.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.paintmc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yeuemvcl.cltxhot.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.ubnutu.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lon.vani.ovh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loz.vani.ovh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258982; rev:1;)
# ip:port rule: address and port only, no flow or content keyword; the
# threshold limits it to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [93.123.85.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258979; rev:1;)
# Second rule for net-killler.store (see sid:91258984 above).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killler.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomacamada.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258977; rev:1;)
alert tcp $HOME_NET any -> [57.128.155.22] 8895 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258969; rev:1;)
alert tcp $HOME_NET any -> [194.48.251.9] 8896 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258970; rev:1;)
alert tcp $HOME_NET any -> [194.48.251.9] 8895 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258971; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8890 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rootme.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooty.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258964; rev:1;) alert tcp $HOME_NET any -> [43.138.222.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258965/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.218.236.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g88sks2sam/index.php"; depth:21; nocase; http.host; content:"91.202.233.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258962; rev:1;) alert tcp $HOME_NET any -> [94.131.107.85] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258961; rev:1;) alert tcp $HOME_NET any -> [94.156.79.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258960; rev:1;) alert tcp $HOME_NET any -> [188.166.138.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258959/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258959; rev:1;)
# Every rule in this run is tagged confidence_level 50 and matches on
# destination address and port alone (no flow, content or TLS keyword). On
# common service ports such as 443 and 8000, any connection attempt to the
# address matches, whatever is served there. If the address has since been
# reassigned or also hosts unrelated services, the alert is a false positive.
# Treat a hit as a lead to corroborate with endpoint, proxy or DNS telemetry.
# first_seen is 2024_04_19 on all of them. Address indicators age quickly, so
# check that the referenced ThreatFox entry is still current before acting.
# The confidence_level metadata key gives rule-management tooling a field to
# select on when lower-confidence rules are to be demoted or disabled.
alert tcp $HOME_NET any -> [178.128.196.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258958; rev:1;)
alert tcp $HOME_NET any -> [146.56.237.36] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258957; rev:1;)
alert tcp $HOME_NET any -> [93.95.231.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258956; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.2] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258955; rev:1;)
alert tcp $HOME_NET any -> [41.96.151.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258954; rev:1;)
# Destination port 445 is SMB. NOTE(review): outbound SMB from $HOME_NET to
# the Internet is normally denied at the perimeter regardless of any
# indicator, so an alert from this rule also suggests that egress filter is
# missing on the path the sensor watches. The source host may have attempted
# NTLM authentication to the remote end - confirm in authentication logs and
# consider the account's credentials exposed until shown otherwise.
alert tcp $HOME_NET any -> [137.184.61.218] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258953; rev:1;)
alert tcp $HOME_NET any -> [35.89.154.15] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258952; rev:1;)
alert tcp $HOME_NET any -> [194.87.106.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258951; rev:1;)
alert tcp $HOME_NET any -> [178.128.134.221] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258950; rev:1;)
alert tcp $HOME_NET any -> [138.197.134.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258949; rev:1;)
alert tcp $HOME_NET any -> [20.186.89.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258948; rev:1;)
alert tcp $HOME_NET any -> 
[151.236.16.48] 47163 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258947; rev:1;) alert tcp $HOME_NET any -> [194.87.252.12] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258946; rev:1;) alert tcp $HOME_NET any -> [121.43.94.2] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258945; rev:1;) alert tcp $HOME_NET any -> [43.140.251.2] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258944; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258937; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258938/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91258938; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258939; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258940; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258941; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0945069.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"esdjasd.maxkrnldc.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258936; rev:1;)
# URL indicator: GET whose normalized URI begins with the listed path (prefix
# match via depth) and whose http.host equals the listed value exactly
# (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"43.143.168.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258935; rev:1;)
# NOTE(review): sids 91258934 and 91258933 have identical match options (same
# method, URI prefix and host). They differ only in the confidence level stated in
# msg/metadata (75 vs 100), the reference URL and the sid, so every matching
# request raises two alerts. Deduplicate on the URI/host pair when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/panel/five/fre.php"; depth:57; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/panel/five/fre.php"; depth:57; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258933; rev:1;)
# ip:port indicator: no payload or flow condition, one alert per source per 60 s.
alert tcp $HOME_NET any -> [103.186.117.171] 1188 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258932; rev:1;) alert tcp $HOME_NET any -> [134.122.109.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258931; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258930; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258929; rev:1;) alert tcp $HOME_NET any -> [114.55.100.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258928; rev:1;) alert tcp $HOME_NET any -> [122.51.79.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258927; rev:1;) alert tcp $HOME_NET any -> [94.156.10.208] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258926; rev:1;) alert tcp $HOME_NET any -> [188.48.107.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258925; rev:1;) alert tcp $HOME_NET any -> [41.129.161.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258924; rev:1;) alert tcp $HOME_NET any -> [8.137.171.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258923; rev:1;) alert tcp $HOME_NET any -> [185.140.12.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258922; rev:1;) alert tcp $HOME_NET any -> [191.96.1.195] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258921; rev:1;) alert tcp $HOME_NET any -> [162.252.175.170] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258920; rev:1;) alert tcp $HOME_NET any -> [203.96.177.103] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258919; rev:1;) alert tcp $HOME_NET any -> [89.175.170.211] 1720 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258918; rev:1;) alert tcp $HOME_NET any -> [39.173.112.177] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258917; rev:1;) alert tcp $HOME_NET any -> [185.170.144.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258916; rev:1;) alert tcp $HOME_NET any -> [159.100.6.45] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258915; rev:1;) alert tcp $HOME_NET any -> [31.129.57.189] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258914; rev:1;) alert tcp $HOME_NET any -> [172.104.110.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258913; rev:1;) alert tcp $HOME_NET any -> [174.138.179.149] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258912; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258911; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258910/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_18; classtype:trojan-activity; sid:91258910; rev:1;) alert tcp $HOME_NET any -> [188.208.197.140] 5906 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theatergenerationju.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258697; rev:1;) alert tcp $HOME_NET any -> [103.79.76.40] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258698; rev:1;) alert tcp $HOME_NET any -> [103.201.130.11] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258699; rev:1;) alert tcp $HOME_NET any -> [37.27.87.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258694; rev:1;) alert tcp $HOME_NET any -> [23.88.47.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258695; rev:1;)
# Host-only URL indicators. The URI pattern is just "/" at depth 1, so any GET
# whose URI starts with "/" qualifies; in effect these two rules alert on every
# GET whose http.host is exactly the listed address.
# NOTE(review): the same two addresses are also listed as ip:port indicators on
# port 443 (sids 91258694 and 91258695). The http rules only see traffic the
# engine parses as HTTP; if the service on 443 speaks TLS, presumably only the
# ip:port rules will fire. Confirm against captured traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.47.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.87.155"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258692; rev:1;)
# The next two rules match the same URI prefix under two different exact
# http.host values (an address and a domain). Both carry confidence_level 25,
# the lowest value among the surrounding rules, so triage them accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkbfjbvzspkeqfs/hachgecttvyetqz.php"; depth:36; nocase; http.host; content:"38.180.94.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258656/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkbfjbvzspkeqfs/hachgecttvyetqz.php"; depth:36; nocase; http.host; content:"15731.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258657/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258657; rev:1;)
# ip:port indicator at confidence_level 25: any TCP packet from $HOME_NET to the
# address and port matches, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [38.180.94.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258658/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258658; rev:1;)
# Domain indicators. dns_query selects the queried name; depth equal to the
# pattern length together with isdataat:!1,relative makes this an exact,
# case-insensitive (nocase) match on the whole name. A subdomain of a listed name
# does not match, which is why www.slationo.com and slationo.com each have their
# own rule below. fast_pattern marks the content for the prefilter stage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"15731.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258659/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258659; rev:1;)
# Host-only URL indicator: the URI pattern "/" at depth 1 qualifies any GET, so
# the exact http.host value is the only effective condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.slationo.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258660/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"www.slationo.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258661/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"slationo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258662/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258662; rev:1;)
alert tcp $HOME_NET any -> 
[194.110.172.149] 7705 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258686; rev:1;)
# ip:port indicators. There is no flow or content option, so any TCP packet from
# $HOME_NET to the listed address and port matches, limited to one alert per
# source per 60 seconds. On port 443 these rules cannot tell the listed service
# apart from anything else hosted on the same address and port.
alert tcp $HOME_NET any -> [183.238.22.22] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258691/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258691; rev:1;)
alert tcp $HOME_NET any -> [124.71.37.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258689; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.161] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258688/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258688; rev:1;)
alert tcp $HOME_NET any -> [178.208.87.204] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258687/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_18; classtype:trojan-activity; sid:91258687; rev:1;)
# NOTE(review): the URL rules from here through sid 91258663 anchor an IPv4
# literal at the start of http.uri and have no http.host option. Host-only
# indicators elsewhere in this feed (e.g. sid 91258693) instead match http.uri "/"
# plus an exact http.host. A normalized request URI ordinarily begins with "/",
# so these rules presumably do not fire on direct requests to the address. Check
# the referenced IOC entries and replay a sample capture before counting them as
# coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258684/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.250.45.130"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.214.98.73"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.96.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.222.96.186"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"20.55.63.136"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258680/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.133.51.234"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"3.79.194.172"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"35.246.183.49"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.48.251.136"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"134.122.109.15"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.202.233.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"107.173.140.104"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1258674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.216.51.35"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.125"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.61.80.57"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258671; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.211"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.146.185"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.255.105"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1258667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.33.191.105"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.210"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258666; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.254.16"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258664; rev:1;)
# NOTE(review): this rule matches an IPv4 literal at the start of http.uri and has
# no http.host option. A normalized request URI ordinarily begins with "/", so it
# presumably does not fire on direct requests to the address. Verify against the
# referenced IOC entry before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.78.103.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258663; rev:1;)
# 121.41.50.152 is covered by three rules: two URL rules (URI prefixes
# "/en_us/all.js" and "/pixel", exact http.host) and one ip:port rule for port 80.
# Only the ip:port rule names a family (Cobalt Strike) in msg. A single HTTP
# request to that host on port 80 can raise a URL alert and the ip:port alert
# together, so correlate them rather than counting two separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258655; rev:1;)
alert tcp $HOME_NET any -> [121.41.50.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258653; rev:1;)
# ip:port indicators for Cobalt Strike and Stealc C2 hosts. These rules carry no
# flow or content keywords, so any TCP packet from $HOME_NET to the listed address
# and port matches, including connection attempts that never complete; threshold
# caps output at one alert per source IP per 60 seconds.
alert tcp $HOME_NET any -> [123.207.50.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258652; rev:1;)
alert tcp $HOME_NET any -> [146.70.86.229] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258651; rev:1;)
# Same Stealc host on port 22. The rule keys on address and port only, so an alert
# shows that traffic was sent there, not which protocol was spoken on the port.
alert tcp $HOME_NET any -> [146.70.86.229] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258650; rev:1;)
# Domain indicators: the DNS query name must equal the listed name exactly (depth
# equals the name length and isdataat:!1,relative rejects trailing bytes); nocase
# makes the comparison case-insensitive. Queries for subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chotsolo2nhay.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"countdownx.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dfyaudiobookprofits.info"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258625; rev:1;)
# ThreatFox domain indicators (confidence 75) matched against DNS query names sent
# from $HOME_NET; each rule is an exact, case-insensitive match on the full name.
# target:src_ip marks the querying address as the affected side. If the sensor only
# sees traffic between an internal resolver and the internet, that address will be
# the resolver - correlate with resolver logs to find the originating host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"difik.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exchangezone.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fins.info"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gcoat.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glowchamps.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258630/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_18; classtype:trojan-activity; sid:91258630; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# Unlike the ip:port rules in this file, these carry no threshold keyword, so the
# rule itself does not rate-limit alerts; a host that keeps retrying resolution can
# produce a burst of alerts for a single infection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"impressionzone.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"islandbooking.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"istanbook.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lightmecha.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maramoja.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"mesdemarches.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258636; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# The sid is 90000000 plus the ThreatFox IOC id shown in the reference URL
# (sid 91258637 -> ioc/1258637), which gives a direct pivot from an alert to the
# indicator's page.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mezcallero.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mlmcompensationplanpdf.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"monambulanceprivee.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njnlcompany.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oradifitness.info"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258641; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer;
# confirm the deployed Suricata version still accepts it before loading the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"progastrin.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"szekrekedes.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"techhooks.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transystem.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vetownedhomeinspections.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258646/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258646; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wobilya.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258647/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"womansmedia.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yellowbooks.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258649/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258649; rev:1;)
# From sid 91258593 on, the indicators carry confidence_level 50 instead of 75.
# The match logic is identical, so weight these alerts lower during triage or
# filter on the metadata value.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cabobao3.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"durete.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"fuwer.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258595; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 50).
# NOTE(review): msg names no malware family and the confidence is 50, so a hit on
# a name such as intellipowerinc.com needs corroboration (endpoint telemetry,
# follow-up connections) before it is treated as a confirmed compromise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gyjyhyo8.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hofaty.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"intellipowerinc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"jurofye.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lyzupoy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258601; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 50).
# These rules only see DNS the sensor can parse; lookups made over encrypted DNS
# (DoH/DoT) are not visible to them unless the traffic is decrypted upstream.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"labljas.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mebumau.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mimerou.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nevujo.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pubmass.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258605; rev:1;)
alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pucak.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258606; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 50).
# Every rule here records first_seen 2024_04_18; domain indicators age, so check
# the reference page for the indicator's current status before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"qeqady.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"riwesi.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"simanay.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"suzabyu.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sytukoe8.org"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258611; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 50).
# nocase keeps the match working when a client or resolver randomises letter case
# in the query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vajosoo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vizewye.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vopytei.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vpdpkli.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xirygiy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258616/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_18; classtype:trojan-activity; sid:91258616; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 50).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xmgpsmi.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xuhyjoe5.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zefos.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258619; rev:1;)
# URL indicators for 195.181.245.38: cleartext HTTP GET whose URI starts with the
# listed path (prefix match) and whose Host equals the IP exactly. The destination
# port is "any", so the rules apply wherever the engine identifies HTTP.
# NOTE(review): the ip:port indicator for this host (sid 91258620) uses port 7966.
# Whether a Host header that includes ":7966" still satisfies the exact match
# depends on how the engine normalises http.host - confirm with a test pcap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qtuc"; depth:5; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258621/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258621; rev:1;)
# ip:port indicator for a Cobalt Strike C2 on a non-standard port. The rule has no
# flow or content keywords, so any TCP packet from $HOME_NET to 195.181.245.38:7966
# matches, including connection attempts that never complete; threshold caps
# output at one alert per source IP per 60 seconds.
alert tcp $HOME_NET any -> [195.181.245.38] 7966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258620; rev:1;)
# Domain indicators (confidence 75): the DNS query name must equal the listed name
# exactly, case-insensitively; subdomains of the name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bezizeo9.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cemiwyi7.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuxu.org"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deqytuu9.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"fazadoe.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258562; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# gihibml.org (sid 91258565) is also the Host in the payload-delivery HTTP rules
# sid 91258556 and sid 91258555 of this file; a DNS hit followed by an HTTP hit
# from the same source is stronger evidence than either alert alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fokeqi.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gejyg.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gihibml.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gmsmwil.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hejoweo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258567/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258567; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# NOTE(review): the labels are short and random-looking, presumably produced by an
# algorithm; msg names no malware family, so attribution has to come from the IOC
# page given in each rule's reference.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jesebyy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lmfpbpm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luhuhu.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmqsrsl.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmtixmm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnsmsla.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258573; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# The rules test the query name only and place no condition on the answer, so a
# hit shows that a lookup was made, not that the name resolved or that a
# connection followed; check for follow-up traffic from the same source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moxiroo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nurunia.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pisuxy.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poxof.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ppmpqii.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1258578/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258578; rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# classtype:trojan-activity is the same on rules of every confidence level in this
# file, so the alert class does not reflect ThreatFox confidence; use the
# confidence_level value in metadata when ranking alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pydypu.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pubonao.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258579/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qazoryy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qogmjlm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qoroh.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258583; 
rev:1;)
# Exact-match DNS query rules for ThreatFox domain indicators (confidence 75).
# The rules fire only for queries sourced from $HOME_NET; make sure that variable
# covers the client networks (or the internal resolver) whose traffic the sensor
# actually observes, otherwise these indicators give no coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sobopnm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258584/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sumuta.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tapyjya.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usprivatemoneylender.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vlbmqpm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"vnfmnmo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wireoneinternet.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wpmlvii.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258591/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zixirml.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dead-cheap-doma.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vl.php"; depth:7; nocase; http.host; content:"gihibml.org"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258556; rev:1;)
# Payload-delivery URL indicator for the root path. http.uri content:"/"
# with depth:1 is satisfied by any URI that begins with "/", so in
# practice this alerts on every GET whose host is exactly gihibml.org
# (http.host content is anchored at both ends by depth + isdataat:!1).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gihibml.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258555; rev:1;)
# The same plugin path reported on several different hosts. The URI
# content is anchored only at the start (depth equals the pattern length,
# no isdataat on http.uri), so it is a prefix match; the host must match
# exactly. Only GET requests are covered (http.method content:"GET").
# NOTE(review): the /wp-content/plugins/ path suggests these may be
# compromised WordPress sites rather than attacker-registered domains;
# verify before turning a hit into a domain-wide block, and expect the
# indicator to go stale once the site is cleaned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"prominencedigiworld.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"akshayascientifics.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"iespppomabamba.edu.pe"; depth:21; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1258552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"www.mlmigration.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"www.prottahobarta.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"rummyking24.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wzm.exe"; depth:8; nocase; http.host; content:"speedy34.myvnc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258548/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258548; rev:1;) alert tcp $HOME_NET any -> [43.138.222.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258546; rev:1;) alert tcp $HOME_NET any -> [168.76.131.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258538; rev:1;) alert tcp $HOME_NET any -> [94.156.8.57] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258539/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258539; rev:1;)
# Four payload-delivery URLs served from one IP-literal host
# (136.244.98.80). The http.host content has no nocase modifier; the
# buffer is normalized to lowercase, and an IP literal is unaffected.
# Each http.uri pattern is anchored at the start only (depth equals the
# pattern length), so it is a prefix match: "/arm" also matches longer
# URIs that begin with "/arm". The rules inspect parsed HTTP, so they do
# not see requests carried inside TLS.
# NOTE(review): /x86, /arm and /mips look like per-architecture builds of
# one payload (inferred from the names only); if so, alerting hosts are
# likely to include embedded or IoT devices, not just workstations.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258543; rev:1;)
# IP:port indicator: the header alone selects traffic from $HOME_NET to
# 198.23.227.230 on TCP port 7777.
alert tcp $HOME_NET any -> [198.23.227.230] 7777 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258544; rev:1;)
# A subdomain and its parent are listed as two separate exact-match
# rules (depth equals the pattern length, isdataat:!1,relative forbids
# trailing bytes). Other subdomains of bzwl888.sbs are not covered by
# either rule; hunt on the parent suffix in DNS logs if wider coverage
# is needed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswl.bzwl888.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bzwl888.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258537; rev:1;)
# IP:port indicators. These rules carry no flow or payload keywords, so
# any TCP packet from $HOME_NET to the listed address and port matches,
# including a connection attempt that is never answered. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds for each rule.
# An alert shows that a host tried to reach the address, not that a C2
# session was established; corroborate with flow records or endpoint
# telemetry. Address indicators age quickly, so weigh first_seen when
# triaging.
alert tcp $HOME_NET any -> [85.239.55.70] 515 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258535; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.17] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258517/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258517; rev:1;)
alert tcp $HOME_NET any -> [103.167.88.226] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity;
sid:91258533; rev:1;) alert tcp $HOME_NET any -> [204.76.203.101] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owo.p3pr00t.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hi.p3pr00t.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p3pr00t.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doxbin.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kayomirai.kro.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.atlasapi.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.atlasapi.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superdomain.africa"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vivki.epiddserica.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epiddserica.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santc.epiddserica.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ust.cx"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet2.vani.ovh"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graph.vani.ovh"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai.vani.ovh"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258521; rev:1;) alert tcp $HOME_NET any -> [45.59.170.27] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258516; rev:1;) alert tcp $HOME_NET any -> [45.59.170.27] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258515; rev:1;) alert tcp $HOME_NET any -> [185.216.70.210] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258514; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258513; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258512; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1258511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258511; rev:1;)
# Low-confidence IP:port indicators (confidence_level 50, family given
# only as "Unknown malware"), all on TCP port 8888. The rules match on
# destination address and port alone, so any TCP traffic from $HOME_NET
# to these endpoints alerts; treat a hit as a lead to corroborate, not
# as confirmation of compromise.
# Several of the addresses fall in 168.76.120.x. NOTE(review): this may
# be one hosting range; grouping alerts by destination prefix during
# triage shows whether a host is touching the cluster repeatedly.
alert tcp $HOME_NET any -> [168.76.120.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258510; rev:1;)
alert tcp $HOME_NET any -> [150.158.139.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258509; rev:1;)
alert tcp $HOME_NET any -> [168.76.120.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258508; rev:1;)
alert tcp $HOME_NET any -> [119.91.141.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258507; rev:1;)
alert tcp $HOME_NET any -> [168.76.120.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258506; rev:1;)
alert tcp $HOME_NET any ->
[1.92.114.234] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258505; rev:1;) alert tcp $HOME_NET any -> [77.124.180.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258504; rev:1;) alert tcp $HOME_NET any -> [197.83.246.191] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258503; rev:1;) alert tcp $HOME_NET any -> [149.109.240.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258502; rev:1;) alert tcp $HOME_NET any -> [103.249.112.118] 8181 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258501; rev:1;) alert tcp $HOME_NET any -> [185.196.11.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258500/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258500; rev:1;) alert tcp $HOME_NET any -> [80.78.22.18] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258499; rev:1;) alert tcp $HOME_NET any -> [103.82.36.91] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258498; rev:1;) alert tcp $HOME_NET any -> [49.13.214.35] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258497; rev:1;) alert tcp $HOME_NET any -> [74.208.123.12] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258496; rev:1;) alert tcp $HOME_NET any -> [221.211.234.138] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258495; rev:1;) alert tcp $HOME_NET any -> [3.0.250.71] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1258494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258494; rev:1;)
# IP:port indicators at confidence_level 50. They match on destination
# address and port only (no flow or payload keywords); the threshold
# limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [217.160.117.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258493; rev:1;)
alert tcp $HOME_NET any -> [89.147.111.163] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258492; rev:1;)
# URL indicator for the root path of an IP-literal host. http.uri
# content:"/" with depth:1 is satisfied by any URI beginning with "/",
# so this alerts on every GET whose host is exactly 94.130.189.25.
# The same address also appears below as an ip:port indicator on port 80
# (ioc 1258489), so one plain-HTTP request can raise both alerts;
# correlate on destination rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.189.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258491; rev:1;)
# Stealer-family ip:port indicators at confidence_level 80 on port 80.
# The rules do not inspect the HTTP exchange, so an alert records contact
# with the address only; review proxy or flow logs for what was sent
# before scoping credential exposure.
alert tcp $HOME_NET any -> [79.137.202.152] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258490; rev:1;)
alert tcp $HOME_NET any -> [94.130.189.25] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18;
classtype:trojan-activity; sid:91258489; rev:1;) alert tcp $HOME_NET any -> [94.130.189.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecklardagasda2.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"maraksatandas13.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarakbads2.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258478/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kovey.mezo-api.xyz"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258479; rev:1;) alert tcp $HOME_NET any -> [46.246.14.17] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"4.245.224.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258474; rev:1;) alert tcp $HOME_NET any -> [45.131.111.219] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258475; rev:1;) alert tcp $HOME_NET any -> [4.245.224.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1258487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258487; rev:1;)
# Two ip:port indicators for the same address (94.156.79.116), ports 22
# and 80, confidence_level 80. Both match on address and port alone.
# NOTE(review): port 22 is the registered SSH port; the feed labels it
# as Stealc C2, but the rule cannot tell protocols apart. Check what the
# session actually carried before attributing the alert to the family.
alert tcp $HOME_NET any -> [94.156.79.116] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258485; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.116] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258484/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258484; rev:1;)
# URL indicator: exact host, URI prefix match (depth equals the pattern
# length, no end anchor on http.uri). Coverage is limited to GET by
# http.method content:"GET"; requests to the same URL with another
# method do not match this rule, so pair it with proxy-log review of the
# host when investigating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bjnddcoa3/index.php"; depth:21; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258483; rev:1;)
# ip:port indicator on 443 (first_seen 2024_04_17). The rule matches the
# address and port only and inspects nothing inside the TLS session;
# enrich a hit with TLS metadata from the sensor (SNI, certificate) if
# it is logged.
alert tcp $HOME_NET any -> [70.34.253.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258482; rev:1;)
# Exact-match DNS indicator (depth equals the pattern length plus
# isdataat:!1,relative); nocase makes the comparison case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"european.pornvideo.mynetav.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258481/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"european.pornvideo.mynetav.org"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258480; rev:1;) alert tcp $HOME_NET any -> [194.87.39.98] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258472; rev:1;) alert tcp $HOME_NET any -> [104.129.20.14] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpollupdategamebigloaddbbaseasynclocal.php"; depth:52; nocase; http.host; content:"91.240.84.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258470; rev:1;) alert tcp $HOME_NET any -> [154.61.80.57] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258469; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258468; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258467; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258466; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258465; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258464; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258463; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258462; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258461; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258460; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258459; rev:1;) alert tcp $HOME_NET any -> [188.54.117.185] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258458/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258458; rev:1;) alert tcp $HOME_NET any -> [41.98.14.133] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258457; rev:1;) alert tcp $HOME_NET any -> [178.163.140.51] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258456; rev:1;) alert tcp $HOME_NET any -> [159.100.14.172] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258455; rev:1;) alert tcp $HOME_NET any -> [74.208.123.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258454; rev:1;) alert tcp $HOME_NET any -> [172.105.81.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258453; rev:1;) alert tcp $HOME_NET any -> [124.220.235.28] 1003 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258452; rev:1;) alert tcp $HOME_NET any -> [167.86.85.34] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258451; rev:1;) alert tcp $HOME_NET any -> [103.134.144.226] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258450; rev:1;) alert tcp $HOME_NET any -> [103.134.144.225] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258449; rev:1;) alert tcp $HOME_NET any -> [173.242.156.181] 448 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258448; rev:1;) alert tcp $HOME_NET any -> [119.96.137.30] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258447; rev:1;) alert tcp $HOME_NET any -> [5.181.156.104] 7777 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258446; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line.
#
# ip:port rules: the only match criteria are the destination address and port in
# the rule header; there are no flow or payload keywords, so any TCP packet from
# $HOME_NET to that endpoint qualifies. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source address per 60 seconds.
# "target:src_ip" records the internal source as the affected host in the event.
alert tcp $HOME_NET any -> [93.123.39.100] 8763 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258185; rev:1;)
# domain rule: content + depth equal to the content length + "isdataat:!1,relative"
# means the DNS query name must be exactly this string (case-insensitive via
# nocase); a longer name such as a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dzn.ddns.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258188; rev:1;)
alert tcp $HOME_NET any -> [45.77.154.40] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258189; rev:1;)
# url rules: http.host must equal the given value exactly (depth + isdataat:!1,relative),
# while the http.uri content is only anchored at the start of the buffer by depth,
# so a longer URI (extra path or query string) still matches.
# The next two rules overlap: "/api/g" is a prefix of "/api/gateway", so a GET for
# /api/gateway on this host satisfies both sid 91258205 and sid 91258206. The
# ip:port rule sid 91258207 below covers the same address on port 80 as well, so
# one cleartext session can raise three alerts. All three carry confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/gateway"; depth:12; nocase; http.host; content:"85.239.53.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/g"; depth:6; nocase; http.host; content:"85.239.53.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258206; rev:1;)
alert tcp $HOME_NET any -> [85.239.53.219] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258207; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.168] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258246; rev:1;)
# payload delivery rules: two distinct URI prefixes on the same Host value. These
# have no threshold keyword, so each matching request produces its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258253; rev:1;)
# The rule below is continued on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"119.179.217.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258445; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line.
#
# url rule: GET request whose URI starts with the given path (depth anchors the
# match at offset 0, nocase ignores case) and whose http.host buffer equals the
# given name exactly (depth + isdataat:!1,relative). The same host name is also
# covered by the dns rule sid 91258255 directly below, so a lookup followed by a
# cleartext request yields two alerts for one host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-o62eztd3-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258254; rev:1;)
# domain rules: each matches a DNS query whose name is exactly the listed string,
# case-insensitively. depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so neither subdomains nor the parent zone match; the
# first rule below therefore fires only for that one service label, not for
# other names under the same provider domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-o62eztd3-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cncboatnetonlvu.apimomo.pro"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npcodaas.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnettajima.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.verminteam.link"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legendsworld.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258248; rev:1;)
# payload delivery rule on a shared file-hosting host name: the Host condition
# alone would match unrelated downloads, so the discriminating part is the full
# attachment path in http.uri (81 bytes, anchored at the start of the URI).
# NOTE(review): being an http rule, this can only fire where the sensor sees the
# request itself (cleartext HTTP or decrypted TLS) - confirm sensor placement
# before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063894486901587979/1229768405582741570/1_npp.8.6.3.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258245; rev:1;)
# The rule below is continued on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eft-edi-customer"; depth:17; nocase; http.host; content:"pankerfan.com"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accessinformation"; depth:18; nocase; http.host; content:"pankerfan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/white-rock-progression/l3h0y5.php"; depth:52; nocase; http.host; content:"www.briccodeldente.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/0srbuw.php"; depth:45; nocase; http.host; content:"dreamerz.vn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/vhpg2j.php"; depth:46; nocase; http.host; content:"retrobox.rocks"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1258240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/msecgc.php"; depth:45; nocase; http.host; content:"www.savetheworldpodcast.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sb9ivy.php"; depth:45; nocase; http.host; content:"djibek.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258238; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 23403 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpipephp_httplowupdateprotectdbpublic.php"; depth:49; nocase; http.host; content:"579050cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; 
sid:91258236; rev:1;) alert tcp $HOME_NET any -> [103.195.236.62] 6789 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258235; rev:1;) alert tcp $HOME_NET any -> [94.156.10.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258234; rev:1;) alert tcp $HOME_NET any -> [8.217.14.132] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258233; rev:1;) alert tcp $HOME_NET any -> [103.244.226.133] 8086 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258232; rev:1;) alert tcp $HOME_NET any -> [13.43.245.50] 3306 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258231; rev:1;) alert tcp $HOME_NET any -> [5.44.196.220] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258230; rev:1;) alert tcp $HOME_NET any -> [119.28.159.21] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258229; rev:1;) alert tcp $HOME_NET any -> [192.227.152.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258228; rev:1;) alert tcp $HOME_NET any -> [47.238.201.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258227; rev:1;) alert tcp $HOME_NET any -> [8.219.146.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258226; rev:1;) alert tcp $HOME_NET any -> [8.219.15.69] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258225; rev:1;) alert tcp $HOME_NET any -> [137.184.117.57] 8080 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258224; rev:1;) alert tcp $HOME_NET any -> [123.249.100.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258223; rev:1;) alert tcp $HOME_NET any -> [120.46.91.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258222; rev:1;) alert tcp $HOME_NET any -> [47.104.20.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258221; rev:1;) alert tcp $HOME_NET any -> [47.108.197.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258220; rev:1;) alert tcp $HOME_NET any -> [139.196.78.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258219/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nextoneup.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258218; rev:1;) alert tcp $HOME_NET any -> [37.44.238.78] 65001 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258216; rev:1;) alert tcp $HOME_NET any -> [37.44.238.94] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258217; rev:1;) alert tcp $HOME_NET any -> [175.178.50.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258215; rev:1;) alert tcp $HOME_NET any -> [122.51.85.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258214; rev:1;) alert tcp $HOME_NET any -> [121.4.97.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258213; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line.
#
# ip:port rules: matched purely on the destination address and port in the rule
# header (no flow or payload keywords), rate-limited by the threshold keyword to
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [49.232.157.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258212; rev:1;)
alert tcp $HOME_NET any -> [116.203.13.134] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258210; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.73] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258211; rev:1;)
# url rules with content:"/"; depth:1 on http.uri: the URI condition only requires
# the buffer to begin with "/", so in practice these alert on any GET whose
# http.host equals the listed address, whatever the path. They have no threshold,
# so each such request alerts. The two addresses are the same ones used by the
# Vidar ip:port rules above (sid 91258210 and sid 91258211), on different ports.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258209; rev:1;)
# The rule below is continued on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.134"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258208; rev:1;)
# (The line above completes a rule that starts on the previous line.)
#
# --- ip:port IOCs, first_seen 2024_04_17 ------------------------------------
# These rules have no flow, flags or payload keywords: any TCP packet from
# $HOME_NET to the listed address and port matches, including connection
# attempts that never complete. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source per 60 seconds, so
# the number of alerts says nothing about session count or volume; pivot to
# flow records for that. target:src_ip records the internal source address as
# the target side of the event.
#
# DarkComet: a single address, ten ports, confidence_level 100.
alert tcp $HOME_NET any -> [187.135.117.203] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258200; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258201; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258202; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258203; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258204; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258195; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258196; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258197; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258198; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.203] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258199; rev:1;)
# Havoc on port 4433 at confidence_level 100. The same address is listed again
# in this feed on ports 443 and 80 at confidence_level 50 (sid 91258121,
# sid 91258122), so the port determines how much weight a hit deserves.
alert tcp $HOME_NET any -> [94.156.65.156] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258194; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.159] 11423 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258193; rev:1;)
# No family attributed (msg reads "Unknown malware"); the match is the address
# on ports 80 and 443 only, with nothing inspected at the HTTP or TLS layer.
alert tcp $HOME_NET any -> [91.92.242.61] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258191; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258192; rev:1;)
alert tcp $HOME_NET any -> [213.195.126.87] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258190; rev:1;)
# One address carrying two family labels: DCRat on 8010, AsyncRAT on 8082.
alert tcp $HOME_NET any -> [179.13.4.37] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258187; rev:1;)
alert tcp $HOME_NET any -> [179.13.4.37] 8082 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258186; rev:1;)
alert tcp $HOME_NET any -> [178.73.218.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258184; rev:1;)
alert tcp $HOME_NET any -> [192.210.236.212] 15111 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258183; rev:1;)
alert tcp $HOME_NET any -> [5.249.165.126] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258182; rev:1;)
# Mirai entries on TCP/23 (the telnet port). The second rule continues on the
# next line of the file.
alert tcp $HOME_NET any -> [79.132.128.95] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258181; rev:1;)
alert tcp $HOME_NET any -> [146.190.207.195] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity;
sid:91258180; rev:1;)
# (The line above completes a rule that starts on the previous line.)
#
# --- URL IOCs ---------------------------------------------------------------
# Shape shared by the http rules below: client-to-server on an established
# flow, method GET, then two buffer matches.
#   http.uri  - content + depth:<len> pins the path to offset 0, but there is
#               no end anchor, so any URI that merely begins with the path
#               (longer paths, query strings) also matches. nocase applies to
#               this content only.
#   http.host - depth:<len> plus isdataat:!1,relative anchors both ends, so
#               only the exact host value matches, not sub- or parent domains.
# None of these rules has a threshold; every matching request alerts.
#
# Payload-delivery URLs, confidence_level 100. onesmartiptv.com appears with
# two different paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"beautyservicenearme.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258178; rev:1;)
# --- Domain IOCs ------------------------------------------------------------
# The dns rules match the whole query name (depth:<len> + isdataat:!1,relative),
# case-insensitively, and fire on the lookup itself whether or not a
# connection follows. The header is $HOME_NET -> $EXTERNAL_NET: where clients
# resolve through an internal resolver, the alert source will be that resolver,
# and the querying client has to be recovered from resolver logs.
# NOTE(review): dns_query is the older keyword spelling; the http rules in this
# file already use the dotted sticky-buffer names (http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afterksmelipandmahdiimadss.ddns.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258171; rev:1;)
# confidence_level 60: the same path, /xmlrpc.php, on four unrelated hosts.
# NOTE(review): /xmlrpc.php is the standard WordPress XML-RPC endpoint, so
# these look like legitimate sites that were compromised; because the URI is a
# prefix match on that common path, benign GETs to the same sites will
# presumably alert too. Corroborate with host telemetry before containment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lendenclub.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258172/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.adarch.de"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258173/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"netedu.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258174/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.althaus-innenausbau.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258175/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258175; rev:1;)
# Host is an IP literal and the path is short ("/load"); the rule header does
# not restrict the destination port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258176; rev:1;)
# --- ip:port IOCs -----------------------------------------------------------
# Address-and-port matches with no payload keyword; the threshold limits each
# rule to one alert per source per 60 seconds. confidence_level differs per
# rule here (80, 100, 100, 75), so read it from the metadata, not the family.
alert tcp $HOME_NET any -> [49.13.149.95] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258170; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.69] 3770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258169; rev:1;)
alert tcp $HOME_NET any -> [66.248.207.29] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258168; rev:1;)
alert tcp $HOME_NET any -> [51.254.53.24] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258167; rev:1;)
# A dynamic-DNS hostname, then three subdomains of 02maill.com. Each rule
# matches its exact name only; the parent domain and other subdomains of
# 02maill.com are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mark1234567.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiaokkk.02maill.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ss.02maill.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cve.02maill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258165; rev:1;)
alert tcp $HOME_NET any -> [209.141.41.148] 9009 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mi341/index.php"; depth:16; nocase; http.host; content:"ccrhs.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258161; rev:1;)
# The path is a generic-looking asset name; it is the combination with the
# exact Host value that makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main/assets/js/bootbox.js"; depth:26; nocase; http.host; content:"1.92.85.139"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258160; rev:1;)
alert tcp $HOME_NET any -> [159.203.166.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258159; rev:1;)
# utilityreport.azureedge.net sits under a shared CDN domain. Both rules match
# this one hostname exactly (27 bytes, end-anchored); widening a block or a
# hunt to the parent domain would sweep in unrelated tenants.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utilityreport.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms-settings"; depth:12; nocase; http.host; content:"utilityreport.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258157; rev:1;)
alert tcp $HOME_NET any -> [101.99.94.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258156; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 29750 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258144; rev:1;)
# (The line above completes the NjRAT ip:port rule for 147.185.221.19 port
# 29750 that starts on the previous line.)
#
# Hostname IOC submitted alongside that NjRAT entry, confidence_level 75. The
# dns rule matches the full query name only and has no threshold.
# NOTE(review): *.ply.gg names look like endpoints of a tunnelling/relay
# service; if so, the paired address is presumably shared infrastructure, the
# port is what identifies the tunnel, and the pairing can go stale once the
# tunnel is released. Confirm against the ThreatFox entry before relying on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"require-spa.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258145; rev:1;)
# Latrodectus (feed label "Unidentified 111 (Latrodectus)"): eight addresses,
# all TCP/443, confidence_level 85. There is no tls.* or payload keyword, so
# these are pure address matches: any TCP packet to the address on 443 alerts,
# rate-limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [5.230.76.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258146/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258146; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.86] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258147/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258147; rev:1;)
alert tcp $HOME_NET any -> [66.63.189.8] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258148/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258148; rev:1;)
alert tcp $HOME_NET any -> [77.72.85.78] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258149/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258149; rev:1;)
alert tcp $HOME_NET any -> [91.149.253.77] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258150/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258150; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.58] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258151/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258151; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.179] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258152/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258152; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.182] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258153/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258153; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.110] 3050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258155; rev:1;)
# Exact-name DNS match; fires on the query, independent of any later connection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4-hitler.publicvm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258154; rev:1;)
# AsyncRAT: ten addresses that all use TCP/222, confidence_level 100. The
# shared, uncommon port is a convenient pivot when hunting in flow logs for
# hosts that contacted more than one of them.
alert tcp $HOME_NET any -> [192.159.99.43] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258139; rev:1;)
alert tcp $HOME_NET any -> [207.32.219.92] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258140; rev:1;)
alert tcp $HOME_NET any -> [35.233.238.201] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258141; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.103] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258142; rev:1;)
alert tcp $HOME_NET any -> [192.3.109.131] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258143; rev:1;)
alert tcp $HOME_NET any -> [87.120.84.91] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258134; rev:1;)
alert tcp $HOME_NET any -> [147.124.213.188] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258135; rev:1;)
alert tcp $HOME_NET any -> [212.23.222.206] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258136; rev:1;)
alert tcp $HOME_NET any -> [51.195.94.201] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258137; rev:1;)
alert tcp $HOME_NET any -> [207.244.249.35] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258138; rev:1;)
alert tcp $HOME_NET any -> [85.239.237.148] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold:
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258132; rev:1;)
# (The line above completes a rule that starts on the previous line.)
#
# NOTE(review): the address below ends in .0. That can be a valid host
# address, but it is worth checking the referenced ThreatFox entry to rule out
# a truncated value or a network address.
alert tcp $HOME_NET any -> [209.145.56.0] 7788 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258133; rev:1;)
# --- confidence_level 50 block (through sid 91258118) -----------------------
# Every rule from here to the Deimos entry carries confidence_level 50, and
# most target ports 80 or 443. They are address-and-port matches with no
# payload, HTTP or TLS keyword, so ordinary web traffic to the same address
# alerts as well; the threshold only limits output to one alert per source per
# 60 seconds. All rules share classtype trojan-activity regardless of
# confidence, so the metadata value is the only in-rule signal for giving
# these a lower triage priority than the confidence_level 100 entries.
alert tcp $HOME_NET any -> [77.238.235.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258131; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.6] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258130; rev:1;)
alert tcp $HOME_NET any -> [85.192.63.194] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258129; rev:1;)
alert tcp $HOME_NET any -> [41.99.193.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258128; rev:1;)
alert tcp $HOME_NET any -> [154.246.248.213] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258127; rev:1;)
# Havoc, confidence_level 50, on 80/443.
alert tcp $HOME_NET any -> [51.15.225.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258126; rev:1;)
alert tcp $HOME_NET any -> [18.206.197.222] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258125; rev:1;)
alert tcp $HOME_NET any -> [119.45.176.135] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258124; rev:1;)
alert tcp $HOME_NET any -> [62.169.25.187] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258123; rev:1;)
# 94.156.65.156 is also listed earlier in this feed on port 4433 at
# confidence_level 100 (sid 91258194); the two entries below for 443 and 80
# are the lower-confidence sightings of the same address.
alert tcp $HOME_NET any -> [94.156.65.156] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258121; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.156] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258122; rev:1;)
alert tcp $HOME_NET any -> [45.121.147.117] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258120; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20022 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258119; rev:1;)
alert tcp $HOME_NET any -> [221.130.195.172] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258118; rev:1;)
# Back to confidence_level 100. This Vidar address is also the Host value of
# the URL rule that begins on the last line of this group (sid 91258115).
alert tcp $HOME_NET any -> [65.109.240.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/"; depth:1; nocase; http.host; content:"65.109.240.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258115; rev:1;)
# (The line above completes a rule that starts on the previous line.)
#
# http.uri content:"/" with depth:1 is satisfied by any URI that begins with
# "/", so the rule above and the one below reduce to "any GET whose Host value
# is exactly this address". The rule header does not restrict the port. There
# is no threshold, so every such request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258114; rev:1;)
# confidence_level 50, no family attributed; address-and-port match only.
alert tcp $HOME_NET any -> [137.184.39.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258113; rev:1;)
# --- Domain IOCs ------------------------------------------------------------
# Each dns rule matches the complete query name (depth:<len> plus
# isdataat:!1,relative), case-insensitively, and alerts on the lookup alone.
# With the $HOME_NET -> $EXTERNAL_NET header, an internal resolver will show
# up as the alert source when clients do not query external servers directly;
# recover the client from resolver logs in that case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spotslfy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258110; rev:1;)
alert tcp $HOME_NET any -> [192.253.251.132] 1780 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258109; rev:1;)
# 139.196.73.80 appears twice: as the Host value of a URL rule (path prefix
# "/wnwa", confidence_level 75, any port) and as a Cobalt Strike ip:port rule
# on 9902 (confidence_level 100). A single beacon request can raise both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnwa"; depth:5; nocase; http.host; content:"139.196.73.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258108; rev:1;)
alert tcp $HOME_NET any -> [139.196.73.80] 9902 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258107; rev:1;)
# The URI is pinned to offset 0 but not end-anchored (prefix match); the Host
# value must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258106; rev:1;)
# AsyncRAT: one address, three ports (7707, 8808, 6606), confidence_level 75.
# These are address-and-port matches; the threshold limits each rule to one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.228.162.82] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258104/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258104; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.82] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258105; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.82] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258103; rev:1;)
# NjRAT ip:port entry and the hostname submitted next to it, confidence_level 75.
# NOTE(review): *.ply.gg names look like endpoints of a tunnelling/relay
# service; if so, 147.185.221.19 is presumably shared infrastructure, the port
# is what identifies the tunnel, and the entry can go stale once that port is
# released. Confirm against the ThreatFox entry before relying on it.
alert tcp $HOME_NET any -> [147.185.221.19] 29545 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cars-fraction.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258100; rev:1;)
# NjRAT on port 19044: three addresses share this port (these two rules and
# sid 91258080 further down), all at confidence_level 75.
alert tcp $HOME_NET any -> [3.14.182.203] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258081; rev:1;)
alert tcp $HOME_NET any -> [3.13.191.225] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258082; rev:1;)
# Port 80 with no HTTP keyword: any TCP traffic to this address on 80 matches.
alert tcp $HOME_NET any -> [91.92.253.228] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnauco5.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupssupport.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258077; rev:1;)
alert tcp $HOME_NET any -> [3.134.125.175] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258080; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.64] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1258072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258072; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258073; rev:1;) alert tcp $HOME_NET any -> [193.106.175.140] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0942660.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvideotestdatalifeuploads.php"; depth:37; nocase; http.host; content:"porpabor.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/index.php/08409289280180"; depth:25; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258098; rev:1;) alert tcp $HOME_NET any -> [45.128.96.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/1748937"; depth:18; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258095; rev:1;) alert tcp $HOME_NET any -> [185.172.128.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258094; rev:1;) alert tcp $HOME_NET any -> [193.233.132.72] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/index.php/690877741063"; depth:23; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258092; rev:1;)
# Reviewer annotations for the rules below (comments only; rule text is unchanged).
# ip:port rule: matches on destination address and port alone (no flow or payload
# keywords); limited to one alert per source per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [45.128.96.103] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258091; rev:1;)
# The next two rules (sid 91258089 and sid 91258090) name the same host: one on the
# HTTP request, one on the DNS query. A single client can raise both for one
# connection attempt, so correlate by source address instead of counting them as
# separate events.
# URL rule: depth:6 anchors "/api/x" at the start of the URI but nothing pins the
# end, so longer paths with that prefix also match. The Host match is exact
# (depth:50 equals the pattern length, followed by isdataat:!1,relative).
# NOTE(review): the host looks like a per-tenant name under a provider-operated
# parent domain (confirm). Both rules match the full name only; keep it that
# way rather than widening to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-e1idmqlj-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-e1idmqlj-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258090; rev:1;)
# ip:port rule on 443: address-and-port match only; the rule does not inspect the
# TLS handshake or any payload.
alert tcp $HOME_NET any -> [77.91.122.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demonstrate/v3.76/t35i67njako"; depth:30; nocase; http.host; content:"77.91.122.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258087; rev:1;) alert tcp $HOME_NET any -> [175.27.133.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp"; depth:3; nocase; http.host; content:"154.8.187.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp"; depth:3; nocase; http.host; content:"192.144.195.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"154.8.187.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258083/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258083; rev:1;) alert tcp $HOME_NET any -> [193.168.143.185] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91258079; rev:1;) alert tcp $HOME_NET any -> [66.63.189.105] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91258078; rev:1;) alert tcp $HOME_NET any -> [45.128.96.204] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258076; rev:1;) alert tcp $HOME_NET any -> [172.111.216.199] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258075; rev:1;) alert tcp $HOME_NET any -> [185.172.128.9] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258071; rev:1;) alert tcp $HOME_NET any -> [185.172.128.9] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258070; rev:1;) alert tcp $HOME_NET any -> [185.172.128.23] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258069; rev:1;) alert tcp $HOME_NET any -> [185.172.128.23] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258068; rev:1;) alert tcp $HOME_NET any -> [193.233.132.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258067; rev:1;) alert tcp $HOME_NET any -> [213.109.202.229] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258066; rev:1;) alert tcp $HOME_NET any -> [77.232.40.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258065; rev:1;) alert tcp 
$HOME_NET any -> [103.207.68.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258064; rev:1;)
# Reviewer annotations for the rules below (comments only; rule text is unchanged).
# Every rule in this run is an ip:port indicator with confidence_level 50. None has
# flow or payload keywords, so any TCP packet from $HOME_NET to the listed address
# and port satisfies the rule; the threshold then caps output at one alert per
# source per 60 seconds.
# NOTE(review): with first_seen 2024_04_16 and confidence 50, check the indicator
# is still current before acting on a hit, and corroborate with endpoint or flow
# data. classtype is trojan-activity regardless of confidence, so priority rules
# keyed on classtype alone will not separate these from the 100% entries;
# metadata confidence_level is the field to filter on.
alert tcp $HOME_NET any -> [43.135.5.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258063; rev:1;)
# The QakBot entries on 995 and 443 use ports that also carry ordinary mail and web
# TLS traffic; the rule cannot tell the two apart because it never looks past the
# address and port.
alert tcp $HOME_NET any -> [39.40.172.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258062; rev:1;)
alert tcp $HOME_NET any -> [89.148.151.61] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258061; rev:1;)
alert tcp $HOME_NET any -> [88.229.77.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258060; rev:1;)
alert tcp $HOME_NET any -> [83.136.248.250] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258059/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258059; rev:1;) alert tcp $HOME_NET any -> [103.82.36.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258058; rev:1;) alert tcp $HOME_NET any -> [182.140.130.101] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258057; rev:1;) alert tcp $HOME_NET any -> [149.28.144.85] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.55.199.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258054/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_16; classtype:trojan-activity; sid:91258054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"167.71.242.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"165.227.108.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258052; rev:1;) alert tcp $HOME_NET any -> [185.196.220.194] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258050; rev:1;) alert tcp $HOME_NET any -> [103.155.93.148] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258049; rev:1;) alert tcp $HOME_NET any -> [194.48.251.169] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; 
classtype:trojan-activity; sid:91258043; rev:1;)
# Reviewer annotations for the rules below (comments only; rule text is unchanged).
# Four "payload delivery" URL rules for one host (194.48.251.169). Each requires an
# established client-to-server flow, a GET method, a URI that starts with the
# listed path (depth anchors the start; nothing pins the end, so longer URIs with
# the same prefix match), and a Host value equal to the address (depth:14 plus
# isdataat:!1,relative).
# These rules carry no threshold, unlike the ip:port rules in this file, so every
# matching request produces an alert.
# A hit shows that a client requested the path. Whether the file was served or run
# is not visible to the rule; check the HTTP response status, any file-extraction
# logs and endpoint telemetry for the source host (target:src_ip marks the
# internal client as the affected side).
# The msg text says "payload delivery" but classtype is trojan-activity, the same
# as the C2 rules; use msg or metadata when triage needs to tell them apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.hta"; depth:6; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.hta"; depth:6; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gogis.bat"; depth:10; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258047; rev:1;)
alert tcp $HOME_NET any -> [66.66.146.74] 9511 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"kingofdolomites.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"camps.topgunnbaseball.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258042; rev:1;) alert tcp $HOME_NET any -> [109.107.181.83] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258040; rev:1;) alert tcp $HOME_NET any -> [216.9.225.194] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258039; rev:1;) alert tcp $HOME_NET any -> [191.82.251.201] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258038/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258038; rev:1;) alert tcp $HOME_NET any -> [194.105.5.194] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258037; rev:1;) alert tcp $HOME_NET any -> [104.234.204.57] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258036; rev:1;) alert tcp $HOME_NET any -> [103.47.147.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258035; rev:1;) alert tcp $HOME_NET any -> [94.156.67.112] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258034; rev:1;) alert tcp $HOME_NET any -> [80.112.42.92] 22 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258026; rev:1;) alert tcp $HOME_NET any -> [43.156.80.75] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257786; rev:1;) alert tcp $HOME_NET any -> [43.135.11.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257785; rev:1;) alert tcp $HOME_NET any -> [107.172.196.210] 58000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257784; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 5000 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257783; rev:1;) alert tcp $HOME_NET any -> [23.94.66.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257782; rev:1;) alert tcp $HOME_NET any -> [47.236.8.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; 
sid:91257781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0941979.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257780; rev:1;) alert tcp $HOME_NET any -> [8.218.149.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"zgjatj.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257778; rev:1;) alert tcp $HOME_NET any -> [159.65.56.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257777; rev:1;) alert tcp $HOME_NET any -> [124.70.102.46] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257776; 
rev:1;) alert tcp $HOME_NET any -> [1.92.85.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257775; rev:1;) alert tcp $HOME_NET any -> [1.92.82.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257774; rev:1;) alert tcp $HOME_NET any -> [139.224.49.34] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257773; rev:1;) alert tcp $HOME_NET any -> [120.78.139.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257772; rev:1;) alert tcp $HOME_NET any -> [115.29.202.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257771; rev:1;) alert tcp $HOME_NET any -> [54.91.135.60] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257770; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
# target:src_ip marks the internal host as the alert target, so triage starts at the $HOME_NET endpoint.
alert tcp $HOME_NET any -> [101.200.86.176] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257769; rev:1;)
alert tcp $HOME_NET any -> [59.110.91.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257768; rev:1;)
alert tcp $HOME_NET any -> [47.115.215.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257767; rev:1;)
alert tcp $HOME_NET any -> [47.108.130.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257766; rev:1;)
alert tcp $HOME_NET any -> [47.92.206.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/0672554332862"; depth:24; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257764/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257764; rev:1;)
# The rule completed above pins a URI prefix and an exact IP-literal Host; it only sees cleartext HTTP.
# ip:port rules below: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to
# the listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
alert tcp $HOME_NET any -> [39.96.116.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257763; rev:1;)
alert tcp $HOME_NET any -> [8.137.11.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257762; rev:1;)
alert tcp $HOME_NET any -> [8.134.102.18] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257761; rev:1;)
alert tcp $HOME_NET any -> [175.178.160.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257760; rev:1;)
alert tcp $HOME_NET any -> [124.222.147.8] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold:
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257759; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
alert tcp $HOME_NET any -> [43.143.168.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257758; rev:1;)
alert tcp $HOME_NET any -> [43.139.67.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257757; rev:1;)
# Domain rule: exact, case-insensitive match on the queried name (depth equal to the content length plus
# isdataat:!1,relative), so subdomains of it do not match. It has no threshold, so every matching query alerts.
# dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b.doxbin.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257756/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257756; rev:1;)
alert tcp $HOME_NET any -> [107.175.229.141] 36832 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257755; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.16] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257735;
rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
# NOTE(review): msg names the family only as "Unknown malware", so the alert alone gives no protocol or
# behaviour to corroborate; pair a hit with endpoint or flow evidence before acting on it.
alert tcp $HOME_NET any -> [64.95.13.160] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257734; rev:1;)
alert tcp $HOME_NET any -> [51.89.30.114] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257733; rev:1;)
alert tcp $HOME_NET any -> [51.81.0.240] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257732; rev:1;)
alert tcp $HOME_NET any -> [51.38.67.91] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257731; rev:1;)
alert tcp $HOME_NET any -> [45.133.74.121] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257730; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.219] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1257729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257729; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
# NOTE(review): msg names the family only as "Unknown malware"; corroborate a hit with endpoint or flow evidence.
alert tcp $HOME_NET any -> [45.128.232.185] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257728; rev:1;)
alert tcp $HOME_NET any -> [23.160.193.106] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257726; rev:1;)
alert tcp $HOME_NET any -> [23.160.194.10] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257727; rev:1;)
alert tcp $HOME_NET any -> [15.235.149.123] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257725; rev:1;)
alert tcp $HOME_NET any -> [15.204.12.150] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257724; rev:1;)
alert tcp $HOME_NET any ->
[5.181.80.35] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257723; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
# Each rule covers one address; because the limit is tracked per rule, a host touching several of these
# neighbouring addresses raises one alert per rule.
alert tcp $HOME_NET any -> [94.156.66.184] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257736; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.225] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257737; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.43] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257738; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.74] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257739; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.28] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1257740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257740; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
# NOTE(review): msg names the family only as "Unknown malware"; corroborate a hit with endpoint or flow evidence.
alert tcp $HOME_NET any -> [103.174.73.85] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257741; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.53] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257742; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.237] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257743; rev:1;)
alert tcp $HOME_NET any -> [158.51.96.17] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257744; rev:1;)
alert tcp $HOME_NET any -> [162.214.103.215] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257745; rev:1;)
alert tcp $HOME_NET any -> [162.214.103.216] 2052
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257746; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
# NOTE(review): 172.65.152.34 looks like it falls in 172.64.0.0/13, a range Cloudflare publishes as its own.
# If so this is a shared front-end address, and outbound SSH to it may belong to an unrelated service;
# confirm before blocking on this rule, despite the 100% confidence label.
alert tcp $HOME_NET any -> [172.65.152.34] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257747; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.230] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257748; rev:1;)
alert tcp $HOME_NET any -> [193.34.69.249] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257749; rev:1;)
alert tcp $HOME_NET any -> [209.141.50.91] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257750; rev:1;)
alert tcp $HOME_NET any -> [209.141.59.146] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257751/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257751; rev:1;)
# ip:port rule: header-only match, one alert per source per 60 s.
alert tcp $HOME_NET any -> [209.141.62.176] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257752; rev:1;)
# Domain rules below: exact, case-insensitive match on the queried name (depth equal to the content length
# plus isdataat:!1,relative). dns_query is the legacy spelling of the dns.query sticky buffer.
# NOTE(review): the *.gl.at.ply.gg names and the 147.185.221.19 port rules sit together here; presumably
# they are endpoints of a public tunnelling service (ply.gg looks like playit.gg — confirm). If so, the
# address is shared between tenants and only the port ties a rule to one operator, and that mapping can
# change; treat these 75% rules as leads and verify against the referenced entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"returns-vary.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257754; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 26628 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257753; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 29058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tue-jake.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257720; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 28329
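(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257721; rev:1;)
# Domain rule: exact, case-insensitive match on the queried name (depth equal to the content length plus
# isdataat:!1,relative). dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"report-dust.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257722; rev:1;)
# FIX(review): sid:91257717 and sid:91257718 previously tested content:"87.120.84.22" at depth 12 inside
# http.uri. A normalized request URI begins with "/", so that anchor could not match an ordinary request
# and both rules were effectively dead. The address is now matched as the exact Host value, the same shape
# this file's other URL rules with an IP-literal host use (for example sid:91257714).
# NOTE(review): the original IOC path is not visible here, so the rules now fire on any cleartext GET to
# that Host; confirm against threatfox.abuse.ch/ioc/1257717/ and /1257718/. The two rules are identical
# apart from reference and sid, so one request raises two alerts; disable one locally if that is noise.
# rev is left at the feed's value; track this as a local override so a feed refresh does not silently revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"87.120.84.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"87.120.84.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257718; rev:1;)
# ip:port rule: header-only match (no flow or content keywords); one alert per source per 60 s.
alert tcp $HOME_NET any -> [173.44.141.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;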
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257714; rev:1;)
# The rule completed above matches a URI that reads like a common jQuery asset path, so the exact Host pin
# is what keeps it specific; it only sees cleartext HTTP.
# Domain rule: exact, case-insensitive match on the full queried name (depth equal to the content length
# plus isdataat:!1,relative); the parent domain and sibling labels do not match. dns_query is the legacy
# spelling of the dns.query sticky buffer.
# NOTE(review): the name looks like a per-service label on a cloud API-gateway domain — confirm; if so the
# resolved addresses are shared, and the name rather than the address is the indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lj3klqg6-1308639534.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257712; rev:1;)
# ip:port rules: header-only match (no flow or content keywords); one alert per source per 60 s.
alert tcp $HOME_NET any -> [111.230.25.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257713; rev:1;)
# URL rule: GET whose URI starts with "/api/getit" (no end anchor) on the exact Host named above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-lj3klqg6-1308639534.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257711; rev:1;)
alert tcp $HOME_NET any -> [101.99.75.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 100%)"; dns_query; content:"microsoft-net.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257709; rev:1;)
# URL rule: the URI test is the 3-byte prefix "/ki" (no end anchor), so the exact Host "microsoft-net.com"
# carries the specificity. It only sees cleartext HTTP; the domain rule completed above (sid:91257709) is
# what still fires when the same host is reached over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ki"; depth:3; nocase; http.host; content:"microsoft-net.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257708; rev:1;)
# ip:port rules: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET to the
# listed address and port qualifies, including an unanswered SYN. threshold caps alerts at one per source per 60 s.
alert tcp $HOME_NET any -> [89.190.156.34] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257707; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.88] 6281 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257706; rev:1;)
# "/supershell/login/" rules (confidence 50): GET whose URI starts with that path on one exact Host.
# NOTE(review): the path presumably is a C2 framework's management-panel login page rather than implant
# traffic, so a hit may be a browser or scanner reaching the panel — confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"18.166.113.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"167.71.91.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257640; rev:1;)
# "/supershell/login/" rules (confidence 50): GET whose URI starts with that path (depth anchors the start,
# nocase, no end anchor) and whose Host is exactly the listed IP literal (depth plus isdataat:!1,relative).
# They have no threshold and only see cleartext HTTP.
# NOTE(review): the path presumably is a C2 framework's management-panel login page rather than implant
# traffic, so a hit may be a browser or scanner reaching the panel — confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.10.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"34.81.83.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.81.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host;
content:"142.171.62.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257644; rev:1;)
# "/supershell/login/" rules (confidence 50): GET whose URI starts with that path (depth anchors the start,
# nocase, no end anchor) and whose Host is exactly the listed IP literal (depth plus isdataat:!1,relative).
# They have no threshold and only see cleartext HTTP.
# NOTE(review): the path presumably is a C2 framework's management-panel login page rather than implant
# traffic, so a hit may be a browser or scanner reaching the panel — confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"35.198.215.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.163.208.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"123.1.189.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257648/; target:src_ip; metadata: confidence_level
50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257648; rev:1;)
# "/supershell/login/" rules (confidence 50): GET whose URI starts with that path (depth anchors the start,
# nocase, no end anchor) and whose Host is exactly the listed IP literal (depth plus isdataat:!1,relative).
# They have no threshold and only see cleartext HTTP.
# NOTE(review): the path presumably is a C2 framework's management-panel login page rather than implant
# traffic, so a hit may be a browser or scanner reaching the panel — confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.242.8.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"222.112.93.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.249.8.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"106.75.66.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2
traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.91.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257653; rev:1;)
# This variant tests "/supershell/login" without the trailing slash. The URI test is a prefix match (depth
# anchors the start, nothing anchors the end), so it also matches "/supershell/login/...": a request that
# triggers sid:91257639 for the same Host (18.166.113.24) triggers this rule too, giving two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"18.166.113.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257638; rev:1;)
# "/supershell/login/" rules (confidence 50): URI prefix plus exact IP-literal Host; no threshold; cleartext HTTP only.
# NOTE(review): the path presumably is a C2 framework's management-panel login page rather than implant
# traffic, so a hit may be a browser or scanner reaching the panel — confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"116.204.123.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18;
nocase; http.host; content:"202.61.141.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257635; rev:1;)
# "/supershell/login/" rules (confidence 50): GET whose URI starts with that path (depth anchors the start,
# nocase, no end anchor) and whose Host is exactly the listed IP literal (depth plus isdataat:!1,relative).
# They have no threshold and only see cleartext HTTP.
# NOTE(review): the path presumably is a C2 framework's management-panel login page rather than implant
# traffic, so a hit may be a browser or scanner reaching the panel — confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"139.199.2.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.143.112.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.220.0.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.134.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257631/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"101.34.243.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.10.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.10.10.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.128.177.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.223.247.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.128.177.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"86.38.247.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"149.129.131.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.74.192.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"150.109.241.155"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1257618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"49.235.117.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.172.209.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"121.36.61.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.242.4.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257614; rev:1;) 
# --- URL indicators: GET /supershell/login[/] on literal-IP hosts (confidence 50) ---
# Each rule needs three matches in one client-to-server request: method GET,
# an http.uri that STARTS with the given path (depth anchors the content at the
# start of the buffer; nothing anchors the end, so longer URIs with the same
# prefix also match), and an http.host buffer equal to the listed value
# (depth plus isdataat:!1,relative leaves no room for trailing bytes).
# The host value is an IP literal, so a request that reaches the same server
# under a domain name does not match.
# "/supershell/login" (depth:17) is a prefix of "/supershell/login/" (depth:18):
# for 43.249.193.129 a request for the trailing-slash path raises both
# sid 91257613 and sid 91257609. Deduplicate downstream if that matters.
# These are app-layer http rules; they only see HTTP that the sensor can parse
# (cleartext, or decrypted before it reaches the sensor).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.249.193.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.242.4.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.209.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.132.193.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.249.193.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257609; rev:1;)

# --- IP:port indicators: "Unknown malware" C2 (confidence 100) ---
# Header-only rules: there is no flow or content keyword, so a packet from
# $HOME_NET to the listed address and port matches on its headers alone. An
# alert therefore shows that a host tried to reach the indicator, not that a
# session was established or what was exchanged; correlate with flow and
# HTTP logs for the same source before drawing conclusions.
# threshold "type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds.
# target:src_ip marks the internal source address as the affected host in
# the alert record.
# first_seen is the only age information carried in the rule itself; the
# reference: URL points at the ThreatFox entry for the indicator.
alert tcp $HOME_NET any -> [38.45.100.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257500; rev:1;)
alert tcp $HOME_NET any -> [41.216.182.208] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257501; rev:1;)
alert tcp $HOME_NET any -> [45.90.12.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257502; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257503; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257504; rev:1;)
alert tcp $HOME_NET any -> [45.133.74.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257505; rev:1;)
alert tcp $HOME_NET any -> [51.83.180.205] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257506; rev:1;)
alert tcp $HOME_NET any -> [51.222.204.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257507; rev:1;)
alert tcp $HOME_NET any -> [86.104.194.180] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257508; rev:1;)
alert tcp $HOME_NET any -> [89.208.103.203] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257509; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.109] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257510; rev:1;)
alert tcp $HOME_NET any -> [91.103.253.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257511; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.147] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257512; rev:1;)
alert tcp $HOME_NET any -> [94.131.99.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257513; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257514; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257515; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257516; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.74] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257517; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.28] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257518; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257519; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257520; rev:1;)
alert tcp $HOME_NET any -> [159.253.120.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257521; rev:1;)
alert tcp $HOME_NET any -> [185.102.172.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257522; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257523; rev:1;)
alert tcp $HOME_NET any -> [193.34.69.249] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257524; rev:1;)
# The next entry is published with destination port 88; its neighbours use 80.
alert tcp $HOME_NET any -> [193.35.18.35] 88 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257525; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257526; rev:1;)
# --- IP:port indicators: "Unknown malware" C2 (confidence 100) ---
# Header-only rules (no flow or content keyword): a packet from $HOME_NET to the
# listed address and port matches on its headers alone, and the threshold keeps
# each rule to one alert per source address per 60 seconds. Treat a hit as
# "this host tried to reach the indicator" and confirm with flow/HTTP logs.
alert tcp $HOME_NET any -> [198.27.107.169] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257527; rev:1;)
alert tcp $HOME_NET any -> [199.195.251.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257528; rev:1;)
alert tcp $HOME_NET any -> [205.185.119.42] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257529; rev:1;)
alert tcp $HOME_NET any -> [209.141.44.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257530; rev:1;)
alert tcp $HOME_NET any -> [209.141.62.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257531; rev:1;)

# --- URL indicators published without a path (confidence 100) ---
# NOTE(review): sid 91257556, 91257558 and 91257560 look for a hostname or IP
# literal at the very start of http.uri (depth equals the value's length) and
# have no http.host match. An origin-form request URI begins with "/", so as
# written these rules are unlikely to match ordinary requests to those hosts.
# The indicator was presumably submitted as a bare host rather than a URL
# (confirm on the referenced IOC page). If coverage is needed, a local rule
# under a locally assigned sid can use the shape sid 91257557 has:
# http.uri "/" plus an exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pickthecotton.xyz"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1257556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257556; rev:1;)
# URI content "/" with depth:1 is satisfied by any URI that starts with "/", so
# this rule is in effect "GET to exactly this host".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zopz-api.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.244.125"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1257558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.187.28.15"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257560; rev:1;)

# --- IP:port indicators: Mirai / Bashlite C2 (confidence 75 and 100) ---
# Same header-only shape as above. 66.187.4.175 is listed on two ports
# (17691 and 55650), each with its own sid and its own threshold counter.
alert tcp $HOME_NET any -> [164.92.166.129] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257573; rev:1;)
alert tcp $HOME_NET any -> [51.81.38.137] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257574; rev:1;)
alert tcp $HOME_NET any -> [64.227.166.207] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257575; rev:1;)
alert tcp $HOME_NET any -> [188.119.103.198] 17691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257601; rev:1;)
alert tcp $HOME_NET any -> [66.187.4.175] 17691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257602; rev:1;)
alert tcp $HOME_NET any -> [66.187.4.175] 55650 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257603; rev:1;)
alert tcp $HOME_NET any -> [166.88.61.185] 10020 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257608; rev:1;)
alert tcp $HOME_NET any -> [5.181.190.250] 8008 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257607; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.117] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257606; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.103] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257605; rev:1;)

# URL indicator: GET with a URI starting "/supershell/login" (prefix match, no
# end anchor) and http.host exactly equal to the IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.198.174.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257604; rev:1;)

# --- NjRAT C2 and related domain indicators (confidence 75) ---
# DNS rules: dns_query content with depth equal to the name's length plus
# isdataat:!1,relative matches the exact query name only (case-insensitively);
# a query for a subdomain of the listed name does not match.
# NOTE(review): the *.ply.gg names and 147.185.221.19 look like endpoints of a
# shared tunnelling service. Confirm; if so, other tenants may sit behind the
# same address, and the port in each tcp rule is what ties the alert to this
# indicator.
alert tcp $HOME_NET any -> [147.185.221.19] 17455 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artist-composed.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257665/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257665; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 28632 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tequilacofradiamx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257662; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.199] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257661; rev:1;)

# --- Payload delivery from 193.222.96.41 (confidence 100) ---
# The two http rules match a GET whose URI starts with "/xxx.bat" or "/.hta"
# and whose http.host is exactly the IP literal. The tcp rule further down
# (sid 91257657) covers the same address on port 7287 by headers only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxx.bat"; depth:8; nocase; http.host; content:"193.222.96.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boatnet.dogzsec.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257655; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.41] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257657; rev:1;)

# --- Mixed C2 indicators (confidence 75 and 100) ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"green-morrison.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257666; rev:1;)
alert tcp $HOME_NET any -> [87.121.105.175] 14845 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257667; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257671; rev:1;)
alert tcp $HOME_NET any -> [2.58.95.131] 65480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257683; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.252] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257687; rev:1;)

# --- Vidar C2 addresses and accompanying URL indicators (confidence 100) ---
# 95.217.28.230 and 116.202.185.144 each appear twice: once as a header-only
# tcp rule (ports 443 and 5432) and once as an http rule that matches a GET
# with any URI starting "/" and http.host equal to the IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257703; rev:1;)
alert tcp $HOME_NET any -> [116.202.185.144] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257704; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.230] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257702; rev:1;)
# The next two rules name hosts that are shared public platforms; only the
# path ties a request to the indicator. The path is a prefix match, so
# "/irfail" also matches longer paths that begin with the same seven bytes.
# NOTE(review): both sites are normally served over TLS. Without decryption in
# front of the sensor the http.* buffers are never populated for that traffic
# and these rules stay silent; a TLS SNI match would see the host but not the
# path, so it cannot replace them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfail"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199673019888"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257700; rev:1;)

# --- IP:port indicators at confidence 50 (Unknown malware, DCRat, QakBot) ---
# Header-only matches on an address and port, several of them on 80 and 443,
# with the feed's lowest confidence value in this section. A hit is a lead to
# verify against the referenced IOC page and host telemetry, not a verdict.
alert tcp $HOME_NET any -> [82.146.62.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257699; rev:1;)
alert tcp $HOME_NET any -> [185.173.38.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257698; rev:1;)
alert tcp $HOME_NET any -> [101.37.13.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257697; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.8] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257696; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257695; rev:1;)
alert tcp $HOME_NET any -> [189.152.21.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257694; rev:1;)
alert tcp $HOME_NET any -> [190.134.50.121] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257693; rev:1;)
alert tcp $HOME_NET any -> [77.126.165.31] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; 
classtype:trojan-activity; sid:91257692; rev:1;) alert tcp $HOME_NET any -> [147.45.136.226] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257691; rev:1;) alert tcp $HOME_NET any -> [192.162.68.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257690; rev:1;) alert tcp $HOME_NET any -> [128.14.237.229] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257689; rev:1;) alert tcp $HOME_NET any -> [77.106.68.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257688; rev:1;) alert tcp $HOME_NET any -> [185.222.58.87] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/load"; depth:5; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"116.62.34.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257678/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.92.147.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0942630.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257672; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257670; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257669; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/jinjfg/panel/five/fre.php"; depth:26; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jinjfg/panel/five/fre.php"; depth:26; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257656; rev:1;) alert tcp $HOME_NET any -> [135.125.21.74] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257600; rev:1;) alert tcp $HOME_NET any -> [77.134.63.213] 1122 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257599; rev:1;) alert tcp $HOME_NET any -> [171.232.6.144] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257597; rev:1;) alert tcp $HOME_NET any -> [171.232.6.144] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257598; rev:1;) alert tcp $HOME_NET any -> [111.173.116.82] 2312 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257596; rev:1;) alert tcp $HOME_NET any -> [89.88.69.115] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257595; rev:1;) alert tcp $HOME_NET any -> [91.92.247.34] 6667 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257594; rev:1;) alert tcp $HOME_NET any -> [91.92.244.76] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257593; rev:1;) alert tcp $HOME_NET any -> [8.210.250.14] 6603 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257591; rev:1;) 
alert tcp $HOME_NET any -> [37.235.56.182] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257592; rev:1;) alert tcp $HOME_NET any -> [223.26.61.23] 5121 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257590; rev:1;) alert tcp $HOME_NET any -> [91.92.251.216] 7000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257589; rev:1;) alert tcp $HOME_NET any -> [187.135.177.247] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257588; rev:1;) alert tcp $HOME_NET any -> [200.9.154.160] 10000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257587; rev:1;) alert tcp $HOME_NET any -> [104.250.169.165] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257581; rev:1;) alert tcp $HOME_NET any -> [128.90.122.129] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257582; rev:1;) alert tcp $HOME_NET any -> [156.195.84.201] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257583; rev:1;) alert tcp $HOME_NET any -> [156.195.143.153] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257584; rev:1;) alert tcp $HOME_NET any -> [172.111.148.205] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257585; rev:1;) alert tcp $HOME_NET any -> [181.214.223.125] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257586; rev:1;) alert tcp $HOME_NET any -> [20.2.223.28] 5555 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257576; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257577; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257578; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257579; rev:1;) alert tcp $HOME_NET any -> [103.47.147.23] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257580; rev:1;) alert tcp $HOME_NET any -> [35.221.150.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257572; rev:1;) alert tcp $HOME_NET any -> [35.229.251.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257571; rev:1;) alert tcp $HOME_NET any -> [88.214.27.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257569; rev:1;) alert tcp $HOME_NET any -> [88.214.27.80] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257570; rev:1;) alert tcp $HOME_NET any -> [81.19.138.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257567; rev:1;) alert tcp $HOME_NET any -> [81.19.138.60] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257568; rev:1;) alert tcp $HOME_NET any -> [81.19.136.252] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257565; rev:1;) alert tcp $HOME_NET any -> [81.19.136.252] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257566; rev:1;) alert tcp $HOME_NET any -> [210.56.49.167] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257564; rev:1;) alert tcp $HOME_NET any -> [38.180.120.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257563; rev:1;) alert tcp $HOME_NET any -> [106.75.162.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257562; rev:1;) alert tcp $HOME_NET any -> [149.88.78.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257561; rev:1;) alert tcp 
$HOME_NET any -> [43.131.5.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257559; rev:1;) alert tcp $HOME_NET any -> [46.246.80.8] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257555; rev:1;) alert tcp $HOME_NET any -> [88.234.159.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257554; rev:1;) alert tcp $HOME_NET any -> [78.69.198.113] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257553; rev:1;) alert tcp $HOME_NET any -> [151.64.244.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257552; rev:1;) alert tcp $HOME_NET any -> [158.140.128.55] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257551/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257551; rev:1;) alert tcp $HOME_NET any -> [172.233.120.154] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257550; rev:1;) alert tcp $HOME_NET any -> [54.37.226.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257549; rev:1;) alert tcp $HOME_NET any -> [103.136.150.94] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257548; rev:1;) alert tcp $HOME_NET any -> [151.236.26.171] 12041 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257547; rev:1;) alert tcp $HOME_NET any -> [118.212.140.132] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257546; rev:1;) alert tcp $HOME_NET any -> [35.189.178.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257545; rev:1;) alert tcp $HOME_NET any -> [38.60.217.106] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257544; rev:1;) alert tcp $HOME_NET any -> [159.203.125.55] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257543; rev:1;) alert tcp $HOME_NET any -> [159.203.125.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257542; rev:1;) alert tcp $HOME_NET any -> [103.149.90.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257541; rev:1;) alert tcp $HOME_NET any -> [45.77.37.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257540; rev:1;) alert 
tcp $HOME_NET any -> [103.146.159.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257539; rev:1;) alert tcp $HOME_NET any -> [20.189.79.97] 43552 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257538; rev:1;) alert tcp $HOME_NET any -> [43.132.184.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257537; rev:1;) alert tcp $HOME_NET any -> [107.175.91.204] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257536; rev:1;) alert tcp $HOME_NET any -> [164.92.249.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257534; rev:1;) alert tcp $HOME_NET any -> [164.92.249.209] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257535; rev:1;)
# ip:port entries: one Cobalt Strike endpoint at confidence_level 100, then RAT
# families at confidence_level 80 (AsyncRAT, Orcus RAT, Nanocore RAT, Xtreme RAT).
# Nothing in these rules inspects the protocol or payload; the family in msg is
# the feed's attribution for the endpoint, not something Suricata verified.
# target:src_ip marks the $HOME_NET sender as the affected side of the alert.
alert tcp $HOME_NET any -> [159.89.16.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257533; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.252] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257532; rev:1;)
alert tcp $HOME_NET any -> [59.174.112.119] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257499; rev:1;)
alert tcp $HOME_NET any -> [176.135.229.160] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257498; rev:1;)
alert tcp $HOME_NET any -> [63.41.157.163] 502 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257497; rev:1;)
alert tcp $HOME_NET any -> [42.157.163.42] 10001 (msg:"ThreatFox Xtreme
RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257496; rev:1;)
# url rule (one entry): client-to-server HTTP on an established flow, method
# buffer contains GET, http.uri begins with /a80d985c.php (depth:13, nocase)
# and http.host is exactly a0943092.xsph.ru (depth:16 plus isdataat:!1,relative).
# The URI content has no end anchor, so a longer path or a query string after
# the prefix still matches. This rule has no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a80d985c.php"; depth:13; nocase; http.host; content:"a0943092.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257495; rev:1;)
# ip:port entries at confidence_level 80 (Meterpreter, DCRat, Havoc). Header-only
# match on destination address and port, limited to one alert per source per
# 60 seconds. 172.207.236.31 is also listed on port 8848 under sid:91257062 with
# confidence_level 50.
alert tcp $HOME_NET any -> [152.42.139.235] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257494; rev:1;)
alert tcp $HOME_NET any -> [8.130.69.96] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257493; rev:1;)
alert tcp $HOME_NET any -> [172.207.236.31] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257492; rev:1;)
alert tcp $HOME_NET any -> [44.222.74.172] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1257491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257491; rev:1;)
# ip:port entries with mixed confidence: Havoc at 80, Bashlite at 75, Mirai at
# 100. The confidence value is repeated in msg and in metadata, so it can be
# used for filtering or prioritising without parsing the message text.
# Matching is on destination address and port only; one alert per source per
# 60 seconds for each sid.
# 45.125.66.100 is listed here on port 61192 and again on port 38241 under
# sid:91257072.
alert tcp $HOME_NET any -> [103.249.112.105] 8181 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257490; rev:1;)
alert tcp $HOME_NET any -> [13.82.179.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257489; rev:1;)
alert tcp $HOME_NET any -> [89.190.156.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257203; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.100] 61192 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257459; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.2] 1883 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257460; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.3] 1883 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257461; rev:1;)
# ip:port entries, confidence_level 100: one Mirai endpoint followed by Cobalt
# Strike endpoints. The rules differ only in address, port, msg family, ThreatFox
# reference and sid; detection logic is identical (header match plus a
# per-source 60-second alert limit).
# An alert on a port-80 entry needs flow or HTTP logs from the same source to
# tell what was actually requested.
alert tcp $HOME_NET any -> [62.72.185.14] 17912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257483; rev:1;)
alert tcp $HOME_NET any -> [47.245.94.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257488; rev:1;)
alert tcp $HOME_NET any -> [47.236.172.59] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257487; rev:1;)
alert tcp $HOME_NET any -> [47.236.96.178] 5055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257486; rev:1;)
alert tcp $HOME_NET any -> [47.76.92.216] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15;
classtype:trojan-activity; sid:91257485; rev:1;)
# Cobalt Strike ip:port entries, confidence_level 100. Header-only match from
# $HOME_NET to the bracketed address and port; at most one alert per source
# address per 60 seconds for each sid.
# 124.71.69.101 is listed on two ports (443 and 22222) under separate sids, so
# one host contacting both ports produces two distinct alerts.
alert tcp $HOME_NET any -> [8.219.228.10] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257484; rev:1;)
alert tcp $HOME_NET any -> [124.71.69.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257481; rev:1;)
alert tcp $HOME_NET any -> [124.71.69.101] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257482; rev:1;)
alert tcp $HOME_NET any -> [117.78.11.237] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257480; rev:1;)
alert tcp $HOME_NET any -> [60.204.151.207] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257479; rev:1;)
alert tcp $HOME_NET any -> [123.56.235.29] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257217; rev:1;)
# Cobalt Strike ip:port entries, confidence_level 100, first_seen 2024_04_15.
# The rules carry no flow keyword, so they are evaluated per packet; the
# threshold (type limit, track by_src, 60 seconds, count 1) is what keeps a
# single connection from producing an alert for every packet.
# Direction is fixed by the header: only $HOME_NET -> listed address is matched,
# not traffic arriving from that address.
alert tcp $HOME_NET any -> [118.178.195.229] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257216; rev:1;)
alert tcp $HOME_NET any -> [101.201.70.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257215; rev:1;)
alert tcp $HOME_NET any -> [47.120.41.137] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257214; rev:1;)
alert tcp $HOME_NET any -> [47.113.150.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257213; rev:1;)
alert tcp $HOME_NET any -> [39.100.120.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257212; rev:1;)
alert
tcp $HOME_NET any -> [8.137.108.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257210; rev:1;)
# Cobalt Strike ip:port entries, confidence_level 100. 8.137.108.208 is listed
# on port 80 (the rule completed on the line above this comment) and on port
# 8000 (first rule below).
# Header-only match; one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [8.137.108.208] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257211; rev:1;)
alert tcp $HOME_NET any -> [8.134.80.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257209; rev:1;)
alert tcp $HOME_NET any -> [8.130.30.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257208; rev:1;)
# VBREVSHELL ip:port entries, confidence_level 100; every VBREVSHELL entry in
# this part of the file uses destination port 8082.
alert tcp $HOME_NET any -> [47.120.58.214] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257206; rev:1;)
alert tcp $HOME_NET any -> [59.110.18.123] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1257207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257207; rev:1;)
# VBREVSHELL ip:port entries (three rules), confidence_level 100, all on port
# 8082. Header-only match, one alert per source per 60 seconds.
# 193.112.85.116 is listed here on 8082 and again on port 9999 as Cobalt Strike
# under sid:91257200.
alert tcp $HOME_NET any -> [1.94.120.249] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257204; rev:1;)
alert tcp $HOME_NET any -> [8.130.24.188] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257205; rev:1;)
alert tcp $HOME_NET any -> [193.112.85.116] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257202; rev:1;)
# domain rules (two entries): the content is matched in the dns_query buffer
# with depth equal to the name length and isdataat:!1,relative, so only a query
# for exactly that name matches (nocase); a query for a subdomain such as
# www.<name> does not. These rules have no threshold keyword, so every matching
# query from $HOME_NET alerts.
# The alert source is whichever host sent the query to $EXTERNAL_NET; where
# clients use an internal resolver that may be the resolver, not the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonic-gif.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonic-gif3332.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257199; rev:1;)
alert tcp $HOME_NET any ->
[185.73.125.50] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 70%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257201/; target:src_ip; metadata: confidence_level 70, first_seen 2024_04_15; classtype:trojan-activity; sid:91257201; rev:1;)
# ip:port entries, confidence_level 100: Cobalt Strike endpoints and one MooBot
# endpoint. (The rule completed on the line above is a confidence_level 70
# NetSupportManager RAT entry.)
# 193.112.85.116:9999 below is the same address that sid:91257202 lists on port
# 8082 as VBREVSHELL, so one destination can carry more than one family label.
# Header-only match; one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [193.112.85.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257200; rev:1;)
alert tcp $HOME_NET any -> [175.178.232.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257197; rev:1;)
alert tcp $HOME_NET any -> [175.27.133.246] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257196; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.103] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257191; rev:1;)
alert tcp $HOME_NET any -> [152.136.43.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1257194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257194; rev:1;)
# Cobalt Strike ip:port entries (three rules), confidence_level 100.
# 152.136.43.210 is listed on port 80 (rule completed above) and port 8888.
# Header-only match; one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [152.136.43.210] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257195; rev:1;)
alert tcp $HOME_NET any -> [111.230.12.198] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257193; rev:1;)
alert tcp $HOME_NET any -> [81.70.91.34] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257192; rev:1;)
# url rules labelled "payload delivery" rather than "botnet C2": a hit means an
# internal client requested the listed URL. The rule does not inspect the
# response, so check HTTP or file logs to see whether anything was returned.
# http.host must equal carlaweishale.com exactly (depth:17 plus
# isdataat:!1,relative); http.uri only has to begin with the listed path
# (depth, nocase, no end anchor). No threshold keyword: every matching request
# alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1257189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257189; rev:1;)
# url rule, "payload delivery": GET with http.uri beginning /df/tt and http.host
# exactly rtattack.baqebei1.online. The 6-byte URI prefix is only meaningful
# together with the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; http.host; content:"rtattack.baqebei1.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257190; rev:1;)
# url rules, "botnet C2", where the host value is an IP literal: they match only
# when the client sent that literal in the Host header. The URI prefixes
# (/jquery-3.3.1.min.js, /match) are not indicators on their own; the exact
# http.host match is what ties the request to the IOC.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.71.136.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257186; rev:1;)
# ip:port entry (one rule), Bashlite, confidence_level 75: header-only match,
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [205.185.121.20] 5386 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257084/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"2.58.95.100"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257174; rev:1;)
# url rules (three below), confidence_level 50: GET with http.uri beginning
# /login (depth:6, nocase, no end anchor, so /login?x or /login.php also match)
# and http.host exactly equal to the listed IP literal.
# /login is a generic path; the detection depends on the host match. The same
# addresses are also covered by confidence_level 100 ip:port rules in this file
# (for example 93.123.85.53 port 999 under sid:91257179), so the two alert types
# can be read together during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"74.91.116.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"93.123.85.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"93.123.85.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257178; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.53] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257179/; target:src_ip; metadata: confidence_level 100, first_seen
2024_04_15; classtype:trojan-activity; sid:91257179; rev:1;)
# ip:port entries labelled "Unknown malware", confidence_level 100. The feed
# gives no family name, so the alert identifies the endpoint only.
# Every address here also appears as an exact http.host value in the
# confidence_level 50 "/login" url rules (sid:91257172 through sid:91257178),
# on different ports from the ones listed here.
# Header-only match; one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [89.116.236.8] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257182; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.48] 1 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257180; rev:1;)
alert tcp $HOME_NET any -> [167.114.127.89] 5214 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257181; rev:1;)
alert tcp $HOME_NET any -> [2.58.95.100] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257183; rev:1;)
alert tcp $HOME_NET any -> [74.91.116.85] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257184; rev:1;)
alert tcp $HOME_NET any -> [209.141.60.189] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold:
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257185; rev:1;)
# url rules (three below), confidence_level 50: GET, http.uri begins with /login
# (prefix match, nocase), http.host exactly equals the listed IP literal.
# These rules have no threshold keyword, so repeated requests from one client
# alert each time. Each host also has a confidence_level 100 ip:port rule in
# this file (167.114.127.89 port 5214, 89.116.236.8 port 1337, 209.141.60.189
# port 666).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"167.114.127.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"89.116.236.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"209.141.60.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257177; rev:1;)
# Mirai ip:port entries on destination port 38241, confidence_level 100; the run
# of port-38241 entries continues on the following lines.
alert tcp $HOME_NET any -> [85.204.116.22] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257071; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.100] 38241 (msg:"ThreatFox Mirai botnet C2
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257072; rev:1;)
# Mirai ip:port entries, confidence_level 100, all on destination port 38241.
# Each address has its own sid, so a host that contacts several of them
# produces one alert per address (each limited to one per 60 seconds per
# source). Grouping alerts by source address shows the affected device more
# clearly than reading sids one at a time.
alert tcp $HOME_NET any -> [5.181.80.60] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257073; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.206] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257074; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.140] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257075; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.61] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257076; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.189] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity;
sid:91257077; rev:1;)
# Mirai ip:port entries, confidence_level 100. The five rules below use
# destination port 38241; the rule that starts at the end of this line
# (99.195.249.124) uses port 3778.
# Header-only match from $HOME_NET; no flow or content keyword, so the alert
# records that traffic was sent to the endpoint and nothing about its content.
alert tcp $HOME_NET any -> [62.72.185.15] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257078; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.38] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257079; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.90] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257080; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.42] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257081; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.21] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257082; rev:1;)
alert tcp $HOME_NET any -> [99.195.249.124] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1257083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257083; rev:1;)
# ip:port entry, STRRAT, confidence_level 100. 103.35.191.158 is listed here on
# port 586 and again on port 4414 under sid:91257065.
alert tcp $HOME_NET any -> [103.35.191.158] 586 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257070; rev:1;)
# url rule and ip:port rule for the same endpoint, 23.95.254.136. The url rule
# needs a GET whose http.uri begins with /load and whose http.host is exactly
# that IP literal; the ip:port rule fires on any TCP traffic from $HOME_NET to
# port 80 of that address. One request to that host on port 80 can therefore
# raise both sids; the url alert is the more specific of the two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.95.254.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257068; rev:1;)
alert tcp $HOME_NET any -> [23.95.254.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257069; rev:1;)
# Remcos ip:port entries for one address, 104.219.239.56, with different
# confidence per port: port 1989 at confidence_level 75 and port 3956 at
# confidence_level 100.
alert tcp $HOME_NET any -> [104.219.239.56] 1989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257067; rev:1;)
alert tcp $HOME_NET any -> [104.219.239.56] 3956 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity;
sid:91257066; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 4414 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257065; rev:1;) alert tcp $HOME_NET any -> [98.66.160.134] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257064; rev:1;) alert tcp $HOME_NET any -> [45.63.56.64] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257063; rev:1;) alert tcp $HOME_NET any -> [172.207.236.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257062; rev:1;) alert tcp $HOME_NET any -> [151.48.171.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257061; rev:1;) alert tcp $HOME_NET any -> [87.110.49.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257060/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257060; rev:1;)
# ip:port indicators (sid 91257059 down to 91257055), one rule per line.
# Each header pins a single destination address and port and the rule body has
# no content, flow or flags keyword, so any TCP packet from $HOME_NET to that
# endpoint matches, including a SYN that is never answered. An alert therefore
# records a connection attempt, not a confirmed C2 session; corroborate it with
# flow or endpoint data before acting on the source host.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds; it does not narrow what matches.
# Every complete rule in this run carries confidence_level 50 in its metadata.
alert tcp $HOME_NET any -> [16.163.57.246] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257059; rev:1;)
# Destination port 445 is the SMB port.
# NOTE(review): egress to 445 is often filtered at the perimeter; confirm the
# sensor sits where this traffic would be visible before relying on this sid.
alert tcp $HOME_NET any -> [172.104.25.254] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257058; rev:1;)
alert tcp $HOME_NET any -> [163.181.130.93] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257057; rev:1;)
# The next two rules name no malware family ("Unknown malware") and share
# destination port 7443; the address and port are the only match criteria.
alert tcp $HOME_NET any -> [34.16.198.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257056; rev:1;)
alert tcp $HOME_NET any -> [61.162.223.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257055; rev:1;)
alert tcp $HOME_NET any -> [95.216.176.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257054; rev:1;)
# Vidar ip:port indicators. The header (one destination address and port) is
# the whole match: there is no content, flow or flags keyword, so a single TCP
# packet to the endpoint, including an unanswered SYN, raises the alert.
# The threshold keeps output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [65.109.140.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257050; rev:1;)
alert tcp $HOME_NET any -> [116.202.185.144] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257051; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.230] 5342 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257052; rev:1;)
alert tcp $HOME_NET any -> [95.216.176.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257053; rev:1;)
# URL indicators whose path is "/". How the http rules in this run match:
#  - http.method must contain "GET".
#  - http.uri content "/" with depth:1 only requires the path to begin with
#    "/", so the URI test adds little and the rule is in practice keyed on the
#    Host value.
#  - http.host content with depth equal to the literal's length, followed by
#    isdataat:!1,relative, requires the Host value to be exactly that string.
#  - nocase follows the http.uri content and applies to it; the http.host
#    content has none.
#  - There is no threshold keyword, so every matching request alerts.
# The msg of these rules names no malware family.
# NOTE(review): the http.* buffers are filled only when Suricata parses
# cleartext HTTP. If these hosts are reached over TLS on 443, only the ip:port
# rules for the same addresses can fire; confirm against captured traffic.
# NOTE(review): 159.69.26.61 has no ip:port rule among the rules in this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.26.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257048; rev:1;)
alert tcp $HOME_NET any -> [157.90.25.39] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257049; rev:1;)
# The six http rules below use the same addresses as the Vidar ip:port rules
# above (95.216.176.5, 95.216.176.100, 95.217.28.230, 116.202.185.144,
# 65.109.140.8, 157.90.25.39). The http rules accept any destination port, so a
# cleartext request to one of those hosts on the listed port raises two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.140.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.90.25.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257042; rev:1;)
# This path is specific (21 bytes anchored at the start of the URI). Nothing
# anchors the end of the URI, so longer paths and query strings that begin with
# the same bytes also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/0699921091"; depth:21; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257041; rev:1;)
# AsyncRAT ip:port indicator at confidence_level 75; header-only match as for
# the Vidar ip:port rules above.
alert tcp $HOME_NET any -> [173.211.46.114] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257040; rev:1;)
alert tcp $HOME_NET any -> [173.211.46.114] 7707 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257039; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bordersoarmanusjuw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"entitlementappwo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"economicscreateojsu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pushjellysingeywus.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"suitcaseacanehalk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"absentconvicsjawun.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mealplayerpreceodsju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wifeplasterbakewis.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257007; rev:1;)
# Domain indicators (sid 91257008 to 91257014), one rule per line.
#  - dns_query is the legacy spelling of the dns.query sticky buffer; the
#    content that follows is matched against the queried name.
#  - depth equals the literal's length and isdataat:!1,relative forbids any
#    byte after it, so only a query for exactly this name matches. A query for
#    a subdomain of the same name does not.
#  - nocase makes the name comparison case-insensitive.
#  - There is no threshold keyword, so every matching query raises an alert,
#    unlike the ip:port rules, which are limited to one per source per 60 s.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET and target is src_ip.
# Where clients resolve through an internal recursive resolver, the source seen
# here is presumably the resolver rather than the infected host; confirm sensor
# placement, or pair these sids with resolver query logs to find the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bordersoarmanusjuw.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"entitlementappwo.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"economicscreateojsu.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pushjellysingeywus.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absentconvicsjawun.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitcaseacanehalk.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mealplayerpreceodsju.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257014; rev:1;)
# Mirai ip:port indicators. The header (destination address and port) is the
# whole match: no content, flow or flags keyword is present, so a single TCP
# packet to the endpoint is enough to alert, limited to one alert per source
# address per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [35.198.149.52] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257026; rev:1;)
alert tcp $HOME_NET any -> [198.12.124.76] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257028; rev:1;)
alert tcp $HOME_NET any -> [104.168.45.11] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257029/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257029; rev:1;) alert tcp $HOME_NET any -> [185.216.70.168] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257027; rev:1;) alert tcp $HOME_NET any -> [172.245.119.70] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257030; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wifeplasterbakewis.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257015; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17170 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257016; rev:1;) alert tcp $HOME_NET any -> [93.123.85.167] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257017; rev:1;)
# ip:port indicators, one rule per line. Each rule matches on the destination
# address and port alone (no content, flow or flags keyword), so any TCP packet
# from $HOME_NET to the endpoint alerts, at most once per source address per
# 60 seconds because of the threshold.
alert tcp $HOME_NET any -> [203.145.46.240] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257024; rev:1;)
alert tcp $HOME_NET any -> [172.245.119.63] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257031; rev:1;)
# NOTE(review): 172.67.156.11 appears to sit in a shared CDN range (Cloudflare
# lists 172.64.0.0/13); confirm. If so, this header matches port-80 traffic to
# every site served from that address, not only the reported panel, and the
# indicator is confidence_level 75. Treat hits as a lead to correlate with a
# host- or URL-level indicator, and do not block on this address alone.
alert tcp $HOME_NET any -> [172.67.156.11] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257035; rev:1;)
alert tcp $HOME_NET any -> [5.39.43.50] 8096 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257037; rev:1;)
# URL indicator: GET, URI beginning with the 31-byte path below (depth:31
# anchors it at the start, nocase applies to the path), and a Host value that
# is exactly the 22-byte name (depth:22 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toprocessordlelocalprivate.php"; depth:31; nocase; http.host; content:"276261cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257036/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_local.php"; depth:11; nocase; http.host; content:"967183cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/720637"; depth:17; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257033; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 1919 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_pollpacketmultitesttrackdletemporary.php"; depth:42; nocase; http.host; content:"330745cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01525576.php"; depth:13; nocase; http.host; content:"a0940040.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257022; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257021; rev:1;) alert tcp $HOME_NET any -> [41.248.119.194] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257020; rev:1;) alert tcp $HOME_NET any -> [165.232.123.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"165.232.123.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257018; rev:1;) alert tcp $HOME_NET any -> [206.189.246.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256999; rev:1;) alert tcp $HOME_NET any -> [170.64.197.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256998; rev:1;) alert tcp $HOME_NET any -> [167.179.109.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256997; rev:1;) alert tcp $HOME_NET any -> [96.237.16.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256996; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256995; rev:1;) alert tcp $HOME_NET any -> [101.99.94.224] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; 
sid:91256994; rev:1;) alert tcp $HOME_NET any -> [163.181.142.96] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256993; rev:1;) alert tcp $HOME_NET any -> [18.181.61.11] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256992; rev:1;) alert tcp $HOME_NET any -> [193.233.132.217] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256745/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.37.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256744; rev:1;) alert tcp $HOME_NET any -> [186.102.175.129] 1114 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256743; rev:1;) alert tcp $HOME_NET any -> [94.228.162.55] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256742; rev:1;) alert tcp $HOME_NET any -> [103.237.86.195] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256737; rev:1;) alert tcp $HOME_NET any -> [93.123.39.73] 400 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256740; rev:1;) alert tcp $HOME_NET any -> [87.246.7.66] 52154 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256738; rev:1;) alert tcp $HOME_NET any -> [203.145.46.240] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/requestcpu/generatorgame/datalife02/processorserver/proton/9/centraltemp/pythontrafficvideo/4sqlserver/dbcentral7/6privatepython/1dle1/wpdle1track/62wordpress/datalife/externalexternalvoiddb/video53base/uploadsdatalife1pipe/requestlongpollflower/php_requestapiprotectwindowsasyncdatalife.php"; depth:292; nocase; http.host; content:"79.174.94.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256741; rev:1;) alert tcp $HOME_NET any -> [23.227.196.15] 23461 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"salaamt.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mzile.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inspirestudiosteam.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256723/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; 
classtype:trojan-activity; sid:91256723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neweatz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purpleflowers.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sam.coffin-jazzed.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256728/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sam.coinmarketcap-tm.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256729/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tunel.oracle-panel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"svma.arcovip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elated-black.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"infallible-lichterman.45-141-215-173.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"great-golick.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"carte-vitale-assurance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256719; rev:1;) alert tcp $HOME_NET any -> [192.53.123.224] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"al.salaamt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ams-k-node1.vleo.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bnd-servers.komakhazine.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sharp-hugle.45-141-215-173.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stupefied-germain.45-141-215-173.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1256731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.elated-black.45-141-215-173.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256734/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.infallible-lichterman.45-141-215-173.plesk.page"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256715; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 77 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; 
depth:22; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256713; rev:1;) alert tcp $HOME_NET any -> [185.173.38.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256711; rev:1;) alert tcp $HOME_NET any -> [46.101.4.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256710; rev:1;) alert tcp $HOME_NET any -> [46.246.82.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256709; rev:1;) alert tcp $HOME_NET any -> [108.34.181.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256708; rev:1;) alert tcp $HOME_NET any -> [119.96.91.140] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256707; 
rev:1;) alert tcp $HOME_NET any -> [125.73.208.34] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256706; rev:1;) alert tcp $HOME_NET any -> [82.197.65.180] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256705; rev:1;) alert tcp $HOME_NET any -> [39.145.65.102] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256704; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 31774 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256703; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 76 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256702/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unotree.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1256655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256655; rev:1;) alert tcp $HOME_NET any -> [198.46.177.144] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256676; rev:1;) alert tcp $HOME_NET any -> [176.123.1.215] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256674; rev:1;) alert tcp $HOME_NET any -> [91.92.251.238] 5366 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256675; rev:1;) alert tcp $HOME_NET any -> [85.195.79.166] 9981 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256677; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17231 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256692; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17231 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256693; rev:1;)
# NOTE(review): tcp.eu.ngrok.io is a hostname of the ngrok tunnelling service and is
# shared by all of its users, so the next rule (sid:91256695) fires on any lookup of
# that name, not only on traffic from the reported sample. dns_query with depth:15 and
# isdataat:!1,relative is an exact-name match. Triage hits by source host and
# originating process before treating them as C2; if tunnelling services are not
# permitted on the network, a separate policy rule is a better fit than this IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tcp.eu.ngrok.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256695/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256695; rev:1;)
alert tcp $HOME_NET any -> [94.156.10.76] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256685; rev:1;)
# Exact-name DNS match (depth equals the content length, isdataat:!1,relative rejects
# trailing data): other labels under nextoneup.shop do not trigger this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rsx.nextoneup.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256690; rev:1;)
# The ip:port rules below have no flow or payload keywords: any TCP packet from
# $HOME_NET to the listed address and port matches, and the threshold caps output at
# one alert per source address per 60 seconds for each rule.
alert tcp $HOME_NET any -> [176.123.1.215] 7777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256682; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.185] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14;
classtype:trojan-activity; sid:91256686; rev:1;) alert tcp $HOME_NET any -> [37.44.238.94] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256689; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15640 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256694; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15019 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256696/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256696; rev:1;) alert tcp $HOME_NET any -> [46.147.123.30] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256700/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256700; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256701; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256699; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256698; rev:1;) alert tcp $HOME_NET any -> [41.249.48.248] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0917747.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30257e4c371b49a4.php"; depth:21; nocase; http.host; content:"192.121.87.173"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1256687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256687; rev:1;) alert tcp $HOME_NET any -> [147.45.47.102] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256684; rev:1;) alert tcp $HOME_NET any -> [147.45.47.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2betterpacket/proton/7voiddbcpu2/longpoll5/5testjsmulti/packet/pollprivate.php"; depth:79; nocase; http.host; content:"109.107.182.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256681; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; 
content:"172.23.87.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256679; rev:1;)
# NOTE(review): the http.host value of sid:91256679 (the rule that ends on the line
# above) is 172.23.87.137, which lies inside 172.16.0.0/12 (RFC 1918 private space).
# The rule header is $HOME_NET -> $EXTERNAL_NET, so where HOME_NET covers the RFC 1918
# ranges and EXTERNAL_NET is its negation, a direct connection to that address is not
# evaluated by this rule. A private address is also not unique across networks, so
# treat a hit as a lead to verify, not as confirmed C2. Presumably the indicator was
# captured from a lab or internal host - confirm against the ThreatFox reference.
#
# In the next rule http.uri is anchored at the start only (depth:36), so longer paths
# and query strings after the listed prefix still match; http.host is an exact match.
# Rules of protocol http see cleartext HTTP only, unless TLS is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlongpollservermultidbwp.php"; depth:36; nocase; http.host; content:"89.23.98.225"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256678; rev:1;)
alert tcp $HOME_NET any -> [34.88.143.155] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256673; rev:1;)
# NOTE(review): the ip:port rules below carry no flow or payload keywords; any TCP
# packet from $HOME_NET to the listed address and port matches, limited to one alert
# per source address per 60 seconds. At confidence_level 50 on port 80 the address may
# be shared with unrelated services or have been reassigned since first_seen
# 2024_04_13 - corroborate with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [188.120.240.143] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256672; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.227] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256671; rev:1;)
alert tcp $HOME_NET any -> [47.242.4.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1256670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256670; rev:1;) alert tcp $HOME_NET any -> [122.114.26.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256669; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256668; rev:1;) alert tcp $HOME_NET any -> [78.189.79.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256667; rev:1;) alert tcp $HOME_NET any -> [130.43.60.51] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256666; rev:1;) alert tcp $HOME_NET any -> [143.198.137.33] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256665; rev:1;) alert tcp $HOME_NET any -> [4.236.52.255] 80 (msg:"ThreatFox Responder botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256664; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256663; rev:1;) alert tcp $HOME_NET any -> [167.114.90.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256662; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20010 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256661; rev:1;) alert tcp $HOME_NET any -> [89.22.182.206] 1720 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256660; rev:1;) alert tcp $HOME_NET any -> [198.90.21.114] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256659; 
rev:1;) alert tcp $HOME_NET any -> [94.198.54.202] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256658; rev:1;) alert tcp $HOME_NET any -> [172.111.137.180] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.220.148.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256656; rev:1;) alert tcp $HOME_NET any -> [94.156.79.32] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256654; rev:1;) alert tcp $HOME_NET any -> [94.156.79.32] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"43.142.183.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256652; rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for this section (rules are laid out one per line below).
#
# Three rule shapes appear here:
#   * "alert tcp ... -> [ip] port": header-only match. There is no flow or
#     content keyword, so any TCP packet from $HOME_NET to that address and
#     port qualifies, including connection attempts that never complete.
#     "threshold: type limit, track by_src, seconds 60, count 1" caps output at
#     one alert per source address per 60 seconds for each rule.
#   * "alert dns": the query name must equal the content exactly. depth is set
#     to the content length and isdataat:!1,relative requires that nothing
#     follows the match; nocase makes the comparison case-insensitive.
#   * "alert http": GET requests only. The http.uri match is anchored at the
#     start of the URI by depth but not at the end, so longer URIs that begin
#     with the same path also match. The http.host match is exact, using the
#     same depth + isdataat:!1,relative pairing as the DNS rules.
#
# target:src_ip marks the $HOME_NET side as the affected host in the event.
# metadata carries the ThreatFox confidence_level and first_seen date.
# first_seen is when the indicator was first reported, not proof that it is
# still active; check the reference URL before acting on a hit, especially
# for the address-only rules and for entries with confidence_level 50.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerddos.x3322.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256477; rev:1;)
# A subdomain and its parent are listed as separate rules (here and for
# 3dtuts.by further down) because each DNS rule matches one exact name;
# other subdomains of the same parent are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ua.tispy.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tispy.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"boloneser.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256467/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"mulaktix.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"munison.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"udefano.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brb.3dtuts.by"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3dtuts.by"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256472; rev:1;)
alert tcp $HOME_NET any -> [2.58.113.208] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256476/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256476; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.73] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256475/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256475; rev:1;)
alert tcp $HOME_NET any -> [41.249.108.177] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagejshttpgeocpugamebigloadsqlwp.php"; depth:38; nocase; http.host; content:"77.221.158.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256473; rev:1;)
alert tcp $HOME_NET any -> [136.243.179.5] 1414 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256466; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.237] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256465/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256465; rev:1;)
alert tcp $HOME_NET any -> [159.69.26.61] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256464; rev:1;)
alert tcp $HOME_NET any -> [159.69.26.61] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256463; rev:1;)
alert tcp $HOME_NET any -> [13.232.156.210] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256462; rev:1;)
alert tcp $HOME_NET any -> [162.33.178.156] 3122 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256459; rev:1;)
alert tcp $HOME_NET any -> [27.25.156.47] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256458; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.93] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256457; rev:1;)
# Some addresses appear both as an http.host match and as an ip:port rule
# (for example 165.232.75.251 and 118.194.233.185 below), so traffic to one
# server can raise alerts under more than one sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"165.232.75.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256455; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.93] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256454; rev:1;)
alert tcp $HOME_NET any -> [128.199.178.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256452; rev:1;)
alert tcp $HOME_NET any -> [165.232.75.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256453; rev:1;)
alert tcp $HOME_NET any -> [8.137.84.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256450; rev:1;)
alert tcp $HOME_NET any -> [1.94.120.249] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256451; rev:1;)
alert tcp $HOME_NET any -> [1.117.60.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256447; rev:1;)
alert tcp $HOME_NET any -> [101.35.173.226] 12306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256448; rev:1;)
alert tcp $HOME_NET any -> [8.130.52.13] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256449; rev:1;)
alert tcp $HOME_NET any -> [110.42.102.204] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256439; rev:1;)
alert tcp $HOME_NET any -> [177.255.88.116] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256440; rev:1;)
alert tcp $HOME_NET any -> [207.32.217.79] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256441; rev:1;)
alert tcp $HOME_NET any -> [187.135.85.223] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256442; rev:1;)
alert tcp $HOME_NET any -> [187.135.85.223] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256443; rev:1;)
alert tcp $HOME_NET any -> [187.135.85.223] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256444; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qingfengddos.x3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256445; rev:1;)
alert tcp $HOME_NET any -> [89.23.102.165] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256438; rev:1;)
alert tcp $HOME_NET any -> [118.194.233.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mcnodes.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256351; rev:1;)
# The four "/xmlrpc.php" rules (sids 91256352 to 91256355) carry
# confidence_level 60. /xmlrpc.php is the path WordPress uses for its XML-RPC
# endpoint, so these hosts may be otherwise legitimate sites (assumption;
# confirm against the ThreatFox entry). Because the URI match is a prefix
# match on GET, any GET to that path on the listed host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gemak.mk"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256354/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256354; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.185] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shodo.cosavostra.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256352/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themetorrent.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256353/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wct-witcom.nl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256355/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samsunguniverse.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256434; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.8] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256416; rev:1;)
alert tcp $HOME_NET any -> [193.176.190.43] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auyametemplanza.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256210; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.101] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256435; rev:1;)
# The confidence_level 50 ip:port entries that follow match on address and
# port alone, several of them on 80 or 443. Treat a hit as a lead to
# corroborate (DNS, proxy or endpoint telemetry for the same host and time)
# rather than as confirmation of infection.
alert tcp $HOME_NET any -> [77.221.149.184] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256432; rev:1;)
alert tcp $HOME_NET any -> [77.221.149.184] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256433; rev:1;)
alert tcp $HOME_NET any -> [116.255.216.145] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256431; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256430; rev:1;)
alert tcp $HOME_NET any -> [43.249.193.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256429; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.102] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256428; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256427; rev:1;)
alert tcp $HOME_NET any -> [49.235.117.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256426; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256425; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.18] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256424; rev:1;)
alert tcp $HOME_NET any -> [189.140.26.156] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256423; rev:1;)
alert tcp $HOME_NET any -> [143.198.137.33] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256422; rev:1;)
alert tcp $HOME_NET any -> [66.78.40.230] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256421; rev:1;)
alert tcp $HOME_NET any -> [157.230.66.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256420; rev:1;)
alert tcp $HOME_NET any -> [163.181.142.111] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256419; rev:1;)
alert tcp $HOME_NET any -> [116.203.6.63] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256418; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.134] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256417; rev:1;)
alert tcp $HOME_NET any -> [47.100.180.123] 56616 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256415; rev:1;)
alert tcp $HOME_NET any -> [124.89.53.26] 1010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256414; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.203] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256413; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.203] 2047 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256412; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.203] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256411; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.203] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256410; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256409; rev:1;)
alert tcp $HOME_NET any -> [43.138.0.70] 10002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256408; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.12] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256407; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.17] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256406; rev:1;)
alert tcp $HOME_NET any -> [193.233.232.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256405; rev:1;)
alert tcp $HOME_NET any -> [178.33.57.150] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256404; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.144] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256403; rev:1;)
alert tcp $HOME_NET any -> [98.181.129.31] 443 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256402; rev:1;)
# From here on the first_seen date is 2024_04_12.
alert tcp $HOME_NET any -> [185.241.208.113] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91256401; rev:1;)
alert tcp $HOME_NET any -> [212.52.1.40] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256399; rev:1;)
alert tcp $HOME_NET any -> [212.52.1.40] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256398; rev:1;)
alert tcp $HOME_NET any -> [142.202.189.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256397; rev:1;)
alert tcp $HOME_NET any -> [103.74.192.103] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256396; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256395; rev:1;)
alert tcp $HOME_NET any -> [52.185.161.226] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256394; rev:1;)
alert tcp $HOME_NET any -> [162.33.178.99] 4567 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256393; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.2] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256392; rev:1;)
alert tcp $HOME_NET any -> [92.251.131.147] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256391; rev:1;)
alert tcp $HOME_NET any -> [23.93.176.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256390; rev:1;)
alert tcp $HOME_NET any -> [41.99.19.206] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256389; rev:1;)
# The next two rules use destination port 445 (SMB). Outbound SMB from
# $HOME_NET to Internet addresses is worth denying at the egress firewall
# independently of this indicator list; where it is denied, these rules only
# see traffic if the sensor sits inside that control.
alert tcp $HOME_NET any -> [213.175.37.212] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256388; rev:1;)
alert tcp $HOME_NET any -> [67.207.68.224] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256387; rev:1;)
alert tcp $HOME_NET any -> [104.131.187.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256386; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.77] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256385; rev:1;)
alert tcp $HOME_NET any -> [47.93.222.174] 27000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256384; rev:1;)
alert tcp $HOME_NET any -> [45.63.120.203] 57483 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256383; rev:1;)
alert tcp $HOME_NET any -> [120.78.83.129] 30050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256382; rev:1;)
alert tcp $HOME_NET any -> [107.172.133.197] 16696 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256381; rev:1;)
alert tcp $HOME_NET any -> [103.164.49.176] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256380; rev:1;)
alert tcp $HOME_NET any -> [116.204.42.20] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256379; rev:1;)
alert tcp $HOME_NET any -> [202.79.168.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256378; rev:1;)
alert tcp $HOME_NET any -> [187.135.145.47] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256377; rev:1;)
alert tcp $HOME_NET any -> [194.48.251.136] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256376; rev:1;)
alert tcp $HOME_NET any -> [185.185.71.5] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256375; rev:1;)
alert tcp $HOME_NET any -> [38.181.78.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256374; rev:1;)
alert tcp $HOME_NET any -> [42.51.37.127] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256373; rev:1;)
alert tcp $HOME_NET any -> [42.51.37.127] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256372; rev:1;)
alert tcp $HOME_NET any -> [47.97.113.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256371; rev:1;) alert tcp $HOME_NET any -> [2.58.56.221] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256370; rev:1;) alert tcp $HOME_NET any -> [77.221.151.10] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256369; rev:1;) alert tcp $HOME_NET any -> [217.195.207.156] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256368; rev:1;) alert tcp $HOME_NET any -> [185.141.61.74] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256367; rev:1;) alert tcp $HOME_NET any -> [178.20.45.159] 7777 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256366; rev:1;) alert tcp $HOME_NET any -> 
[173.44.50.82] 4433 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256365; rev:1;) alert tcp $HOME_NET any -> [46.226.162.32] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256364; rev:1;) alert tcp $HOME_NET any -> [94.158.245.206] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256363; rev:1;) alert tcp $HOME_NET any -> [45.15.158.144] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256362; rev:1;) alert tcp $HOME_NET any -> [49.13.125.250] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256361; rev:1;) alert tcp $HOME_NET any -> [116.202.186.227] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256360/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256360; rev:1;)
alert tcp $HOME_NET any -> [116.203.15.18] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256359; rev:1;)
alert tcp $HOME_NET any -> [116.202.188.155] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256358; rev:1;)
alert tcp $HOME_NET any -> [3.21.170.65] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256357; rev:1;)
alert tcp $HOME_NET any -> [147.189.168.81] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256356/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256356; rev:1;)
# NOTE(review): the http.uri match here is content:"/" with depth:1 and no end anchor, so any
# request URI that starts with "/" satisfies it. In effect the rule keys on method GET plus
# an exact http.host value (depth:15 with isdataat:!1,relative pins the whole host string).
# The same address is also listed on port 80 by sid 91256358 above, so one cleartext request
# can raise both alerts; this rule has no threshold and alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.188.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256348; rev:1;) alert tcp $HOME_NET any -> [49.13.32.146] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256346; rev:1;) alert tcp $HOME_NET any -> [116.202.188.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256347; rev:1;) alert tcp $HOME_NET any -> [94.156.64.193] 10110 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256204; rev:1;) alert tcp $HOME_NET any -> [206.166.251.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256205; rev:1;) alert tcp $HOME_NET any -> [171.250.188.12] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1256206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256206; rev:1;) alert tcp $HOME_NET any -> [171.250.188.12] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256207; rev:1;) alert tcp $HOME_NET any -> [185.216.70.75] 7771 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256209; rev:1;) alert tcp $HOME_NET any -> [45.128.96.169] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256201; rev:1;) alert tcp $HOME_NET any -> [45.134.225.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256202; rev:1;) alert tcp $HOME_NET any -> [45.134.225.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourserenahelpcustom.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256190; rev:1;) alert tcp $HOME_NET any -> [149.248.79.62] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256191; rev:1;) alert tcp $HOME_NET any -> [84.247.179.77] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256192; rev:1;) alert tcp $HOME_NET any -> [84.247.179.77] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256193; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 17814 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256194; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 34820 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256195/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256195; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 49078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256196; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 6004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256197; rev:1;) alert tcp $HOME_NET any -> [177.60.18.92] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256198; rev:1;) alert tcp $HOME_NET any -> [191.82.205.54] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256199; rev:1;) alert tcp $HOME_NET any -> [191.82.213.14] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"149.248.79.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256186; rev:1;)
# NOTE(review): this rule has the same match conditions as sid 91256186 directly above (GET,
# URI prefix /api/connect, host 149.248.79.62); only the reference and sid differ, so every
# matching request raises two alerts. Presumably the feed lists one URL under two IOC ids
# (for example an http and an https form) — TODO confirm against the referenced entries,
# and dedupe or suppress one sid downstream. An http rule sees only decoded cleartext HTTP;
# TLS traffic to this address falls to the feed's tcp rule for port 443 (sid 91256191).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"149.248.79.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256187; rev:1;)
# NOTE(review): the next two rules (sid 91256188 and sid 91256189) are likewise identical to
# each other apart from reference and sid. The URI match is a prefix match (depth:12, no
# end anchor), so longer paths and query strings under /api/connect also hit. Lookups for the
# same domain are covered separately by the feed's dns rule (sid 91256190).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"yourserenahelpcustom.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"yourserenahelpcustom.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256189; rev:1;)
alert tcp $HOME_NET any -> [41.108.11.112] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256151/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256151; rev:1;) alert tcp $HOME_NET any -> [105.97.37.105] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256152; rev:1;) alert tcp $HOME_NET any -> [176.31.220.92] 1744 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256153; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256154; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256155; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256156; rev:1;) alert tcp $HOME_NET any -> [187.135.122.206] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256157; rev:1;) alert tcp $HOME_NET any -> [187.135.122.206] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256158; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256159; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256160; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256161; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256163; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256162; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256164; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256165; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256166; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256167; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256168; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256169; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256170; rev:1;) alert tcp $HOME_NET any -> [187.135.145.47] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256173; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256171; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256172; rev:1;) alert tcp $HOME_NET any -> 
[187.135.235.218] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256174; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256175; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256176; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256177; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256178; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1757 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256179/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256179; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256180; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256181; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256182; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256183; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256184; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1736 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256185; rev:1;)
# NOTE(review): the url rules that follow share one shape: GET, URI prefix /xmlrpc.php
# (depth:11, no end anchor, so query strings and longer paths also match) and an exact
# http.host. The feed rates them at confidence_level 60 and names no malware family in msg.
# /xmlrpc.php is the stock WordPress XML-RPC path, so these hosts may be compromised
# legitimate sites rather than dedicated infrastructure — TODO confirm against the referenced
# ThreatFox entries, and expect benign hits from ordinary visitors or site tooling. The rules
# carry no threshold, so each matching request produces its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sigortamsaglik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256083/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cosplayboobies.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256084/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arkamaya-grhatama.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256085/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pdfkutub.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256086/; target:src_ip; 
metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"naghsheshahr.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256087/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"theceostory.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256088/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thll.org.tw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256090/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sparo1.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256089/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.estedavivere.it"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256091/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"freshysites.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256092/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.delcas.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256093/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wahlshausen.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256094/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"ticketneedlellc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256095/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thevarsity.ca"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256096/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.dawinmeckel.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256100/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"etisalangy.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256097/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alldaily.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256099/; target:src_ip; metadata: confidence_level 60, first_seen 
2024_04_12; classtype:trojan-activity; sid:91256099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"karmanima.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256098/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vicbros.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256101/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cbseguides.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256102/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"venousmode.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256103/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"slimmerverdienen.nl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256104/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"teachersbadi.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256105/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eaalim.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256106/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"heshamsaad.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256107/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"giantif.com"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256108/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"web-e-reputation.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256109/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"javtape.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256110/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arabfish.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256112/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"itigic.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256111/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; 
sid:91256111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"digibaru.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256113/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sindipetropb.com.br"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256114/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swiatyerby.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256115/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dailysonardesh.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256116/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bokenasetsadra.se"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256117/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lakedistrictbikes.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256118/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"servicesksa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256120/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.balkanyemekleri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256119/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"openaps.org"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1256121/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bookmeacookie.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256122/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"m-melody.jp"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256124/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"measuremarketing.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256123/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ctoasaservice.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256125/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256125; rev:1;) 
# Two rule shapes are interleaved in this stretch.
# url rules (confidence_level 60): client GET, URI anchored at its start to
# the listed path (/xmlrpc.php or /blog/xmlrpc.php) with no end anchor, Host
# matched exactly. No threshold keyword, so each matching request alerts.
# NOTE(review): xmlrpc.php is the default WordPress XML-RPC file name, so
# the listed hosts may be ordinary sites that were abused; corroborate a hit
# before treating it as confirmed C2.
# ip:port rules (AsyncRAT, confidence_level 100): no flow or payload keyword,
# so any TCP packet from $HOME_NET to the listed address and port matches;
# threshold caps output at one alert per source host per 60 seconds.
# In every rule the sid is the digit 9 followed by the ThreatFox IOC id from
# the reference URL, which gives a direct path from an alert to its source
# record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cocbases.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256126/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256126; rev:1;)
alert tcp $HOME_NET any -> [31.124.151.205] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.cmorgan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256127/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256127; rev:1;)
alert tcp $HOME_NET any -> [34.88.143.155] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256129; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.235] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256130; rev:1;)
alert tcp $HOME_NET any
-> [46.246.84.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256131; rev:1;) alert tcp $HOME_NET any -> [51.116.96.182] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256132; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256133; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256134; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256135; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256136/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256136; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256137; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256138; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256139; rev:1;) alert tcp $HOME_NET any -> [157.254.223.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256141; rev:1;) alert tcp $HOME_NET any -> [157.254.223.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256140; rev:1;) alert tcp $HOME_NET any -> [163.172.59.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256142; rev:1;) alert tcp $HOME_NET any -> [167.88.168.110] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256143; rev:1;) alert tcp $HOME_NET any -> [172.111.137.179] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256144; rev:1;) alert tcp $HOME_NET any -> [178.73.218.12] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256145; rev:1;) alert tcp $HOME_NET any -> [179.13.3.18] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256146; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256147; rev:1;) alert 
tcp $HOME_NET any -> [213.195.121.48] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256148; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256149; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256150; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256074; rev:1;) alert tcp $HOME_NET any -> [38.207.178.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256075; rev:1;) alert tcp $HOME_NET any -> [38.207.178.198] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256076; rev:1;) alert tcp $HOME_NET any -> [45.133.238.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256077; rev:1;) alert tcp $HOME_NET any -> [198.244.135.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256078; rev:1;) alert tcp $HOME_NET any -> [198.244.135.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256079; rev:1;) alert tcp $HOME_NET any -> [58.185.25.6] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256080; rev:1;) alert tcp $HOME_NET any -> [185.239.226.11] 7899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256081; rev:1;) alert tcp $HOME_NET any -> [209.58.183.85] 8088 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256082; rev:1;)
# ip:port indicators (Cobalt Strike, confidence_level 100).
# The match is on destination address and port only; there is no flow or
# payload keyword, so any TCP packet from $HOME_NET to the listed endpoint
# alerts, limited by threshold to one alert per source host per 60 seconds.
# NOTE(review): several entries are on ports 80 and 443. If such an address
# also serves unrelated content (shared hosting, reverse proxy), that traffic
# alerts too; confirm with host or proxy telemetry, and check the indicator's
# current status on the referenced ThreatFox page (first_seen 2024_04_12).
alert tcp $HOME_NET any -> [103.146.50.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256067; rev:1;)
alert tcp $HOME_NET any -> [149.28.23.34] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256068; rev:1;)
alert tcp $HOME_NET any -> [111.92.243.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256069; rev:1;)
alert tcp $HOME_NET any -> [170.130.55.121] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256070; rev:1;)
# domain indicator: the DNS query name must equal the listed domain exactly
# (depth:20 plus isdataat:!1,relative, compared with nocase), so a query for
# a subdomain of it does not match this rule. No threshold keyword is set,
# so each matching query alerts.
# NOTE(review): the alert names the host that sent the query. Where clients
# resolve through an internal resolver, the sensor may see the resolver as
# the source; confirm sensor placement relative to DNS before attributing a
# hit to a workstation.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebraska-lawyers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256071; rev:1;)
alert tcp $HOME_NET any -> [23.224.61.93] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256072; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256073; rev:1;)
alert tcp $HOME_NET any -> [117.50.162.108] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256066; rev:1;)
alert tcp $HOME_NET any -> [159.75.92.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256036; rev:1;)
alert tcp $HOME_NET any -> [175.27.166.185] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256038; rev:1;)
alert tcp $HOME_NET any -> [159.75.103.67] 12123 (msg:"ThreatFox Cobalt Strike botnet C2
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256037; rev:1;) alert tcp $HOME_NET any -> [8.134.14.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256039; rev:1;) alert tcp $HOME_NET any -> [8.138.100.71] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256040; rev:1;) alert tcp $HOME_NET any -> [8.138.120.114] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256041; rev:1;) alert tcp $HOME_NET any -> [47.99.56.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256042; rev:1;) alert tcp $HOME_NET any -> [114.55.113.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256047/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_12; classtype:trojan-activity; sid:91256047; rev:1;) alert tcp $HOME_NET any -> [114.55.115.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256048; rev:1;) alert tcp $HOME_NET any -> [118.31.115.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256049; rev:1;) alert tcp $HOME_NET any -> [120.26.169.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256050; rev:1;) alert tcp $HOME_NET any -> [142.93.140.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256052; rev:1;) alert tcp $HOME_NET any -> [104.236.69.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256051; rev:1;) alert tcp $HOME_NET any -> [142.93.140.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256053; rev:1;) alert tcp $HOME_NET any -> [143.198.70.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256054; rev:1;) alert tcp $HOME_NET any -> [157.245.12.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256055; rev:1;) alert tcp $HOME_NET any -> [165.232.123.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256056; rev:1;) alert tcp $HOME_NET any -> [47.242.249.91] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256057; rev:1;) alert tcp $HOME_NET any -> [47.243.59.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256058; rev:1;) alert tcp 
$HOME_NET any -> [43.129.201.38] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antfinancial.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256060; rev:1;) alert tcp $HOME_NET any -> [43.128.3.197] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256061; rev:1;) alert tcp $HOME_NET any -> [43.128.40.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256062; rev:1;) alert tcp $HOME_NET any -> [23.95.47.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256064; rev:1;) alert tcp $HOME_NET any -> [23.95.47.68] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256063; rev:1;) alert tcp $HOME_NET any -> [20.27.144.160] 9002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fabricate/state/rh3kw9xu"; depth:25; nocase; http.host; content:"43.138.208.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256045; rev:1;) alert tcp $HOME_NET any -> [43.138.208.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256046; rev:1;) alert tcp $HOME_NET any -> [172.234.250.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"172.234.250.226"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1256043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256043; rev:1;)
# URL IOC rules at confidence level 60: a GET whose URI begins with /xmlrpc.php
# (case-insensitive prefix) sent to one exact Host value.
# NOTE(review): /xmlrpc.php is the stock WordPress XML-RPC path, so these hosts
# are presumably ordinary third-party sites rather than dedicated infrastructure.
# Treat a hit as a lead to correlate with other evidence, in line with the 60%
# confidence, and check the ThreatFox entry before blocking the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.arton-bv.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256034/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"textis.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256035/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256035; rev:1;)
# ip:port IOC rules at confidence level 50. They match on destination address and
# port alone (no payload, no flow state), rate-limited to one alert per source
# per 60 seconds. At this confidence an alert is a starting point for triage,
# not a verdict on the internal host.
alert tcp $HOME_NET any -> [193.124.113.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256033; rev:1;)
alert tcp $HOME_NET any -> [45.195.54.195] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256032; rev:1;)
alert tcp $HOME_NET any -> [45.195.54.195] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256031; rev:1;)
alert tcp $HOME_NET any -> [45.195.54.195] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"46.183.223.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256029; rev:1;)
alert tcp $HOME_NET any -> [172.94.39.213] 2016 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256028; rev:1;)
alert tcp $HOME_NET any -> [178.73.218.12] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"45.15.156.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255953; rev:1;)
# More /xmlrpc.php URL rules at confidence level 60. They have the same shape as
# the pair at the top of this run: URI prefix match plus exact Host match, GET only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wonderforest.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256007/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nationalviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256008/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"crochetkim.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256009/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.app-gehts.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256011/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"coolskyfood.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256010/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"salamfest.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256012/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"voxpublica.no"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256013/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ambtenarensalaris.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256014/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"besocy.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256015/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"entekhab.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256016/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rkbaienfurt.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256017/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amerac.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256018/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256018; rev:1;)
# Destination port 445 is SMB. A hit on this rule also means that outbound SMB
# from $HOME_NET is reaching an external address.
alert tcp $HOME_NET any -> [165.232.44.213] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256026; rev:1;)
alert tcp $HOME_NET any -> [89.38.225.168] 
4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256025; rev:1;)
# ip:port IOC rules (Havoc, confidence level 50). They match on destination
# address and port only, with no payload or flow-state check, so a single
# outbound packet to the endpoint alerts; the threshold caps this at one alert
# per source per 60 seconds. Several targets are port 443 or 80, where the rule
# cannot tell C2 traffic from any other connection to the same address.
alert tcp $HOME_NET any -> [165.227.136.196] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256024; rev:1;)
alert tcp $HOME_NET any -> [193.226.15.100] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256023; rev:1;)
alert tcp $HOME_NET any -> [195.35.16.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256022; rev:1;)
alert tcp $HOME_NET any -> [195.35.16.247] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256021; rev:1;)
alert tcp $HOME_NET any -> [144.202.47.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256020; rev:1;)
alert tcp $HOME_NET any -> [49.13.151.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256019; rev:1;)
# URL IOC rules at confidence level 60: GET, URI prefix /xmlrpc.php, exact Host.
# NOTE(review): /xmlrpc.php is the stock WordPress XML-RPC path, so these hosts
# are presumably ordinary third-party sites. Verify against the ThreatFox entry
# before acting on the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"news.mn"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256004/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.casagaribaldi.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256005/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thepointsking.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256006/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256006; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.50] 33080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256002; rev:1;)
alert tcp $HOME_NET any -> [5.39.43.50] 6136 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91255999; rev:1;)
# URL IOC rules at confidence level 100. The same three paths (/api/firepro.php,
# /api/firecom.php, /api/flash.php) appear under two Host values, one sid per
# (path, host) pair. The URI match is a case-insensitive prefix, the Host match
# is exact, and only GET requests are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255993; rev:1;)
alert tcp $HOME_NET any -> [172.245.191.97] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91255992; rev:1;)
# URL IOC rules at confidence level 80: one shared URI prefix under four
# different Host values. Each rule requires both the path and the exact Host,
# so the shared path requested from a host not listed here will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecbabbshop24578.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karamdsadvs2.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakalandankasd5.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecklardankalan.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2028"; depth:15; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256003; rev:1;)
alert tcp $HOME_NET any -> 
[45.15.158.15] 6969 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91256000; rev:1;)
# URL IOC rule in the usual form: case-insensitive URI prefix plus exact Host, GET only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/927339792"; depth:20; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255994; rev:1;)
# NOTE(review): in every rule from here to the end of this run the IOC value is
# an IP address or hostname, but it is matched in http.uri, anchored at offset 0
# (depth = content length), with no http.host match at all. The URI of an
# ordinary request begins with "/", so these rules are unlikely to fire on
# normal client traffic. Presumably the ThreatFox URL had no path component and
# the generator placed the host part in the URI buffer. If host matching was
# intended, the form used by the other URL rules in this file is
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative;
# Do not count these sids as coverage for the listed hosts until this is
# verified against the referenced ThreatFox entries. A local fix would be
# overwritten on the next feed update, so report it upstream or keep a local
# rule under a separate sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"93.123.39.11"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.202.233.204"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.132.241"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1255989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.21.118.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"farozinda.ru"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.188"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"top-adobe.site"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.209"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1255983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.109"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.97"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1255982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"unidasg.top"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1255981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.216.123.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.33"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"abrws.com.br"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.184.48.114"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.223.142"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.146.152"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.113.119.199"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"185.172.128.26"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rewe-coupouns.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1255972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"52.143.157.84"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255971; rev:1;) alert tcp $HOME_NET any -> [154.12.85.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.12.85.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255969; rev:1;) alert tcp $HOME_NET any -> [62.109.5.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1255968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255968; rev:1;) alert tcp $HOME_NET any -> [212.224.88.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255967; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255966; rev:1;) alert tcp $HOME_NET any -> [123.60.128.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255965; rev:1;) alert tcp $HOME_NET any -> [107.167.92.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255964; rev:1;) alert tcp $HOME_NET any -> [46.246.82.21] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255963; rev:1;) alert tcp $HOME_NET any -> [139.218.246.83] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255962; rev:1;) alert tcp $HOME_NET any -> [43.135.55.212] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255960; rev:1;) alert tcp $HOME_NET any -> [43.135.55.212] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255961; rev:1;) alert tcp $HOME_NET any -> [66.85.173.32] 2268 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255959; rev:1;) alert tcp $HOME_NET any -> [163.181.39.67] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255958; rev:1;) alert tcp $HOME_NET any -> [111.31.37.38] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255957; rev:1;) alert tcp $HOME_NET any -> [5.253.43.96] 8010 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255956; rev:1;) alert tcp $HOME_NET any -> [45.32.233.38] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255955; rev:1;) alert tcp $HOME_NET any -> [46.246.14.23] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"birdpenallitysydw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"telldruggcommitetter.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doughmebinnybunio.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"orbitpettystudio.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"interferencesandyshiw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"warningindicationsjw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"concessionofsellerwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"strainriskpropos.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"neddlepyramidfunnyjok.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"revisedrinkslappyoowi.shop"; 
depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"birdvigorousedetertyw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"newspaperpotatoju.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickbrothjorkyooe.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peanutclutchlowwow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"appliedgrandyjuiw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sailsystemeyeusjw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rugbysummerosodnwu.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"spokespersonunjuriwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jewelbasinfrankywoi.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"convictionpartyeokwi.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"competitionpooleow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"landgateindirectdangre.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roundpolechildryowjv.shop"; 
depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"democraticseekysiwo.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"prematuresolvehumoew.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"directorryversionyju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tearfulbashfulow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"computerfuneralljwu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"divosrcemusemutati.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"practicalcoherentt.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pumpedcalmdeadpannkow.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"meadowannivejrsary.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"awardlandscareposiw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chokepopilarvirusew.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disgustedsorryeedi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"marchsensedjurkey.shop"; 
depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paintercrutcheniw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"speedparticipatewo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wagonglidemonkywo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"punchtelephoneverdi.store"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255770; rev:1;)
# Reading the generated ThreatFox rules below (the reference URL in each rule names the IOC entry it was built from):
# - "alert http" rules: flow:established,from_client restricts matching to client requests on established flows.
#   http.uri content with depth:N and no end anchor is a case-insensitive prefix match (content:"/api" also
#   matches "/api/..."), while http.host content with depth:N plus isdataat:!1,relative must equal the whole
#   host buffer. They fire only on traffic Suricata parses as HTTP; requests to the same hosts inside TLS are
#   not matched by these http rules.
# - "alert dns" rules: dns_query content with depth:N plus isdataat:!1,relative and nocase is an exact,
#   case-insensitive match on the query name, so subdomains of a listed name do not match.
# - "alert tcp ... -> [IP] PORT" rules: no flow or payload keywords, so any TCP packet from $HOME_NET to that
#   IP:port matches (a bare connection attempt included); the threshold keeps output to one alert per source
#   address per 60 seconds.
# - target:src_ip marks the $HOME_NET source as the target in the event, i.e. the host to investigate.
# - metadata carries confidence_level and first_seen. IP:port indicators can outlive the infrastructure they
#   described, so check the referenced ThreatFox entry before treating a hit on an old indicator as confirmed C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preciousenviouskakei.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"officiallongberyw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"deadpanstupiddyjjuwk.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinationconventiwov.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpseed.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"estesidiosplat.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"liverpool777.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255760; rev:1;)
alert tcp $HOME_NET any -> [85.239.34.72] 9981 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255758; rev:1;)
alert tcp $HOME_NET any -> [198.46.143.219] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255757; rev:1;)
# "payload delivery" rules: a hit shows that a GET for the listed path was sent to the listed host; it does not by
# itself show that anything was downloaded or run, so pair it with proxy or endpoint evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"infineitsolutions.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"infineitsolutions.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"gitkonus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255752; rev:1;)
# The two http rules below with content:"/"; depth:1 accept every request path, so in effect they key on the
# Host value alone; each has a companion ip:port rule for the same address on port 443.
alert tcp $HOME_NET any -> [116.202.186.227] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.186.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255754; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.131] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255749; rev:1;)
alert tcp $HOME_NET any -> [8.220.200.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255747; rev:1;)
alert tcp $HOME_NET any -> [124.71.150.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"86.107.199.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255746; rev:1;) alert tcp $HOME_NET any -> [182.92.79.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255743; rev:1;) alert tcp $HOME_NET any -> [182.92.79.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255744; rev:1;) alert tcp $HOME_NET any -> [78.142.18.222] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255718; rev:1;) alert tcp $HOME_NET any -> [5.180.24.155] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255719; rev:1;) alert tcp $HOME_NET any -> [118.25.150.165] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255720; rev:1;) alert tcp $HOME_NET any -> [118.25.150.165] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255721; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255722; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255723; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255724; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255725; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255726; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255727; rev:1;) alert tcp $HOME_NET any -> [154.8.160.93] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255728; rev:1;) alert tcp $HOME_NET any -> [175.27.158.231] 30000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255729; rev:1;) alert tcp $HOME_NET any -> [42.192.42.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255730; rev:1;) alert tcp $HOME_NET any -> [101.42.24.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255731; rev:1;) alert tcp $HOME_NET any -> [120.53.237.23] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255732; rev:1;) alert tcp $HOME_NET any -> [122.51.219.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255733; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255734; rev:1;) alert tcp $HOME_NET any -> [150.158.33.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255735; 
rev:1;) alert tcp $HOME_NET any -> [162.14.102.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255736; rev:1;) alert tcp $HOME_NET any -> [47.92.131.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255738; rev:1;) alert tcp $HOME_NET any -> [175.24.189.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255737; rev:1;) alert tcp $HOME_NET any -> [47.104.82.127] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255739; rev:1;) alert tcp $HOME_NET any -> [47.120.60.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255740; rev:1;) alert tcp $HOME_NET any -> [101.37.84.176] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1255741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255741; rev:1;) alert tcp $HOME_NET any -> [139.224.231.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"212.87.204.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255712/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255713/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255714/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255715/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255716/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255717; rev:1;) alert tcp $HOME_NET any -> [91.92.243.79] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1255710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255710; rev:1;) alert tcp $HOME_NET any -> [94.154.34.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255709; rev:1;) alert tcp $HOME_NET any -> [109.120.176.38] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255708; rev:1;) alert tcp $HOME_NET any -> [79.137.197.154] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255707; rev:1;) alert tcp $HOME_NET any -> [123.56.214.38] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255706; rev:1;) alert tcp $HOME_NET any -> [46.246.84.8] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255705; rev:1;) alert tcp $HOME_NET any -> [179.13.3.18] 8010 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255704; rev:1;) alert tcp $HOME_NET any -> [190.134.136.148] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255703; rev:1;) alert tcp $HOME_NET any -> [41.103.240.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255702; rev:1;) alert tcp $HOME_NET any -> [175.13.33.64] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255701; rev:1;) alert tcp $HOME_NET any -> [20.125.108.162] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255700; rev:1;) alert tcp $HOME_NET any -> [45.133.238.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255699; rev:1;) alert tcp $HOME_NET any -> [16.171.148.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255698; rev:1;) alert tcp $HOME_NET any -> [164.215.103.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255697; rev:1;) alert tcp $HOME_NET any -> [143.198.73.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassonite.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"newarticles23.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255685; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/filezilla_3.66.1_win64.zip"; depth:39; nocase; http.host; content:"amplex-amplification.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"puttyy.ca"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"pputy.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"puuty.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"file-zilla-projectt.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"powerup.dynuddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255679; rev:1;) alert tcp $HOME_NET any -> [104.238.137.229] 6363 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255678; rev:1;) alert tcp $HOME_NET any -> [34.31.226.230] 37144 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255632; rev:1;) alert tcp $HOME_NET any -> [45.13.227.109] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255633; rev:1;) alert tcp $HOME_NET any -> [192.54.57.69] 3884 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaztc.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255674/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255674; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"support.hosting-hero.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.zip"; depth:14; nocase; http.host; content:"mkt.geostrategy-ec.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"mail.smartnet-support.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 50%)"; dns_query; content:"infoputty.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"putt-get.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"ssh-client.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"putty-ssh.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255692; rev:1;) alert tcp $HOME_NET any -> [207.32.216.126] 30685 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; 
content:"makaraaras.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"mabelkanadan.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karamdasn2.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalandan5.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255495; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255518; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"parahoyestsidio.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255519/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255519; rev:1;)
alert tcp $HOME_NET any -> [179.13.0.175] 5557 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255520; rev:1;)
# URL rule whose Host is an IP literal. The match is on the http.host buffer, while the
# rule's destination stays "$EXTERNAL_NET any", so the alert follows the Host value and not
# the packet's destination address. Per the Suricata documentation http.host is lowercased
# and carries no port (http.host.raw keeps it), which is why the pattern has no ":port".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/88746289041"; depth:22; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255676; rev:1;)
# ip:port rules: destination address and port only, no payload inspection.
alert tcp $HOME_NET any -> [45.61.139.225] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255669; rev:1;)
alert tcp $HOME_NET any -> [38.92.40.19] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255668; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.135] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255667; rev:1;)
# Confidence-50 ip:port rules, mostly on ports 80/443, with no content or flow keywords:
# any TCP traffic from $HOME_NET to the address alerts, whatever is served there at the time.
# NOTE(review): treat hits as leads to corroborate with proxy, DNS or endpoint telemetry, and
# check first_seen against the current date before using these entries for blocking.
alert tcp $HOME_NET any -> [45.128.232.135] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255666; rev:1;)
alert tcp $HOME_NET any -> [92.63.96.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255665; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255664; rev:1;)
alert tcp $HOME_NET any -> [154.40.47.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255663; rev:1;)
alert tcp $HOME_NET any -> [47.108.204.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255662; 
rev:1;)
# Reading an alert from these rules: msg carries the feed's family label ("Unknown malware"
# presumably means no family was assigned), metadata carries confidence_level and first_seen,
# and sid is "9" followed by the ThreatFox IOC id shown in the reference URL, so an alert can
# be traced back to its IOC page.
alert tcp $HOME_NET any -> [43.128.177.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255661; rev:1;)
alert tcp $HOME_NET any -> [47.93.174.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255660; rev:1;)
alert tcp $HOME_NET any -> [123.57.137.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255659; rev:1;)
alert tcp $HOME_NET any -> [47.93.173.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255658; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.12] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255657; rev:1;)
alert tcp $HOME_NET any -> [171.41.198.122] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255656; rev:1;)
# ip:port rules. threshold "type limit, track by_src, seconds 60, count 1" emits at most one
# alert per source IP per 60 s for each rule, so the alert count is not a measure of traffic
# volume. target:src_ip records the $HOME_NET side of the event as the target, which keeps
# the internal host in focus during triage.
alert tcp $HOME_NET any -> [216.83.36.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255655; rev:1;)
alert tcp $HOME_NET any -> [103.186.108.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255654; rev:1;)
alert tcp $HOME_NET any -> [94.156.10.201] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255652; rev:1;)
# Confidence-50 entries on ports 443 and 995: address-only matches, corroborate before acting.
alert tcp $HOME_NET any -> [86.22.67.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255653; rev:1;)
alert tcp $HOME_NET any -> [62.1.168.180] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255651; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.3] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255650; rev:1;)
# Destination port 445 on an external address. Independent of this IOC, outbound SMB from
# $HOME_NET to the internet is normally denied at the perimeter, so a hit on this rule also
# points at an egress-filtering gap worth closing.
alert tcp $HOME_NET any -> [185.62.57.235] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255649; rev:1;)
# ip:port rules for one family label (DCRat) on several ports: each rule is an independent
# address/port pair, nothing in the rule body inspects the protocol spoken on that port.
alert tcp $HOME_NET any -> [95.172.23.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255648; rev:1;)
alert tcp $HOME_NET any -> [202.95.23.39] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255647; rev:1;)
alert tcp $HOME_NET any -> [88.214.59.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255646; rev:1;)
alert tcp $HOME_NET any -> [43.129.31.231] 8858 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255645; rev:1;)
alert tcp 
$HOME_NET any -> [116.177.245.48] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255644; rev:1;)
# msg names C2 frameworks here (Deimos, Havoc, Sliver), but the rules identify traffic by
# destination address and port only; no trait of the framework's protocol is inspected.
# The match therefore stays valid only while the address still hosts that listener; use
# first_seen and the referenced IOC page to judge how current an entry is.
alert tcp $HOME_NET any -> [137.220.197.178] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255643; rev:1;)
alert tcp $HOME_NET any -> [212.113.106.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255642; rev:1;)
alert tcp $HOME_NET any -> [3.105.98.157] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255641; rev:1;)
alert tcp $HOME_NET any -> [207.180.230.175] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255640; rev:1;)
alert tcp $HOME_NET any -> [94.98.197.28] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255639/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255639; rev:1;)
# ip:port rules for remote-access tool labels (Remcos, Xtreme RAT, AsyncRAT): address and
# port only, rate-limited to one alert per source IP per 60 s.
alert tcp $HOME_NET any -> [66.50.11.141] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255638; rev:1;)
alert tcp $HOME_NET any -> [174.75.184.124] 2083 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255637/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255637; rev:1;)
alert tcp $HOME_NET any -> [72.203.198.245] 8009 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255636; rev:1;)
alert tcp $HOME_NET any -> [213.195.121.48] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255635; rev:1;)
# URL rule: "/ga.js" is a common-looking file name, so the precision comes from the exact
# http.host match (depth:14 + isdataat:!1,relative). The rule uses the http app-layer
# buffers, so it only applies to requests Suricata can parse as HTTP; the same request
# inside TLS is not visible to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.56.226.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"38.6.178.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255631; rev:1;)
# The same address (202.144.192.44) appears in an ip:port rule for port 80 and in a URL
# rule; one cleartext HTTP request to it can raise both sids, so correlate them as a single
# event rather than counting them separately.
alert tcp $HOME_NET any -> [202.144.192.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"202.144.192.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255629; rev:1;)
# http.uri content:"/" with depth:1 is satisfied by every URI that starts with "/", so the
# two rules below effectively alert on any GET request carrying the listed Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.90"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1255523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255523; rev:1;)
# ip:port rules (Vidar label): address and port only, no payload inspection.
alert tcp $HOME_NET any -> [195.201.47.150] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255522; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.90] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255517; rev:1;)
# DNS rule: exact-name match on the query (depth:24 + isdataat:!1,relative, nocase), so only
# "www.microsoftonline.info" itself alerts; the bare domain or other labels under it do not.
# NOTE(review): the name resembles a Microsoft sign-in domain (inferred from the string only).
# The URL rule that follows pins the same name in http.host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.microsoftonline.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.microsoftonline.info"; depth:24; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1255515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255515; rev:1;)
alert tcp $HOME_NET any -> [47.236.185.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255514; rev:1;)
# URL rules: every one requires http.method to contain "GET", so a request with another
# method to the same host and path is outside these rules. http.uri is a prefix match
# (depth = pattern length, nocase, no end anchor); http.host is an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.185.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"154.92.14.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.55.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255508; rev:1;)
# The same host name is covered twice: a URL rule (http.host, exact) and a DNS rule
# (dns_query, exact). The DNS rule fires on the lookup itself, so it still gives a signal when
# the later HTTP request is not visible to the sensor (for example inside TLS or via a proxy);
# when both fire for one host, treat them as one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255507; rev:1;)
alert tcp $HOME_NET any -> [121.37.237.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255505/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_10; classtype:trojan-activity; sid:91255505; rev:1;)
# Short URI prefixes: content:"/cx" with depth:3 (and "/j.ad", "/ga.js" below) anchors only
# the first bytes of http.uri, so any URI that merely begins with those characters matches
# (constructed example: "/cxyz"). The exact http.host match is what keeps these rules narrow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.37.237.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255504; rev:1;)
alert tcp $HOME_NET any -> [154.204.177.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"193.32.149.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azure/api/v2/userinfo/get"; depth:26; 
nocase; http.host; content:"baidu.freemetb.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255499; rev:1;)
# DNS counterpart of the URL rule above for the same host name (exact-name match, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baidu.freemetb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.37.237.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255497; rev:1;)
alert tcp $HOME_NET any -> [154.204.177.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255496; rev:1;)
# Coverage note for the next rule: the protocol is tcp with destination port 53, so UDP
# traffic to the same address and port is outside this rule.
alert tcp $HOME_NET any -> [202.144.192.44] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255491; rev:1;)
# DNS rule: exact match on the full query name (depth:21 + isdataat:!1,relative, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fdsagwagfdsba.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255490; rev:1;)
# ip:port rules. Direction is fixed: source $HOME_NET, destination the listed address and
# port. Connections initiated from these addresses towards $HOME_NET are not covered here.
# With target:src_ip the internal host is the one recorded as the target of the event.
alert tcp $HOME_NET any -> [45.61.141.168] 35228 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255489; rev:1;)
alert tcp $HOME_NET any -> [89.185.84.115] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255488; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.100] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255486; rev:1;)
alert tcp $HOME_NET any -> [141.98.10.76] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; 
classtype:trojan-activity; sid:91255487; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.187] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255478/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255478; rev:1;)
alert tcp $HOME_NET any -> [79.137.192.4] 80 (msg:"ThreatFox Poseidon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255479; rev:1;)
# URL rules: flow:established,from_client restricts them to client-to-server data on an
# established session, unlike the ip:port rules above, which carry no flow keyword. These
# rules have no threshold option, so every matching request produces its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255483/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255483; rev:1;)
# "payload delivery" URL rule: a hit means a client in $HOME_NET requested this file from
# this host; it does not show that the download completed or that the file was opened, so
# follow up on the endpoint. NOTE(review): the /wp-content/ paths here and two rules below
# suggest content placed on WordPress sites (inferred from the paths only). The rules are
# scoped to host + path prefix, so other pages on the same site do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/jetpack/json-endpoints/jetpack/hays_compiled_documents.zip"; depth:78; nocase; http.host; content:"felizcity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"samsunguniverse.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdefs.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255474/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_10; classtype:trojan-activity; sid:91255474; rev:1;)
# One URI prefix ("/mjm2ytbkogjlzju1/") repeated across several similarly named hosts.
# Every rule pins a single host exactly (http.host depth + isdataat:!1,relative), so the
# shared path on a host that is not listed raises nothing. NOTE(review): if these sids fire,
# a search of proxy logs for the path prefix may show related hosts the feed does not list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdasd65.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdgfdgn2.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererd5345.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255477; rev:1;)
# DNS rule: exact match on an 8-byte name; fast_pattern marks this content as the one used
# for prefiltering.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dsbr.cam"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255467; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.110] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswl.vipsf888.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255470; rev:1;) alert tcp $HOME_NET any -> [14.225.219.227] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255469; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.95.254.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"119.91.214.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdtzx.scr"; depth:10; nocase; http.host; content:"covid19help.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhudaji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rubiconviewer.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hatsune.network"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255463; rev:1;)
# "domain" rules match the DNS query name exactly: depth equals the pattern length
# (start anchor) and isdataat:!1,relative requires that nothing follows (end anchor).
# Subdomains and parent domains are therefore not covered. The feed lists them as
# separate rules, as with this name and its parent (sid:91255463, the rule whose
# tail opens this block).
# The header is $HOME_NET -> $EXTERNAL_NET, so the rule sees only queries that cross
# the sensor toward an external address. If clients resolve through an internal
# resolver, target:src_ip presumably identifies the resolver rather than the client
# that asked; confirm against sensor placement and resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"int.hatsune.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255464; rev:1;)
# "ip:port" rules carry no flow, flags or content keyword: destination address and
# port are the only match conditions. An alert therefore shows that a $HOME_NET host
# sent TCP traffic toward the indicator, not that a C2 session was established or
# that the payload was inspected.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one alert
# per source address per 60 seconds, so alert counts do not reflect connection or
# packet counts. Use flow records for volume and duration.
# confidence_level 75 is repeated in both msg and metadata for these entries.
alert tcp $HOME_NET any -> [45.148.244.74] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255459; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.123] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255458; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255457; rev:1;)
alert tcp $HOME_NET any -> [166.88.61.185] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255456; rev:1;)
alert tcp $HOME_NET any ->
[38.89.76.175] 61915 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255455; rev:1;) alert tcp $HOME_NET any -> [106.54.222.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255454; rev:1;) alert tcp $HOME_NET any -> [194.87.236.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255453; rev:1;) alert tcp $HOME_NET any -> [101.200.160.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255452; rev:1;) alert tcp $HOME_NET any -> [121.36.61.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255451; rev:1;) alert tcp $HOME_NET any -> [101.200.214.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255450/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255450; rev:1;) alert tcp $HOME_NET any -> [111.223.247.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255449; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 2230 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255448; rev:1;) alert tcp $HOME_NET any -> [46.246.14.9] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255447; rev:1;) alert tcp $HOME_NET any -> [51.116.96.182] 4000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255446; rev:1;) alert tcp $HOME_NET any -> [188.126.90.3] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255445; rev:1;) alert tcp $HOME_NET any -> [97.118.50.67] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255444; rev:1;) alert tcp $HOME_NET any -> [8.140.193.181] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255443; rev:1;) alert tcp $HOME_NET any -> [167.172.246.65] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255441; rev:1;) alert tcp $HOME_NET any -> [167.172.246.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255442; rev:1;) alert tcp $HOME_NET any -> [47.236.151.19] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255440; rev:1;) alert tcp $HOME_NET any -> [47.245.38.152] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255439; rev:1;) alert tcp $HOME_NET any -> [167.71.105.169] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255438; rev:1;)
# The next two rules describe the same address from two angles.
#   sid:91255437 (ip:port): matches on destination 116.203.15.18 port 443 alone,
#     limited to one alert per source per 60 seconds.
#   sid:91255436 (url): the http.uri pattern is "/" with depth:1. Every request URI
#     begins with "/", so the URI condition does not narrow anything: any GET whose
#     Host value is exactly 116.203.15.18 alerts, on any port, with no threshold.
# NOTE(review): traffic to port 443 is presumably TLS, in which case only the ip:port
# rule would fire unless the sensor sees decrypted HTTP. Treat the url rule as a
# host-level indicator, not as a specific C2 path.
alert tcp $HOME_NET any -> [116.203.15.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255436; rev:1;)
# ip:port rules: no flow, flags or content keyword, so address and port are the whole
# match. The malware family appears only in msg. Nothing in the rule checks that the
# traffic is that family's protocol, so corroborate with endpoint or flow data.
alert tcp $HOME_NET any -> [179.13.0.175] 5556 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255424; rev:1;)
alert tcp $HOME_NET any -> [51.68.169.77] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255422; rev:1;)
alert tcp $HOME_NET any -> [89.105.201.98] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1255423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"ahhhuu22cxxx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"h23hxa22f3f2a.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255416; rev:1;) alert tcp $HOME_NET any -> [47.242.231.229] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"h13f2hah2aa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"cwcwac3f422af.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"g2agfawfw.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255419; rev:1;) alert tcp $HOME_NET any -> [77.221.137.22] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"38.181.35.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255426/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuailianv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winarkamaps.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stratimasesstr.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1255431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255431; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 8732 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255435/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boom.baiduboomboom.tk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255433; rev:1;) alert tcp $HOME_NET any -> [1.15.247.249] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"boom.baiduboomboom.tk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255432; rev:1;) alert tcp $HOME_NET any -> [94.250.249.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255414/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_09; classtype:trojan-activity; sid:91255414; rev:1;)
# Low-confidence ip:port entries: msg and metadata both state confidence_level 50,
# and the "Unknown malware" entries name no family. Each rule matches on destination
# address and port only (no flow, flags or content keyword), so a hit is a lead to
# corroborate, not a confirmed infection.
# first_seen here is 2024_04_09, while the file header gives a last-updated time of
# 2024-07-26. Nothing in a rule expires it, and an address on shared or cloud hosting
# may have been reassigned since. NOTE(review): consider using the confidence_level
# and first_seen metadata to select or age out rules when loading the feed.
# threshold: type limit, track by_src, seconds 60, count 1 means at most one alert
# per source address per 60 seconds per rule.
alert tcp $HOME_NET any -> [178.128.106.68] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255413; rev:1;)
alert tcp $HOME_NET any -> [150.109.70.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255412; rev:1;)
alert tcp $HOME_NET any -> [176.96.138.72] 9191 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255411; rev:1;)
alert tcp $HOME_NET any -> [39.101.205.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255410; rev:1;)
# Port 995 below is also the registered port for POP3 over TLS. The rule keys on the
# destination address, so only traffic to this specific address alerts.
alert tcp $HOME_NET any -> [39.40.139.74] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255409; rev:1;)
alert tcp $HOME_NET any -> [198.135.163.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255408; rev:1;) alert tcp $HOME_NET any -> [159.69.195.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255407; rev:1;) alert tcp $HOME_NET any -> [34.195.136.4] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255406; rev:1;) alert tcp $HOME_NET any -> [3.88.131.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255405; rev:1;) alert tcp $HOME_NET any -> [116.122.95.74] 80 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vchaonlyone.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255401; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"senpalia.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255402; rev:1;) alert tcp $HOME_NET any -> [46.246.82.18] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255403; rev:1;) alert tcp $HOME_NET any -> [46.246.6.20] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255404; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255224; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255225; rev:1;) alert tcp $HOME_NET any -> [111.229.158.40] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255193; rev:1;) alert tcp $HOME_NET any -> [111.229.158.40] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255192; rev:1;) alert tcp $HOME_NET any -> [101.43.111.190] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255174; rev:1;) alert tcp $HOME_NET any -> [43.139.52.213] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255117; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255276; rev:1;) alert tcp $HOME_NET any -> [128.199.0.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255277; rev:1;) alert tcp $HOME_NET any -> [139.59.101.62] 8443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255278; rev:1;) alert tcp $HOME_NET any -> [159.65.20.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255279; rev:1;) alert tcp $HOME_NET any -> [23.95.65.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255280; rev:1;) alert tcp $HOME_NET any -> [43.163.220.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255281; rev:1;) alert tcp $HOME_NET any -> [119.28.110.63] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tencentweb.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255283/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255283; rev:1;) alert tcp $HOME_NET any -> [74.226.216.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255284; rev:1;) alert tcp $HOME_NET any -> [47.76.113.146] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255395; rev:1;) alert tcp $HOME_NET any -> [74.226.216.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255285; rev:1;) alert tcp $HOME_NET any -> [45.152.243.228] 9090 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255394; rev:1;) alert tcp $HOME_NET any -> [102.165.56.50] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255396; rev:1;) alert tcp $HOME_NET any -> [162.238.154.3] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255397; rev:1;) alert tcp $HOME_NET any -> [179.100.74.227] 1024 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255398; rev:1;) alert tcp $HOME_NET any -> [194.48.251.169] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255399; rev:1;) alert tcp $HOME_NET any -> [47.76.178.33] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255273; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255274; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255275; rev:1;) alert tcp $HOME_NET any -> [47.76.163.6] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255272; rev:1;) alert tcp $HOME_NET any -> [47.97.96.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255266; rev:1;) alert tcp $HOME_NET any -> [1.92.79.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255269; rev:1;) alert tcp $HOME_NET any -> [47.120.65.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255267; rev:1;) alert tcp $HOME_NET any -> [112.124.34.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255268; rev:1;) alert tcp $HOME_NET any -> [124.71.129.181] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255270; rev:1;) alert tcp $HOME_NET any -> [23.94.148.10] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255271; rev:1;) alert tcp $HOME_NET any -> [47.92.200.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255265; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 17500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255263; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 44888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255264; rev:1;) alert tcp $HOME_NET any -> [8.130.143.185] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255261; rev:1;) alert tcp $HOME_NET any -> 
[120.24.170.13] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255262; rev:1;) alert tcp $HOME_NET any -> [8.130.98.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255259; rev:1;) alert tcp $HOME_NET any -> [8.130.142.27] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255260; rev:1;) alert tcp $HOME_NET any -> [206.233.128.64] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255356; rev:1;) alert tcp $HOME_NET any -> [45.77.24.231] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255388; rev:1;) alert tcp $HOME_NET any -> [181.162.187.238] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255353/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255353; rev:1;) alert tcp $HOME_NET any -> [184.190.169.22] 3389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255354; rev:1;) alert tcp $HOME_NET any -> [185.174.101.93] 6546 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255355; rev:1;) alert tcp $HOME_NET any -> [8.130.34.199] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255349; rev:1;) alert tcp $HOME_NET any -> [150.158.139.196] 6666 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255352; rev:1;) alert tcp $HOME_NET any -> [91.92.254.190] 8084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255350; rev:1;) alert tcp $HOME_NET any -> [103.143.15.58] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255351; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255331; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255332; rev:1;) alert tcp $HOME_NET any -> [172.247.5.223] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255329; rev:1;) alert tcp $HOME_NET any -> [23.224.143.16] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255330; rev:1;) alert tcp $HOME_NET any -> [45.145.228.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"fairfurryfriends.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"fairfurryfriends.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newintento777.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"akademipraktik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"akademipraktik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255288; rev:1;) alert tcp $HOME_NET any -> [91.92.255.45] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255389; rev:1;) alert tcp $HOME_NET any -> [91.92.255.45] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255390; rev:1;) alert tcp $HOME_NET any -> [94.156.65.159] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255391; rev:1;) alert tcp $HOME_NET any -> [94.156.65.159] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255392; rev:1;) alert tcp $HOME_NET any -> [49.232.55.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255131/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_09; classtype:trojan-activity; sid:91255131; rev:1;) alert tcp $HOME_NET any -> [49.232.208.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255144; rev:1;) alert tcp $HOME_NET any -> [43.136.90.70] 50034 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255096; rev:1;) alert tcp $HOME_NET any -> [45.89.53.187] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255085; rev:1;) alert tcp $HOME_NET any -> [159.100.30.207] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255393; rev:1;) alert tcp $HOME_NET any -> [193.143.1.168] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255387; rev:1;) alert tcp $HOME_NET any -> [193.143.1.168] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1255386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255386; rev:1;) alert tcp $HOME_NET any -> [93.123.39.11] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255385; rev:1;) alert tcp $HOME_NET any -> [93.123.39.11] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255384; rev:1;) alert tcp $HOME_NET any -> [52.143.157.84] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255383; rev:1;) alert tcp $HOME_NET any -> [52.143.157.84] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255382; rev:1;) alert tcp $HOME_NET any -> [185.209.162.38] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255381; rev:1;) alert tcp $HOME_NET any -> [185.209.162.38] 80 (msg:"ThreatFox Stealc botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255380; rev:1;) alert tcp $HOME_NET any -> [185.172.128.209] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255379; rev:1;) alert tcp $HOME_NET any -> [185.172.128.209] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255378; rev:1;) alert tcp $HOME_NET any -> [95.164.2.59] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255377; rev:1;) alert tcp $HOME_NET any -> [95.164.2.59] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255376; rev:1;) alert tcp $HOME_NET any -> [62.113.119.199] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255375; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes for the ip:port rules that follow (Stealc, confidence_level 80,
# first_seen 2024_04_09).
#
# What a match means: each rule alerts on TCP traffic from $HOME_NET to one
# fixed destination IP and port. There are no content or app-layer keywords and
# no flow: keyword, so nothing in the rule inspects the payload or restricts it
# to established sessions. The malware family in msg comes from the ThreatFox
# IOC entry (see the reference URL), not from anything observed in the packet.
#
# Alert volume: "threshold: type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source address per 60 seconds for each sid.
# It limits reporting only; it does not make the match more specific.
#
# target:src_ip marks the $HOME_NET side as the target in alert output.
#
# Triage caveats:
#  - Several destination IPs appear twice, once with port 80 and once with
#    port 22. Whether both ports carried C2 is not shown here; check the
#    referenced IOC entry before treating either hit as confirmed C2.
#  - IP indicators age. Compare first_seen with the current state of the IOC
#    entry, since addresses can be reassigned or shared with unrelated services.
#  - Corroborate with flow logs or host telemetry before escalating a single
#    hit at confidence_level 80 to an incident.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [62.113.119.199] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255374; rev:1;) alert tcp $HOME_NET any -> [185.172.128.145] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255373; rev:1;) alert tcp $HOME_NET any -> [193.143.1.226] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255372; rev:1;) alert tcp $HOME_NET any -> [193.143.1.226] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255371; rev:1;) alert tcp $HOME_NET any -> [185.216.70.109] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255370; rev:1;) alert tcp $HOME_NET any -> [185.216.70.109] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255369/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255369; rev:1;) alert tcp $HOME_NET any -> [217.182.197.48] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255368; rev:1;) alert tcp $HOME_NET any -> [217.182.197.48] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255367; rev:1;) alert tcp $HOME_NET any -> [185.172.128.26] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255366; rev:1;) alert tcp $HOME_NET any -> [185.172.128.26] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255365; rev:1;) alert tcp $HOME_NET any -> [185.172.128.208] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255364; rev:1;) alert tcp $HOME_NET any -> [185.172.128.208] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255363; rev:1;) alert tcp $HOME_NET any -> [94.156.8.97] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255362; rev:1;) alert tcp $HOME_NET any -> [94.156.8.97] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255361; rev:1;) alert tcp $HOME_NET any -> [91.202.233.204] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255360; rev:1;) alert tcp $HOME_NET any -> [91.202.233.204] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255359; rev:1;) alert tcp $HOME_NET any -> [147.45.78.181] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255358; rev:1;) alert tcp $HOME_NET any -> [147.45.78.181] 22 (msg:"ThreatFox Stealc botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255357; rev:1;) alert tcp $HOME_NET any -> [188.166.232.102] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255348; rev:1;) alert tcp $HOME_NET any -> [45.67.86.155] 9009 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255347; rev:1;) alert tcp $HOME_NET any -> [209.141.37.216] 3074 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255346; rev:1;) alert tcp $HOME_NET any -> [45.128.232.130] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255345; rev:1;) alert tcp $HOME_NET any -> [45.67.86.157] 9009 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255344; rev:1;) alert tcp $HOME_NET any -> [51.68.213.73] 25 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255343; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255342; rev:1;) alert tcp $HOME_NET any -> [103.97.58.61] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255341; rev:1;) alert tcp $HOME_NET any -> [185.158.132.135] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255340; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 50054 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255339; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7018 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255338; rev:1;) alert tcp $HOME_NET any -> [147.78.47.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255337; rev:1;) alert tcp $HOME_NET any -> [182.92.216.171] 57001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255336; rev:1;) alert tcp $HOME_NET any -> [91.92.252.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255335; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255334; rev:1;) alert tcp $HOME_NET any -> [81.19.137.205] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255333; rev:1;) alert tcp $HOME_NET any -> [107.167.93.99] 8081 (msg:"ThreatFox RisePro botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255328; rev:1;) alert tcp $HOME_NET any -> [64.94.85.165] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255327; rev:1;) alert tcp $HOME_NET any -> [92.42.96.24] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255326; rev:1;) alert tcp $HOME_NET any -> [77.221.156.212] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255325; rev:1;) alert tcp $HOME_NET any -> [193.233.132.114] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255324; rev:1;) alert tcp $HOME_NET any -> [141.195.117.127] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255323; rev:1;) alert tcp $HOME_NET any -> [188.40.248.148] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255322; rev:1;) alert tcp $HOME_NET any -> [91.227.40.93] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255321; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 10000 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255320; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255319; rev:1;) alert tcp $HOME_NET any -> [178.62.239.104] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255318; rev:1;) alert tcp $HOME_NET any -> [64.7.199.224] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255317; rev:1;) alert tcp $HOME_NET any -> [89.238.170.230] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255316; rev:1;) alert tcp $HOME_NET any -> [185.17.40.132] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255315; rev:1;) alert tcp $HOME_NET any -> [146.70.135.158] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255314; rev:1;) alert tcp $HOME_NET any -> [91.198.166.140] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255313; rev:1;) alert tcp $HOME_NET any -> [192.227.94.170] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255312; rev:1;) alert tcp $HOME_NET any -> [193.233.132.111] 80 (msg:"ThreatFox 
RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255311; rev:1;) alert tcp $HOME_NET any -> [193.233.132.38] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255310; rev:1;) alert tcp $HOME_NET any -> [116.203.15.173] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255307/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255307; rev:1;) alert tcp $HOME_NET any -> [195.201.250.50] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255306/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255306; rev:1;) alert tcp $HOME_NET any -> [159.69.102.165] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255305/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255305; rev:1;) alert tcp $HOME_NET any -> [195.201.47.206] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255304/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255304; rev:1;) alert tcp $HOME_NET any -> [78.47.141.20] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255303/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255303; rev:1;) alert tcp $HOME_NET any -> [95.217.240.145] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255302; rev:1;) alert tcp $HOME_NET any -> [115.74.21.108] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255301; rev:1;) alert tcp $HOME_NET any -> [115.74.21.108] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255300; rev:1;) alert tcp $HOME_NET any -> [86.106.87.158] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255299; rev:1;) alert tcp $HOME_NET any -> [139.180.171.110] 22841 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1255298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255298; rev:1;) alert tcp $HOME_NET any -> [185.224.135.175] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255297; rev:1;) alert tcp $HOME_NET any -> [101.237.34.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255296; rev:1;) alert tcp $HOME_NET any -> [173.248.141.247] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255295; rev:1;) alert tcp $HOME_NET any -> [98.191.141.157] 2000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255294; rev:1;) alert tcp $HOME_NET any -> [111.173.116.170] 1235 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255293; rev:1;) alert tcp $HOME_NET any -> [37.221.93.29] 4444 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255292; rev:1;) alert tcp $HOME_NET any -> [171.249.235.149] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255291/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255291; rev:1;) alert tcp $HOME_NET any -> [154.62.175.113] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255289/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ms_excel_azure_cloud_open_document.vbs"; depth:41; nocase; http.host; content:"45.89.53.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255084; rev:1;) alert tcp $HOME_NET any -> [103.124.106.237] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255083; rev:1;) alert tcp $HOME_NET any -> [192.3.95.135] 80 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1255078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xampp/kjk/weareverybeautifulgirlsxygirlwantokissmeharderthanbeforetogetmeback___sheisverybeeautifulgirlforme.doc"; depth:113; nocase; http.host; content:"192.3.95.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0804t/wininit.exe"; depth:19; nocase; http.host; content:"192.3.95.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255080; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 1664 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzitziklishop4.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"bannerbarter.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"bannerbarter.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shgoini.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255076; rev:1;) alert tcp $HOME_NET any -> [107.175.229.143] 30902 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255077; rev:1;) alert tcp $HOME_NET any -> [66.204.14.97] 20256 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.236.171.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255070; rev:1;) alert tcp $HOME_NET any -> [8.220.200.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.107.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255066; rev:1;) alert tcp $HOME_NET any -> [39.100.107.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255067; rev:1;) alert tcp $HOME_NET any -> [141.98.7.91] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255064; rev:1;) alert tcp $HOME_NET any -> [107.172.148.197] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tdpzx.scr"; depth:10; nocase; http.host; content:"universalmovies.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psolver827.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255062; rev:1;) alert tcp $HOME_NET any -> [141.98.7.218] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"117.50.182.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel.gif"; depth:10; nocase; http.host; content:"206.189.182.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255056; rev:1;)
# ip:port indicator: no payload or flow keywords, so any TCP packet from $HOME_NET to this
# address and port satisfies the rule; the threshold caps output at one alert per source per 60 s.
alert tcp $HOME_NET any -> [192.3.216.142] 7232 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255055; rev:1;)
# NOTE(review): the Host matched here (t.me) is a shared public service, so the only
# indicator-specific part of this rule is the URI. The http.uri match is a prefix match
# (depth:7 with no end-of-buffer check on the URI), so longer paths starting with "/de17fs"
# also alert. Presumably this host is normally reached over TLS, in which case an
# `alert http` rule only sees the request where traffic is decrypted for inspection - confirm
# against sensor placement before treating silence as absence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de17fs"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255054; rev:1;)
# NOTE(review): same pattern as the rule above - a shared public host (steamcommunity.com)
# qualified only by a profile path prefix. A hit points at the requesting client ($HOME_NET,
# target:src_ip), not at the platform; do not block the host on the strength of this rule.
# The TLS visibility caveat presumably applies here as well - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199667616374"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255053; rev:1;)
# NOTE(review): http.uri content "/" with depth:1 is satisfied by any URI that begins with "/",
# so this rule in effect alerts on every GET whose Host is exactly 65.109.243.220. Its
# fidelity therefore rests entirely on that address still being attacker-controlled
# (first_seen 2024_04_09).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255052; rev:1;)
alert tcp $HOME_NET any -> [65.109.243.220] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255051; rev:1;) alert tcp $HOME_NET any -> [147.135.119.43] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255046; rev:1;) alert tcp $HOME_NET any -> [134.255.218.111] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255047; rev:1;) alert tcp $HOME_NET any -> [147.135.119.43] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255048; rev:1;) alert tcp $HOME_NET any -> [134.255.218.111] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255049; rev:1;) alert tcp $HOME_NET any -> [185.150.26.199] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255050/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255044; rev:1;) alert tcp $HOME_NET any -> [195.133.44.41] 2295 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255043; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; 
nocase; http.host; content:"172.18.202.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255041; rev:1;)
# NOTE(review): the rule that ends on the line above (sid:91255041) matches Host
# 172.18.202.226, which lies inside the RFC 1918 private block 172.16.0.0/12. A private
# address is not a globally meaningful indicator: on a network that uses this range, a hit
# refers to whatever local device holds the address, not to the reported C2. The rule header
# is also $HOME_NET -> $EXTERNAL_NET, so where $HOME_NET covers RFC 1918 space the rule is
# unlikely to fire at all. Consider excluding private-range indicators when importing the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.55.1.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.55.65.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255038; rev:1;)
# NOTE(review): the rule starting below (ThreatFox IOC 1255037) has the same match conditions
# as sid:91255040 above - GET, URI prefix "/updates.rss", Host exactly 114.55.1.119. Only the
# reference id and sid differ, so one matching request raises two alerts. De-duplicate on
# (host, URI) when triaging or when importing the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.55.1.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255037/; target:src_ip; metadata: confidence_level 100, first_seen
2024_04_09; classtype:trojan-activity; sid:91255037; rev:1;)
# NOTE(review): the ip:port rules below carry confidence_level 50 and have no payload or flow
# keywords: any TCP packet from $HOME_NET to the listed address and port matches, and the
# threshold only rate-limits alerts to one per source per 60 s. On ports 80 and 443 a hit
# shows that a connection was attempted, not that the traffic was C2. Addresses can be shared
# or reassigned after first_seen (2024_04_09), so corroborate with host or proxy telemetry
# before acting on these alerts alone.
alert tcp $HOME_NET any -> [23.95.182.33] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255036; rev:1;)
alert tcp $HOME_NET any -> [23.95.182.33] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255035; rev:1;)
alert tcp $HOME_NET any -> [193.57.41.184] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255034; rev:1;)
alert tcp $HOME_NET any -> [193.57.41.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255033; rev:1;)
alert tcp $HOME_NET any -> [178.128.106.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255032; rev:1;)
alert tcp $HOME_NET any -> [3.22.252.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255031; rev:1;) alert tcp $HOME_NET any -> [109.107.181.48] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255030; rev:1;) alert tcp $HOME_NET any -> [109.120.178.115] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255029; rev:1;) alert tcp $HOME_NET any -> [111.231.145.137] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255028; rev:1;) alert tcp $HOME_NET any -> [45.61.150.7] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255027; rev:1;) alert tcp $HOME_NET any -> [185.123.53.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255026; rev:1;) alert tcp 
$HOME_NET any -> [34.84.42.35] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255025; rev:1;) alert tcp $HOME_NET any -> [148.66.5.228] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255024; rev:1;) alert tcp $HOME_NET any -> [111.223.247.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255023; rev:1;) alert tcp $HOME_NET any -> [8.140.205.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255022; rev:1;) alert tcp $HOME_NET any -> [45.76.142.33] 1604 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255021; rev:1;) alert tcp $HOME_NET any -> [85.209.195.22] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255020/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255020; rev:1;) alert tcp $HOME_NET any -> [151.30.250.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255019; rev:1;) alert tcp $HOME_NET any -> [165.227.223.174] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255018; rev:1;) alert tcp $HOME_NET any -> [165.227.223.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255017; rev:1;) alert tcp $HOME_NET any -> [138.197.80.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255016; rev:1;) alert tcp $HOME_NET any -> [68.183.56.211] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255014; rev:1;) alert tcp $HOME_NET any -> [68.183.56.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255015; rev:1;) alert tcp $HOME_NET any -> [137.184.78.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255013; rev:1;) alert tcp $HOME_NET any -> [159.223.0.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255012; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20006 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255011; rev:1;) alert tcp $HOME_NET any -> [203.96.177.103] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255010; rev:1;) alert tcp $HOME_NET any -> [99.83.207.194] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255009; rev:1;) alert tcp $HOME_NET any -> [39.100.72.235] 
7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255008; rev:1;) alert tcp $HOME_NET any -> [165.227.90.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255007; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appdiscordgg.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254995; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 14391 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firmes777.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1254988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254988; rev:1;) alert tcp $HOME_NET any -> [172.94.73.133] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254967; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254987; rev:1;) alert tcp $HOME_NET any -> [128.90.123.160] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254966; rev:1;) alert tcp $HOME_NET any -> [93.183.95.223] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/990ecb7630625681.php"; depth:21; nocase; http.host; content:"93.123.39.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255005; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255003; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255002; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255000; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255001; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254999; rev:1;) alert tcp $HOME_NET any -> [105.154.228.255] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/po.php"; depth:24; nocase; http.host; content:"kenesrakishev.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsdjcn3khs/index.php"; depth:21; nocase; http.host; content:"atillapro.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254996; rev:1;) alert tcp $HOME_NET any -> [200.217.111.70] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254994; rev:1;) alert tcp $HOME_NET any -> [191.89.247.6] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254993; rev:1;) alert tcp $HOME_NET any -> [81.214.136.253] 125 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254992; rev:1;) alert tcp $HOME_NET any -> [91.207.102.163] 9899 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254990; rev:1;) alert tcp $HOME_NET any -> [45.129.199.228] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254989; rev:1;) alert tcp $HOME_NET any -> [23.137.253.76] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254986; rev:1;) alert tcp $HOME_NET any -> [23.137.253.76] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254985; rev:1;) alert tcp $HOME_NET any -> [91.215.85.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254984; rev:1;) alert tcp $HOME_NET any -> [45.88.90.80] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254983; rev:1;) alert tcp $HOME_NET any -> [147.45.69.114] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254982; rev:1;) alert tcp $HOME_NET any -> [37.221.93.9] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254981; rev:1;) alert tcp $HOME_NET any -> [107.172.157.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254980; rev:1;) alert tcp $HOME_NET any -> [8.218.138.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254979; rev:1;) alert tcp $HOME_NET any -> [117.50.179.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254978/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254978; rev:1;) alert tcp $HOME_NET any -> [46.246.4.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254977; rev:1;) alert tcp $HOME_NET any -> [217.165.15.163] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254976; rev:1;) alert tcp $HOME_NET any -> [78.172.87.190] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254975; rev:1;) alert tcp $HOME_NET any -> [1.161.123.219] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254974; rev:1;) alert tcp $HOME_NET any -> [23.95.182.10] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254973; rev:1;) alert tcp $HOME_NET any -> [154.12.179.67] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254972; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20011 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254970; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20012 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254971; rev:1;) alert tcp $HOME_NET any -> [128.14.226.110] 448 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254969; rev:1;) alert tcp $HOME_NET any -> [139.144.96.187] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"linkerfunyfile.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254964/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254964; rev:1;) alert tcp $HOME_NET any -> [38.180.62.112] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kibagendi.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karmaandfate.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"playfulyogi.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; 
classtype:trojan-activity; sid:91254953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christmascookie.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salesoftskills.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whattotext.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beaulieuhome.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gteairfone.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"pillowscrawler.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"000111.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"playfulyogi.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"karmaandfate.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"kibagendi.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; 
classtype:trojan-activity; sid:91254950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"000111.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"pillowscrawler.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"beaulieuhome.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"whattotext.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"salesoftskills.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"christmascookie.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stodia.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cytuns.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254939; rev:1;) 
# Domain IOCs: dns_query must equal the listed name (nocase). depth set to the
# name's length plus isdataat:!1,relative leaves no room for extra labels, so
# queries for subdomains of a listed name are not matched by these rules.
# target:src_ip marks the $HOME_NET client as the affected host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galvins.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disear.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yetties.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254942; rev:1;)
# ip:port IOCs labelled Vidar. These rules carry no flow, flags or payload
# keyword: any TCP packet from $HOME_NET to the listed address and port
# matches, and threshold (type limit, track by_src) caps output at one alert
# per source address per 60 seconds. A hit therefore shows contact with the
# address, not a completed session or C2 protocol content.
# NOTE(review): several destinations use port 443 or 5432; the rule cannot
# tell C2 from any other service on the same address, and addresses can be
# reassigned after first_seen 2024_04_08 - check the referenced ThreatFox
# entry before acting on a hit.
alert tcp $HOME_NET any -> [95.217.241.187] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254931; rev:1;)
alert tcp $HOME_NET any -> [49.13.149.204] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254932; rev:1;)
alert tcp $HOME_NET any -> [195.201.250.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254933; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254934; rev:1;)
alert tcp $HOME_NET any -> [94.130.188.149] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254935; rev:1;)
alert tcp $HOME_NET any -> [116.203.12.29] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254936; rev:1;)
alert tcp $HOME_NET any -> [116.203.14.84] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254937; rev:1;)
alert tcp $HOME_NET any -> [95.217.212.139] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254929; rev:1;)
alert tcp $HOME_NET any -> [95.217.27.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254930; rev:1;)
# URL IOCs with a root path. content:"/"; depth:1 on http.uri is satisfied by
# any URI that begins with "/", so in practice these fire on every GET whose
# http.host is exactly the listed value, whatever the path. The IP-literal
# hosts are the same addresses as the Vidar ip:port rules above and three of
# the domains repeat the dns rules above, so one host may raise more than one
# of these alerts for the same contact. The msg names no malware family.
# NOTE(review): http.* buffers exist only for traffic Suricata parses as HTTP,
# so requests inside TLS are not inspected unless decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yetties.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"disear.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"galvins.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cytuns.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stodia.fun"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.188.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.250.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.149.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.212.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254915; rev:1;)
# ip:port IOC labelled Quasar RAT: any TCP packet to the address and port
# matches (no flow or payload keyword), at most one alert per source per 60 s.
alert tcp $HOME_NET any -> [51.79.171.174] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254914; rev:1;)
# NOTE(review): sid:91254676 (next rule) and sid:91254677 (after the
# zopz-api.com rule) match an IP literal in http.uri, anchored at the start of
# the URI by depth:12 / depth:14, and have no http.host condition. An
# origin-form request URI begins with "/", so these two rules look unlikely to
# fire on ordinary requests; presumably the source IOC had no scheme or path
# and the host was meant - confirm against the referenced ThreatFox entries
# before counting on them for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.81.17.166"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zopz-api.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"167.114.127.93"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuclear.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254679; rev:1;)
# ip:port IOCs labelled "Unknown malware" (ThreatFox 1254577-1254625). Same
# shape as the other ip:port rules: no flow, flags or payload keyword, so any
# TCP packet from $HOME_NET to the address and port matches; threshold caps
# output at one alert per source address per 60 seconds.
# NOTE(review): two destinations in this run use port 22 (172.65.149.128 and
# 199.195.251.103), so any outbound SSH to those addresses alerts. With no
# family named and first_seen 2024_04_08, check the referenced ThreatFox
# entry is still current before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [51.81.230.244] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254577; rev:1;)
alert tcp $HOME_NET any -> [51.89.251.242] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254578; rev:1;)
alert tcp $HOME_NET any -> [51.222.204.13] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254579; rev:1;)
alert tcp $HOME_NET any -> [79.133.46.200] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254580; rev:1;)
alert tcp $HOME_NET any -> [79.137.203.236] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254581; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.107] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254582; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.132] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254583; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.144] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254584; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.195] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254585; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.205] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254586; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.206] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254587; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.207] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254588; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.208] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254589; rev:1;)
alert tcp $HOME_NET any -> [85.203.42.64] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254590; rev:1;)
alert tcp $HOME_NET any -> [86.104.194.180] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254591; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.74] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254592; rev:1;)
alert tcp $HOME_NET any -> [91.103.253.34] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254593; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254594; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.172] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254595; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.32] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254596; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.72] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254597; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.79] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254598; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.51] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254599; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.66] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254600; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.193] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254601; rev:1;)
alert tcp $HOME_NET any -> [103.82.135.217] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254602; rev:1;)
alert tcp $HOME_NET any -> [135.148.124.223] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254603; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.123] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254604; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.200] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254605; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.9] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254606; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.20] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254607; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.25] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254608; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.26] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254609; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.28] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254610; rev:1;)
alert tcp $HOME_NET any -> [144.172.73.44] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254611; rev:1;)
alert tcp $HOME_NET any -> [144.217.16.164] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254612; rev:1;)
alert tcp $HOME_NET any -> [146.19.254.219] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254613; rev:1;)
alert tcp $HOME_NET any -> [149.56.79.118] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254614; rev:1;)
alert tcp $HOME_NET any -> [172.65.149.128] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254616; rev:1;)
alert tcp $HOME_NET any -> [159.253.120.116] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254615; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.66] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254617; rev:1;)
alert tcp $HOME_NET any -> [185.171.121.161] 420 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254618; rev:1;)
alert tcp $HOME_NET any -> [195.58.39.34] 6643 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254619; rev:1;)
alert tcp $HOME_NET any -> [198.98.57.36] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254620; rev:1;)
alert tcp $HOME_NET any -> [198.98.58.246] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254621; rev:1;)
alert tcp $HOME_NET any -> [205.185.119.42] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254623; rev:1;)
alert tcp $HOME_NET any -> [199.195.251.103] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254622; rev:1;)
alert tcp $HOME_NET any -> [209.141.35.229] 27358 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254624; rev:1;)
alert tcp $HOME_NET any -> [216.107.139.159] 9966 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254625; rev:1;)
# Domain IOCs (ThreatFox 1254627-1254638): exact, case-insensitive match on
# the queried name. Two entries (lydiari.mrbonus.com, pf7.prsv.ch) are
# multi-label hostnames; only the full name as written matches, so a query for
# the shorter parent name does not alert. The msg names no malware family.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninja-cnc.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poggo-proxy.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdnet-web.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leanc2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poggo-proxy.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naucosi.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-voidc2.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumshot.vip"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuclear.baby"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lydiari.mrbonus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pf7.prsv.ch"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuzzyproxy.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254627; rev:1;)
# ip:port IOC labelled DCRat, followed by further "Unknown malware" ip:port
# IOCs. As with the other ip:port rules, any TCP packet to the address and
# port matches and alerts are limited to one per source per 60 seconds.
alert tcp $HOME_NET any -> [94.156.71.184] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254626; rev:1;)
alert tcp $HOME_NET any -> [45.141.202.79] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254575; rev:1;)
alert tcp $HOME_NET any -> [51.81.115.26] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254576; rev:1;)
alert tcp $HOME_NET any -> [45.140.188.47] 911 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254574; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.138] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254572; rev:1;) alert tcp $HOME_NET any -> [45.128.232.169] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254573; rev:1;) alert tcp $HOME_NET any -> [45.128.232.85] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254570; rev:1;) alert tcp $HOME_NET any -> [45.128.232.100] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254571; rev:1;) alert tcp $HOME_NET any -> [41.216.182.208] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254569; rev:1;) alert tcp $HOME_NET any -> [23.160.193.4] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254565; rev:1;) alert tcp $HOME_NET any -> [23.160.193.10] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254566; rev:1;) alert tcp $HOME_NET any -> [23.160.194.106] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254567; rev:1;) alert tcp $HOME_NET any -> [38.45.100.58] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254568; rev:1;) alert tcp $HOME_NET any -> [15.204.18.204] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254561; rev:1;) alert tcp $HOME_NET any -> [15.204.211.81] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254563; rev:1;) alert tcp $HOME_NET any -> 
[15.204.240.170] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254564; rev:1;) alert tcp $HOME_NET any -> [5.196.239.182] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254560; rev:1;) alert tcp $HOME_NET any -> [15.204.22.165] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254562; rev:1;) alert tcp $HOME_NET any -> [5.39.34.46] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254557; rev:1;) alert tcp $HOME_NET any -> [5.196.162.1] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254559; rev:1;) alert tcp $HOME_NET any -> [5.181.80.64] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254558; rev:1;) alert tcp $HOME_NET any -> [2.58.95.55] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254556; rev:1;) alert tcp $HOME_NET any -> [185.216.70.169] 21425 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254675; rev:1;) alert tcp $HOME_NET any -> [85.204.116.22] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254673; rev:1;) alert tcp $HOME_NET any -> [85.204.116.206] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254674; rev:1;) alert tcp $HOME_NET any -> [85.204.116.20] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254671; rev:1;) alert tcp $HOME_NET any -> [85.204.116.21] 
61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254672; rev:1;) alert tcp $HOME_NET any -> [62.72.185.38] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254670; rev:1;) alert tcp $HOME_NET any -> [62.72.185.4] 16726 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcpsyn.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcpfin.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254668; rev:1;) alert tcp $HOME_NET any -> [45.55.197.133] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.mypowerzip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254648; rev:1;) alert tcp $HOME_NET any -> [139.59.127.44] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254645; rev:1;) alert tcp $HOME_NET any -> [146.190.5.80] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254646; rev:1;) alert tcp $HOME_NET any -> [51.195.124.239] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254644; rev:1;) alert tcp $HOME_NET any -> [62.122.184.51] 6017 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254641; rev:1;) alert tcp $HOME_NET any -> 
[193.26.115.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254642/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_08; classtype:trojan-activity; sid:91254642; rev:1;) alert tcp $HOME_NET any -> [80.66.87.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"80.66.87.240"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254665; rev:1;) alert tcp $HOME_NET any -> [54.144.199.247] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/7384/word-macros-not-working/"; depth:35; nocase; http.host; content:"defender.us.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254662; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"defender.us.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taek.cp-redteam.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"taek.cp-redteam.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254658/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.37.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.134.89.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hubcap/mayo-clinic-radio-full-shows/"; depth:37; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"170.106.178.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"111.123.250.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; 
depth:5; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254649; rev:1;) alert tcp $HOME_NET any -> [81.17.17.70] 1198 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254640; rev:1;) alert tcp $HOME_NET any -> [93.183.95.223] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254639; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 5851 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254555; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254553; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254554; rev:1;) alert tcp $HOME_NET any -> [110.41.21.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254552; rev:1;) alert tcp $HOME_NET any -> [141.98.7.56] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254551; rev:1;) alert tcp $HOME_NET any -> [8.137.116.204] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254548; rev:1;) alert tcp $HOME_NET any -> [175.178.78.176] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254547; rev:1;) alert tcp $HOME_NET any -> [39.105.141.35] 22222 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254549; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.39] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254550/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254550; rev:1;)
# NOTE(review): the 23 http rules that follow (sid:91254508 through sid:91254530) match an
# IPv4 literal at the start of the http.uri buffer (content:"<address>"; depth:<length>) and
# carry no http.host condition. The url rule that begins at the end of this group shows the
# other form used in this ruleset: the path in http.uri, the host in http.host, closed with
# isdataat:!1,relative.
# The normalized request URI normally begins with "/", so an address anchored at offset 0 of
# http.uri presumably does not match an ordinary request sent directly to that host; these
# rules likely alert rarely or never as written. Presumably the source IOC was a bare host
# with no scheme or path -- confirm against the referenced ThreatFox entries. Until that is
# resolved, do not count these sids as HTTP coverage for the listed addresses; a match on
# http.host or a destination-address rule would be needed to cover them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.34.69.249"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.27.107.169"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.45.100.58"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.89.251.242"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"41.216.182.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.123"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.103.253.34"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.10.46"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.133.46.200"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.222.204.13"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.109"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"205.185.119.42"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.35.18.98"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.203.42.64"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"199.195.251.103"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1254522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.131.99.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"159.253.120.116"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1254524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.35.18.35"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.217"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.249.48.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.208.103.203"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.66"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.43"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.188.47"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.61.188.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254539; rev:1;) alert tcp $HOME_NET any -> [45.178.6.2] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peurnick24.bumbleshrimp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.143.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"188.93.233.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"171.244.42.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"51.81.230.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"54.39.252.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"92.249.48.78"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; 
sid:91254546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"120.48.75.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254538; rev:1;) alert tcp $HOME_NET any -> [49.234.17.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"49.234.17.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.48.75.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254535; rev:1;) alert tcp $HOME_NET any -> [116.205.228.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254534/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254533; rev:1;) alert tcp $HOME_NET any -> [45.88.90.160] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"packetinfo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.ddosvps.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddosvps.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; 
sid:91254501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.przsc.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.przsc.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.przsc.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"przsc.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcjwcj.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254506; rev:1;) alert tcp $HOME_NET any -> [212.109.221.128] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254498; rev:1;) alert tcp $HOME_NET any -> [193.143.1.161] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254497; rev:1;) alert tcp $HOME_NET any -> [93.123.39.127] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254496; rev:1;) alert tcp $HOME_NET any -> [42.96.5.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254495; rev:1;) alert tcp $HOME_NET any -> [91.92.250.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254494; rev:1;) alert tcp $HOME_NET any -> [82.147.85.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; 
sid:91254493; rev:1;) alert tcp $HOME_NET any -> [38.180.45.153] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254492; rev:1;) alert tcp $HOME_NET any -> [91.202.233.174] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254491; rev:1;) alert tcp $HOME_NET any -> [45.82.152.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254490; rev:1;) alert tcp $HOME_NET any -> [109.120.184.181] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254489; rev:1;) alert tcp $HOME_NET any -> [38.47.101.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254488; rev:1;) alert tcp $HOME_NET any -> [99.196.212.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254487; rev:1;) alert tcp $HOME_NET any -> [39.106.250.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254486; rev:1;) alert tcp $HOME_NET any -> [39.106.250.105] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254485; rev:1;) alert tcp $HOME_NET any -> [143.244.200.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254484; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20008 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254483; rev:1;) alert tcp $HOME_NET any -> [167.71.184.214] 808 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254482; rev:1;) alert tcp $HOME_NET any -> [34.159.237.198] 6668 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254322; rev:1;) alert tcp $HOME_NET any -> [5.253.246.12] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254321; rev:1;) alert tcp $HOME_NET any -> [193.181.23.187] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254323; rev:1;) alert tcp $HOME_NET any -> [154.44.25.185] 36912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254477; rev:1;) alert tcp $HOME_NET any -> [41.142.31.190] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/927339792"; depth:20; nocase; http.host; content:"140.82.61.49"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254481; rev:1;) alert tcp $HOME_NET any -> [193.222.96.11] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254480; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 5515 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254478; rev:1;) alert tcp $HOME_NET any -> [172.111.131.97] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254476; rev:1;) alert tcp $HOME_NET any -> [193.32.149.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254475; rev:1;) alert tcp $HOME_NET any -> [45.84.1.227] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254474; rev:1;) alert tcp $HOME_NET any -> [45.141.87.233] 39200 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254473; rev:1;) alert tcp $HOME_NET any -> [185.154.52.150] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254472; rev:1;) alert tcp $HOME_NET any -> [38.60.200.161] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254471; rev:1;) alert tcp $HOME_NET any -> [38.54.111.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254470; rev:1;) alert tcp $HOME_NET any -> [154.12.30.6] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254469; rev:1;) alert tcp $HOME_NET any -> [35.241.117.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254468/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254468; rev:1;) alert tcp $HOME_NET any -> [35.234.1.138] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254466; rev:1;) alert tcp $HOME_NET any -> [35.234.1.138] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254467; rev:1;) alert tcp $HOME_NET any -> [43.251.159.58] 46675 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254465; rev:1;) alert tcp $HOME_NET any -> [43.245.199.144] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254464; rev:1;) alert tcp $HOME_NET any -> [38.147.171.19] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254462; rev:1;) alert tcp $HOME_NET any -> [38.147.171.19] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254463; rev:1;) alert tcp $HOME_NET any -> [38.147.171.19] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254461; rev:1;) alert tcp $HOME_NET any -> [114.115.220.199] 9963 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254460; rev:1;) alert tcp $HOME_NET any -> [206.237.2.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254459; rev:1;) alert tcp $HOME_NET any -> [148.135.72.115] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254458; rev:1;) alert tcp $HOME_NET any -> [54.250.253.8] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; 
sid:91254456; rev:1;) alert tcp $HOME_NET any -> [54.250.253.8] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254457; rev:1;) alert tcp $HOME_NET any -> [18.176.57.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254455; rev:1;) alert tcp $HOME_NET any -> [154.92.14.6] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254454; rev:1;) alert tcp $HOME_NET any -> [20.237.62.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254453; rev:1;) alert tcp $HOME_NET any -> [20.124.95.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254451; rev:1;) alert tcp $HOME_NET any -> [20.124.95.169] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irreceiver.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk.luckyu.icu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254449; rev:1;) alert tcp $HOME_NET any -> [192.227.155.158] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254448; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254447; rev:1;) alert tcp $HOME_NET any -> [23.94.123.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254446; rev:1;) alert tcp 
$HOME_NET any -> [206.189.182.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254445; rev:1;) alert tcp $HOME_NET any -> [206.189.182.123] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254444; rev:1;) alert tcp $HOME_NET any -> [206.189.113.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alipan.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254442; rev:1;) alert tcp $HOME_NET any -> [152.42.188.132] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254440; rev:1;) alert tcp $HOME_NET any -> [152.42.188.132] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254441; rev:1;)
# --- Cobalt Strike ip:port IOCs (ThreatFox confidence 100, first_seen 2024_04_07) ---
# No flow or payload keywords: a TCP packet from $HOME_NET to the listed address and port is
# enough to alert, so a hit shows a connection attempt rather than a confirmed beacon session.
# The threshold (type limit, track by_src, seconds 60, count 1) yields at most one alert per
# source address per 60 seconds for each sid.
# Rules on ports 80 and 443 do not look at HTTP or TLS content; pair an alert with the HTTP/TLS
# log entry for the same flow to see what was actually requested.
# Several addresses appear on more than one port (e.g. 47.236.185.166, 101.201.54.74,
# 114.55.1.119, 47.98.247.113), so grouping alerts by destination address gives a cleaner view
# than grouping by sid.
alert tcp $HOME_NET any -> [47.236.185.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254438; rev:1;)
alert tcp $HOME_NET any -> [47.236.185.166] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254439; rev:1;)
alert tcp $HOME_NET any -> [47.236.171.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254437; rev:1;)
alert tcp $HOME_NET any -> [8.212.71.0] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254436; rev:1;)
alert tcp $HOME_NET any -> [124.70.158.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254435; rev:1;)
alert tcp $HOME_NET any -> [116.205.185.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254434; rev:1;)
alert tcp $HOME_NET any -> [110.41.17.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254433; rev:1;)
alert tcp $HOME_NET any -> [60.204.217.11] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254432; rev:1;)
alert tcp $HOME_NET any -> [1.94.2.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254431; rev:1;)
alert tcp $HOME_NET any -> [123.56.182.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254430; rev:1;)
alert tcp $HOME_NET any -> [47.98.247.113] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254422; rev:1;)
alert tcp $HOME_NET any -> [47.116.213.137] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254423; rev:1;)
alert tcp $HOME_NET any -> [101.201.54.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254424; rev:1;)
alert tcp $HOME_NET any -> [101.201.54.74] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254425; rev:1;)
alert tcp $HOME_NET any -> [114.55.1.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254426; rev:1;)
alert tcp $HOME_NET any -> [114.55.1.119] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254427; rev:1;)
alert tcp $HOME_NET any -> [120.55.75.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254428; rev:1;)
alert tcp $HOME_NET any -> [120.78.90.43] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254429; rev:1;)
alert tcp $HOME_NET any -> [39.100.111.77] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254417; rev:1;)
alert tcp $HOME_NET any -> [39.101.204.250] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254418; rev:1;)
alert tcp $HOME_NET any -> [39.104.200.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254419; rev:1;)
alert tcp $HOME_NET any -> [39.106.77.203] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254420; rev:1;)
alert tcp $HOME_NET any -> [47.98.247.113] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254421; rev:1;)
alert tcp $HOME_NET any -> [8.130.118.27] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254414; rev:1;)
alert tcp $HOME_NET any -> [8.130.121.45] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254415; rev:1;)
alert tcp $HOME_NET any -> [39.100.107.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254416; rev:1;)
alert tcp $HOME_NET any -> [43.143.170.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254408; rev:1;)
alert tcp $HOME_NET any -> [81.71.18.121] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254409; rev:1;)
alert tcp $HOME_NET any -> [81.71.127.160] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254410; rev:1;)
alert tcp $HOME_NET any -> [101.34.221.218] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254411; rev:1;)
alert tcp $HOME_NET any -> [114.132.62.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254412; rev:1;)
alert tcp $HOME_NET any -> [175.24.133.215] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254413; rev:1;)
alert tcp $HOME_NET any -> [1.14.202.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254402; rev:1;)
alert tcp $HOME_NET any -> [1.14.202.205]
8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254403; rev:1;)
# Cobalt Strike ip:port IOCs: no flow or payload keywords, so a TCP packet from $HOME_NET to
# the listed address and port is enough to alert; the threshold limits output to one alert per
# source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [42.192.53.52] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254404; rev:1;)
alert tcp $HOME_NET any -> [43.138.72.60] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254405; rev:1;)
# NOTE(review): 50050 is the default Cobalt Strike team-server management port; an entry on
# that port presumably comes from internet scanning rather than observed beacon traffic --
# confirm against the reference.
alert tcp $HOME_NET any -> [43.138.111.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254406; rev:1;)
alert tcp $HOME_NET any -> [43.143.165.217] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254407; rev:1;)
# --- DarkComet ip:port IOCs (ThreatFox confidence 100, first_seen 2024_04_07) ---
# A small set of addresses beginning 187.135. is listed once per port, so one destination maps
# to many sids. Because the threshold is tracked per sid, a host that touches several listed
# ports on the same address raises one alert per port; group by destination address in triage.
# Some listed ports are also the usual ports of unrelated services (1723 PPTP, 1883 MQTT,
# 2181 ZooKeeper). The rules match on address and port only and do not inspect the protocol,
# so use flow and endpoint data to establish what the connection actually was.
alert tcp $HOME_NET any -> [187.135.122.238] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254401; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254391; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254392; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254393; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254394; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254395; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254396; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254397; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254398; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254399; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254400; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254381; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254382; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254383; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 1892 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254384; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254385; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 1648 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254386; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254387; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254388; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254389; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254390; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254372; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254373; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254374; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254375; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254376; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254377; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254378; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254379; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254380; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254362; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254363; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254364; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254365; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254366; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254367; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1982 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254368; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254369; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254370; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254371; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254356; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254357; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254358; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254359; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254360; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254361/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254361; rev:1;)
# DarkComet ip:port IOC: address and port match only, no flow or payload keywords.
alert tcp $HOME_NET any -> [105.101.65.139] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254355; rev:1;)
# --- AsyncRAT ip:port IOCs (ThreatFox confidence 100, first_seen 2024_04_07) ---
# A TCP packet from $HOME_NET to the listed address and port is enough to alert, so a hit
# shows a connection attempt, not a confirmed C2 session. The threshold (type limit, track
# by_src, seconds 60, count 1) gives at most one alert per source address per 60 seconds for
# each sid. Use flow records and, where available, TLS or endpoint telemetry for the source
# host to confirm before escalating; re-check the reference URL for the IOC's current status.
alert tcp $HOME_NET any -> [172.111.245.98] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254354; rev:1;)
alert tcp $HOME_NET any -> [128.90.103.14] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254349; rev:1;)
alert tcp $HOME_NET any -> [128.90.103.14] 1018 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254350; rev:1;)
alert tcp $HOME_NET any -> [146.103.11.88] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254351; rev:1;)
alert tcp $HOME_NET any -> [172.94.8.100] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254352; rev:1;)
alert tcp $HOME_NET any -> [172.111.245.38] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254353; rev:1;)
alert tcp $HOME_NET any -> [5.63.21.76] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254342; rev:1;)
alert tcp $HOME_NET any -> [15.204.170.41] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254343; rev:1;)
alert tcp $HOME_NET any -> [38.180.31.223] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254344; rev:1;)
alert tcp $HOME_NET any -> [95.216.41.33] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254345; rev:1;)
# ip:port indicators. Each rule below names a single destination address and port and carries no
# flow or content keywords, so it matches any TCP packet from $HOME_NET to that endpoint,
# including a connection attempt that is never answered. An alert therefore shows contact with
# the listed endpoint, not the malware protocol itself; confirm on the source host.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per
# internal source address per 60 seconds. target:src_ip marks the $HOME_NET side as the target
# in the alert record.
# NOTE(review): these entries carry first_seen 2024_04_07, while the file header gives a last
# update of 2024-07-26. Address-based indicators can be reassigned over that span; check the
# referenced ThreatFox entry before acting on a hit.
alert tcp $HOME_NET any -> [103.47.147.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254346; rev:1;)
# NOTE(review): port 22 here and port 80 in the ERMAC rules below are also ordinary service
# ports, so legitimate traffic to the same address would raise the same alert.
alert tcp $HOME_NET any -> [123.253.32.76] 22 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254347; rev:1;)
alert tcp $HOME_NET any -> [128.90.102.230] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254348; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.186] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254341; rev:1;)
alert tcp $HOME_NET any -> [185.102.172.72] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254340; rev:1;)
alert tcp $HOME_NET any -> [173.212.219.194] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254339/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254339; rev:1;) alert tcp $HOME_NET any -> [91.92.255.150] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254338; rev:1;) alert tcp $HOME_NET any -> [45.128.96.116] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254337; rev:1;) alert tcp $HOME_NET any -> [20.55.63.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254336; rev:1;) alert tcp $HOME_NET any -> [79.137.207.33] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254335; rev:1;) alert tcp $HOME_NET any -> [159.203.174.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254334; rev:1;) alert tcp $HOME_NET any -> [39.99.225.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254333; rev:1;)
# The rules in this group carry "metadata: confidence_level 50", the lowest value used in this
# part of the file, and most of them point at port 80 or 443. They match on address and port
# only, so any web traffic from $HOME_NET to the same address raises the same alert.
# NOTE(review): consider routing confidence_level 50 hits to a lower-priority queue, or
# filtering on the metadata key when loading the ruleset, and confirm each hit with host or
# proxy evidence.
alert tcp $HOME_NET any -> [184.89.62.16] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254332; rev:1;)
alert tcp $HOME_NET any -> [173.255.230.190] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254331; rev:1;)
# The address in the next rule (8.217.88.225) is listed a second time in this file on port
# 65503, labelled DCRat at confidence level 100 (sid 91254282). A host alerting on both sids is
# talking to one endpoint that the feed attributes to two families.
alert tcp $HOME_NET any -> [8.217.88.225] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254330; rev:1;)
alert tcp $HOME_NET any -> [154.12.179.67] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254329; rev:1;)
alert tcp $HOME_NET any -> [110.40.133.81] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254328; rev:1;)
alert tcp $HOME_NET 
any -> [137.220.197.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254327; rev:1;) alert tcp $HOME_NET any -> [116.203.56.238] 1194 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254326; rev:1;) alert tcp $HOME_NET any -> [103.137.27.83] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254325; rev:1;) alert tcp $HOME_NET any -> [103.99.178.207] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254324; rev:1;) alert tcp $HOME_NET any -> [194.26.192.34] 666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254265; rev:1;) alert tcp $HOME_NET any -> [2.58.56.66] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254266/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254266; rev:1;) alert tcp $HOME_NET any -> [86.242.42.233] 1194 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254267; rev:1;) alert tcp $HOME_NET any -> [128.199.66.119] 18982 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254268; rev:1;) alert tcp $HOME_NET any -> [181.162.141.33] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254270; rev:1;) alert tcp $HOME_NET any -> [147.45.189.30] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254269; rev:1;) alert tcp $HOME_NET any -> [181.162.177.83] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254271; rev:1;) alert tcp $HOME_NET any -> [185.245.183.74] 2 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254272; rev:1;) alert tcp $HOME_NET any -> [187.35.7.95] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254273; rev:1;) alert tcp $HOME_NET any -> [189.110.0.220] 6653 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254274; rev:1;) alert tcp $HOME_NET any -> [191.82.201.30] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254275; rev:1;) alert tcp $HOME_NET any -> [191.82.231.105] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254276; rev:1;) alert tcp $HOME_NET any -> [128.199.66.119] 57411 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254277; 
rev:1;) alert tcp $HOME_NET any -> [1.14.126.22] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254280; rev:1;) alert tcp $HOME_NET any -> [8.210.3.81] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cd.qqweixinzhuce.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254320; rev:1;) alert tcp $HOME_NET any -> [8.217.88.225] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254282; rev:1;) alert tcp $HOME_NET any -> [8.217.140.110] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254283; rev:1;) alert tcp $HOME_NET any -> [8.217.225.19] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254284; rev:1;)
# URL indicator. The next rule requires an established client-to-server flow and a GET request.
# The http.uri match is anchored at the start of the URI (depth:25 equals the string length)
# and is case-insensitive, but nothing asserts the end of the buffer, so a longer URI that
# begins with this path (for example one with a query string) also matches. The http.host match
# is anchored at both ends (depth:20 plus isdataat:!1,relative), so only this exact host name
# matches.
# The rule has no threshold keyword, so every matching request produces an alert.
# NOTE(review): the rule only sees HTTP that Suricata can parse in clear text. The DNS rule for
# the same name (sid 91254320) is the one that would still fire if the request went over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"cd.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254319; rev:1;)
alert tcp $HOME_NET any -> [8.218.27.81] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254285; rev:1;)
alert tcp $HOME_NET any -> [38.147.172.16] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254286; rev:1;)
alert tcp $HOME_NET any -> [39.101.177.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254287; rev:1;)
alert tcp $HOME_NET any -> [47.76.41.68] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254288; rev:1;)
classtype:trojan-activity; sid:91254288; rev:1;) alert tcp $HOME_NET any -> [47.242.64.202] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254289; rev:1;) alert tcp $HOME_NET any -> [47.243.4.123] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254290; rev:1;) alert tcp $HOME_NET any -> [58.87.70.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254291; rev:1;) alert tcp $HOME_NET any -> [88.99.214.187] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254292; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254293; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254294; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254295; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254296; rev:1;) alert tcp $HOME_NET any -> [91.92.250.207] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254297; rev:1;) alert tcp $HOME_NET any -> [91.92.255.244] 8845 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254298; rev:1;) alert tcp $HOME_NET any -> [91.92.255.244] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254299; rev:1;) alert tcp $HOME_NET any -> [91.92.255.249] 8845 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254300; rev:1;) alert tcp $HOME_NET any -> [91.92.255.249] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254301; rev:1;) alert tcp $HOME_NET any -> [144.91.127.15] 4546 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254302; rev:1;) alert tcp $HOME_NET any -> [160.20.109.7] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254303; rev:1;) alert tcp $HOME_NET any -> [206.233.128.142] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254304; rev:1;) alert tcp $HOME_NET any -> [206.238.43.147] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; 
sid:91254305; rev:1;)
alert tcp $HOME_NET any -> [206.238.196.192] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254306; rev:1;)
alert tcp $HOME_NET any -> [211.101.247.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254307; rev:1;)
# Domain indicators. Each dns_query rule below matches the queried name case-insensitively and
# anchors it at both ends: depth equals the length of the string and isdataat:!1,relative
# asserts that nothing follows it. Only a lookup of exactly this name matches; a subdomain of
# it or a longer name that merely contains it does not.
# These rules have no threshold keyword, so every matching query produces an alert, and
# repeated lookups from one host yield repeated alerts.
# An alert here records a name lookup from $HOME_NET, not a completed connection to the
# resolved address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marinion.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooty.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254309; rev:1;)
# NOTE(review): the name in the next rule is matched again, with identical options, by
# sid 91254256 (ThreatFox entry 1254256) further down this file. With both rules loaded, one
# lookup raises two alerts; deduplicate when counting affected hosts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254310; rev:1;)
alert tcp $HOME_NET any -> [103.67.197.152] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254311; rev:1;) alert tcp $HOME_NET any -> [84.54.51.35] 6788 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254312; rev:1;) alert tcp $HOME_NET any -> [23.95.182.31] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254313; rev:1;) alert tcp $HOME_NET any -> [46.102.174.17] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254314; rev:1;) alert tcp $HOME_NET any -> [185.65.205.158] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254315; rev:1;) alert tcp $HOME_NET any -> [185.224.128.34] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254316; rev:1;) alert tcp $HOME_NET any -> [185.94.29.111] 1302 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254317/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"softultra.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254318; rev:1;) alert tcp $HOME_NET any -> [137.184.10.195] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254278; rev:1;) alert tcp $HOME_NET any -> [185.196.10.155] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254279; rev:1;) alert tcp $HOME_NET any -> [81.19.137.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254258; rev:1;) alert tcp $HOME_NET any -> [91.92.248.202] 2301 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1254259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254259; rev:1;) alert tcp $HOME_NET any -> [91.92.254.44] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254260; rev:1;) alert tcp $HOME_NET any -> [94.156.64.122] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254261; rev:1;) alert tcp $HOME_NET any -> [172.94.73.162] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254262; rev:1;) alert tcp $HOME_NET any -> [192.210.255.140] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254263; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 14620 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254256; rev:1;)
# NOTE(review): the rule completed on the line above (sid 91254256) repeats the
# net-killer.ddns.net match of sid 91254310 with identical options; only the sid and the
# ThreatFox reference differ. With both loaded, one lookup of that name raises two alerts.
# The dns_query rules below are exact-name matches (depth equals the string length, plus
# isdataat:!1,relative). The first covers only the "sex." host label shown, not the parent
# domain or any sibling label under it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254255; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.209] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254257; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 12117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/j.ad"; depth:5; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254252; rev:1;) alert tcp $HOME_NET any -> [193.149.187.16] 443 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254251; rev:1;) alert tcp $HOME_NET any -> [94.98.185.133] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254250; rev:1;) alert tcp $HOME_NET any -> [45.154.96.48] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254249; rev:1;) alert tcp $HOME_NET any -> [82.67.69.234] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254248; rev:1;) alert tcp $HOME_NET any -> [45.74.50.53] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254247; rev:1;) alert tcp $HOME_NET any -> [185.174.101.246] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254246; rev:1;) alert tcp $HOME_NET any -> [195.3.223.146] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254245/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254245; rev:1;) alert tcp $HOME_NET any -> [128.90.103.14] 9443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254244/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254244; rev:1;) alert tcp $HOME_NET any -> [2.58.56.216] 38382 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254243; rev:1;) alert tcp $HOME_NET any -> [45.63.121.237] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254242; rev:1;) alert tcp $HOME_NET any -> [23.224.4.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1254241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254241; rev:1;)
# The rules below carry confidence_level 50, and the first four name no malware
# family ("Unknown malware"). Each one matches on destination address and port
# only: any TCP packet from $HOME_NET to that endpoint alerts, at most once per
# source host per 60 seconds.
# NOTE(review): treat hits as leads to correlate with endpoint or proxy data;
# the metadata confidence_level value can be used to route these separately
# from the confidence 100 rules.
alert tcp $HOME_NET any -> [139.180.157.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254240; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254239; rev:1;)
alert tcp $HOME_NET any -> [108.61.250.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254238; rev:1;)
alert tcp $HOME_NET any -> [146.56.214.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254237; rev:1;)
# Port 443 with no payload keyword: the alert shows that a host sent a packet to
# this address, not what was exchanged inside the session.
alert tcp $HOME_NET any -> [154.90.63.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254236; rev:1;)
alert tcp $HOME_NET any -> 
[45.152.115.131] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254235; rev:1;) alert tcp $HOME_NET any -> [45.156.85.187] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254234; rev:1;) alert tcp $HOME_NET any -> [94.237.56.207] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wave-assistant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254223; rev:1;) alert tcp $HOME_NET any -> [185.125.50.49] 48860 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/secure7multi/temporaryjavascript0base/7/eternalimagetoprocessorcentral.php"; depth:75; nocase; http.host; content:"77.105.161.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9cac53e5e9ec7ba.php"; depth:21; nocase; http.host; content:"62.113.119.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadtempcentraldownloads.php"; depth:32; nocase; http.host; content:"267097cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.111.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254228; rev:1;) alert tcp $HOME_NET any -> [160.178.39.123] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254227/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254227; rev:1;)
# The next two rules reference the same address, 120.78.65.206. The first needs
# a parsed HTTP GET whose Host equals that address and whose URI begins with
# "/yixc" (confidence 75); it does not restrict the destination port. The second
# matches any TCP packet to port 44444 (labelled Cobalt Strike, confidence 100).
# One session can therefore raise both sids; correlate them by source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yixc"; depth:5; nocase; http.host; content:"120.78.65.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254226; rev:1;)
alert tcp $HOME_NET any -> [120.78.65.206] 44444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254225; rev:1;)
# Address-and-port match only, on port 443: the rule cannot tell C2 from any
# other connection to this address. NOTE(review): confirm with TLS or flow logs.
alert tcp $HOME_NET any -> [185.123.53.250] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254224; rev:1;)
# URL rules: the http.uri content has depth but no end anchor, so it is a prefix
# match (a URI that continues past "/login.php", e.g. with a query string, also
# matches), while http.host is pinned exactly by depth plus isdataat:!1,relative.
# Coverage is limited to method GET on sessions Suricata parsed as HTTP; the same
# URL requested over TLS is not seen by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"194.33.191.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"24.199.71.49"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"64.23.168.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"103.54.57.251"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"91.194.135.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"147.45.45.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254191; rev:1;)
# URL rules for login pages. Each requires a parsed HTTP GET whose URI begins
# with the listed path and whose Host equals the listed value exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"212.64.217.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webpanel/login.php"; depth:19; nocase; http.host; content:"www.guncelmetin2hile.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254192; rev:1;)
# The host values in the next two rules are full names under a larger parent
# domain. Because http.host must equal the whole value, other names under the
# same parent do not trigger these rules.
# NOTE(review): the parents look like shared hosting providers; if a blocklist
# is derived from these rules, scope it to the full host name, not the parent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"mileminer.000webhostapp.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unamwebpanel-master/unamwebpanel/pages/login.php"; depth:49; nocase; http.host; content:"toktokwebpanel.elementfx.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254194; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"scarwrld.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"badtrippaap.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nam/pages/login.php"; depth:20; nocase; http.host; content:"anbu.bond"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"173.201.180.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pages/login.php"; depth:16; nocase; http.host; content:"modules.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"linkerfunyfile.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awdrgyj/pages/login.php"; depth:24; nocase; http.host; content:"46.23.108.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"dvr.getenjoyment.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"95.216.253.55"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"vh373519.hostline.su"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"smartpanel.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"18.191.246.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dxrxcloud.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254143; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"12pintsandacurry.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254144; rev:1;)
# In this run the URI condition is content:"/" with depth:1, which any request
# path beginning with "/" satisfies. The rules therefore reduce to: a parsed
# HTTP GET whose Host equals the listed name exactly. Every GET to the host
# alerts, whatever page is requested.
# NOTE(review): the feed rates these at confidence 100, but the rule itself
# carries no path or payload evidence; check the requested URI and the client
# process in HTTP or endpoint logs before treating a hit as C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"temptraffsolutions.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ultralowsulphurgas.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254146; rev:1;)
# Host is matched as a whole name: this rule covers mailhost.freemsk.org only,
# not other names under freemsk.org.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mailhost.freemsk.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"gordeeva.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"trattles.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"whukkers.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"davidpeterinteriors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"simplyavailable.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cartelsclothing.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blythwood-plant.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dumpthedebt.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"miopart.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"celebrationgenerator.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reginacrowley.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"diyshopper.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"designgeneralstore.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"office.freemsk.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254162/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eastlothianpropertymanagement.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.66.25"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"freemsk.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.simplyavailable.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.66.4"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ganjawars.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"0p2q9.com.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"tectumio.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.229"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254094/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.221.148.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"46.226.166.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.40.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254098/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.255.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.177.177"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"217.196.98.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254101/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254101; rev:1;) alert tcp $HOME_NET any -> [147.45.47.65] 47232 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254102; rev:1;) alert tcp $HOME_NET any -> [91.92.253.221] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254138; rev:1;)
# Review note: the ip:port rule that ends above (sid 91254138, labelled Loki
# Password Stealer, port 80) and the URL rule below name the same address,
# 91.92.253.221, so one cleartext GET to this path can raise both alerts.
# The URL rule tests http.method for GET only. NOTE(review): gates named
# fre.php are commonly reported as POST endpoints for this family - confirm
# against a capture. If so, this 100%-confidence rule stays silent on real
# check-ins and only the 75%-confidence ip:port rule fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dtyedh/five/fre.php"; depth:20; nocase; http.host; content:"91.92.253.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254137; rev:1;)
# Review note: the following rules pair one URI prefix, /medical/plan/oslo/,
# with a different host each. Every host is pinned exactly (depth equal to the
# content length plus isdataat:!1,relative), so a further domain serving the
# same path is not covered by this feed; a local proxy-log search on the path
# alone complements them. target:src_ip marks the $HOME_NET client as the
# affected endpoint in the alert record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"iseberkis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"dumingas.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"musarno.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254141; rev:1;) alert tcp $HOME_NET any -> [185.196.10.155] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/category/research-2/"; depth:21; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254213; rev:1;) alert tcp $HOME_NET any -> [78.24.217.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254212; rev:1;) alert tcp $HOME_NET any -> [45.63.121.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254211; rev:1;) alert tcp $HOME_NET any -> [149.88.67.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254210; rev:1;) alert tcp $HOME_NET any -> [23.224.4.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254209; rev:1;) alert tcp $HOME_NET any -> [23.224.4.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254195; rev:1;) alert tcp $HOME_NET any -> [130.43.22.207] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254184; rev:1;) alert tcp $HOME_NET any -> [165.22.39.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254183; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20017 (msg:"ThreatFox BianLian botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254182; rev:1;)
# Review note (ip:port rules): these rules carry no flow, flags or payload
# keyword, so the header alone decides the match - protocol tcp, source in
# $HOME_NET, the listed destination address and port. An unanswered SYN is
# enough to alert; a hit shows an attempted connection, not an established
# session, so confirm with flow records before escalating.
# threshold type limit / track by_src / seconds 60 / count 1 caps output at
# one alert per source address per 60 seconds for each sid; it rate-limits
# alerts and does not narrow what matches.
# Each destination port of 185.234.216.209 has its own sid, so one client
# touching several of these ports raises one alert per port. All are marked
# confidence_level 50 with first_seen 2024_04_06: treat a hit as a lead to
# corroborate, and re-check the referenced IOC page before acting on an
# address that may since have changed hands.
alert tcp $HOME_NET any -> [185.234.216.209] 20007 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254181; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20009 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254179; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20002 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254180; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20005 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254178; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20003 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254176; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254177; rev:1;) alert tcp $HOME_NET any -> [72.255.55.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"172.111.218.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254174; rev:1;) alert tcp $HOME_NET any -> [217.237.84.33] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254173; rev:1;) alert tcp $HOME_NET any -> [94.237.50.44] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.34.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254170; rev:1;) alert tcp $HOME_NET any -> [89.105.201.43] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"altaskifer.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"christmascookie.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254079; rev:1;) alert tcp $HOME_NET any -> [185.196.10.207] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"ezz.ust.cx"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254088; rev:1;) alert tcp $HOME_NET any -> [93.123.85.166] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"zarya-amura.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sunvi.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"akros.in.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254091; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d4d3a49ccbc77eb.php"; depth:21; nocase; http.host; content:"89.105.201.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254089; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nodejsmysql.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254085; rev:1;) alert tcp $HOME_NET any -> [154.204.176.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254084; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254083; rev:1;) 
# Review note: dns_query is the older spelling of the dns.query sticky buffer.
# The content is anchored at both ends (depth equals the content length,
# isdataat:!1,relative forbids trailing bytes), so only a query for exactly
# nodejsmysql.com matches; a lookup of any subdomain does not. The rule fires
# on the query itself, whether or not the name resolves.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nodejsmysql.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254082; rev:1;)
# Review note: this rule has the same match conditions as sid 91254085 earlier
# in this file (GET, /jquery-3.3.1.min.js prefix, host nodejsmysql.com); the
# two differ only in sid and reference. One request therefore raises two
# alerts - deduplicate on host and URI in the alert pipeline, or suppress one
# sid in local threshold configuration, rather than editing the feed file,
# which the next update would overwrite.
# The URI is a common library file name; the exact host pin is what gives the
# rule its specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nodejsmysql.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"49.232.214.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254080; rev:1;)
# Review note: the ip:port rule below and the URL rule after it name the same
# address, 164.155.128.124. The ip:port rule matches on the TCP header alone
# (destination port 443). The URL rule needs HTTP the sensor can parse, so if
# the traffic on 443 is TLS and is not decrypted upstream, only the ip:port
# rule is expected to fire - presumably the URL IOC was observed over HTTPS;
# verify on the referenced IOC page.
alert tcp $HOME_NET any -> [164.155.128.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.128.124"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254077; rev:1;) alert tcp $HOME_NET any -> [123.57.143.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"123.57.143.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254075; rev:1;) alert tcp $HOME_NET any -> [154.204.176.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254074; rev:1;) alert tcp $HOME_NET any -> [111.230.117.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.230.207.253"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.117.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.121.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254070; rev:1;) alert tcp $HOME_NET any -> [42.192.53.52] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"i.xlei.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254067; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i.xlei.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254068; rev:1;) alert tcp $HOME_NET any -> [116.205.189.199] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"206.189.182.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.236.230.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"107.151.247.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254063/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_06; classtype:trojan-activity; sid:91254063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.151.247.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"110.34.30.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"altaskifer.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254058/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254058; rev:1;) alert tcp $HOME_NET any -> [89.105.201.240] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254057; rev:1;) alert tcp $HOME_NET any -> [154.9.255.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254056; rev:1;)
# ip:port indicators. Each rule below alerts on TCP traffic from $HOME_NET to one
# listed destination address and port; there is no payload, flow-state or
# application-layer condition, so the address/port pair is the whole signature.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds, and target:src_ip marks the internal
# source host as the affected side in the event record.
# confidence_level in metadata is the feed's own rating (50 for every rule in this
# group). NOTE(review): with nothing but an address and port to go on, a hit is
# best treated as a lead to corroborate against host telemetry and the linked
# ThreatFox entry, not as proof of compromise.
alert tcp $HOME_NET any -> [109.120.177.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254055; rev:1;)
alert tcp $HOME_NET any -> [23.224.4.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254054; rev:1;)
alert tcp $HOME_NET any -> [23.224.4.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254053; rev:1;)
alert tcp $HOME_NET any -> [216.224.119.201] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254052; rev:1;)
alert tcp $HOME_NET any -> [74.48.129.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254051; rev:1;)
alert tcp $HOME_NET any -> [41.97.189.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254050; rev:1;)
alert tcp $HOME_NET any -> [4.236.36.4] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254049; rev:1;)
alert tcp $HOME_NET any -> [62.72.26.78] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254048; rev:1;)
alert tcp $HOME_NET any -> [52.223.20.75] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254047; rev:1;)
alert tcp $HOME_NET any -> [88.130.123.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254046; rev:1;)
alert tcp $HOME_NET any -> [104.156.255.239] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; 
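classtype:trojan-activity; sid:91254045; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.48] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254044; rev:1;)
# Review note on the "url" rules for feed ids 1253916-1253969 (sids 91253916-91253969):
# as published, each of them looked for the indicator's IP address or hostname in
# http.uri (http.uri; content:"<host>"; depth:N; nocase;). For an ordinary GET the
# http.uri buffer holds the request path and starts with "/", so a host string
# anchored at offset 0 of that buffer is not expected to match and the rule stays
# silent. The host is matched in http.host instead, with the exact-match idiom the
# other url rules of this file use (depth equal to the pattern length, followed by
# isdataat:!1,relative). nocase is dropped: http.host is normalized to lower case
# and Suricata does not accept nocase on it; every pattern here is already lower case.
# The original ThreatFox URLs are not shown here, so this assumes each indicator
# was a bare host without a path - confirm against the referenced IOC entry.
# sid and rev are left as published. The lasting fix belongs in the feed generator;
# a locally edited copy should carry its own rev or a local sid so that the next
# feed update does not silently restore the http.uri form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"135.125.124.72"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"8.20.255.249"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"201.222.146.184"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"148.153.34.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"132.148.79.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"132.148.73.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"139.144.31.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.131.108.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"38.242.240.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"51.68.146.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"94.16.122.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.106.94.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"15.235.143.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"104.200.28.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.76.223.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.79.174.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"161.97.98.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"154.61.75.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"161.97.97.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"158.220.90.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"155.138.203.158"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"57.128.83.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"139.180.185.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.95.108.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"66.135.31.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"172.232.186.100"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"23.226.138.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"154.12.248.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"178.18.246.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"94.72.104.80"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"209.126.86.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"192.9.135.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253917; rev:1;)
alert tcp $HOME_NET any -> [8.220.200.34] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"194.233.91.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"172.232.173.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"139.180.137.30"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"149.28.189.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"vmd129057.contaboserver.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"24.199.109.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.154.24.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"103.151.20.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"129.153.135.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"129.213.54.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.122.200.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.134.126.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"85.215.162.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"67.21.33.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.85.235.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"109.123.244.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.87.148.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.122.186.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"129.213.79.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.122.128.77"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"129.80.253.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"150.136.16.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 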
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"202.61.141.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.229.60.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"104.168.122.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"8.134.69.22"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; 
http.host; content:"39.101.70.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"38.6.218.204"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.175.35.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"120.48.99.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"117.72.9.31"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253981/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.70.143.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"101.35.198.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.5.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"20.205.173.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.132.193.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253986; rev:1;)
# ---------------------------------------------------------------------------
# HTTP URL indicators, "botnet C2 traffic" (confidence_level 100, first_seen 2024_04_06).
# How each rule in this run matches:
#   - http.method must be GET.
#   - http.uri: content + depth equal to the pattern length pins the path to the
#     start of the URI, and nocase applies to this pattern. Nothing anchors the
#     end, so the path is a prefix match (longer URIs with the same start also fire).
#   - http.host: content + depth + isdataat:!1,relative requires the host buffer
#     to equal the listed value exactly.
#   - Destination address and port are unconstrained ($EXTERNAL_NET any).
# Triage notes:
#   - `alert http` only sees parsed HTTP; the same host reached over TLS is not
#     covered unless traffic is decrypted before inspection.
#   - msg names no malware family; the reference URL is the place to look it up.
#   - target:src_ip marks the internal client as the affected side of the alert.
# ---------------------------------------------------------------------------
# Path /supershell/login, hosts given as bare IP addresses.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"103.163.208.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"142.171.62.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.136.20.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"167.71.91.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.81.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"34.81.83.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.1.189.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.10.10.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253995; rev:1;)
# Paths of the form /<token>/login.php, hosts given as domains or bare IP addresses.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/login.php"; depth:21; nocase; http.host; content:"platformforcreateinterest.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/login.php"; depth:21; nocase; http.host; content:"bestofthebesttraining.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7vaficzogd/login.php"; depth:21; nocase; http.host; content:"pleasurecanbesafe.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/login.php"; depth:19; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/login.php"; depth:21; nocase; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/login.php"; depth:19; nocase; http.host; content:"ruspyc.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yandex/login.php"; depth:17; nocase; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enigma/login.php"; depth:17; nocase; http.host; content:"193.233.132.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/login.php"; depth:20; nocase; http.host; content:"185.196.10.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u8v5zeq/login.php"; depth:18; nocase; http.host; content:"193.3.19.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd9dd3vw/login.php"; depth:19; nocase; http.host; content:"second.amadgood.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254011; rev:1;)
# Start of a run of "payload delivery" URL rules rated at confidence level 60; this rule continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"retromuzsika.hu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253867/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253867; rev:1;)
# ---------------------------------------------------------------------------
# HTTP URL indicators, "payload delivery" (confidence_level 60, first_seen 2024_04_06).
# Every rule in this run is: method GET + a URI starting with /xmlrpc.php (depth
# pins the start, nothing pins the end) + an exact http.host match. Only the host
# differs from rule to rule.
# Review notes:
#   - xmlrpc.php is the stock file name of the WordPress XML-RPC endpoint, so the
#     path carries little signal on its own; the host is what identifies the IOC.
#   - The hosts look like ordinary websites, presumably compromised to serve a
#     payload (TODO confirm against each reference URL). Such sites get cleaned
#     up, so weigh first_seen before treating a hit as current.
#   - A hit shows that an internal client requested the URL, not that a payload
#     was delivered; correlate with HTTP response and file logs.
#   - The feed rates these at 60, below the 100 it gives its C2 URL rules, which
#     makes them a candidate for a lower alert priority.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kawapopularna.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253868/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smartgamepiano.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253869/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.eurotranschanet.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253870/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"americanbussales.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253871/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mediterranews.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253879/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shodo.cosavostra.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253880/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tophomenews.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253881/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"osinkokuningas.fi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253882/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"iveri.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253883/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atvtrade.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253884/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"systra-logistik.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253885/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cremer-fliesen.de"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253886/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253886; rev:1;)
# DNS indicator matched on the dns_query buffer; this rule continues on the next line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asegurar1s.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1253887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91253887; rev:1;)
# ip:port indicator. The rule has no flow: or content option, so any TCP packet
# from $HOME_NET to this address and port matches, including a connection attempt
# that never completes. threshold (type limit, by_src, 60 s, count 1) caps output
# at one alert per source per minute.
alert tcp $HOME_NET any -> [147.185.221.18] 18746 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91253908; rev:1;)
# "payload delivery" URL rules: method GET + a URI starting with
# /7t6x/certificate.crt + an exact http.host match. A hit shows the request only;
# check the HTTP response and any extracted file before concluding that a
# download succeeded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"cdnforfiles.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"file-transfer.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253971; rev:1;)
# ---------------------------------------------------------------------------
# "botnet C2 traffic" URL rules with generic paths: /login, /login/index,
# /auth/login, /admin/login.php.
#   - The path is a prefix match: depth pins it to the start of http.uri and
#     nothing pins the end, so a /login rule also fires on /login.php on the same
#     host (constructed example).
#   - Paths this generic exist on countless legitimate sites; the exact http.host
#     match (content + depth + isdataat:!1,relative) is the only discriminator.
#   - Most hosts here are bare IP addresses, and addresses get reassigned. Compare
#     first_seen (2024_04_06) with the Last updated stamp in the file header
#     before acting on a hit.
#   - `alert http` needs parsed cleartext HTTP; the same host over TLS is not
#     covered unless traffic is decrypted before inspection.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"107.175.28.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.120.177.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"8.134.126.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"103.161.224.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.106.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"46.226.164.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"huboftest.ir"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.156.10.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/login.php"; depth:16; nocase; http.host; content:"65.20.106.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.8.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.138.16.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.15.156.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.65.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.92.73"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.92.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"95.216.41.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254017; rev:1;)
# ip:port indicator; this rule continues on the next line.
alert tcp $HOME_NET any -> [179.13.0.175] 5554 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254012; rev:1;)
# "payload delivery" URL rules (confidence_level 100, first_seen 2024_04_06).
# Each one is: method GET + a URI starting with the listed path (depth pins the
# start of http.uri, nothing pins the end; nocase applies to the path) + an exact
# http.host match (content + depth + isdataat:!1,relative).
# A hit shows that an internal client requested the URL, not that a payload was
# delivered; correlate with the HTTP response and file logs. `alert http` needs
# parsed cleartext HTTP, so the same host over TLS is not covered unless traffic
# is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"whattotext.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"thecheapestcdn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ketmqfqxwbukenxmtkckkwyggqmbotuiaokzmnlumqfbcfiwdzobpipfkkymzpqlmqofkodnko"; depth:75; nocase; http.host; content:"thecheapestcdn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"salesoftskills.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254040; rev:1;)
# DNS indicator. content + depth + isdataat:!1,relative with nocase is a
# case-insensitive match on the whole query name; other names under the same
# parent domain do not fire. dns_query is the legacy spelling of the dns.query
# buffer in current Suricata releases.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wasted9sss1-57718.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254041; rev:1;)
# ip:port indicators. These rules have no flow: or content option, so any TCP
# packet from $HOME_NET to the listed address and port matches, including a
# connection attempt that never completes. threshold (type limit, by_src, 60 s,
# count 1) caps output at one alert per source per minute. Addresses get
# reassigned, so weigh first_seen against the Last updated stamp in the file header.
alert tcp $HOME_NET any -> [16.171.25.219] 8099 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254043; rev:1;)
alert tcp $HOME_NET any -> [77.221.157.58] 38538 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254042; rev:1;)
# This rule continues on the next line.
alert tcp $HOME_NET any -> [162.209.178.189] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254001/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91254001; rev:1;)
# ---------------------------------------------------------------------------
# Indicators with first_seen 2024_04_05.
# ip:port rules (alert tcp ... -> [addr] port):
#   - No flow: or content option is present, so any TCP packet from $HOME_NET to
#     the listed address and port matches, including a connection attempt that
#     never completes. A hit means "an internal host contacted this endpoint",
#     nothing more; corroborate with flow, TLS or endpoint data before escalating.
#   - threshold (type limit, by_src, 60 s, count 1) caps output at one alert per
#     source per minute, so alert counts do not reflect connection volume.
#   - confidence_level ranges from 50 to 100 in this run, and several of the
#     50-rated entries sit on ports 80 and 443. Addresses get reassigned, so weigh
#     first_seen against the Last updated stamp in the file header.
# Correlation hint: 162.209.178.187, .188 and .190 on port 38433 appear below as
# ip:port rules and 162.209.178.186 as http.host in the URL rule that follows
# them; adjacent addresses are worth triaging as one cluster.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [162.209.178.188] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253999; rev:1;)
alert tcp $HOME_NET any -> [162.209.178.187] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253998; rev:1;)
alert tcp $HOME_NET any -> [162.209.178.190] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253997; rev:1;)
# URL rule: method GET + a URI starting with the listed path (prefix match) + an
# exact http.host match. Requires parsed cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/members/9zbukm2fct"; depth:30; nocase; http.host; content:"162.209.178.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253996; rev:1;)
# DNS rules: content + depth + isdataat:!1,relative with nocase is a
# case-insensitive match on the whole query name; subdomains do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcnlaleanae8.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcnlaleanae9.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253911; rev:1;)
# Remaining ip:port rules; the family named in msg and confidence_level vary per rule.
alert tcp $HOME_NET any -> [193.143.1.197] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253907; rev:1;)
alert tcp $HOME_NET any -> [195.211.124.144] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253906; rev:1;)
alert tcp $HOME_NET any -> [212.224.86.223] 8056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253905; rev:1;)
alert tcp $HOME_NET any -> [62.109.2.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253904; rev:1;)
alert tcp $HOME_NET any -> [89.208.103.64] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253903; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.125] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253902; rev:1;)
alert tcp $HOME_NET any -> [57.151.90.74] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253901; rev:1;)
alert tcp $HOME_NET any -> [106.53.186.12] 8012 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253900; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253899; rev:1;)
alert tcp $HOME_NET any -> [20.199.44.70] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253898; rev:1;)
alert tcp $HOME_NET any -> [85.101.93.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253897; rev:1;)
alert tcp $HOME_NET any -> [149.88.67.40] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253896; rev:1;)
alert tcp $HOME_NET any -> [141.164.57.125] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253895; rev:1;)
alert tcp $HOME_NET any -> [93.127.163.159] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253894; rev:1;)
alert tcp $HOME_NET any -> [38.55.201.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253893; rev:1;)
# This rule continues on the next line.
alert tcp $HOME_NET any -> [45.66.217.179] 45 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253892/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_05; classtype:trojan-activity; sid:91253892; rev:1;) alert tcp $HOME_NET any -> [128.199.224.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253891; rev:1;) alert tcp $HOME_NET any -> [128.199.224.162] 63333 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253888; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; 
sid:91253878; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253877; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253876; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253875; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253874; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253873; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1253872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253872; rev:1;)
# ip:port indicator: matches on destination address and port only (no flow: or content keyword), and
# the threshold caps it at one alert per source address per 60 seconds. A hit shows an attempt towards
# the address, not that a session was established.
alert tcp $HOME_NET any -> [141.11.228.23] 65483 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253866; rev:1;)
# --- "payload delivery" URL indicators, confidence_level 60 ---
# Every rule in this group has the same shape: http.method contains "GET", http.uri begins with
# "/xmlrpc.php" (depth:11, nocase, no end anchor, so query strings and longer paths also match) and
# http.host equals the listed host exactly (depth = host length + isdataat:!1,relative).
# /xmlrpc.php is the path of WordPress's XML-RPC endpoint.
# NOTE(review): the host names look like ordinary public sites, presumably compromised rather than
# attacker-owned - confirm on the referenced ThreatFox IOC page before blocking a whole domain, and
# expect entries to go stale once a site is cleaned (all carry first_seen 2024_04_05).
# The feed rates these at 60%, yet they share classtype trojan-activity with the 100% rules; use the
# metadata confidence_level, not the classtype, to set triage priority.
# These are `alert http` rules, so they only evaluate traffic parsed as HTTP; the same request inside
# TLS is not inspected unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bgagro.bg"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253841/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pinokiosacz.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253842/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"spinmortgage.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253843/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"javtorrent.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253844/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"adktechs.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253845/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"janniolssondeler.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253846/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hubby69.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253847/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eneva.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253848/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.debarcadere.be"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253849/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bluewateryoga.com.au"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253850/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atasafaris.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253851/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"granitedevices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253852/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"76crimes.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253853/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"guitardivision.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253854/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"activefisher.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253856/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"searkweather.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253855/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"waheeda.nl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253857/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wakapi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253858/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"limatuju.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253859/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.absoluteestimating.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253860/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"canadajobbank.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253861/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xvideospornor.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253862/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sterling-sound.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253863/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"fantasy-hive.co.uk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253864/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"virusvaria.nl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253865/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253865; rev:1;)
alert tcp
$HOME_NET any -> [179.13.0.175] 5553 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253838; rev:1;)
# --- How to read the three rule shapes in this stretch ---
# dns  : dns_query + content with depth = name length + isdataat:!1,relative -> exact query-name match
#        (nocase); sub-domains and sibling names are not covered.
# tcp  : destination address and port only, no flow: or content keyword; threshold type limit caps
#        each rule at one alert per source address per 60 seconds. A hit shows an attempt towards the
#        address, not an established session - correlate with flow or firewall logs.
# http : http.method contains "GET"; http.uri begins with the listed path (depth = path length, nocase,
#        no end anchor); http.host equals the listed host exactly. Only traffic parsed as HTTP is
#        evaluated, so the same request inside TLS is not inspected unless decrypted before the sensor.
# metadata confidence_level is the feed's own rating; all rules here carry first_seen 2024_04_05, so
# re-check the referenced ThreatFox IOC page before acting on a hit.
#
# Exact-name match on one host label; other names under the same parent domain are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"promesasalvaro1.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253839; rev:1;)
alert tcp $HOME_NET any -> [104.198.2.251] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jyiikm.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253672; rev:1;)
# The next five rules share one URI prefix and differ only in the exact http.host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kapandayarankal.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kanepedeyatan.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kapandayarkarnaval.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"karakasabadakan.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"karakamazandar.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securebigloadprotecttemporary.php"; depth:34; nocase; http.host; content:"38.180.35.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253673; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.75] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253670/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253670; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.47] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253669/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253669; rev:1;)
alert tcp $HOME_NET any -> [45.87.153.190] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253668; rev:1;)
# The URI prefixes in the following http rules (/dot.gif, /pixel, /load, /jquery-3.3.1.min.js, ...) are
# generic-looking on their own; the exact http.host anchor is what keeps each rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253666; rev:1;)
# NOTE(review): this host looks like a name under a cloud API-gateway domain; the exact-host match
# limits the rule to this one service name - do not widen it to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/improve/ustats/kozht9uj"; depth:24; nocase; http.host; content:"47.236.43.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.0.70"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0938913.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253662; rev:1;)
alert tcp $HOME_NET any -> [46.29.234.85] 35727 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253661; rev:1;)
alert tcp $HOME_NET any -> [154.204.177.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253659; rev:1;)
# Overlap: the http rule below (sid:91253657) and the ip:port rule after it (sid:91253658) name the
# same address. A cleartext request to that host on port 80 can raise both; treat the pair as one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253657; rev:1;)
alert tcp $HOME_NET any -> [154.201.89.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253658; rev:1;)
alert tcp $HOME_NET any -> [107.149.240.218] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253656; rev:1;)
# The same host name is covered twice: by the http rule (sid:91253654) and by the dns rule
# (sid:91253655). The dns rule fires on the lookup itself, independent of the transport that follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"update.winservers-network.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.winservers-network.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253655; rev:1;)
alert tcp $HOME_NET any -> [154.204.177.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.201.155.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253651; rev:1;)
# Overlap: address 122.51.59.18 is named by two ip:port rules (sid:91253650 port 80, sid:91253647
# port 443) and by two http rules (sid:91253649, sid:91253646). Correlate hits per source host rather
# than counting them as independent detections.
alert tcp $HOME_NET any -> [122.51.59.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"122.51.59.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"119.3.190.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253648; rev:1;)
alert tcp $HOME_NET any -> [122.51.59.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253647; rev:1;)
# Duplicate match: this rule has the same method, URI prefix and host conditions as sid:91253649 above
# and differs only in reference and sid. One request raises both alerts; de-duplicate downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"122.51.59.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253646; rev:1;)
alert tcp $HOME_NET any -> [43.139.48.143] 1450 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"platformforcreateinterest.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdnforbusiness.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query;
content:"creationofprogress.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fastestfreecdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufpufooootools/150_clwwfhzotee"; depth:32; nocase; http.host; content:"leibk.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253644; rev:1;) alert tcp $HOME_NET any -> [172.233.155.253] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253639; rev:1;) alert tcp $HOME_NET any -> [212.192.15.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253638; rev:1;) alert tcp $HOME_NET any -> [45.241.37.251] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1253637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253637; rev:1;) alert tcp $HOME_NET any -> [41.96.66.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253636; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253635; rev:1;) alert tcp $HOME_NET any -> [217.196.60.141] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bestofthebesttraining.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253633; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newnano-shel.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253624; rev:1;)
# ip:port indicator: there are no payload or flow keywords, so any TCP packet from $HOME_NET to this
# address and port matches; the threshold keeps it to one alert per source every 60 seconds.
alert tcp $HOME_NET any -> [209.73.100.130] 6969 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253621; rev:1;)
# domain indicators: depth equals the pattern length and isdataat:!1,relative forbids trailing bytes,
# so the query name must equal the pattern (case-insensitively); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingjoker420.ddnsking.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njpantalla.4cloud.click"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253623; rev:1;)
# NOTE(review): sid:91253604 looks for the domain in the http.uri buffer, anchored at offset 0 by
# depth:25, and has no http.host condition. The other url rules in this feed put the path in http.uri
# and the host in http.host (see sid:91253605 for the same domain). A request URI normally starts
# with "/", so this rule probably never fires as written. Presumably the indicator was a URL with no
# path component; confirm against the referenced IOC before relying on it. Until then, coverage for
# this host comes from sid:91253605 (url) and sid:91253633 (dns).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bestofthebesttraining.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1253604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"bestofthebesttraining.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253605; rev:1;) alert tcp $HOME_NET any -> [93.123.85.135] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253617; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253626; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253627; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253628; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253629/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253629; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253630; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253631; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11464 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0938327.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253620; rev:1;) alert tcp $HOME_NET any -> [105.154.98.75] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"192.227.94.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oraclecloudsig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253615; rev:1;) alert tcp $HOME_NET any -> [31.172.87.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/translated"; depth:11; nocase; http.host; content:"oraclecloudsig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253614; rev:1;) alert tcp $HOME_NET any -> [38.180.82.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.180.82.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253612; rev:1;) alert tcp $HOME_NET any -> [193.143.1.198] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253611/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253611; rev:1;) alert tcp $HOME_NET any -> [193.143.1.207] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253610; rev:1;) alert tcp $HOME_NET any -> [193.143.1.196] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253609; rev:1;) alert tcp $HOME_NET any -> [193.233.132.58] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253608/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253608; rev:1;) alert tcp $HOME_NET any -> [91.92.253.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1253603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253603; rev:1;) alert tcp $HOME_NET any -> [20.124.81.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253602; rev:1;) alert tcp $HOME_NET any -> [43.143.112.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253601; rev:1;) alert tcp $HOME_NET any -> [178.73.218.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253600; rev:1;) alert tcp $HOME_NET any -> [46.246.82.18] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253599; rev:1;) alert tcp $HOME_NET any -> [78.161.126.239] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253598; rev:1;) alert tcp $HOME_NET any -> [104.236.70.31] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253597; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253596; rev:1;) alert tcp $HOME_NET any -> [162.33.177.165] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253595; rev:1;) alert tcp $HOME_NET any -> [86.125.229.50] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253594; rev:1;) alert tcp $HOME_NET any -> [47.243.188.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253593; rev:1;) alert tcp $HOME_NET any -> [47.238.200.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; 
classtype:trojan-activity; sid:91253592; rev:1;) alert tcp $HOME_NET any -> [151.236.220.113] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253591; rev:1;) alert tcp $HOME_NET any -> [81.43.22.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253590; rev:1;) alert tcp $HOME_NET any -> [192.121.162.196] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253589; rev:1;) alert tcp $HOME_NET any -> [109.116.170.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/longpoll/6/secure/eternallowdatalifebetter/linuxpublic4base/longpollwindowsprocessor/0poll/line/poll38processor/request7serverapi/dleupdate6/eternallowprocessorauthdblocaluploads.php"; depth:185; nocase; http.host; content:"80.71.227.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253587/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qs5d"; depth:5; nocase; http.host; content:"123.60.162.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discussion/mayo-clinic-radio-als/"; depth:34; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253585; rev:1;) alert tcp $HOME_NET any -> [46.246.84.9] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesserafimeasy.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253583; rev:1;) alert tcp $HOME_NET any -> [45.147.229.134] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253581/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253581; rev:1;) alert tcp $HOME_NET any -> [45.155.250.106] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"iseberkis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"dumingas.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.aspx"; depth:11; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/index.aspx"; depth:11; nocase; http.host; content:"musarno.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253370; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253366; rev:1;) alert tcp $HOME_NET any -> [91.92.241.169] 3434 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.com.tr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1253351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"20.110.42.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253356/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253356; rev:1;)
# url indicators whose path is just "/": http.uri content:"/" with depth:1 only requires the request
# path to begin with "/", which every origin-form request does (nocase has no effect on this
# pattern). Each rule below therefore alerts on any GET whose http.host equals the listed name
# exactly (depth = name length, isdataat:!1,relative forbids trailing bytes).
# NOTE(review): unlike the ip:port rules in this feed, these carry no threshold, so a host that polls
# one of these names raises one alert per request; consider a rate limit in threshold.config if that
# is too noisy. The same names are also covered at resolution time by the dns rules sid:91253349,
# sid:91253350, sid:91253351 and sid:91253352.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.com.tr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253363; rev:1;) alert tcp $HOME_NET any -> [20.110.42.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"64.176.41.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; 
classtype:trojan-activity; sid:91253348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.140.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253347; rev:1;)
alert tcp $HOME_NET any -> [104.168.145.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253346; rev:1;)
# NOTE(review): the dns rules match the query name exactly: depth equals the
# name length and isdataat:!1,relative rejects a longer name, so a lookup for a
# subdomain of the listed name does not alert. dns_query is the older spelling
# of the dns.query buffer, whereas the http rules here use the dotted names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipv6.beijing-qax.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253345; rev:1;)
# NOTE(review): same host as the dns rule above, so one infected client can
# raise both alerts (resolution, then request). The URI path looks like an
# ordinary static asset name; the exact http.host anchor is what keeps this
# rule specific. The URI test is a prefix match, so a trailing query string
# still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ipv6.beijing-qax.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253344; rev:1;)
# NOTE(review): the name in the next rule appears to sit under a shared cloud
# front-end domain. The exact-match anchors limit the rule to this single
# hostname; keep it that way when tuning rather than widening to the parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canarapay-f5agf9ccgteqbpg2.z03.azurefd.net"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1253343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/i7f9l/s0rm6wozidfyrb6yai2d"; depth:40; nocase; http.host; content:"canarapay-f5agf9ccgteqbpg2.z03.azurefd.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"49.233.244.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.75.6.207"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"64.176.41.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; 
sid:91253339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"shop.amazon-aws.fr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253338; rev:1;) alert tcp $HOME_NET any -> [129.211.26.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.211.26.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253335; rev:1;) alert tcp $HOME_NET any -> [81.17.17.70] 62520 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253334/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253334; rev:1;) alert tcp $HOME_NET any -> [141.98.102.227] 30311 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253333; rev:1;) alert tcp $HOME_NET any -> [74.91.29.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253331; rev:1;) alert tcp $HOME_NET any -> [45.88.186.209] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm2njm4yte3zjq2/"; depth:18; nocase; http.host; content:"185.161.248.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253314/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimdnq4mgqwzti1/"; depth:19; nocase; http.host; content:"psgrcsklmmallocprisma.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimeq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc2prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimvq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc3prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimeq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc5prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253319; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimrq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc4prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimmdmq4mgqwzti1/"; depth:20; nocase; http.host; content:"psgrcsklmmalloc6prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253320; rev:1;) alert tcp $HOME_NET any -> [147.45.47.64] 11837 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"154.12.30.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; 
content:"43.159.58.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"118.25.182.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.155.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"47.109.137.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253323/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"49.233.244.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253322; rev:1;)
alert tcp $HOME_NET any -> [139.9.193.13] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253321; rev:1;)
alert tcp $HOME_NET any -> [192.3.216.139] 44800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253313; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.150] 2505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253312; rev:1;)
# NOTE(review): the next rule requires http.method GET. A request to the same
# path and host sent with another method (for example POST) will not alert.
# Confirm against the ThreatFox entry in its reference URL which method was
# observed before treating the absence of this alert as absence of traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"bertol-metal.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253311/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253311; rev:1;)
# NOTE(review): the ip:port rules below carry no flow or payload condition;
# they match on destination address and port alone, so any TCP traffic from
# $HOME_NET to that endpoint alerts, whatever it carries. The threshold
# (type limit, track by_src, 60 seconds, count 1) caps this at one alert per
# source per minute. With confidence_level 50 and ports shared with ordinary
# services, treat a hit as a lead to corroborate with host or proxy evidence.
# first_seen records when the indicator was reported; addresses get
# reassigned, so review or expire old entries instead of keeping them forever.
alert tcp $HOME_NET any -> [212.109.220.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253310; rev:1;)
alert tcp $HOME_NET any -> [45.32.156.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253309; rev:1;)
alert tcp $HOME_NET any -> [172.233.221.61] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253308; rev:1;)
alert tcp $HOME_NET any -> [124.223.180.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253307; rev:1;)
alert tcp $HOME_NET any -> [104.168.122.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253306; rev:1;)
alert tcp $HOME_NET any -> [103.229.60.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253305; rev:1;) alert tcp $HOME_NET any -> [18.167.51.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253304; rev:1;) alert tcp $HOME_NET any -> [46.246.80.9] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253303; rev:1;) alert tcp $HOME_NET any -> [70.31.125.224] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253302; rev:1;) alert tcp $HOME_NET any -> [94.98.76.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253301; rev:1;) alert tcp $HOME_NET any -> [41.96.20.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253300; rev:1;) alert tcp 
$HOME_NET any -> [159.246.29.74] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253299; rev:1;) alert tcp $HOME_NET any -> [104.236.70.31] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253298; rev:1;) alert tcp $HOME_NET any -> [86.104.72.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253297; rev:1;) alert tcp $HOME_NET any -> [43.198.82.119] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253296; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253295; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 14555 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253294/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253294; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253293; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253292; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253290; rev:1;) alert tcp $HOME_NET any -> [195.201.47.206] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253289; rev:1;) alert tcp $HOME_NET any -> [185.174.101.164] 8888 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253228; rev:1;) alert tcp $HOME_NET any -> [185.174.101.246] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253229; rev:1;) alert tcp $HOME_NET any -> [101.43.219.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253230; rev:1;) alert tcp $HOME_NET any -> [172.111.137.194] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253227; rev:1;) alert tcp $HOME_NET any -> [128.90.122.249] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253225; rev:1;) alert tcp $HOME_NET any -> [128.90.123.31] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253226/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253226; rev:1;) alert tcp $HOME_NET any -> [91.92.254.251] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253224; rev:1;) alert tcp $HOME_NET any -> [91.92.242.190] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253223; rev:1;) alert tcp $HOME_NET any -> [106.53.164.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253231; rev:1;) alert tcp $HOME_NET any -> [124.222.52.190] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253232; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253233; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 49227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253234; rev:1;) alert tcp $HOME_NET any -> [162.14.73.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253235; rev:1;) alert tcp $HOME_NET any -> [39.100.85.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253236; rev:1;) alert tcp $HOME_NET any -> [47.94.246.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253237; rev:1;) alert tcp $HOME_NET any -> [47.95.37.53] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253238; rev:1;) alert tcp $HOME_NET any -> [47.96.38.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; 
sid:91253239; rev:1;) alert tcp $HOME_NET any -> [47.116.33.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253240; rev:1;) alert tcp $HOME_NET any -> [112.74.180.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253241; rev:1;) alert tcp $HOME_NET any -> [118.178.231.167] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253242; rev:1;) alert tcp $HOME_NET any -> [120.55.74.104] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253243; rev:1;) alert tcp $HOME_NET any -> [120.55.240.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253244; rev:1;) alert tcp $HOME_NET any -> [1.92.112.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1253246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253246; rev:1;) alert tcp $HOME_NET any -> [1.94.103.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253247; rev:1;) alert tcp $HOME_NET any -> [119.3.190.89] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253248; rev:1;) alert tcp $HOME_NET any -> [47.236.230.99] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253249; rev:1;) alert tcp $HOME_NET any -> [8.219.48.197] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253250; rev:1;) alert tcp $HOME_NET any -> [165.232.67.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253251; rev:1;) alert tcp $HOME_NET any -> [165.232.67.3] 4848 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-healthcare-infra.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253253; rev:1;) alert tcp $HOME_NET any -> [143.198.126.173] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253254; rev:1;) alert tcp $HOME_NET any -> [107.174.90.234] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253255; rev:1;) alert tcp $HOME_NET any -> [170.106.178.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253256; rev:1;) alert tcp $HOME_NET any -> [106.75.6.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1253257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253257; rev:1;) alert tcp $HOME_NET any -> [64.176.41.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253258; rev:1;) alert tcp $HOME_NET any -> [64.176.41.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253259; rev:1;) alert tcp $HOME_NET any -> [66.135.4.59] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253260; rev:1;) alert tcp $HOME_NET any -> [139.180.198.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253261; rev:1;) alert tcp $HOME_NET any -> [154.92.14.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253262; rev:1;) alert tcp $HOME_NET any -> [66.103.204.115] 8080 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253263; rev:1;) alert tcp $HOME_NET any -> [118.107.4.157] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253270; rev:1;) alert tcp $HOME_NET any -> [117.72.35.189] 1231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253271; rev:1;) alert tcp $HOME_NET any -> [18.119.137.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253272; rev:1;) alert tcp $HOME_NET any -> [18.119.137.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253273; rev:1;) alert tcp $HOME_NET any -> [43.203.118.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253274/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253274; rev:1;) alert tcp $HOME_NET any -> [45.142.214.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253275; rev:1;) alert tcp $HOME_NET any -> [172.98.22.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253276; rev:1;) alert tcp $HOME_NET any -> [107.151.247.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253277; rev:1;) alert tcp $HOME_NET any -> [107.151.247.136] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253278; rev:1;) alert tcp $HOME_NET any -> [103.188.244.189] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253279; rev:1;) alert tcp $HOME_NET any -> [146.103.11.88] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253288; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253286; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253287; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253285; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253284; rev:1;) alert tcp $HOME_NET any -> [45.133.174.81] 2020 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253283; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updatelongpollprotect.php"; depth:26; nocase; http.host; content:"77.221.143.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253282; rev:1;) alert tcp $HOME_NET any -> [173.254.204.77] 8026 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2a0949c1.php"; depth:13; nocase; http.host; content:"a0933252.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"170.106.178.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253269; rev:1;) alert tcp $HOME_NET any -> [172.233.1.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253268/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resc/ewk"; depth:9; nocase; http.host; content:"172.233.1.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253267; rev:1;) alert tcp $HOME_NET any -> [47.92.213.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"47.92.213.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253265; rev:1;) alert tcp $HOME_NET any -> [193.233.132.226] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253264; rev:1;) alert tcp $HOME_NET any -> [193.233.132.226] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253245/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253245; rev:1;) alert tcp $HOME_NET any -> [192.236.146.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253222; rev:1;) alert tcp $HOME_NET any -> [77.221.154.28] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253221; rev:1;) alert tcp $HOME_NET any -> [91.92.240.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253220; rev:1;) alert tcp $HOME_NET any -> [95.164.85.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253219; rev:1;) alert tcp $HOME_NET any -> [20.117.210.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253218; rev:1;) alert tcp $HOME_NET any -> [5.182.86.229] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253217; rev:1;) alert tcp $HOME_NET any -> [79.137.202.60] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253216; rev:1;) alert tcp $HOME_NET any -> [91.103.255.188] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253215; rev:1;) alert tcp $HOME_NET any -> [38.55.201.18] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253214; rev:1;) alert tcp $HOME_NET any -> [86.38.247.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253213; rev:1;) alert tcp $HOME_NET any -> [185.23.182.196] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; 
classtype:trojan-activity; sid:91253212; rev:1;) alert tcp $HOME_NET any -> [46.246.14.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253211; rev:1;) alert tcp $HOME_NET any -> [105.97.193.91] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253210; rev:1;) alert tcp $HOME_NET any -> [86.185.5.114] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253209; rev:1;) alert tcp $HOME_NET any -> [189.140.48.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253208; rev:1;) alert tcp $HOME_NET any -> [37.114.41.230] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253207; rev:1;) alert tcp $HOME_NET any -> [3.83.189.245] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1253206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253206; rev:1;) alert tcp $HOME_NET any -> [185.149.146.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253205; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20001 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253204/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253204; rev:1;) alert tcp $HOME_NET any -> [130.193.40.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253203; rev:1;) alert tcp $HOME_NET any -> [94.156.65.115] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253202; rev:1;) alert tcp $HOME_NET any -> [94.156.65.115] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253201; rev:1;) alert tcp $HOME_NET any -> [45.138.16.166] 8081 (msg:"ThreatFox RisePro botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253200; rev:1;) alert tcp $HOME_NET any -> [45.138.16.166] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253199; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253198; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healitytherapy.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"emonteiroadm.com"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1252941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"emonteiroadm.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252940; rev:1;)
# Root-URI rules: http.uri is matched against content:"/" with depth:1, and an
# origin-form request URI always begins with "/". The only selective condition
# is therefore the exact http.host match (depth + isdataat:!1,relative), so
# each rule alerts on any cleartext GET whose Host header is the listed IP.
# The same addresses also appear in ip:port entries labelled Vidar further
# down this listing (sids 91252949-91252952). The port-443 entries among them
# carry TLS, which these http rules cannot inspect unless it is decrypted
# before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252957; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.179.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252956; rev:1;)
# NOTE(review): the next two rules key on one specific path under a
# general-purpose public host (steamcommunity.com, t.me). A hit means a client
# requested that particular profile/channel URL, not that the service itself is
# hostile; triage the requesting host instead of blocking the domain.
# Presumably these are resolver-style URLs tied to the Vidar ip:port entries
# in the same batch. Confirm on the referenced ThreatFox IOC pages.
# Coverage caveats:
#  - These are `alert http` rules, so they only see requests the sensor can
#    parse as HTTP. Both hosts are normally reached over HTTPS, so expect
#    alerts only where TLS is decrypted before the sensor.
#  - http.uri is anchored at the start only (depth = pattern length, no end
#    anchor), so any longer path or query string sharing the prefix matches.
#    http.host is an exact match (isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199662282318"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t8jmhl"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252954; rev:1;)
# ip:port rules carry no flow or payload keywords: the match is purely
# "$HOME_NET -> listed address and port", so an alert records a connection
# attempt and does not by itself show that a session was established.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source per 60 s. Use flow records to gauge volume and duration.
# first_seen is the date ThreatFox first saw the indicator, so check how recent
# it still is before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [95.216.179.73] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252949; rev:1;)
alert tcp $HOME_NET any -> [116.203.14.35] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; 
classtype:trojan-activity; sid:91252950; rev:1;) alert tcp $HOME_NET any -> [95.217.31.228] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252951; rev:1;) alert tcp $HOME_NET any -> [65.109.241.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252952; rev:1;) alert tcp $HOME_NET any -> [65.109.243.191] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252953; rev:1;) alert tcp $HOME_NET any -> [146.103.11.88] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"service-qwflcy7c-1305872204.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qwflcy7c-1305872204.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252945; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252944; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252942; rev:1;) alert tcp $HOME_NET any -> [91.207.102.163] 9771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252939; rev:1;) alert tcp $HOME_NET any -> [194.147.140.222] 36829 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"goldensoftware.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252937; rev:1;) alert tcp $HOME_NET any -> [154.221.16.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252934; 
rev:1;) alert tcp $HOME_NET any -> [93.123.85.139] 7775 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252933; rev:1;) alert tcp $HOME_NET any -> [154.221.16.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252930; rev:1;) alert tcp $HOME_NET any -> [124.222.52.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252929; rev:1;) alert tcp $HOME_NET any -> 
[65.109.13.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252928; rev:1;)
# Domain rule (sid 91252927). depth:46 equals the pattern length and
# isdataat:!1,relative requires that nothing follows the match, so the whole
# DNS query name must equal this hostname (nocase). Other names under the same
# parent domain are not covered.
# NOTE(review): the pattern is a single endpoint label under azurefd.net, which
# looks like a shared hosting parent; keep the match on the full hostname and
# do not widen it to the parent domain.
# NOTE(review): dns_query is the legacy spelling of dns.query; confirm the
# deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive-east-us-fahybddhebhxejbb.z02.azurefd.net"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252927; rev:1;)
# URL rule (sid 91252926) for the same hostname. flow:established,from_client
# limits it to client requests on established flows. The http.uri pattern is
# anchored at the start (depth:19 equals its length) with no end-of-buffer
# check, so any URI beginning with this path matches; http.host must equal the
# hostname exactly (depth:46 plus isdataat:!1,relative).
# NOTE(review): these are HTTP buffers, so the rule presumably sees only
# requests Suricata can parse as HTTP; the domain rule above is the one that
# would still fire if the request itself is encrypted. Confirm for your sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/686c6c647a/api-get"; depth:19; nocase; http.host; content:"drive-east-us-fahybddhebhxejbb.z02.azurefd.net"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252926; rev:1;)
# ip:port rule (sid 91252925). There is no flow or payload keyword: any TCP
# packet from $HOME_NET to this address and port matches, so an alert does not
# by itself show that a session was established. threshold limits output to
# one alert per source host per 60 seconds. target:src_ip marks the internal
# host as the affected side in event output.
# NOTE(review): IP indicators can be reassigned after first_seen 2024_04_03;
# check the referenced ThreatFox entry before blocking on this address.
alert tcp $HOME_NET any -> [47.236.43.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252925; rev:1;)
# URL rule (sid 91252924, continues on the next line) for the same address as
# sid 91252925. The URI pattern reads like an ordinary library filename, so the
# exact http.host match on the IP literal is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.236.43.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252924/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_03; classtype:trojan-activity; sid:91252924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipesecure.php"; depth:15; nocase; http.host; content:"firerebbit.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discussion/mayo-clinic-radio-als/"; depth:34; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"198.251.88.196"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-n14rot1h-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-n14rot1h-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/o4gyipjzznwaey19wvgnuy7r2i"; depth:31; nocase; http.host; content:"gostatts.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; 
classtype:trojan-activity; sid:91252911; rev:1;) alert tcp $HOME_NET any -> [47.92.140.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"213.109.202.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252908; rev:1;) alert tcp $HOME_NET any -> [213.109.202.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252909; rev:1;) alert tcp $HOME_NET any -> [46.101.71.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedrive"; depth:9; nocase; http.host; content:"chu-healthcare-infra.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; 
classtype:trojan-activity; sid:91252905; rev:1;)
# Domain rule (sid 91252906) for the same hostname as the url rule sid 91252905
# that ends on the line above. depth:24 equals the pattern length and
# isdataat:!1,relative forbids trailing data, so only a query for exactly this
# name matches (nocase); subdomains of it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-healthcare-infra.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252906; rev:1;)
# Four ip:port rules (sids 91252904 to 91252901) at confidence_level 50 whose
# msg names the family only as "Unknown malware". Each matches any TCP packet
# from $HOME_NET to the listed address and port, with no flow or payload
# condition, so treat a hit as a lead to corroborate against flow records,
# HTTP/TLS logs and endpoint telemetry rather than as proof of compromise.
# threshold: at most one alert per source host per 60 seconds.
# They carry the same classtype as the 100% rules, so classtype priority does
# not separate them; metadata confidence_level is the field to triage on.
# NOTE(review): three of the four use port 80 on addresses that may host other
# content or be reassigned after first_seen 2024_04_03; check the referenced
# ThreatFox entry before turning these into blocks.
alert tcp $HOME_NET any -> [194.32.149.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252904; rev:1;)
alert tcp $HOME_NET any -> [45.94.4.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252903; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252902; rev:1;)
alert tcp $HOME_NET any -> [45.76.180.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252901; rev:1;)
# ip:port rule for a QakBot-labelled address at confidence_level 50 (sid is on
# the continuation line); same match shape as the rules above.
alert tcp $HOME_NET any -> [70.31.125.37] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252900; rev:1;) alert tcp $HOME_NET any -> [77.124.103.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252899; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252898; rev:1;) alert tcp $HOME_NET any -> [91.219.236.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252897; rev:1;) alert tcp $HOME_NET any -> [168.119.236.136] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252896; rev:1;) alert tcp $HOME_NET any -> [193.142.146.203] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252894; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/centralsql/localvmasync0/trafficwindows/apitosql/proton/pythondefaultapi/defaulteternal6/better_3/dlehttp/wordpress8/6test6/temporary4privatemulti/linejs_multiprotecttrafficpublictemp.php"; depth:188; nocase; http.host; content:"185.230.64.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252895; rev:1;)
# Note on the url rule above (sid 91252895): depth:188 equals the length of the
# http.uri pattern and there is no end-of-buffer check, so the URI only has to
# begin with this path; a query string after ".php" still matches. http.host
# must equal the IP literal exactly (depth:14 plus isdataat:!1,relative).
#
# Payload-delivery domain rules (sids 91252828 to 91252830; a fourth, for
# ioc/1252831, starts at the end of this line). All are confidence_level 50.
# In each, depth equals the pattern length and isdataat:!1,relative forbids
# trailing data, so only a DNS query for exactly the listed name matches
# (nocase); a query for a subdomain of it would not.
# These rules fire on the lookup, not on a download: an alert shows that the
# host resolved the name, so corroborate with proxy or HTTP/TLS logs before
# concluding that a payload was fetched.
# They share classtype:trojan-activity with the 100% C2 rules, so use
# metadata confidence_level, not classtype priority, to rank them.
# NOTE(review): dns_query is the legacy spelling of dns.query; confirm the
# deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"comigoninguempodes.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"limpandoacasa.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"saldaolegal.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"cinemaeuquero.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252831/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"31yc.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/fre.php"; depth:21; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.171.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloadsdump/7downloadsjs/lowmulti/generatorasyncgeneratordatalife/to/javascript/processpacket/videoimage7/linepollserverdatalife.php"; depth:135; nocase; http.host; content:"91.107.120.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252889; rev:1;) alert tcp 
$HOME_NET any -> [194.147.140.167] 1986 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.242.237.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252887; rev:1;) alert tcp $HOME_NET any -> [105.155.169.10] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252886; rev:1;) alert tcp $HOME_NET any -> [192.153.57.54] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252885; rev:1;) alert tcp $HOME_NET any -> [52.71.150.237] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252884; rev:1;) alert tcp $HOME_NET any -> [100.24.150.174] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252883; rev:1;) alert tcp $HOME_NET any -> [44.194.68.71] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252882; rev:1;) alert tcp $HOME_NET any -> [5.252.177.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252881; rev:1;) alert tcp $HOME_NET any -> [14.225.208.190] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252880; rev:1;) alert tcp $HOME_NET any -> [144.91.109.161] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252879; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252878; rev:1;) alert tcp $HOME_NET any -> [91.92.254.34] 
80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252877; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252876; rev:1;) alert tcp $HOME_NET any -> [51.254.186.98] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252875; rev:1;) alert tcp $HOME_NET any -> [94.98.181.154] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252874; rev:1;) alert tcp $HOME_NET any -> [94.98.186.180] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252873; rev:1;) alert tcp $HOME_NET any -> [66.50.8.125] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252872/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_02; classtype:trojan-activity; sid:91252872; rev:1;) alert tcp $HOME_NET any -> [41.107.100.224] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252871; rev:1;) alert tcp $HOME_NET any -> [154.197.69.33] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252870; rev:1;) alert tcp $HOME_NET any -> [125.160.213.15] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252869; rev:1;) alert tcp $HOME_NET any -> [41.232.216.196] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252868; rev:1;) alert tcp $HOME_NET any -> [147.50.253.190] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252867; rev:1;) alert tcp $HOME_NET any -> [39.120.184.43] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1252866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252866; rev:1;) alert tcp $HOME_NET any -> [89.213.140.91] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252865; rev:1;) alert tcp $HOME_NET any -> [172.111.139.246] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252864; rev:1;) alert tcp $HOME_NET any -> [23.94.30.124] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252863; rev:1;) alert tcp $HOME_NET any -> [45.74.50.132] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252862; rev:1;) alert tcp $HOME_NET any -> [41.68.131.21] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252861; rev:1;) alert tcp $HOME_NET any -> [111.229.114.158] 54984 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252860; rev:1;)
# ThreatFox IOC rules with first_seen 2024_04_02, restored to one rule per line.
#
# ip:port rules (alert tcp $HOME_NET any -> [IP] PORT) carry no flow: or content
# match, so they do not require an established session or any payload. The
# threshold option (type limit, track by_src, seconds 60, count 1) caps each
# rule at one alert per source host per 60 seconds. Treat a hit as a connection
# attempt towards a listed endpoint, not as confirmed C2, and weigh it by the
# confidence_level in metadata (50 to 100 in this section).
#
# url rules pin http.host to an exact value (depth equal to the content length
# plus isdataat:!1,relative) and anchor http.uri at its start only (depth equal
# to the content length, no end check), so a longer URI with the same prefix
# also matches.
#
# Every rule sets target:src_ip, i.e. the $HOME_NET source is recorded as the
# affected side of the alert. The malware family in msg and the confidence
# level come from the ThreatFox entry linked in reference:url.
alert tcp $HOME_NET any -> [2.224.144.191] 8089 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252859; rev:1;)
alert tcp $HOME_NET any -> [184.182.242.110] 3306 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252858; rev:1;)
alert tcp $HOME_NET any -> [3.17.181.161] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252857; rev:1;)
alert tcp $HOME_NET any -> [220.69.33.83] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252856; rev:1;)
alert tcp $HOME_NET any -> [211.226.30.202] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252854; rev:1;)
alert tcp $HOME_NET any -> [125.141.145.190] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252853; rev:1;)
alert tcp $HOME_NET any -> [211.226.30.198] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252852; rev:1;)
alert tcp $HOME_NET any -> [172.187.180.204] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252851; rev:1;)
alert tcp $HOME_NET any -> [13.38.235.203] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/853aaed2e28950b2.php"; depth:21; nocase; http.host; content:"89.105.223.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252849; rev:1;)
alert tcp $HOME_NET any -> [103.180.186.144] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252848; rev:1;)
alert tcp $HOME_NET any -> [3.92.185.192] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252847; rev:1;)
alert tcp $HOME_NET any -> [54.226.31.121] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252846; rev:1;)
alert tcp $HOME_NET any -> [47.120.14.97] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252845; rev:1;)
alert tcp $HOME_NET any -> [13.200.127.74] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252844; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.16] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252843; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.11] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252842; rev:1;)
alert tcp $HOME_NET any -> [82.156.43.68] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252841; rev:1;)
alert tcp $HOME_NET any -> [37.37.183.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252840; rev:1;)
alert tcp $HOME_NET any -> [152.42.140.119] 9001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252839; rev:1;)
alert tcp $HOME_NET any -> [103.86.177.103] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252838; rev:1;)
alert tcp $HOME_NET any -> [65.109.124.116] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252837; rev:1;)
alert tcp $HOME_NET any -> [156.192.141.126] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252836; rev:1;)
alert tcp $HOME_NET any -> [132.145.80.201] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252835; rev:1;)
alert tcp $HOME_NET any -> [3.115.218.3] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252834; rev:1;)
alert tcp $HOME_NET any -> [86.106.20.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle1update/generatorprotect00/linuxprivatedownloadsprocess/toauth/dumpmariadbbetterjavascript/privatephpline/multiprotectuploads0/baseuniversal_windows/cdn/multi/6/8wordpress/5/uploadsservercdn/http/requestgamemultidefaultdle.php"; depth:230; nocase; http.host; content:"62.109.7.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252832; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.69] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252827; rev:1;)
alert tcp $HOME_NET any -> [85.114.96.4] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252826; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.96] 443 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252825; rev:1;)
alert tcp $HOME_NET any -> [194.116.214.7] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252824/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252824; rev:1;)
# confidence_level 50 with no family attribution ("Unknown malware"): the
# weakest signal in this section, matched on destination address and port only.
alert tcp $HOME_NET any -> [83.136.232.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252823; rev:1;)
alert tcp $HOME_NET any -> [5.42.106.136] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252822; rev:1;) alert tcp $HOME_NET any -> [185.216.70.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252821; rev:1;) alert tcp $HOME_NET any -> [27.124.32.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252820; rev:1;) alert tcp $HOME_NET any -> [38.55.201.16] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252819; rev:1;) alert tcp $HOME_NET any -> [1.161.115.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252818; rev:1;) alert tcp $HOME_NET any -> [103.20.60.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252817; rev:1;) alert tcp $HOME_NET any -> [64.176.224.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252816; rev:1;) alert tcp $HOME_NET any -> [101.33.35.171] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252815; rev:1;) alert tcp $HOME_NET any -> [51.159.183.32] 9000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252814; rev:1;) alert tcp $HOME_NET any -> [64.7.198.249] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252813; rev:1;) alert tcp $HOME_NET any -> [103.20.60.248] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252812; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252811; rev:1;) alert tcp $HOME_NET any -> [206.188.196.174] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252810; rev:1;) alert tcp $HOME_NET any -> [206.188.196.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galvaoministerio.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brigadafraternidade.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252808; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252806/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252806; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252805; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0938575.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twiceoohah.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healitytherapy.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; 
sid:91252802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"semikan.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252798/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bavuor.bond"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.207.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252801; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252563; rev:1;) alert tcp $HOME_NET any -> [141.98.7.37] 65480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ahryssa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"ahryssa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252560; rev:1;) alert tcp $HOME_NET any -> [185.216.70.123] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252561; rev:1;) alert tcp $HOME_NET any -> [5.188.87.50] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252558; rev:1;) alert tcp $HOME_NET any -> [94.156.8.109] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trembolone.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252545/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252545; rev:1;) alert tcp $HOME_NET any -> [91.92.252.229] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w/index.php"; depth:12; nocase; http.host; content:"116.62.34.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; 
depth:12; nocase; http.host; content:"120.26.243.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252554; rev:1;) alert tcp $HOME_NET any -> [81.70.232.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.92.147.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.106.77.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"5.188.87.50"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252549; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.128.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252547; rev:1;) alert tcp $HOME_NET any -> [193.233.132.106] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252546; rev:1;) alert tcp $HOME_NET any -> [193.233.132.106] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252543; rev:1;) alert tcp $HOME_NET any -> [185.196.10.121] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252541; rev:1;) alert tcp $HOME_NET any -> [42.193.17.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.17.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252539; rev:1;) alert tcp $HOME_NET any -> [185.222.58.253] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"js.msedgeupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; 
http.host; content:"47.93.63.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252529/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bind.bestresulttostart.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.220.192.251"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252526; rev:1;) alert tcp $HOME_NET any -> [103.116.247.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1252525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252525; rev:1;)
# cs.xfdaili.com appears both as URL indicators (http rules) and as a domain indicator
# (sid 91252521 below). The dns rule fires on the lookup itself, the http rules only on a parsed
# cleartext HTTP request, so one infected host can raise several of these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252524; rev:1;)
# URI "/image/" is anchored at the start only (depth:7, no isdataat): any path under /image/ matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252523; rev:1;)
# ip:port indicator on port 80: matches on address and port alone, with no payload inspection.
# target:src_ip records the $HOME_NET side as the affected host in the event.
alert tcp $HOME_NET any -> [103.116.247.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252522; rev:1;)
# Exact-name DNS match (depth:14 + isdataat:!1,relative); nocase makes the comparison case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.xfdaili.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ga.js"; depth:6; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252520; rev:1;)
# The URI patterns on this line ("/jquery-3.3.1.min.js", "/load") look like ordinary web asset
# paths. What makes each rule specific is the exact http.host match (depth + isdataat:!1,relative),
# so do not reuse the URI part on its own as an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.76.218.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"42.192.36.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252518; rev:1;)
# 43.136.13.96 is covered twice: this URL rule (cleartext HTTP, any port) and the ip:port rule
# for port 443 that follows. The second is the only one that can fire on TLS traffic, and it does so
# on address and port alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.136.13.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252516; rev:1;)
alert tcp $HOME_NET any -> [43.136.13.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252517; 
rev:1;)
# Same pairing as elsewhere in the feed: a URL rule (exact host, URI prefix) plus an ip:port rule for
# the same address. The http rule only fires on parsed cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.136.81.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252514; rev:1;)
alert tcp $HOME_NET any -> [43.136.81.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252515; rev:1;)
# 45.182.189.102 has three rules on this line: one URL rule and two ip:port rules (443 and 80).
# A cleartext GET for /preload sent to port 80 of that address satisfies both the URL rule and the
# port-80 rule, so expect two alerts for one request and correlate on src_ip rather than counting sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"45.182.189.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252512; rev:1;)
# ip:port rules carry no flow keyword: a connection attempt alone raises the alert, whether or not
# a session is established. The threshold caps this at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [45.182.189.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252513; rev:1;)
alert tcp $HOME_NET any -> [45.182.189.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252511; rev:1;) 
# NOTE(review): this rule has the same method, URI prefix and host as sid 91252512 (ioc/1252512);
# only the ioc reference and sid differ. Both fire on the same request, so deduplicate downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"45.182.189.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252510; rev:1;)
# URL indicators: the URI is a prefix match (depth only), the host is an exact match
# (depth + isdataat:!1,relative), and only the GET method is covered. nocase applies to the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/getb"; depth:12; nocase; http.host; content:"45.144.136.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252508; rev:1;)
# Because the method is pinned to GET, a request to the same host and path with another method
# does not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252506; rev:1;)
# ip:port indicator: address and destination port only, no payload inspection.
alert tcp $HOME_NET any -> [194.147.140.157] 3361 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1252505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252505; rev:1;)
# Every complete rule on this line is an ip:port indicator with confidence_level 50. They match on
# destination address and port alone, so treat a hit as a lead to corroborate (process, DNS or
# proxy logs from the src_ip host) rather than as confirmation.
# The sid is the ThreatFox ioc id with a leading 9 (sid:91252504 <-> ioc/1252504), which gives a
# direct lookup from an alert to the reference URL.
alert tcp $HOME_NET any -> [202.61.141.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252504; rev:1;)
alert tcp $HOME_NET any -> [202.61.141.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252503; rev:1;)
alert tcp $HOME_NET any -> [139.199.2.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252502; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.212] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252501; rev:1;)
# Port 443 with no payload condition: the rule cannot tell what is carried inside the session.
alert tcp $HOME_NET any -> [187.224.25.138] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252500; rev:1;)
alert tcp $HOME_NET any -> [161.35.138.53] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252499; rev:1;)
# ip:port indicators, all confidence_level 50. The malware family appears only in msg; the match
# itself is destination address + port with a per-source alert limit (1 per 60 s).
# NOTE(review): first_seen is 2024_04_02 while the file header reports a last update of
# 2024-07-26; addresses may have changed hands in between, so confirm an indicator is still current
# before using it for blocking.
alert tcp $HOME_NET any -> [172.233.230.75] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252498; rev:1;)
alert tcp $HOME_NET any -> [194.246.114.147] 40050 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252497; rev:1;)
alert tcp $HOME_NET any -> [51.195.115.244] 7639 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252496; rev:1;)
alert tcp $HOME_NET any -> [13.112.154.194] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252495; rev:1;)
alert tcp $HOME_NET any -> [104.234.155.118] 5040 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252494/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_02; classtype:trojan-activity; sid:91252494; rev:1;)
# ip:port indicator, confidence_level 50: destination address and port only.
alert tcp $HOME_NET any -> [142.93.79.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252493; rev:1;)
# "payload delivery" URL indicators: three paths on the same exact host (discovus.com). The msg
# text is the only thing that separates these from the "botnet C2" URL rules; classtype is the same
# trojan-activity, so route on msg or on the reference URL if the two need different handling.
# The URI is a prefix match, so query strings and longer paths after the pattern still match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252491; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.229] 4718 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252492; rev:1;)
# "payload delivery" indicators that all use the URI prefix "/xmlrpc.php". That path name is common
# on ordinary web sites, so the exact http.host match is the discriminating condition.
# Only GET is matched. Confidence differs per host: 100 for the first rule, 60 for the others on
# this line; the value is repeated in msg and in metadata confidence_level.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"saubere-dienste.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252484; rev:1;)
# NOTE(review): confidence 60 on a generic path - presumably worth a lower alert priority than the
# 100% entries; confirm against local policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"buhexpert8.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252485/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"balabaksha.kz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252486/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alcorfund.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252487/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252487; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"unimus.ac.id"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252488/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252488; rev:1;)
# In the rules below the URI condition is content:"/"; depth:1. Any URI that starts with "/"
# satisfies it, so in practice these rules match every cleartext GET whose Host equals the listed
# name exactly. Treat them as host indicators for HTTP traffic, not as indicators for one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mtlaikins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252475; rev:1;)
# The host match is exact, so this rule covers schedule.golfballnutz.com only, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"schedule.golfballnutz.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"147.45.47.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252477; rev:1;)
# Second URL indicator for host 147.45.47.87 (the rule ending above, sid 91252477, covers the same
# host). This one requires the URI to begin with "/scripts/theme.js".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/theme.js"; depth:17; nocase; http.host; content:"147.45.47.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252478; rev:1;)
# URI content "/" with depth:1 matches any path, so the next two rules are host matches in effect.
# The host comparison is exact (depth + isdataat:!1,relative), which is why the feed lists
# smtp.thanhancompony.com and thanhancompony.com as separate rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"smtp.thanhancompony.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thanhancompony.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252480; rev:1;)
# ip:port indicator, confidence_level 75: destination address and port only, one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [104.168.32.17] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252473; rev:1;)
alert tcp $HOME_NET any -> [104.234.204.151] 100 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252471; rev:1;)
# ip:port indicators for several families (named only in msg). The source is $HOME_NET, so an alert
# means an internal host sent TCP traffic to the listed address and port; target:src_ip records
# that internal host as the affected side.
# No flow keyword is present, so the first outbound packet is enough to alert.
alert tcp $HOME_NET any -> [94.156.8.116] 1337 (msg:"ThreatFox Kaiten botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252470; rev:1;)
alert tcp $HOME_NET any -> [185.224.128.36] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252469; rev:1;)
alert tcp $HOME_NET any -> [104.234.204.161] 100 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252460; rev:1;)
alert tcp $HOME_NET any -> [85.239.33.129] 12345 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252459; rev:1;)
# Same address as the Mirai rule for port 100 (sid 91252471), listed here for port 1 under a
# different family name and with confidence_level 75.
alert tcp $HOME_NET any -> [104.234.204.151] 1 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252440/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_02; classtype:trojan-activity; sid:91252440; rev:1;)
# ip:port indicators: destination address and port only. Two addresses share port 2023 under the
# same family name in msg.
alert tcp $HOME_NET any -> [185.141.63.27] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252458; rev:1;)
alert tcp $HOME_NET any -> [195.154.173.35] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252457; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.250] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252472; rev:1;)
# URL indicator: GET, URI beginning with "/mall_100_100.html" (prefix match, case-insensitive),
# Host exactly equal to the address literal. Fires only on parsed cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.34.207"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252483; rev:1;)
# 194.147.140.229 is listed under this family for port 4781 here and for port 4718 in
# sid 91252492; the two ports are separate indicators (ioc/1252482 and ioc/1252492).
alert tcp $HOME_NET any -> [194.147.140.229] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"93757283cm.whiteproducts.ru"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252481; rev:1;)
# Domain indicator: dns_query (older spelling of the dns.query buffer) with depth equal to the name
# length plus isdataat:!1,relative, i.e. an exact, case-insensitive match on the queried name.
# From here on first_seen is 2024_04_01.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesserafine.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252468; rev:1;)
alert tcp $HOME_NET any -> [18.175.57.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252467; rev:1;)
# The indicator is one fully qualified name under amazonaws.com. The exact match (depth:46 +
# isdataat:!1,relative) is what keeps this rule from firing on other names under the same parent
# domain; do not loosen it to a suffix match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umo3uuoo57.execute-api.us-east-1.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252466; rev:1;)
# URL indicator for the same host; fires only on parsed cleartext HTTP, so the dns rule above is
# the one that still applies when the client uses HTTPS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"umo3uuoo57.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252465/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_01; classtype:trojan-activity; sid:91252465; rev:1;)
# URL indicator: "/__utm.gif" resembles a common web-analytics asset name, so the URI alone is not
# distinctive; the exact Host match on the address literal is the specific part of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"172.111.218.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252464; rev:1;)
alert tcp $HOME_NET any -> [94.131.13.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252463; rev:1;)
# api.updateservices.org is covered by a domain rule and a URL rule. The dns rule sees the lookup
# regardless of the protocol used afterwards; the http rule needs a parsed cleartext GET whose URI
# begins with "/activity".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.updateservices.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"api.updateservices.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252461; rev:1;)
# ip:port indicator on port 80 with confidence 50% in msg: address and port only.
alert tcp $HOME_NET any -> [103.145.191.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252456/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252456; rev:1;)
# ip:port indicators, all confidence_level 50, first_seen 2024_04_01. The first three share
# destination port 8888 and the "Unknown malware" label; no payload is inspected, so the label
# comes from the feed, not from anything the sensor observed.
alert tcp $HOME_NET any -> [202.61.141.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252455; rev:1;)
alert tcp $HOME_NET any -> [149.104.30.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252454; rev:1;)
alert tcp $HOME_NET any -> [150.109.241.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252453; rev:1;)
# One address, two ports: each port is its own indicator and sid, and each has its own
# per-source threshold, so a host touching both ports raises two alerts.
alert tcp $HOME_NET any -> [46.246.86.15] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252452; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252451; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.2] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252450; rev:1;) alert tcp $HOME_NET any -> [105.103.18.143] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252449; rev:1;) alert tcp $HOME_NET any -> [78.181.209.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252448; rev:1;) alert tcp $HOME_NET any -> [39.40.151.24] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252447; rev:1;) alert tcp $HOME_NET any -> [41.96.91.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252446; rev:1;) alert tcp $HOME_NET any -> [151.236.26.171] 3410 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252445; rev:1;) alert tcp $HOME_NET any -> [185.196.9.7] 
7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252444; rev:1;) alert tcp $HOME_NET any -> [47.116.25.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252443; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252442; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gostatts.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252408; rev:1;) alert tcp $HOME_NET any -> [91.92.246.236] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252409/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252409; rev:1;) alert tcp $HOME_NET any -> [103.106.203.165] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252410; rev:1;) alert tcp $HOME_NET any -> [94.156.10.119] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252411; rev:1;) alert tcp $HOME_NET any -> [41.97.204.61] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applereports.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252413; rev:1;) alert tcp $HOME_NET any -> [94.156.10.119] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252414; rev:1;) alert tcp $HOME_NET any -> [45.63.52.184] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252415; rev:1;)
# The url rules in this stretch share one URI prefix, "/nmvmzmjlzta2mdnm/", across
# seven different Host values (the last of them, sid 91252437, comes after the two
# ip:port rules below). Each rule requires BOTH the URI prefix and an exact Host
# match, so a new domain serving the same path is not detected by any of them.
# The shared path is worth a retrospective search in proxy logs on its own.
# The URI pattern is all lowercase and matched with nocase; the original casing
# of the path is not shown here, so search logs case-insensitively.
# No malware family is named in msg and confidence is 80 - check the referenced
# ThreatFox IOC page for attribution before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"axskowoe20.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"fqfqosoleosak23.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"xkslsxll294os.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252433/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"vaodfko2342o.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kamalankaranda.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"vasderosxls11.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252432/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252432; rev:1;)
# ip:port rules: no flow or content keyword, so they fire on any TCP packet from
# $HOME_NET to the listed address and port, at most once per source per 60 seconds.
alert tcp $HOME_NET any -> [45.131.111.159] 777 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252416; rev:1;)
alert tcp $HOME_NET any -> [67.217.60.78] 7855 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"aaaaoooopppplllll33.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252437; rev:1;)
# Same rule shape as the group above but a different URI prefix and a .net host.
# Whether it belongs to the same activity is not stated here - confirm on the IOC page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"lauytropopo.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252438; rev:1;)
alert tcp $HOME_NET any -> [38.15.51.3] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252338; rev:1;)
alert tcp $HOME_NET any -> [50.34.35.222] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252339; rev:1;)
alert tcp $HOME_NET any -> [51.223.58.16] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252340; rev:1;)
alert tcp $HOME_NET any -> [82.69.26.196] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252341/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252341; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252342; rev:1;) alert tcp $HOME_NET any -> [181.162.159.238] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252343; rev:1;) alert tcp $HOME_NET any -> [190.203.52.245] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252344; rev:1;) alert tcp $HOME_NET any -> [194.48.251.116] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; 
sid:91252346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"mtlaikins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252348; rev:1;) alert tcp $HOME_NET any -> [173.201.180.75] 49737 (msg:"ThreatFox Agent Tesla payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252370; rev:1;) alert tcp $HOME_NET any -> [173.201.180.75] 49739 (msg:"ThreatFox Agent Tesla payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252371; rev:1;) alert tcp $HOME_NET any -> [1.14.66.185] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; 
sid:91252372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.bywe.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252373; rev:1;) alert tcp $HOME_NET any -> [1.14.152.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252374; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252375; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252376; rev:1;) alert tcp $HOME_NET any -> [124.220.192.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252377; rev:1;) alert tcp $HOME_NET any -> [8.130.88.184] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1252378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252378; rev:1;) alert tcp $HOME_NET any -> [8.130.118.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252379; rev:1;) alert tcp $HOME_NET any -> [8.137.126.202] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252380; rev:1;) alert tcp $HOME_NET any -> [8.140.254.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252381; rev:1;) alert tcp $HOME_NET any -> [47.93.12.178] 50002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252383; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252384; rev:1;) alert tcp $HOME_NET any -> 
[112.124.64.105] 7894 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252385; rev:1;) alert tcp $HOME_NET any -> [115.29.202.95] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252386; rev:1;) alert tcp $HOME_NET any -> [118.31.8.234] 6664 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252387; rev:1;) alert tcp $HOME_NET any -> [8.217.127.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252388; rev:1;) alert tcp $HOME_NET any -> [47.76.101.44] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252389; rev:1;) alert tcp $HOME_NET any -> [198.12.107.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252390/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252390; rev:1;) alert tcp $HOME_NET any -> [116.196.92.13] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252391; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252393; rev:1;) alert tcp $HOME_NET any -> [144.202.43.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252394; rev:1;) alert tcp $HOME_NET any -> [144.202.43.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252395; rev:1;) alert tcp $HOME_NET any -> [128.14.229.56] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252396; rev:1;) alert tcp $HOME_NET any -> [173.44.141.234] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252397; rev:1;) alert tcp $HOME_NET any -> [45.135.118.251] 35201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252398; rev:1;) alert tcp $HOME_NET any -> [123.184.43.123] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252399; rev:1;) alert tcp $HOME_NET any -> [89.147.108.109] 5093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252400; rev:1;) alert tcp $HOME_NET any -> [45.128.96.237] 64980 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252401; rev:1;) alert tcp $HOME_NET any -> [193.32.162.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252402/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_01; classtype:trojan-activity; sid:91252402; rev:1;)
# ip:port rules: no flow or content keyword, so they fire on any TCP packet from
# $HOME_NET to the listed address and port, at most once per source per 60 seconds.
# On ports 80/443 the same address may serve unrelated sites; confirm with host or
# TLS logs before treating an alert as confirmed C2.
alert tcp $HOME_NET any -> [77.91.122.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252403; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252404; rev:1;)
# "payload delivery" url rules at confidence 60, all on the path /xmlrpc.php, which
# is also the stock WordPress XML-RPC endpoint name.
# NOTE(review): these hosts may be third-party sites abused for hosting rather than
# attacker-owned infrastructure - confirm on the referenced IOC pages. Until then
# treat a hit as a lead to correlate with endpoint telemetry, not as proof of
# compromise, and avoid blocking the whole domain on this signal alone.
# The method content is "GET", so POST requests to the same path do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ilearnschools.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252405/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lokersma.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252406/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"emmikochteinfach.de"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1252407/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252407; rev:1;) alert tcp $HOME_NET any -> [3.12.160.6] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252325; rev:1;) alert tcp $HOME_NET any -> [20.19.89.127] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252326; rev:1;) alert tcp $HOME_NET any -> [45.8.146.124] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252327; rev:1;) alert tcp $HOME_NET any -> [51.195.94.201] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252328; rev:1;) alert tcp $HOME_NET any -> [88.229.5.89] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252329; rev:1;) alert tcp $HOME_NET any -> [88.252.160.133] 888 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252330; rev:1;)
# AsyncRAT ip:port indicators. These rules carry no flow or payload keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per source
# per 60 seconds for each sid.
# In the rules shown here the sid is 90000000 plus the ThreatFox IOC id from the reference URL.
alert tcp $HOME_NET any -> [91.110.144.1] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252331; rev:1;)
alert tcp $HOME_NET any -> [156.195.238.74] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252332; rev:1;)
alert tcp $HOME_NET any -> [172.94.8.163] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252333; rev:1;)
alert tcp $HOME_NET any -> [172.94.9.138] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252334; rev:1;)
alert tcp $HOME_NET any -> [207.180.232.14] 1973 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252335; rev:1;)
# URL indicator. "alert http" means this fires on HTTP the sensor can parse in the clear.
# It matches client GET requests whose URI begins with the listed path (depth anchors the
# start, nothing anchors the end, nocase) and whose http.host equals the listed value
# (depth plus isdataat:!1,relative leave no room before or after it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search"; depth:7; nocase; http.host; content:"81.181.110.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252439; rev:1;)
# Cobalt Strike indicator on port 53 written as "alert tcp": UDP traffic to the same
# address and port is not covered by this rule, and the application protocol is not checked.
alert tcp $HOME_NET any -> [146.70.113.136] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252430; rev:1;)
# Domain indicators. dns_query is the legacy spelling of the dns.query buffer. depth plus
# isdataat:!1,relative make the comparison exact, so a query for a different label under
# the same domain does not match. "googletagmauager" is kept exactly as the feed lists it;
# NOTE(review): it reads like a look-alike of a tag-manager domain, so keep any allow-list
# for the legitimate name exact-match rather than substring.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.googletagmauager.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.googletagmauager.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252428; rev:1;)
# URI content "/" with depth:1 matches every GET to the host, so this URL rule is
# effectively a host indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stviw.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252422; rev:1;)
# Vidar ip:port indicators, same address-and-port-only shape as the AsyncRAT rules above.
alert tcp $HOME_NET any -> [78.47.221.177] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252423; rev:1;)
alert tcp $HOME_NET any -> [168.119.60.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252424; rev:1;)
alert tcp $HOME_NET any -> [95.217.155.87] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252425; rev:1;)
# stviw.xyz is matched by both a dns rule and an http rule, so a single host can raise more
# than one sid for the same infrastructure; correlate on the source address when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogor.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stviw.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mogor.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252421; rev:1;)
# URL indicators whose http.host is a literal IP address and whose URI content is "/" with
# depth:1. Every GET to that Host value matches whatever the path, so these behave as host
# indicators. "alert http" only sees requests the sensor can parse as cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.155.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.60.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.221.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252418; rev:1;)
# URL indicators with a specific path. The URI content is a case-insensitive prefix match
# (depth anchors the start only), so query strings or longer paths after it still match.
# http.host must equal the listed value (depth plus isdataat:!1,relative). Several hosts
# are numbered names under the same parent domain (tw1.ru, xsph.ru); each rule pins one
# full hostname and does not cover its siblings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ca87122.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0934860.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bd4c8b2.php"; depth:13; nocase; http.host; content:"a0936238.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252368; rev:1;)
# RedLine Stealer ip:port indicator. No flow or payload keyword: any TCP packet from
# $HOME_NET to this address and port matches, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [77.221.156.45] 18734 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracktrafficprivatetest/javascript/dle0/0downloads02/geocpupython/universalsecure/javascriptauth.php"; depth:101; nocase; http.host; content:"91.92.252.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252366; rev:1;)
# The URI content below starts with a doubled slash. NOTE(review): confirm that the
# sensor's URI normalization leaves "//" intact, otherwise this content cannot match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//receive.php"; depth:13; nocase; http.host; content:"botnetera.pagekite.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"huinyao.hunamuna.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252364; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.244] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cf73329.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252362; rev:1;)
alert tcp $HOME_NET any -> [5.61.63.125] 35333 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252361/; target:src_ip; metadata: confidence_level
100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252361; rev:1;)
# Mixed url and ip:port indicators follow.
# url rules: client GET over HTTP the sensor can parse, URI beginning with the listed path
#   (case-insensitive prefix, no end anchor), http.host equal to the listed value.
# ip:port rules: address and port only, no flow or payload keyword; the threshold keeps
#   them to one alert per source per 60 seconds. target:src_ip marks the $HOME_NET side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"490523cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252360; rev:1;)
alert tcp $HOME_NET any -> [104.250.169.162] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252359; rev:1;)
alert tcp $HOME_NET any -> [195.3.223.146] 6668 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longpollflower.php"; depth:19; nocase; http.host; content:"77.105.161.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252357; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.84] 35966 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb488f9cb9d466ca.php"; depth:21; nocase; http.host; content:"185.216.70.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252355; rev:1;)
alert tcp $HOME_NET any -> [144.217.189.92] 3000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252354; rev:1;)
alert tcp $HOME_NET any -> [163.5.112.53] 51523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252353; rev:1;)
# Three RedLine Stealer entries share port 18950 on different addresses. The match is on
# address and port alone. NOTE(review): check who currently holds each address before
# turning these into blocks, since an address-only indicator says nothing about later reuse.
alert tcp $HOME_NET any -> [18.158.249.75] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252352; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252351; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252350; rev:1;)
alert tcp $HOME_NET any -> [154.236.129.160] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252349; rev:1;)
# Short URI prefix ("/ch", depth:3): any GET whose path starts with these three characters
# matches, so the exact http.host comparison is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"big-walls.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252323; rev:1;)
alert tcp $HOME_NET any -> [195.137.220.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252324; rev:1;)
# Domain indicator. dns_query is the legacy spelling of the dns.query buffer; depth plus
# isdataat:!1,relative require the queried name to equal the listed value (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heicehjuisyq.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252321; rev:1;)
alert tcp $HOME_NET any -> [109.199.108.92] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252322; rev:1;)
# URL indicators. Each rule needs three things on a client request the sensor can parse as
# HTTP: method content "GET", a URI that begins with the listed path (depth anchors the
# start only, nocase), and an http.host equal to the listed value.
# Several paths here ("/ga.js", "/updates.rss", "/fwlink", "/visit.js", a jquery file name)
# resemble ordinary web resources. The host comparison carries the specificity, so do not
# reuse the path alone as an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omentget"; depth:9; nocase; http.host; content:"heicehjuisyq.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.224.24.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"62.234.180.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252317; rev:1;)
# 195.137.220.121 is covered twice below: by a url rule on the Host value and by an
# address-and-port rule on port 80. One cleartext request can therefore raise both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj"; depth:3; nocase; http.host; content:"195.137.220.121"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252315; rev:1;)
# ip:port rule: no flow or payload keyword, so any TCP packet to this address and port
# matches; the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [195.137.220.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"222.112.93.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.162.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252313; rev:1;)
# Second url rule for host 62.234.180.148 (the other one uses the "/ga.js" path).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"62.234.180.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.223.15.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"115.29.202.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"183.255.43.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.230.207.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252307/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252307; rev:1;)
# Cobalt Strike ip:port indicators on port 443. The rules match on address and port only,
# with no flow, TLS or payload keyword, and are limited to one alert per source per
# 60 seconds by the threshold.
alert tcp $HOME_NET any -> [111.230.207.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252308; rev:1;)
alert tcp $HOME_NET any -> [52.235.59.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252306; rev:1;)
# Host under a shared parent domain (azureedge.net), matched by both an http rule and a
# dns rule. Both compare the full name exactly (depth plus isdataat:!1,relative), so other
# names under the same parent are not matched. Keep it that way if the rule is ever edited.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ldap.htm"; depth:9; nocase; http.host; content:"goliathms.azureedge.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goliathms.azureedge.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252305; rev:1;)
# url rules: client GET over HTTP the sensor can parse, URI beginning with the listed path
# (case-insensitive prefix, no end anchor), http.host equal to the listed value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252303; rev:1;)
# Long multi-label hostname matched exactly in dns and http. NOTE(review): the name embeds
# well-known brand labels; the rule only fires on the complete 56-byte name, so it does not
# cover those brands' own domains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rdtest.static.hao123-wise.otp.baidu.com.cn.cdn.dnsv1.com"; depth:56; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compute/cd/k7ba6v385v"; depth:22; nocase; http.host; content:"rdtest.static.hao123-wise.otp.baidu.com.cn.cdn.dnsv1.com"; depth:56; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252301; rev:1;)
alert tcp $HOME_NET any -> [47.101.170.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0935095.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252299; rev:1;)
# confidence_level 50 entries, most labelled "Unknown malware". On ports such as 80 an
# address-and-port match cannot tell C2 from any other traffic to the same address.
# NOTE(review): consider routing sids with confidence_level 50 to a lower-priority queue or
# using them for enrichment, and check indicator age (first_seen) before blocking on them.
alert tcp $HOME_NET any -> [77.91.123.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252298; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252297; rev:1;)
alert tcp $HOME_NET any -> [45.77.40.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252296; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252295; rev:1;)
alert tcp $HOME_NET any -> [38.6.218.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252294; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.178] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252293; rev:1;)
# Havoc ip:port indicators, all carrying confidence_level 50 in metadata. Each rule matches
# any TCP packet from $HOME_NET to the listed address and port (no flow or payload keyword)
# and is limited to one alert per source per 60 seconds. 137.220.197.198 is listed on three
# ports (8080, 443, 8443), each with its own sid.
alert tcp $HOME_NET any -> [151.80.152.122] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252292; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.198] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252291; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252290; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.198] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252289; rev:1;)
alert tcp $HOME_NET any -> [193.124.205.100] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252288; rev:1;)
alert tcp $HOME_NET any -> [104.248.44.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252287; rev:1;)
# Further confidence_level 50 ip:port entries for other families (BianLian, Brute Ratel C4,
# Sliver, unlabelled). NOTE(review): an address-only match at this confidence is a lead to
# corroborate with host or proxy evidence, not a verdict.
alert tcp $HOME_NET any -> [111.180.192.60] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252286; rev:1;)
alert tcp $HOME_NET any -> [57.180.189.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252285; rev:1;)
alert tcp $HOME_NET any -> [3.36.144.103] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252284; rev:1;)
alert tcp $HOME_NET any -> [23.94.44.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252283; rev:1;)
# "payload delivery" url indicators, all on host 193.233.132.136. The msg differs from the
# C2 rules but the classtype is the same. The first rule uses URI "/" with depth:1 and so
# matches every GET to that host, including the three specific .png paths that follow;
# expect it to fire alongside them. A match shows that a host requested the URL; whether
# anything was downloaded or run has to come from other evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/z.png"; depth:8; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/0x.png"; depth:9; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/a.png"; depth:8; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252255; rev:1;)
alert tcp $HOME_NET any -> [5.253.246.170] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_01; classtype:trojan-activity; sid:91252278; rev:1;)
alert tcp $HOME_NET any -> [8.134.126.121] 8086 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity;
sid:91252282; rev:1;)
# dockerupdate.xyz is covered by a dns rule (exact query name via depth plus
# isdataat:!1,relative; dns_query is the legacy spelling of dns.query) and by an http rule
# two entries below. The http rule's path looks like a stock jquery file name, so the host
# comparison is what makes it specific.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dockerupdate.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252280; rev:1;)
alert tcp $HOME_NET any -> [185.239.84.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dockerupdate.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252279; rev:1;)
# From here first_seen is 2024_03_31.
# Cobalt Strike pairs: an ip:port rule on 443 plus a url rule whose http.host is the same
# address. The url rule needs HTTP the sensor can parse in the clear; the ip:port rule
# matches on address and port regardless of what is carried. The long "/s/ref=..." path
# resembles an ordinary shopping-site search URL, so it is only meaningful together with
# the host comparison.
alert tcp $HOME_NET any -> [195.123.217.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"195.123.217.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"185.236.231.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252274; rev:1;)
alert tcp $HOME_NET any -> [185.236.231.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252273; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.67] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252272; rev:1;)
# confidence_level 50 ip:port entries. They match on address and port only, mostly on 80
# and 443, and are limited to one alert per source per 60 seconds.
# NOTE(review): treat hits as leads to corroborate rather than confirmed C2, and check who
# currently holds the address before blocking.
alert tcp $HOME_NET any -> [193.26.115.181] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252271; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.181] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252270; rev:1;)
alert tcp $HOME_NET any -> [185.43.4.238] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252269; rev:1;)
alert tcp $HOME_NET any -> [137.184.228.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252268; rev:1;)
alert tcp $HOME_NET any -> [18.166.113.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252267; rev:1;)
alert tcp $HOME_NET any -> [188.48.80.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252266; rev:1;)
alert tcp $HOME_NET any -> [172.233.120.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252265; rev:1;) alert tcp $HOME_NET any -> [92.116.36.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252264; rev:1;) alert tcp $HOME_NET any -> [159.65.173.112] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252263; rev:1;) alert tcp $HOME_NET any -> [3.111.169.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252262; rev:1;) alert tcp $HOME_NET any -> [146.190.108.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252261; rev:1;) alert tcp $HOME_NET any -> [146.190.108.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252259; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chniabank.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hentaiworld.tv"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; 
classtype:trojan-activity; sid:91252248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.8ktv-test.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mlwmlw.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seorongdaiduong.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"serenitytherapy.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illitmagnetic.site"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1252247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252247; rev:1;) alert tcp $HOME_NET any -> [93.185.166.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/common.css"; depth:11; nocase; http.host; content:"93.185.166.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.94.241.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.360safety.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/push"; depth:5; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252239; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252236/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_31; classtype:trojan-activity; sid:91252236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"plano-safra.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huboftest.ir"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bnd-servers.komakhazine.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252232/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_31; classtype:trojan-activity; sid:91252232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giga.giganoob.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252231; rev:1;) alert tcp $HOME_NET any -> [193.141.60.143] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252229; rev:1;) alert tcp $HOME_NET any -> [193.141.60.143] 59432 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252230/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giga.giganoob.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252228; rev:1;) alert tcp $HOME_NET any -> [103.35.190.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252227; rev:1;) alert tcp $HOME_NET any -> [103.35.190.238] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252226; rev:1;) alert tcp $HOME_NET any -> [45.61.136.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"45.61.136.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252224; rev:1;) alert tcp $HOME_NET any -> [124.223.220.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3g.ali213.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info"; depth:5; nocase; http.host; 
content:"3g.ali213.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info"; depth:5; nocase; http.host; content:"m.old.gxjczx.gov.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.old.gxjczx.gov.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252220; rev:1;) alert tcp $HOME_NET any -> [154.219.177.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252218; rev:1;) alert tcp $HOME_NET any -> [192.236.176.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; 
content:"192.236.176.143"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252216; rev:1;) alert tcp $HOME_NET any -> [156.232.192.101] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"121.199.0.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252213; rev:1;) alert tcp $HOME_NET any -> [121.199.0.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252214; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252212; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252210/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252210; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252211; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252209; rev:1;) alert tcp $HOME_NET any -> [45.152.86.86] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a.iruko.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252208/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252208; rev:1;) alert tcp $HOME_NET any -> [45.138.16.150] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252206; rev:1;) alert tcp $HOME_NET any -> [86.38.247.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252205; rev:1;) alert tcp $HOME_NET any -> [93.123.39.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252204/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252204; rev:1;) alert tcp $HOME_NET any -> [94.228.169.68] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252203; rev:1;) alert tcp $HOME_NET any -> [147.78.103.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252202; rev:1;) alert tcp $HOME_NET any -> [142.11.236.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252201; rev:1;) alert tcp $HOME_NET any -> [134.209.34.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; 
classtype:trojan-activity; sid:91252200; rev:1;) alert tcp $HOME_NET any -> [43.132.193.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252199/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252199; rev:1;) alert tcp $HOME_NET any -> [38.45.126.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252198; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252197; rev:1;) alert tcp $HOME_NET any -> [38.45.126.182] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252196; rev:1;) alert tcp $HOME_NET any -> [38.45.126.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252195; rev:1;) alert tcp $HOME_NET any -> [71.88.244.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252194; rev:1;) alert tcp $HOME_NET any -> [175.10.220.47] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252193; rev:1;) alert tcp $HOME_NET any -> [165.232.68.248] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252192; rev:1;) alert tcp $HOME_NET any -> [16.16.187.254] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252191; rev:1;) alert tcp $HOME_NET any -> [5.181.20.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252190; rev:1;) alert tcp $HOME_NET any -> [15.197.164.51] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252189; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 9999 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251883; rev:1;) alert tcp $HOME_NET any -> [42.194.251.253] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251882; rev:1;) alert tcp $HOME_NET any -> [42.192.36.31] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hitech-us.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eatech.uk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"topcoloringpages.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seiji-folk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ww4.amazila.cz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wielkopolskamagazyn.pl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tanya-tanya.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"baaghitv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"192-168-1-1-admin-admin.ru"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252184/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lasantaespina.cat"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mepiu.it"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; 
classtype:trojan-activity; sid:91252186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vipaco.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252187/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.beeldvorm.eu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nocapsrt.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nocapsrt.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252031; rev:1;) alert tcp $HOME_NET any -> [40.66.40.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251908/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_31; classtype:trojan-activity; sid:91251908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1076575623880921249/1223388963822375054/sky-beta-setup.rar"; depth:71; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.49.156.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252180; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252177; rev:1;) alert tcp $HOME_NET any -> [154.219.151.250] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252176; rev:1;) alert tcp $HOME_NET any -> [156.232.192.121] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252175; rev:1;) alert tcp $HOME_NET any -> [154.219.177.143] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252174; rev:1;) alert tcp $HOME_NET any -> [156.232.186.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252173; rev:1;) alert tcp $HOME_NET any -> [156.232.186.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252172; rev:1;) alert tcp $HOME_NET any -> [154.219.154.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252171; rev:1;) 
# ThreatFox indicator rules, restored to one rule per line. Every rule in this span carries
# first_seen 2024_03_30. Each sid is the ThreatFox IOC id from the rule's reference URL with
# a leading 9 (sid:91252170 <-> threatfox.abuse.ch/ioc/1252170/), so an alert can be traced
# back to its IOC record.
#
# Options shared by all rules:
#   target:src_ip              - the $HOME_NET sender is reported as the affected host.
#   metadata confidence_level  - repeats the percentage in msg; usable for tiering response.
#
# Three rule shapes appear below:
#   http - GET from the client on an established flow; http.uri must start with the listed
#          path (content + depth of the same length, nocase) but is not end-anchored, so a
#          longer URI with the same prefix also matches; http.host must equal the listed
#          value exactly (depth of the same length + isdataat:!1,relative).
#   dns  - dns_query must equal the listed name exactly, case-insensitively (depth of the
#          same length + isdataat:!1,relative + nocase); subdomains are not covered.
#   tcp  - destination address and port only, with no flow or content options, so any TCP
#          packet from $HOME_NET to that address:port matches, including a connection
#          attempt that is never answered. threshold (type limit, track by_src, count 1,
#          seconds 60) caps output at one alert per source address per minute per rule.
#
# NOTE(review): the http rules depend on Suricata's HTTP parser and therefore only see
# cleartext HTTP; the same request over TLS will not match unless traffic is decrypted
# before it reaches the sensor.
# NOTE(review): ip:port indicators go stale as addresses are reassigned; check first_seen
# against the current date and the linked IOC record before treating a hit as confirmed.

# HTTP indicators whose host is a bare IP address. The short paths (/cm, /visit.js, /match)
# are only meaningful in combination with the host match.
# NOTE(review): confirm how the deployed Suricata version fills http.host when the Host
# header carries an explicit port - presumably the port is stripped; verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252170; rev:1;)
# The next two rules cover the same hostname twice: the DNS lookup (sid 91252169) and an
# HTTP GET for /api/user (sid 91252168).
# NOTE(review): the parent domain looks like a cloud API-gateway service; both rules match
# only this exact name, so do not broaden them to the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bjb5aex0-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/user"; depth:9; nocase; http.host; content:"service-bjb5aex0-1318428097.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252166; rev:1;)
# Confidence 50 on a common web port, matched on address and port alone.
# NOTE(review): corroborate hits on the next two rules with host telemetry before acting.
alert tcp $HOME_NET any -> [20.115.56.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252029; rev:1;)
alert tcp $HOME_NET any -> [165.232.68.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252028; rev:1;)
# Confidence 75 URL indicator; same http shape as above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr8c"; depth:5; nocase; http.host; content:"112.124.64.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91252027; rev:1;)
alert tcp $HOME_NET any -> [197.202.118.111] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252026; rev:1;)
# /ga.js is a path that also occurs in benign web traffic; the exact host match is what
# scopes this rule to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"124.71.136.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252025; rev:1;)
# ip:port indicators labelled "Unknown malware", all on port 8888.
alert tcp $HOME_NET any -> [47.109.53.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252021; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252019; rev:1;)
alert tcp $HOME_NET any -> [38.45.126.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252020; rev:1;)
# Cobalt Strike ip:port indicators. Where one address is listed with several ports, each
# address:port pair is its own IOC with its own sid, and the per-source threshold is
# tracked per rule, so one host can raise one alert per pair per minute.
alert tcp $HOME_NET any -> [222.112.93.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252017; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.104] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252015; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.104] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252016; rev:1;)
alert tcp $HOME_NET any -> [103.97.176.249] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252013; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252011; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.226] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252012; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252010; rev:1;)
alert tcp $HOME_NET any -> [209.141.44.168] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252009; rev:1;)
alert tcp $HOME_NET any -> [94.103.188.162] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252008; rev:1;)
alert tcp $HOME_NET any -> [198.98.53.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252006; rev:1;)
alert tcp $HOME_NET any -> [198.98.53.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252007; rev:1;)
# Confidence 50 ip:port indicator.
# NOTE(review): treat a hit as a lead to corroborate rather than a confirmed infection.
alert tcp $HOME_NET any -> [45.15.156.142] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252005; rev:1;)
# Domain indicator: exact-name match only. This span has no companion rule for www. or any
# other subdomain of this name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleaninghouseinc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252004; rev:1;)
alert tcp $HOME_NET any -> [170.130.55.104] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252001; rev:1;) alert tcp $HOME_NET any -> [170.130.165.44] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252002; rev:1;) alert tcp $HOME_NET any -> [173.44.141.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252003; rev:1;) alert tcp $HOME_NET any -> [103.30.76.64] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252000; rev:1;) alert tcp $HOME_NET any -> [206.237.2.203] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251999; rev:1;) alert tcp $HOME_NET any -> [94.156.69.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1251998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251998; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251996; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251997; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251995; rev:1;) alert tcp $HOME_NET any -> [23.224.196.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251991; rev:1;) alert tcp $HOME_NET any -> [23.225.14.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251992; rev:1;) alert tcp $HOME_NET any -> [38.6.177.16] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251993; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251994; rev:1;) alert tcp $HOME_NET any -> [165.154.162.112] 2323 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251990; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251989; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251987; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251988/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251988; rev:1;) alert tcp $HOME_NET any -> [117.50.188.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251986; rev:1;) alert tcp $HOME_NET any -> [172.212.14.172] 9005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251985; rev:1;) alert tcp $HOME_NET any -> [20.2.85.120] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251984; rev:1;) alert tcp $HOME_NET any -> [182.61.148.159] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251980; rev:1;) alert tcp $HOME_NET any -> [192.3.128.204] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251981; rev:1;) alert tcp $HOME_NET any -> [208.87.201.226] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251982; rev:1;) alert tcp $HOME_NET any -> [211.101.244.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251983; rev:1;) alert tcp $HOME_NET any -> [149.104.26.163] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251973; rev:1;) alert tcp $HOME_NET any -> [154.3.2.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251974; rev:1;) alert tcp $HOME_NET any -> [154.8.177.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251975; rev:1;) alert tcp $HOME_NET any -> [154.12.19.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251976/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_30; classtype:trojan-activity; sid:91251976; rev:1;)
# ---------------------------------------------------------------------------
# ip:port indicators: alert tcp $HOME_NET any -> [IP] PORT
# These signatures have no payload or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches, whatever runs on top of it.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per rule per 60 seconds. target:src_ip marks the
# internal host as the affected side of the event.
# Triage: a hit shows a connection attempt to the indicator, not that C2 data
# was exchanged. The address may have been reassigned since first_seen, so check
# the reference URL and confirm with flow or endpoint data before treating the
# source host as infected.
# NOTE(review): some entries below use common service ports (80, 443, 445,
# 8080); on shared hosting these are presumably more prone to unrelated matches.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [166.88.61.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251977; rev:1;)
alert tcp $HOME_NET any -> [172.247.34.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251978; rev:1;)
alert tcp $HOME_NET any -> [182.43.85.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251979; rev:1;)
alert tcp $HOME_NET any -> [123.57.65.209] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251968; rev:1;)
alert tcp $HOME_NET any -> [123.57.237.103] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251969; rev:1;)
alert tcp $HOME_NET any -> [124.220.70.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251970; rev:1;)
alert tcp $HOME_NET any -> [124.221.254.249] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251971; rev:1;)
alert tcp $HOME_NET any -> [139.196.84.232] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251972; rev:1;)
alert tcp $HOME_NET any -> [111.92.241.105] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251961; rev:1;)
alert tcp $HOME_NET any -> [115.159.149.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251962; rev:1;)
alert tcp $HOME_NET any -> [118.25.195.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251963; rev:1;)
alert tcp $HOME_NET any -> [120.46.65.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251964; rev:1;)
alert tcp $HOME_NET any -> [120.53.241.93] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251965; rev:1;)
alert tcp $HOME_NET any -> [120.76.250.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251966; rev:1;)
alert tcp $HOME_NET any -> [123.56.22.128] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251967; rev:1;)
alert tcp $HOME_NET any -> [103.214.174.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251957; rev:1;)
alert tcp $HOME_NET any -> [103.234.72.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251958; rev:1;)
alert tcp $HOME_NET any -> [106.54.62.117] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251959; rev:1;)
alert tcp $HOME_NET any -> [107.172.159.139] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251960; rev:1;)
alert tcp $HOME_NET any -> [47.113.144.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251951; rev:1;)
alert tcp $HOME_NET any -> [47.120.34.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251952; rev:1;)
alert tcp $HOME_NET any -> [47.245.117.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251953; rev:1;)
alert tcp $HOME_NET any -> [74.48.220.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251954; rev:1;)
alert tcp $HOME_NET any -> [81.70.207.90] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251955; rev:1;)
alert tcp $HOME_NET any -> [82.156.183.197] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251956; rev:1;)
alert tcp $HOME_NET any -> [39.106.7.95] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251945; rev:1;)
alert tcp $HOME_NET any -> [39.108.11.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251946; rev:1;)
alert tcp $HOME_NET any -> [45.32.8.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251947; rev:1;)
alert tcp $HOME_NET any -> [47.76.197.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251948; rev:1;)
alert tcp $HOME_NET any -> [47.95.39.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251949; rev:1;)
alert tcp $HOME_NET any -> [47.108.145.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251950; rev:1;)
alert tcp $HOME_NET any -> [8.130.36.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251937; rev:1;)
alert tcp $HOME_NET any -> [8.134.166.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251938; rev:1;)
alert tcp $HOME_NET any -> [8.138.16.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251939; rev:1;)
alert tcp $HOME_NET any -> [8.141.82.134] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251940; rev:1;)
alert tcp $HOME_NET any -> [14.36.168.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251941; rev:1;)
alert tcp $HOME_NET any -> [16.162.105.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251942; rev:1;)
alert tcp $HOME_NET any -> [27.0.232.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251943; rev:1;)
alert tcp $HOME_NET any -> [38.54.85.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251944; rev:1;)
alert tcp $HOME_NET any -> [1.92.66.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251936; rev:1;)
alert tcp $HOME_NET any -> [38.147.170.150] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251934; rev:1;)
alert tcp $HOME_NET any -> [38.147.170.150] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251935; rev:1;)
alert tcp $HOME_NET any -> [149.104.30.223] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251931; rev:1;)
alert tcp $HOME_NET any -> [149.104.26.45] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251932; rev:1;)
alert tcp $HOME_NET any -> [45.144.136.182] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251933; rev:1;)
alert tcp $HOME_NET any -> [167.179.111.67] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251930; rev:1;)
alert tcp $HOME_NET any -> [64.176.71.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251926; rev:1;)
alert tcp $HOME_NET any -> [139.180.154.208] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251927; rev:1;)
alert tcp $HOME_NET any -> [45.63.119.177] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251928; rev:1;)
alert tcp $HOME_NET any -> [207.148.109.8] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251929; rev:1;)
alert tcp $HOME_NET any -> [114.115.159.80] 60443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251925; rev:1;)
alert tcp $HOME_NET any -> [117.50.185.133] 6444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251924; rev:1;)
alert tcp $HOME_NET any -> [114.115.174.131] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251923; rev:1;)
alert tcp $HOME_NET any -> [114.115.174.131] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251922; rev:1;)
alert tcp $HOME_NET any -> [45.15.156.142] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251921; rev:1;)
alert tcp $HOME_NET any -> [192.227.248.201] 9633 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251919; rev:1;)
alert tcp $HOME_NET any -> [192.227.248.201] 50057 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251920; rev:1;)
alert tcp $HOME_NET any -> [172.245.45.163] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251912; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.249] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251913; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.249] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251914; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.249] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251915; rev:1;)
alert tcp $HOME_NET any -> [107.172.157.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251916; rev:1;)
alert tcp $HOME_NET any -> [107.174.254.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251917; rev:1;)
alert tcp $HOME_NET any -> [107.174.254.9] 7890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251918; rev:1;)
alert tcp $HOME_NET any -> [107.173.114.222] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251911; rev:1;)
# url indicator: client-to-server HTTP request on an established flow with "GET"
# in the method, a Host that is exactly "175.27.137.15" (depth:13 plus
# isdataat:!1,relative anchor both ends) and a URI that starts with "/match"
# (depth:6, nocase). The URI content has no end anchor, so longer paths sharing
# the prefix match too. No threshold is set, so every matching request alerts.
# The same address is also listed as an ip:port indicator on port 443
# (sid:91251867).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"175.27.137.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251907; rev:1;)
alert tcp $HOME_NET any -> [47.236.41.162] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251906; rev:1;)
alert tcp $HOME_NET any -> [8.217.117.6] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251903; rev:1;)
alert tcp $HOME_NET any -> [8.217.117.6] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251904; rev:1;)
alert tcp $HOME_NET any -> [8.217.117.6] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251905; rev:1;)
alert tcp $HOME_NET any -> [47.76.219.122] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251902; rev:1;)
alert tcp $HOME_NET any -> [8.210.224.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251901; rev:1;)
alert tcp $HOME_NET any -> [8.217.137.245] 60012 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251900; rev:1;)
alert tcp $HOME_NET any -> [47.254.46.30] 60891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251899; rev:1;)
alert tcp $HOME_NET any -> [8.219.0.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251898; rev:1;)
alert tcp $HOME_NET any -> [47.236.111.110] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251897; rev:1;)
alert tcp $HOME_NET any -> [134.122.74.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251896; rev:1;)
alert tcp $HOME_NET any -> [68.183.92.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251895; rev:1;)
alert tcp $HOME_NET any -> [64.227.148.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251894; rev:1;)
alert tcp $HOME_NET any -> [24.144.96.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251893; rev:1;)
alert tcp $HOME_NET any -> [82.157.190.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251888; rev:1;)
alert tcp $HOME_NET any -> [111.231.146.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251889; rev:1;)
alert tcp $HOME_NET any -> [124.222.78.73] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251890; rev:1;)
alert tcp $HOME_NET any -> [150.158.37.125] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251891; rev:1;)
alert tcp $HOME_NET any -> [159.75.188.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251892; rev:1;)
alert tcp $HOME_NET any -> [49.232.129.71] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251884; rev:1;)
alert tcp $HOME_NET any -> [49.235.87.201] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251885; rev:1;)
alert tcp $HOME_NET any -> [62.234.180.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251886; rev:1;)
alert tcp $HOME_NET any -> [81.69.250.247] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251887; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.113] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251880; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251879; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.142] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251878; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.99] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251877; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.120] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251876; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251875; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.231] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251874; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.227] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251873; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251872; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251871; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251870; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.134] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251869; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.115] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251868; rev:1;)
alert tcp $HOME_NET any -> [175.27.137.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251867; rev:1;)
# url + domain pair for one hostname. Both rules anchor the full 47-byte name
# (depth:47 plus isdataat:!1,relative), so only this exact FQDN matches and not
# other names under the same parent domain. The url rule additionally needs a
# URI starting with "/pixel.gif" (depth:10, nocase, no end anchor). The dns rule
# matches the query name case-insensitively and fires on the lookup itself,
# whether or not an HTTP request follows. Neither rule sets a threshold.
# NOTE(review): dns_query is the legacy spelling of the dns.query buffer, while
# the http rules use the dotted sticky-buffer names; confirm the target engine
# version accepts both forms.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"service-b7okr3qc-1300276284.nj.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b7okr3qc-1300276284.nj.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251866; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251864; rev:1;)
# url indicator: Host exactly "139.198.33.161" (depth:14 plus
# isdataat:!1,relative) and a URI starting with "/fwlink" (depth:7, nocase).
# The URI has no end anchor, so any path or query string after the prefix
# still matches. No threshold is set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.198.33.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251863; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251862; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251861; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.117] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251860/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251860; rev:1;) alert tcp $HOME_NET any -> [154.219.151.243] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251859; rev:1;) alert tcp $HOME_NET any -> [154.219.154.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251858; rev:1;) alert tcp $HOME_NET any -> [156.232.186.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251857; rev:1;) alert tcp $HOME_NET any -> [154.219.151.228] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251856; rev:1;) alert tcp $HOME_NET any -> [156.232.186.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251855; rev:1;) alert tcp $HOME_NET any -> [154.219.151.252] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251854; rev:1;) alert tcp $HOME_NET any -> [154.219.145.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251853; rev:1;) alert tcp $HOME_NET any -> [154.219.177.148] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251852; rev:1;) alert tcp $HOME_NET any -> [156.232.192.100] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251851; rev:1;) alert tcp $HOME_NET any -> [154.219.154.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251850; rev:1;) alert tcp $HOME_NET any -> [154.219.164.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; 
classtype:trojan-activity; sid:91251849; rev:1;) alert tcp $HOME_NET any -> [154.219.177.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251848; rev:1;) alert tcp $HOME_NET any -> [156.232.186.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251847; rev:1;) alert tcp $HOME_NET any -> [154.219.154.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251846; rev:1;) alert tcp $HOME_NET any -> [154.219.154.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251845; rev:1;) alert tcp $HOME_NET any -> [154.219.145.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251844; rev:1;) alert tcp $HOME_NET any -> [154.219.151.238] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251843; rev:1;)
# ip:port indicators (Cobalt Strike, port 808). Matching is on destination
# address and port alone; there is no flow or payload keyword, so an attempt
# that never completes still alerts. The threshold limits each rule to one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [154.219.145.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251842; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251841; rev:1;)
# URL indicator, cleartext HTTP only (the http.* buffers need a parsed HTTP
# request). The URI test is a case-insensitive prefix match on "/j.ad"
# (depth:5, no end check); the Host value must be exactly the literal address
# 120.25.1.52 (depth:11 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.25.1.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251840; rev:1;)
# ip:port indicators labelled XOR DDoS, confidence 75%. The value is repeated
# in metadata as confidence_level, so it is available for ranking or filtering
# alerts. All eleven rules use port 1430, on two runs of consecutive addresses:
# 137.175.88.241-245 and 198.2.217.64-69. Same matching caveat as every
# ip:port rule here: address and port only, no flow state, no payload.
alert tcp $HOME_NET any -> [137.175.88.241] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251829; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.242] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251830; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.243] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251831; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.244] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251832; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.245] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251833; rev:1;)
alert tcp $HOME_NET any -> [198.2.217.64] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251834; rev:1;)
alert tcp $HOME_NET any -> [198.2.217.65] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251835; rev:1;)
alert tcp $HOME_NET any -> [198.2.217.66] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251836; rev:1;)
alert tcp $HOME_NET any -> [198.2.217.67] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251837; rev:1;)
alert tcp $HOME_NET any -> [198.2.217.68] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251838; rev:1;)
alert tcp $HOME_NET any -> [198.2.217.69] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251839; rev:1;)
# Domain indicators, confidence 100%; the msg names no malware family.
# dns_query is the legacy spelling of the dns.query buffer. depth equal to the
# name length plus isdataat:!1,relative makes each rule an exact,
# case-insensitive match on the queried name, so other labels under the same
# parent domain do not match. The alerting source is whichever $HOME_NET host
# sent the query outward, which may be an internal resolver.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.nnmm234.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.xxcc789.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.jjkk567.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.vvbb321.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251827; rev:1;)
# ip:port indicators, Cobalt Strike, confidence 100%. The rules on 443 match
# every connection to that address and port, whatever is carried inside it.
# NOTE(review): 50050 is the default Cobalt Strike team-server port, which
# operator clients connect to; treat a hit on the :50050 rule as a lead to
# verify against flow data rather than as observed beacon traffic.
alert tcp $HOME_NET any -> [8.137.91.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251754; rev:1;)
alert tcp $HOME_NET any -> [8.137.127.73] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251755; rev:1;)
alert tcp $HOME_NET any -> [8.130.48.46] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251752; rev:1;)
alert tcp $HOME_NET any -> [8.130.165.254] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251753; rev:1;)
# ip:port indicators for Cobalt Strike, AsyncRAT and Quasar RAT, all
# first_seen 2024_03_30 with confidence 100%. Each rule matches on destination
# address and port only: no flow keyword and no payload inspection, so a
# connection attempt that never completes still alerts, and the rules on
# ports 80 and 443 match every connection to that address regardless of what
# is requested. "threshold: type limit, track by_src, seconds 60, count 1"
# allows one alert per rule per source address per 60 seconds. target:src_ip
# marks the internal source as the affected side in the alert record.
# Triage: confirm a completed session in flow data, and check the referenced
# ThreatFox entry for whether the address is still listed.
# NOTE(review): 50050 is the default Cobalt Strike team-server port, which
# operator clients connect to; treat hits on the :50050 rules as leads to
# verify rather than as observed beacon traffic.
alert tcp $HOME_NET any -> [8.130.37.38] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251750; rev:1;)
alert tcp $HOME_NET any -> [8.130.45.8] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251751; rev:1;)
alert tcp $HOME_NET any -> [172.94.8.37] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251748; rev:1;)
alert tcp $HOME_NET any -> [8.130.34.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251749; rev:1;)
alert tcp $HOME_NET any -> [91.92.120.13] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251747; rev:1;)
alert tcp $HOME_NET any -> [77.105.219.98] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251745; rev:1;)
alert tcp $HOME_NET any -> [88.229.0.76] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251746; rev:1;)
alert tcp $HOME_NET any -> [39.100.68.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251756; rev:1;)
alert tcp $HOME_NET any -> [39.101.75.126] 37777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251757; rev:1;)
alert tcp $HOME_NET any -> [39.103.196.134] 33889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251758; rev:1;)
alert tcp $HOME_NET any -> [39.105.24.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251759; rev:1;)
alert tcp $HOME_NET any -> [39.105.184.73] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251760; rev:1;)
alert tcp $HOME_NET any -> [47.92.140.21] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251761; rev:1;)
alert tcp $HOME_NET any -> [47.92.147.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251762; rev:1;)
alert tcp $HOME_NET any -> [47.94.220.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251763; rev:1;)
alert tcp $HOME_NET any -> [47.105.69.34] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251764; rev:1;)
alert tcp $HOME_NET any -> [47.108.24.97] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251765; rev:1;)
alert tcp $HOME_NET any -> [47.108.157.156] 50099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251766; rev:1;)
alert tcp $HOME_NET any -> [47.108.180.121] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251767; rev:1;)
alert tcp $HOME_NET any -> [47.108.254.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251768; rev:1;)
alert tcp $HOME_NET any -> [47.113.147.219] 50080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251769; rev:1;)
alert tcp $HOME_NET any -> [47.113.188.133] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251770; rev:1;)
alert tcp $HOME_NET any -> [47.115.210.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251771; rev:1;)
alert tcp $HOME_NET any -> [47.120.45.70] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251772; rev:1;)
alert tcp $HOME_NET any -> [59.110.142.91] 13564 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251774; rev:1;)
alert tcp $HOME_NET any -> [47.120.67.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251773; rev:1;)
alert tcp $HOME_NET any -> [60.205.2.104] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251775; rev:1;)
alert tcp $HOME_NET any -> [101.201.53.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251776; rev:1;)
alert tcp $HOME_NET any -> [106.14.56.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251777; rev:1;)
alert tcp $HOME_NET any -> [116.62.4.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251778; rev:1;)
alert tcp $HOME_NET any -> [116.62.34.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251779; rev:1;)
alert tcp $HOME_NET any -> [120.26.102.134] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251780; rev:1;)
alert tcp $HOME_NET any -> [120.26.195.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251781; rev:1;)
alert tcp $HOME_NET any -> [120.55.47.4] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251782; rev:1;)
alert tcp $HOME_NET any -> [120.55.183.142] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251783; rev:1;)
alert tcp $HOME_NET any -> [121.43.114.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251784; rev:1;)
alert tcp $HOME_NET any -> [121.199.0.54] 14443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251785; rev:1;)
alert tcp $HOME_NET any -> [139.224.194.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"www.donquichottedeladendre-ath.be"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251798/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251798; rev:1;)
# "payload delivery" URL indicators, confidence 80%. Each rule matches a GET
# from $HOME_NET on an established connection whose URI begins with
# "/xmlrpc.php" (case-insensitive prefix: depth:11, no end check, so query
# strings and longer paths also match) and whose Host value is exactly the
# listed name (depth equal to the name length plus isdataat:!1,relative), so
# "www.cantinalandi.com" matches but the bare domain does not.
# Cleartext HTTP only: the http.* buffers need a parsed HTTP request, so the
# same fetch over TLS is not seen unless it is decrypted before the sensor.
# NOTE(review): /xmlrpc.php is the standard WordPress XML-RPC path, so these
# hosts are presumably ordinary sites that were abused to serve a payload;
# confirm on the referenced ThreatFox entry. A hit shows that a client
# requested that path from that site; use proxy or endpoint logs to establish
# what was returned and whether anything was written or executed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"stanta.co.uk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"juststories.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251800/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kemilektioner.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251801/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"support.dotregis.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251802/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cantinalandi.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251803/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"descarca.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251804/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"exceloffthegrid.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251805/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251805; rev:1;)
# Domain indicator, confidence 100%. dns_query is the legacy spelling of the
# dns.query buffer; depth:9 plus isdataat:!1,relative makes this an exact,
# case-insensitive match on "anbu.bond", so sub-domains of it do not match.
# The alerting source is whichever $HOME_NET host sent the query outward,
# which may be an internal resolver rather than the host that asked.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anbu.bond"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251742; rev:1;)
alert tcp $HOME_NET any -> [167.86.115.184] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1251744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251744; rev:1;) alert tcp $HOME_NET any -> [195.10.205.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251741; rev:1;) alert tcp $HOME_NET any -> [2.58.56.109] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251743; rev:1;) alert tcp $HOME_NET any -> [89.213.140.115] 443 (msg:"ThreatFox Nova Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.213.140.115.nerozix.ovh"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onsttuiona.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251737; rev:1;) alert 
tcp $HOME_NET any -> [185.224.128.34] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251739; rev:1;) alert tcp $HOME_NET any -> [185.196.10.58] 5140 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/mauqes.rar"; depth:20; nocase; http.host; content:"www.gamerforyou.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitonecore.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/8xgv80zsbs5mp92wr3xrj/onebit-core.zip"; depth:45; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; 
classtype:trojan-activity; sid:91251716; rev:1;) alert tcp $HOME_NET any -> [176.113.115.229] 36576 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251732; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251712; rev:1;) alert tcp $HOME_NET any -> [92.63.192.108] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251824; rev:1;) alert tcp $HOME_NET any -> [147.182.199.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251823; rev:1;) alert tcp $HOME_NET any -> [77.221.156.22] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251822; rev:1;) alert tcp $HOME_NET any -> [143.198.54.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251821; rev:1;) alert tcp $HOME_NET any -> [45.207.36.45] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251820; rev:1;) alert tcp $HOME_NET any -> [104.161.53.196] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251819; rev:1;) alert tcp $HOME_NET any -> [125.209.169.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251818; rev:1;) alert tcp $HOME_NET any -> [41.96.180.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251817; rev:1;) alert tcp $HOME_NET any -> [97.118.60.71] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251816; rev:1;) alert tcp $HOME_NET any -> [140.246.157.86] 4433 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251815; rev:1;) alert tcp $HOME_NET any -> [110.40.133.81] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251814; rev:1;) alert tcp $HOME_NET any -> [92.116.39.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251813; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251812; rev:1;) alert tcp $HOME_NET any -> [8.219.236.149] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251811; rev:1;) alert tcp $HOME_NET any -> [217.182.79.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251810/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_30; classtype:trojan-activity; sid:91251810; rev:1;) alert tcp $HOME_NET any -> [217.237.82.88] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251809; rev:1;) alert tcp $HOME_NET any -> [121.127.33.69] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.215.123.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251807; rev:1;) alert tcp $HOME_NET any -> [193.233.132.108] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251806; rev:1;) alert tcp $HOME_NET any -> [194.67.193.69] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251797/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251797; rev:1;) alert tcp $HOME_NET any -> [154.219.154.80] 808 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251795; rev:1;) alert tcp $HOME_NET any -> [154.219.177.155] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251794; rev:1;) alert tcp $HOME_NET any -> [156.232.186.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251793; rev:1;) alert tcp $HOME_NET any -> [43.240.48.69] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251792; rev:1;) alert tcp $HOME_NET any -> [154.219.177.131] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251791; rev:1;) alert tcp $HOME_NET any -> [154.219.151.245] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251790/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251790; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 4787 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251789; rev:1;) alert tcp $HOME_NET any -> [217.63.234.90] 1313 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251788; rev:1;) alert tcp $HOME_NET any -> [193.233.132.108] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0935883.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251740; rev:1;) alert tcp $HOME_NET any -> [185.216.70.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251731; rev:1;) alert tcp $HOME_NET any 
-> [195.133.88.120] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251730; rev:1;) alert tcp $HOME_NET any -> [174.138.63.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251729; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251728/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251728; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12853 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251727/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251727; rev:1;) alert tcp $HOME_NET any -> [45.241.43.95] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251726; rev:1;) alert tcp $HOME_NET any -> [2.50.51.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251725/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251725; rev:1;) alert tcp $HOME_NET any -> [185.239.209.56] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251724; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251723; rev:1;) alert tcp $HOME_NET any -> [45.77.255.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251722; rev:1;) alert tcp $HOME_NET any -> [183.36.40.98] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251721; rev:1;) alert tcp $HOME_NET any -> [103.169.126.238] 44447 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251720; rev:1;) alert tcp $HOME_NET any -> [164.90.238.212] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251719; rev:1;) alert tcp $HOME_NET any -> [210.215.129.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251718; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251714; rev:1;) alert tcp $HOME_NET any -> [162.120.71.68] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"widur.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.246"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1251709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.221.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"widur.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251708; rev:1;) alert tcp $HOME_NET any -> [95.216.176.246] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251706; rev:1;) alert tcp $HOME_NET any -> [78.47.221.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251707; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251705; rev:1;) alert tcp $HOME_NET any -> [156.232.192.122] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251704; rev:1;) alert tcp $HOME_NET any -> [154.219.154.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251703; rev:1;) alert tcp $HOME_NET any -> [156.232.192.103] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251702; rev:1;) alert tcp $HOME_NET any -> [154.219.154.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251701; rev:1;) alert tcp $HOME_NET any -> [156.232.192.104] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251700; rev:1;) alert tcp $HOME_NET any -> [43.240.48.103] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251699; rev:1;) alert tcp $HOME_NET any -> [154.219.154.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251698; rev:1;) alert tcp $HOME_NET any -> [154.219.151.235] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251697; rev:1;) alert tcp $HOME_NET any -> [156.232.186.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251696; rev:1;) alert tcp $HOME_NET any -> [154.219.154.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251695; rev:1;) alert tcp $HOME_NET any -> [156.232.192.109] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251694; rev:1;) 
# ip:port indicators: each rule below matches TCP traffic from $HOME_NET to the
# single listed destination address and port. There are no flow or content
# keywords, so a match says nothing about the protocol spoken on that port.
# threshold (type limit, track by_src, seconds 60, count 1) caps alerts at one
# per source address per 60 seconds. target:src_ip records the $HOME_NET host
# as the target side of the event.
# The sid is the ThreatFox IOC id from the reference URL prefixed with 9
# (sid:91251693 <-> threatfox.abuse.ch/ioc/1251693/).
# NOTE(review): first_seen on these entries is 2024_03_29 and hosting addresses
# get reassigned, so confirm the indicator is still listed at the reference URL
# before treating a hit as a confirmed compromise.
alert tcp $HOME_NET any -> [154.219.151.236] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251693; rev:1;) alert tcp $HOME_NET any -> [154.219.151.239] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251692; rev:1;) alert tcp $HOME_NET any -> [156.232.186.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251691; rev:1;) alert tcp $HOME_NET any -> [156.232.186.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251690; rev:1;) alert tcp $HOME_NET any -> [154.219.163.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251689; rev:1;) alert tcp $HOME_NET any -> [154.219.163.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251688; rev:1;) alert tcp $HOME_NET any -> [43.240.48.121] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251687; rev:1;) alert tcp $HOME_NET any -> [45.156.217.9] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251686; rev:1;) alert tcp $HOME_NET any -> [154.219.177.132] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251685; rev:1;) alert tcp $HOME_NET any -> [154.219.177.139] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251684; rev:1;) alert tcp $HOME_NET any -> [156.232.186.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251683; rev:1;) alert tcp $HOME_NET any -> [154.219.177.157] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251682; rev:1;) alert tcp $HOME_NET any -> [154.219.177.153] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251681; rev:1;) alert tcp $HOME_NET any -> [154.219.163.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251680; rev:1;) alert tcp $HOME_NET any -> [156.232.186.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251679; rev:1;) alert tcp $HOME_NET any -> [154.219.177.145] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251678; rev:1;) alert tcp $HOME_NET any -> [156.232.192.107] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251677/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251677; rev:1;) alert tcp $HOME_NET any -> [154.219.145.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251676; rev:1;) alert tcp $HOME_NET any -> [154.219.177.152] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251675; rev:1;) alert tcp $HOME_NET any -> [154.219.145.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251674; rev:1;) alert tcp $HOME_NET any -> [156.232.186.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"ezshipsy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251433; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ezshipsy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"edulokam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251434; rev:1;) alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jsluna.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; 
content:"jsluna.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251437; rev:1;)
# NOTE(review): the next two rules are tagged confidence_level 75. The ply.gg
# name looks like a hostname issued by a public tunnelling service (playit.gg;
# confirm), and the address in the ip:port rule may be that service's front
# end rather than an attacker-owned host. If so, the endpoint is shared by
# unrelated tenants and benign hits are to be expected; correlate the DNS
# query, the destination port and the originating process before treating a
# match as NjRAT. The dns rule matches the full query name only (depth:29 plus
# isdataat:!1,relative), so other hostnames under the same suffix do not match.
alert tcp $HOME_NET any -> [147.185.221.19] 5491 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"registration-nil.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251653; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.149] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251672; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.118] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251671; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251670; rev:1;) alert tcp $HOME_NET any -> [156.232.192.108] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251669; rev:1;) alert tcp $HOME_NET any -> [122.10.78.230] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251668; rev:1;) alert tcp $HOME_NET any -> [154.219.151.251] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251667; rev:1;) alert tcp $HOME_NET any -> [154.219.151.234] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251666; rev:1;) alert tcp $HOME_NET any -> [154.219.163.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251665; rev:1;) alert tcp $HOME_NET any -> [156.232.192.119] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251664; rev:1;) alert tcp $HOME_NET any -> [45.156.217.2] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251663; rev:1;) alert tcp $HOME_NET any -> [156.232.186.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251662; rev:1;) alert tcp $HOME_NET any -> [43.240.48.67] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251661; rev:1;) alert tcp $HOME_NET any -> [156.232.186.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251660; rev:1;) alert tcp $HOME_NET any -> [154.219.163.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251659; rev:1;) alert tcp 
$HOME_NET any -> [154.219.151.237] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251658; rev:1;) alert tcp $HOME_NET any -> [154.219.145.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251657; rev:1;) alert tcp $HOME_NET any -> [154.219.151.246] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251656; rev:1;) alert tcp $HOME_NET any -> [154.219.151.233] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251655; rev:1;) alert tcp $HOME_NET any -> [154.219.163.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/vmtojssqldblinuxtrafficlocal.php"; depth:33; nocase; http.host; content:"131217cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251651; rev:1;)
alert tcp $HOME_NET any -> [8.218.29.187] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251431; rev:1;)
# NOTE(review): from here on, a run of "url" rules puts a bare IPv4 literal in
# http.uri, with depth equal to the literal's length and no http.host match.
# depth anchors the content at the start of the buffer, and a request URI
# normally begins with "/", so these rules look unlikely to fire on ordinary
# client requests. The source IoC was probably a URL whose host is that
# address (confirm on the referenced ThreatFox entry); matching the literal in
# http.host, as the hostname-based url rules in this file do, would be the
# usual form. Until the feed is corrected, do not count these SIDs as
# detection coverage for those addresses.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.212"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.13.125"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.78"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"45.90.12.98"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.152"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.137.207.144"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.71"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.19"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"45.128.232.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251313; rev:1;)
# NOTE(review): the next rule requires the Host header to be exactly "http"
# (depth:4 plus isdataat:!1,relative) and the URI to start with
# "//84.54.51.144:7070". That looks like a URL of the form
# http://<address>:<port> split at the first ":" by the rule generator, so
# the scheme landed in http.host; verify against the referenced IoC. As
# written it is unlikely to match real traffic to that endpoint, so it should
# not be counted as coverage for it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//84.54.51.144:7070"; depth:19; nocase; http.host; content:"http"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.205"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.208"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.207"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"84.54.51.107"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.195"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.132"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.206"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"2.58.95.55"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.138"; 
depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.81.230.244"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"54.39.67.23"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.132.100"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.211.81"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.196.162.3"; depth:11; nocase; reference:url, 
threatfox.abuse.ch/ioc/1251328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.222.196.58"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.59.65.43"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.22.165"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.196.244.80"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251332/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"142.44.236.7"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.44"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.9"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.8"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.91.127.66"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251338/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.20"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.53"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.200"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.41"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.2"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251343; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.7"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.37"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.193.4"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.194.10"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"158.51.96.17"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.193.106"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.98.57.36"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.98.58.246"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"199.195.251.103"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.141.35.229"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.51"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.255.74"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.193"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.137.203.236"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.103.253.34"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"41.216.182.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"195.58.39.34"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.82.135.217"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"86.104.194.180"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.107.139.159"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"103.4.235.175"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"93.123.85.59"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.148.241.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.249.48.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.64"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"185.171.121.161"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251369; rev:1;)
# Domain rules: dns_query + content + depth:<length of the name> + isdataat:!1,relative
# pins the match to the whole query name, and nocase makes it case-insensitive. A lookup
# for a subdomain of a listed name therefore does NOT match; each host needs its own sid.
# fast_pattern selects the domain string for the multi-pattern prefilter.
# target:src_ip marks the $HOME_NET client that issued the query as the target in the alert.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer; confirm the
# deployed Suricata version still accepts it before loading this feed.
# NOTE(review): these entries carry confidence_level 75 and name no malware family in msg;
# treat a hit as a lead to corroborate with endpoint or proxy telemetry, not as proof of
# compromise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"betaproxy.herios-stresser.space"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chrysler.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chryslernetwork.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorillaproxy.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kane.kingswoklongwood.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251373/;
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proxys.herios-stress.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorillaproxy.su"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251376/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"balkanskiskidovi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blyndz.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"egirls.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251379; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"holding.homes"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"santa.army"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seized.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stitch.army"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251383/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"caovh.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.nekofish.cc"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metis-kill-faggots.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"niggakilla.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proxy.iswearimnotgay.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251388/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.141.160"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.13.164"; depth:12; nocase; reference:url, 
threatfox.abuse.ch/ioc/1251303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.162"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poggo-proxy.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tomware.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251389/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dash.authillusion.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eternalservices.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frostedfamily.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeicjslvodjfklllf.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251394/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aemvieudjkscbbb.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251395/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aenbcisbflkdjjjccc.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251396/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeocidkcsjxxcxcc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251397/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xs.ooxxoxox.win"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251398/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a.refusal.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bl.refusal.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cafe.refusal.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"info.refusal.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251402/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"refusal.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1251403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"report.refusal.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sb.refusal.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alo.taxido.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wyng.whiting.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fleurs-parfaites.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdnet-web.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.254.198.211"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalparac2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalparadisec2.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madeyourbackup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251413; rev:1;) alert tcp $HOME_NET any -> [103.173.178.208] 43957 
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251428/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251428; rev:1;)
# Exact-match domain rule: depth equals the name's length and isdataat:!1,relative forbids
# trailing data, so only a query for exactly this name alerts (case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ap.akdns.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251429/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251429; rev:1;)
# ip:port rules have no flow or payload keywords: any TCP packet from $HOME_NET to the
# listed address and port matches, so an alert shows a connection attempt, not a completed
# C2 exchange. The threshold (type limit, track by_src, seconds 60, count 1) caps output at
# one alert per source host per minute.
# NOTE(review): first_seen is 2024_03_29 and the feed header is dated 2024-07-26; addresses
# can change hands, so check the ThreatFox reference and the connection's flow record
# before escalating a hit.
alert tcp $HOME_NET any -> [91.92.253.144] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251430; rev:1;)
# url rule with both parts: http.uri is anchored at offset 0 (depth equals the path's length)
# with nocase but no end anchor, so it is a prefix match and a longer URI that begins with
# this path also matches. http.host is an exact match (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251427; rev:1;)
alert tcp $HOME_NET any -> [47.120.13.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.218.29.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251425; rev:1;) alert tcp $HOME_NET any -> [185.172.128.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faqpage.js"; depth:11; nocase; http.host; content:"averatechsolutions.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"averatechsolutions.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"212.129.223.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251421; rev:1;) alert tcp $HOME_NET any -> [3.133.159.129] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"3.133.159.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipv6test/test"; depth:14; nocase; http.host; content:"47.113.179.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251418; rev:1;) alert tcp $HOME_NET any -> [92.63.193.141] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gays.egorvlasov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251416/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251416; rev:1;)
# ThreatFox ip:port indicators (the "alert tcp" rules below): each rule names only
# a destination address and port, with no flow or content keywords, so any TCP
# packet from $HOME_NET to that endpoint matches. A hit shows that an internal
# host tried to reach the listed address; on its own it does not show that a
# session was established or what was exchanged.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source host per 60 seconds. target:src_ip marks the internal host as
# the target side of the event.
# metadata carries ThreatFox's confidence_level and first_seen (2024_03_29 for
# these entries). Address indicators age quickly, so check the reference URL for
# the indicator's current status before acting on an address match alone.
alert tcp $HOME_NET any -> [170.64.236.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251415; rev:1;)
# ThreatFox url indicator: client-to-server traffic on an established flow where
# http.method contains "GET", http.uri begins with "/g.pixel" (depth:8 anchors
# the start only; nocase) and http.host is exactly "170.64.236.133" (depth:14
# plus isdataat:!1,relative anchor both ends). There is no threshold, so every
# matching request alerts. The rule can only match where the HTTP request is
# visible to the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"170.64.236.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251414; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.124] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251301; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251300; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.253] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251299; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251298; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251297; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251296; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.241] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251295; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.188] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251294; rev:1;)
# Same url-indicator shape as sid 91251414, keyed on a hostname instead of an
# address: URI prefix "/dpixel", http.host exactly "www.xss.mba".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251293; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251292; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.97] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251291; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.124] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251290; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251289; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251288; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.112] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251287; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251286; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.111] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251285; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.183] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251284; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.110] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251283; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.49] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251282; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251281; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.126] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251280; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.133] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251279; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.232] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251278; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.116] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251277; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.249] 808
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251276; rev:1;)
# The "alert tcp" rules below match on destination address and port alone (no
# flow or payload condition), so they fire on any TCP packet sent from $HOME_NET
# to the endpoint; the threshold limits this to one alert per source per 60 s.
# Treat a hit as "this host tried to contact a listed endpoint" and corroborate
# with flow or host telemetry before drawing conclusions. The confidence_level
# and first_seen values in metadata are ThreatFox's; the reference URL holds the
# indicator's current record.
alert tcp $HOME_NET any -> [154.219.145.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251275; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251274; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251273; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.135] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251272; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.154] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251271; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251270; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.111] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251269; rev:1;)
alert tcp $HOME_NET any -> [92.63.193.141] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251268; rev:1;)
# ThreatFox domain indicator: matches a DNS query whose name equals the listed
# domain (depth:18 anchors the start, isdataat:!1,relative the end; nocase), so
# lookups of its subdomains do not match. No threshold is set.
# NOTE(review): dns_query is the older spelling of the dns.query buffer; confirm
# the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gays.egorvlasov.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251267; rev:1;)
# ThreatFox url indicator for the same hostname as the DNS rule above:
# http.method contains "GET", http.uri begins with "/jquery-3.3.1.min.js"
# (depth:20, nocase; nothing anchors the end of the URI) and http.host is
# exactly the listed name. The URI resembles a common static-asset path, so the
# exact-host condition is what keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gays.egorvlasov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251266; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251265; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.105] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251264; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.147] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251263; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.230] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251262; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.137] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251261; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251260; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.141] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251259; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.176] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251258; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251257; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.126] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251256; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.150] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251255; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.184] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251254; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.12] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251253; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.248] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251252; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251251; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251250; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.42] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1251249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251249; rev:1;)
# Address-and-port indicators: every "alert tcp" rule below has the same shape,
# differing only in destination address, port, reference URL and sid. There is
# no flow keyword, so a single outbound packet to the endpoint is enough to
# alert; "threshold: type limit, track by_src, seconds 60, count 1" keeps
# repeated hits from one source to one alert per minute, which also means alert
# volume says little about how much traffic was sent.
# target:src_ip records the $HOME_NET side as the target of the event.
alert tcp $HOME_NET any -> [43.240.49.132] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251248; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251247; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251246; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251245; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251244; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251243; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.147] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251242; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251241; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.71] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251240; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251239; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.247] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251238; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251237; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251236; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251235; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.208] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251234; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251233; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251232; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.151] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251231; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.145] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251230; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251229; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251228; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.254] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251227; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251226; rev:1;)
# ThreatFox url indicator: established client-to-server flow, http.method
# containing "GET", http.uri starting with "/dot.gif" (depth:8, nocase; a query
# string or longer path after the prefix still matches) and http.host equal to
# "82.157.44.254" (depth:13 with isdataat:!1,relative). Unlike the ip:port rules
# this one has no threshold and depends on the request being parsed as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251225; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.98] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251224; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.138] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251223; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.207] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251222; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.76] 808
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251221; rev:1;)
# ip:port indicators ("alert tcp"): the only match conditions are source
# $HOME_NET and the bracketed destination address and port. With no flow or
# content keyword, an alert records an outbound packet to that endpoint and
# nothing about the payload; the threshold emits at most one alert per source
# host per 60 seconds.
# The metadata fields (confidence_level, first_seen) and the reference URL come
# from ThreatFox; use the reference to confirm the indicator is still listed
# before treating a bare address match as confirmed C2.
alert tcp $HOME_NET any -> [154.219.145.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251220; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.209] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251219; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251218; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251217; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.98] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251216; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251215; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.226] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251214; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.136] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251213; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.135] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251212; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.114] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251211; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251210; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.144] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251209; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251208; rev:1;)
# ThreatFox url indicator: http.method containing "GET", http.uri starting with
# "/load" (depth:5, nocase) and http.host exactly "161.35.168.216" on an
# established client-to-server flow. The URI condition is a prefix match; the
# exact host match carries most of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"161.35.168.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251207; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.123] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251206; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251205; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.185] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251204; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.102] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251203; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.5] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251202; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.154] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251201; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.83] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251200; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251199; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.37] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251198; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.229] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251197; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251196; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.158] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251195; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.146] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251194; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.177] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251193; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251191; rev:1;)
# Two more url indicators of the same shape. In the first, the URI condition is
# only the three-byte prefix "/ca" (depth:3, nocase), so any path on that host
# beginning with those bytes matches (constructed example: "/cache"); the
# exact http.host match is what ties the alert to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251190; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251189/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251189; rev:1;) alert tcp $HOME_NET any -> [154.219.151.244] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251188; rev:1;) alert tcp $HOME_NET any -> [156.232.186.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251187; rev:1;) alert tcp $HOME_NET any -> [43.240.49.163] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251186; rev:1;) alert tcp $HOME_NET any -> [156.232.192.106] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251185; rev:1;) alert tcp $HOME_NET any -> [154.219.177.141] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"z.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251158; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line of this listing.
# From here on each complete rule is shown on a single line.
#
# ip:port rules: the only conditions are the header (protocol, $HOME_NET source, one destination
# address and port). There is no flow, flags or content keyword, so any TCP packet from $HOME_NET
# to that address and port matches, including a bare connection attempt. "threshold: type limit,
# track by_src, seconds 60, count 1" caps output at one alert per source host per 60 seconds per
# rule. target:src_ip marks the internal host as the affected side in the alert record.
# NOTE(review): address-only indicators age; first_seen here is 2024_03_29, so confirm the
# address is still attributed before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [154.219.145.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251183; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251182; rev:1;)
# domain rules: content + depth:<length of the name> + isdataat:!1,relative pins the DNS query
# name to exactly the listed string (case-insensitive via nocase). A rule for "hxhk.cc" therefore
# does not cover "a.hxhk.cc"; every subdomain needs its own sid, which is why the hxhk.cc family
# below is spread over many rules. Subdomains that are not listed raise no alert.
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer, while the url
# rules in this feed use the dotted names (http.uri, http.host) - confirm the deployed Suricata
# version accepts both spellings.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawapi.nekololis.ovh"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251154; rev:1;)
# NOTE(review): every sibling in this family is a dotted subdomain of hxhk.cc; this name has no
# dot after "tom". depth:10 equals the length of the string as written, so the rule is
# self-consistent and matches exactly "tomhxhk.cc". Confirm against ThreatFox IOC 1251155 whether
# a separate registered domain or "tom.hxhk.cc" was meant; if the latter, this sid never fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomhxhk.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.hxhk.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxhk.cc"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251151; rev:1;)
alert tcp $HOME_NET any -> [77.73.68.225] 1688 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251147; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.62] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251149; rev:1;)
# The next rules carry confidence_level 75 in both msg and metadata. The match logic is the same
# as for the 100% rules; the value is only a label, so any triage weighting has to be applied by
# whatever consumes the alerts.
alert tcp $HOME_NET any -> [84.54.51.103] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251138; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.94] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251140/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251140; rev:1;) alert tcp $HOME_NET any -> [197.253.114.16] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251137; rev:1;) alert tcp $HOME_NET any -> [177.165.108.44] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251139; rev:1;) alert tcp $HOME_NET any -> [162.20.184.46] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251136/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251136; rev:1;) alert tcp $HOME_NET any -> [154.219.151.240] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251181; rev:1;) alert tcp $HOME_NET any -> [193.35.18.56] 65490 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251115; rev:1;) alert tcp $HOME_NET any -> [45.13.226.34] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1251123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251123; rev:1;) alert tcp $HOME_NET any -> [185.117.3.184] 3569 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251124; rev:1;) alert tcp $HOME_NET any -> [34.125.17.32] 6668 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251125; rev:1;) alert tcp $HOME_NET any -> [213.129.216.207] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251126; rev:1;) alert tcp $HOME_NET any -> [93.123.85.73] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251127; rev:1;) alert tcp $HOME_NET any -> [67.217.60.78] 7854 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251128; rev:1;) alert tcp $HOME_NET any -> [118.227.92.21] 23 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251129; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line of this listing.
# From here on each complete rule is shown on a single line.
#
# ip:port rule: matches on destination address and port alone (no flow or content keywords);
# the threshold keeps it to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [185.196.8.213] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251131; rev:1;)
# domain rules: depth:<length of the name> together with isdataat:!1,relative makes the DNS query
# name match the listed string exactly (nocase), so subdomains of a listed name are not covered
# unless they have a rule of their own.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhbaghjbasdg.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.nekololis.ovh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subphattai.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251161; rev:1;)
# NOTE(review): this url rule differs from the other url rules in the feed. It has no http.host
# match; the address is instead required in the first 14 bytes of http.uri. A request path
# normally begins with "/", so this condition is unlikely to hold for ordinary requests and the
# sid probably never fires. Presumably the indicator was submitted without a scheme and the
# generator treated the whole value as a path - verify against ThreatFox IOC 1251162. Matching
# the address in http.host, as the sibling url rules do, would be the consistent form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.35.249.113"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt.zua6.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251164; rev:1;)
# NOTE(review): same shape as sid 91251162 - the address is matched at the start of http.uri
# (depth:15) and there is no http.host condition, so the same doubt about whether it can fire
# applies. Verify against ThreatFox IOC 1251163.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.173.178.208"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bt.zoml.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw1.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw.anti-ddos.io.vn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anti-ddos.io.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mainnetwork.sysromeu.eu.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdh32fsdfhs.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251171; rev:1;) alert tcp $HOME_NET any -> [156.232.192.125] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251180; rev:1;) alert tcp $HOME_NET any -> [154.219.154.73] 808 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251179; rev:1;) alert tcp $HOME_NET any -> [154.219.164.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251178; rev:1;) alert tcp $HOME_NET any -> [43.240.49.140] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251177; rev:1;) alert tcp $HOME_NET any -> [154.219.145.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251176; rev:1;) alert tcp $HOME_NET any -> [154.219.177.140] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251175; rev:1;) alert tcp $HOME_NET any -> [154.219.145.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251174/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_29; classtype:trojan-activity; sid:91251174; rev:1;)
# The line above is the tail of a rule whose header sits on the preceding line of this listing.
# From here on each complete rule is shown on a single line.
#
# ip:port rule: matches on destination address and port alone (no flow or content keywords);
# the threshold keeps it to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [156.232.186.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251173; rev:1;)
# url rules: three conditions on a client-to-server request - method contains "GET", http.uri
# begins with the listed path (depth only, so longer paths and query strings still match), and
# http.host equals the listed name exactly (depth + isdataat:!1,relative). Only the http.uri
# content carries nocase.
# In the next three rules the path is "/" with depth:1, which any path satisfies, so they reduce
# to "any GET to this Host". They have no threshold, so each matching request can alert.
# NOTE(review): the http.* buffers are filled from parsed HTTP only. The ip:port rules further
# down list two of these hosts on port 443; if that traffic is TLS, these url rules stay silent
# unless the sensor sees decrypted traffic, and the ip:port and domain rules are the ones that
# can fire. Where the request is cleartext, one connection can raise both a url sid and an
# ip:port sid for the same host - correlate by destination before counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sares.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.125.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251144; rev:1;)
# ip:port rules for the same two addresses as the url rules above, on port 443. These are the
# only rules in this group that name a malware family (Vidar) in msg.
# NOTE(review): address-only matches on 443 depend on the address still being attributed;
# first_seen is 2024_03_29, so re-check the indicator before acting on a hit.
alert tcp $HOME_NET any -> [49.13.125.250] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251142; rev:1;)
alert tcp $HOME_NET any -> [159.69.102.165] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251143; rev:1;)
# domain rule for the same name as url sid 91251146: exact, case-insensitive match on the DNS
# query name, so it fires at lookup time whether or not the later connection is visible.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sares.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251141; rev:1;)
# url rules with a specific path: http.uri must begin with the full listed path and http.host
# must equal the listed name, which makes them much narrower than the "/" rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blogs/skinny/bleat/index.php"; depth:29; nocase; http.host; content:"gammaproject.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251135/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/posting/index.php"; depth:36; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/traffic/link/posting/index.php"; depth:31; nocase; http.host; content:"muagol.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251133; rev:1;) alert tcp $HOME_NET any -> [121.40.119.94] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251130; rev:1;) alert tcp $HOME_NET any -> [95.216.41.236] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251122; rev:1;) alert tcp $HOME_NET any -> [86.106.20.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251121; rev:1;) alert tcp $HOME_NET any -> [47.99.177.59] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"somakop.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251116/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dumingas.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iseberkis.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"musarno.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251119; rev:1;) alert tcp $HOME_NET any -> [95.214.53.95] 57896 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250910; rev:1;) alert tcp $HOME_NET any -> [69.53.121.162] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250908; rev:1;) alert tcp $HOME_NET any -> [90.62.10.177] 2222 (msg:"ThreatFox Quasar RAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250909; rev:1;) alert tcp $HOME_NET any -> [46.39.224.38] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250906; rev:1;) alert tcp $HOME_NET any -> [47.97.41.73] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250907; rev:1;) alert tcp $HOME_NET any -> [1.9.177.252] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250904; rev:1;) alert tcp $HOME_NET any -> [5.102.157.70] 4872 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250905; rev:1;) alert tcp $HOME_NET any -> [101.43.109.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250894; rev:1;) alert tcp $HOME_NET any -> [106.53.213.253] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250895; rev:1;) alert tcp $HOME_NET any -> [62.234.55.243] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250896; rev:1;) alert tcp $HOME_NET any -> [81.71.153.127] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250897; rev:1;) alert tcp $HOME_NET any -> [101.34.93.112] 40045 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250898; rev:1;) alert tcp $HOME_NET any -> [192.227.177.214] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250899; rev:1;) alert tcp $HOME_NET any -> [172.214.98.73] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250900; rev:1;) alert tcp $HOME_NET any -> [170.130.55.130] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250901; rev:1;) alert tcp $HOME_NET any -> [82.156.211.202] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250902; rev:1;) alert tcp $HOME_NET any -> [80.77.23.102] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250903; rev:1;) alert tcp $HOME_NET any -> [43.139.21.199] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250892; rev:1;) alert tcp $HOME_NET any -> [43.143.112.156] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250893; rev:1;) alert tcp $HOME_NET any 
-> [1.13.169.95] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250891; rev:1;) alert tcp $HOME_NET any -> [119.29.238.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250890; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 84 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250888; rev:1;) alert tcp $HOME_NET any -> [106.55.225.79] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250889; rev:1;) alert tcp $HOME_NET any -> [124.220.148.63] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250885; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250886; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250887; rev:1;) alert tcp $HOME_NET any -> [123.60.79.118] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250882; rev:1;) alert tcp $HOME_NET any -> [1.94.132.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250883; rev:1;) alert tcp $HOME_NET any -> [212.129.223.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250884; rev:1;) alert tcp $HOME_NET any -> [139.9.193.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250881; rev:1;) alert tcp $HOME_NET any -> [93.123.39.57] 50555 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250966; rev:1;) alert tcp $HOME_NET any -> [45.67.230.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250965; rev:1;) alert tcp $HOME_NET any -> [185.216.70.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250964; rev:1;) alert tcp $HOME_NET any -> [124.13.185.107] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250911; rev:1;) alert tcp $HOME_NET any -> [124.223.48.86] 4285 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250912; rev:1;) alert tcp $HOME_NET any -> [161.97.162.173] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250913/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250913; rev:1;) alert tcp $HOME_NET any -> [172.111.148.62] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250914; rev:1;) alert tcp $HOME_NET any -> [172.111.148.69] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250915; rev:1;) alert tcp $HOME_NET any -> [184.107.123.217] 1990 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250916; rev:1;) alert tcp $HOME_NET any -> [189.78.187.139] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250917; rev:1;) alert tcp $HOME_NET any -> [191.82.209.29] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250918; rev:1;) alert tcp $HOME_NET any -> [198.167.201.212] 19132 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250919; rev:1;) alert tcp $HOME_NET any -> [43.129.74.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250963; rev:1;) alert tcp $HOME_NET any -> [1.92.98.76] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm"; depth:17; nocase; http.host; content:"kamalankaranda.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250853; rev:1;) alert tcp $HOME_NET any -> [104.194.9.116] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; 
content:"kanardansaydan1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"sayankarakam2.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odlimzblmgq5oguz/"; depth:18; nocase; http.host; content:"prizurisaby.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kamanbarsayan.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odlimzblmgq5oguz/"; depth:18; nocase; http.host; content:"iakyanalica.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250848/; target:src_ip; metadata: 
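confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250848; rev:1;)
# Layout: the rules below are restored to one rule per line; Suricata reads a rule from a
# single line unless the line ends in a backslash continuation.
#
# ip:port indicators (NjRAT, confidence 75). These rules test destination address and port
# only: there is no flow or payload condition, so any TCP packet from $HOME_NET to the
# endpoint alerts, limited to one alert per source per 60 s by the threshold.
# NOTE(review): both addresses appear to sit in public-cloud address space shared by many
# tenants - confirm ownership and current use before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [3.125.209.94] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250847; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250846; rev:1;)
#
# url indicators whose text is a bare host name or IPv4 address (sid 91250837-91250845).
# The feed emitted them as http.uri content anchored at offset 0 (depth = pattern length),
# but a request URI starts with "/" (or with a scheme in absolute form), so a host name can
# never sit at offset 0 and the rules could not fire. They are rewritten to the shape this
# feed uses for the host part of its other url rules: http.host, depth = length, and
# isdataat:!1,relative to require an exact host match. nocase is dropped because http.host
# is already normalised to lower case.
# NOTE(review): this corrects generated output and will be overwritten by the next feed
# download; carry it in rule post-processing (for example suricata-update modify rules) or
# report it upstream.
# NOTE(review): for the IPv4 cases, confirm how your Suricata version normalises a Host
# header that carries an explicit port, since the exact-match anchor would then matter.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"zero.bbxstresser.cloud"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cnc.bbxstresser.cloud"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"api.ngocphong.space"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"stress.ngocphong.space"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"ramagans.id"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.98.7.211"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.98.7.223"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.98.7.226"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.98.7.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250845; rev:1;)
#
# ip:port indicators with no family attribution and confidence 50: address/port match only,
# so treat a hit as a low-confidence lead that needs corroboration from host or flow data.
alert tcp $HOME_NET any -> [107.175.35.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250962; rev:1;)
alert tcp $HOME_NET any -> [38.6.190.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250961; rev:1;)
#
# domain indicators: depth = name length pins the match to the start of dns_query and
# isdataat:!1,relative requires the name to end there, so only the exact name alerts
# (a subdomain of it does not).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secure01-redirect.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250599/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servicehelper.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250594; rev:1;)
alert tcp $HOME_NET any -> [34.162.170.92] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src,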
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250598; rev:1;)
# Layout: the rules below are restored to one rule per line; Suricata reads a rule from a
# single line unless the line ends in a backslash continuation.
#
# domain indicators, all confidence 100. Each rule inspects the dns_query buffer with
# depth = name length (match must start at offset 0) and isdataat:!1,relative (nothing may
# follow the match), so only a query for the exact name alerts; a subdomain does not.
# nocase makes the comparison case-insensitive.
# msg names no malware family for these rules; the reference URL is the only pointer to
# attribution and context.
# NOTE(review): every name in this run ends in .dyn, .geek or .oss. These look like OpenNIC
# alternative-root TLDs rather than IANA-delegated ones - confirm. If so, a host must use an
# alternative resolver for the lookup to succeed, and the rule only sees the query when DNS
# crosses the sensor in clear text (not DoH/DoT).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amandaxthomas.dyn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cynthiaoperez.geek"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wowyoursocute.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peterhware.dyn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sydneyrmartinez.geek"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashleyobyrd.oss"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richardpjones.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luiseryan.oss"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robertmlewis.dyn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliciacmorton.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailbot.geek"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jiggaboo.oss"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimberlyngomez.geek"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoursocuteong.dyn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brianystafford.geek"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfdopospdofpsdo.dyn"; depth:19;
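fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250578; rev:1;)
# Layout: the rules below are restored to one rule per line; Suricata reads a rule from a
# single line unless the line ends in a backslash continuation.
#
# url indicator whose text is a bare IPv4 address. The feed emitted it as http.uri content
# anchored at offset 0 (depth:12), but a request URI starts with "/" (or with a scheme in
# absolute form), so the rule could not fire. It is rewritten to the http.host shape used by
# the two rules that follow: depth = length plus isdataat:!1,relative for an exact host
# match. nocase is dropped because http.host is already normalised to lower case.
# NOTE(review): sid:91250844 earlier in this file carries the same indicator at confidence
# 100; keep the two rules in step, and expect two alerts per request if both match.
# NOTE(review): this corrects generated output and will be overwritten by the next feed
# download; carry it in rule post-processing or report it upstream. Also confirm how your
# Suricata version normalises a Host header that carries an explicit port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.98.7.226"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250577; rev:1;)
#
# url indicators with path "/": the http.uri test (content:"/"; depth:1) is satisfied by any
# request path, so these behave as exact-host rules for GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haytoplokezdolezdominec.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hakolgemezedod.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250921; rev:1;)
#
# ip:port indicator (confidence 75): address/port match only, one alert per source per 60 s.
# NOTE(review): 104.21.50.30 falls inside 104.16.0.0/13, which Cloudflare publishes as its
# own range, so the address likely fronts many unrelated sites. Treat a hit as a lead and
# confirm with the HTTP Host or TLS SNI of the flow before acting on it.
alert tcp $HOME_NET any -> [104.21.50.30] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250927; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.4] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)";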
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250960; rev:1;)
# (The line above is the tail of a rule that starts before this span; it is left exactly as found.)
#
# Layout: one rule per line from here on. Every rule in this feed carries its ThreatFox IOC id three
# times: in the reference URL, in the sid (the IOC id prefixed with 9) and, implicitly, in its position.
#
# ip:port rules -- match purely on destination address and port from $HOME_NET. There is no flow,
# payload or protocol check, so any TCP packet to that endpoint fires. `threshold: type limit,
# track by_src, seconds 60, count 1` caps output at one alert per source address per 60 seconds per sid.
# `target:src_ip` marks the internal source as the affected host in the event.
# NOTE(review): confidence_level 50 entries are address-only sightings; triage them against first_seen
# (hosting addresses get reassigned) before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [72.27.97.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250959; rev:1;)
alert tcp $HOME_NET any -> [41.97.143.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250958; rev:1;)
# Destination port 445: this only fires where the sensor sees outbound SMB from $HOME_NET.
alert tcp $HOME_NET any -> [64.227.25.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250957; rev:1;)
alert tcp $HOME_NET any -> [101.33.35.171] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250956; rev:1;)
alert tcp $HOME_NET any -> [52.173.131.28] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250955; rev:1;)
alert tcp $HOME_NET any -> [192.52.166.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250954; rev:1;)
# Domain rules -- `depth` equals the pattern length and `isdataat:!1,relative` requires that nothing
# follows the match, so the DNS query name must equal the domain exactly (case-insensitively).
# A query for a subdomain of the same zone does not match. These rules have no threshold, so every
# matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webstat.page"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softkey.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetapp.page"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250934; rev:1;)
# URL rules -- client-to-server GET only. The http.uri content is anchored at the start (depth equals
# pattern length) but has no end check, so it is a case-insensitive prefix match; the http.host content
# is anchored at both ends, so the host must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8polldbvoiddb/datalifeflowerwp/processbasemariadb1/defaultbigloadpython/generator/videolowupdatedbasync.php"; depth:108; nocase; http.host; content:"89.23.98.225"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250931; rev:1;)
alert tcp $HOME_NET any -> [119.91.209.244] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250930/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250930; rev:1;)
alert tcp $HOME_NET any -> [101.32.37.92] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250929; rev:1;)
alert tcp $HOME_NET any -> [39.100.86.42] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250928; rev:1;)
# The same domain appears twice below: as a DNS indicator at confidence 50 (sid 91250926) and as the
# host of a URL indicator at confidence 100 (sid 91250924). One infected host can raise both.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spencerstuartllc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250926; rev:1;)
alert tcp $HOME_NET any -> [160.176.152.91] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/fre.php"; depth:22; nocase; http.host; content:"spencerstuartllc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250924; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.150] 32356 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ct22043.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250922; rev:1;)
# Entries below this point carry first_seen 2024_03_28.
alert tcp $HOME_NET any -> [154.219.151.242] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250880; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.3] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250878; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250877; rev:1;)
# (The line above is the tail of a rule that starts before this span; it is left exactly as found.)
#
# Layout: one rule per line. Three rule shapes appear in this span:
#   * url     -- GET from client; http.uri is a case-insensitive prefix match (depth = pattern length,
#                no end check); http.host is an exact match (depth plus isdataat:!1,relative).
#   * ip:port -- destination address and port only, no payload inspection; limited to one alert per
#                source address per 60 seconds per sid by the threshold option.
#   * domain  -- exact, case-insensitive DNS query name; no threshold.
# All rules set target:src_ip, i.e. the $HOME_NET host is recorded as the affected side.
#
# The URL indicator below points at 91.92.243.149, which is also the address of the ip:port rule whose
# tail opens this span (sid 91250877): expect both to fire for cleartext HTTP on a matching flow only
# if that flow is on port 443, otherwise just the URL rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"91.92.243.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250876; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.25] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250875; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.29] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250874; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.84] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250873; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250872; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.146] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250871; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.21] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250870; rev:1;)
alert tcp $HOME_NET any -> [120.46.152.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250869; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.47] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~zadmin/ptr5/mono.php"; depth:22; nocase; http.host; content:"31.220.1.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e64f36763e423a50.php"; depth:21; nocase; http.host; content:"193.233.132.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250865; rev:1;)
# The following ip:port rules are confidence_level 50 and several name no malware family ("Unknown
# malware"). With ports such as 80 and 443 and no payload condition, a hit says only that a host
# contacted the address.
# NOTE(review): consider routing confidence 50 hits to a lower-severity queue and correlating with
# DNS/proxy logs before escalation -- confirm against local triage policy.
alert tcp $HOME_NET any -> [188.120.248.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250864; rev:1;)
alert tcp $HOME_NET any -> [139.180.218.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250863; rev:1;)
alert tcp $HOME_NET any -> [202.182.107.193] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250862; rev:1;)
alert tcp $HOME_NET any -> [39.101.70.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250861; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.206] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250860; rev:1;)
alert tcp $HOME_NET any -> [184.20.220.17] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250859; rev:1;)
alert tcp $HOME_NET any -> [3.86.233.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250858; rev:1;)
alert tcp $HOME_NET any -> [92.116.36.212] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250857; rev:1;)
alert tcp $HOME_NET any -> [192.121.162.196] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250856; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.211] 33367 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250855; rev:1;)
alert tcp $HOME_NET any -> [64.176.80.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250854; rev:1;)
# Domain indicators at confidence 75. The match is on the exact query name, so a resolver lookup alone
# triggers the alert, whether or not a connection follows.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cowspidzu.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"muratinue.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"certifacto.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bladisuka.red"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250833; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence 
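level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250832; rev:1;)
# (The line above is the tail of a rule that starts before this span; it is left exactly as found.)
#
# ip:port rule: destination address and port only, no payload check; at most one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [185.196.11.223] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250831; rev:1;)
# FIX (sids 91250574, 91250575, 91250576): as generated, these three rules put a bare host string in
# the http.uri buffer, anchored at offset 0 (`http.uri; content:"<host>"; depth:<len>; nocase;`).
# The normalized request URI begins with "/", so a pattern that starts with an IP or domain cannot
# match there and the rules never alert. Presumably the underlying ThreatFox entries are URL IOCs with
# no path component -- verify against the referenced IOC pages.
# The host is now matched in http.host, exact-anchored with depth plus isdataat:!1,relative, the same
# way every other URL rule in this file matches its host. `nocase` is dropped because http.host is a
# lower-cased buffer. With no path in the IOC, any GET to the host alerts.
# rev is raised to 2 to mark the local change; a feed refresh will overwrite it, so the durable fix
# belongs in the rule generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"141.98.7.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250574; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bbxstresser.llc"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250575; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"brebes-bx.id"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250576; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 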
content:"/providerpipepythongeoupdatebigloaddownloads.php"; depth:48; nocase; http.host; content:"opratio.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250621; rev:1;)
# (The line above is the tail of a rule that starts before this span; it is left exactly as found.)
#
# Layout: one rule per line. This span is mostly URL indicators, several paired with an ip:port rule
# for the same address.
#
# URL rules: GET from client, http.uri matched as a case-insensitive prefix (depth = pattern length,
# nothing asserts the end of the URI), http.host matched exactly (depth plus isdataat:!1,relative).
# Several URI patterns here are very short or generic ("/ca", "/cm", "/load", "/api/x", "/dpixel",
# "/updates.rss", "/en_us/all.js"), so the specificity of these rules comes from the exact host
# match, not from the path. "/en_us/all.js" recurs with three different hosts (sids 91250611,
# 91250602, 91250595).
# NOTE(review): these inspect parsed HTTP, so they need the request in cleartext at the sensor; where
# the same address also has an ip:port rule on 443 (43.134.228.94, 45.133.238.41), that rule is the
# one likely to fire for TLS traffic -- confirm against sensor placement and any TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"122.112.192.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250611; rev:1;)
alert tcp $HOME_NET any -> [122.51.7.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250610; rev:1;)
# The next two rules cover one hostname under a shared API-gateway parent domain, once as an HTTP
# host and once as a DNS query. Both are exact matches on the full 47-byte name, so other names under
# the same parent domain are not affected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ps16whvt-1304800271.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ps16whvt-1304800271.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/socialapiversion=1.1"; depth:21; nocase; http.host; content:"43.134.228.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250605; rev:1;)
alert tcp $HOME_NET any -> [43.134.228.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.133.238.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250603; rev:1;)
alert tcp $HOME_NET any -> [45.133.238.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"5.161.242.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250602; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.205.246.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"59.110.172.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250595; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.43] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250573; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250572; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.102] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250571; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.35] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250570; rev:1;)
# (The line above is the tail of a rule that starts before this span; it is left exactly as found.)
#
# Layout: one rule per line. Every rule in this span is a Cobalt Strike ip:port indicator at
# confidence_level 100 with first_seen 2024_03_28. Each matches on destination address and port
# alone (no flow state, no payload) and is limited to one alert per source address per 60 seconds.
#
# The destinations cluster on ports 808 and 809 and on a handful of address prefixes: 45.156.217.x,
# 43.240.48.x, 43.240.49.x, 154.219.163.x, 154.219.164.x, plus 154.216.54.202 and two addresses
# in 120.89.71.x.
# The threshold is per sid, so a host that touches many of these addresses produces one alert per
# address per minute, not one in total.
# NOTE(review): for local tuning, a single rule over an address group or an IP reputation list would
# collapse this into one signature; that loses the per-IOC reference URL, so weigh it against how
# analysts pivot from alert to ThreatFox entry.
alert tcp $HOME_NET any -> [43.240.48.70] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250569; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250568; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.60] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250567; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250566; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250565; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.24] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250564; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.202] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250563; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.26] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250562; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.90] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250561; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250560; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.61] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250559; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.59] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250558; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250557; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.94] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250556; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.106] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250555; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.16] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250554; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.72] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250553; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.189] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250552; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250551; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.207] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250550; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250549; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.153] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250548; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.19] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250547; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250546; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250545; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.51] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250544; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.246] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250543; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.36] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250542; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.139] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250541; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250540; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.110] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250539; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.136] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250538; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.187] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250537; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.172] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250536; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.242] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250535; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.46] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250534; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.7] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250533; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.120] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250532; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.85] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250531; rev:1;) alert tcp $HOME_NET any -> [82.156.224.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user"; depth:5; nocase; http.host; content:"82.156.224.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250529; rev:1;) alert tcp $HOME_NET any -> [43.240.49.174] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250528; rev:1;) alert tcp $HOME_NET any -> [43.240.49.165] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250527; rev:1;) alert tcp $HOME_NET any -> [43.240.48.82] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250526; rev:1;) alert tcp $HOME_NET any -> [43.240.48.74] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250525; rev:1;) alert tcp $HOME_NET any -> [43.240.48.114] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250524; rev:1;) alert tcp $HOME_NET any -> [43.240.49.175] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250523; rev:1;) alert tcp $HOME_NET any -> [45.156.217.14] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250522; rev:1;) alert tcp $HOME_NET any -> [43.240.48.78] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250521; rev:1;) alert tcp $HOME_NET any -> [45.156.217.17] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250520; rev:1;) alert tcp $HOME_NET any -> [43.240.49.143] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250519; rev:1;) alert tcp $HOME_NET any -> [154.219.164.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250518; rev:1;) alert tcp $HOME_NET any -> [43.240.48.100] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250517; rev:1;) alert tcp $HOME_NET any -> [154.216.54.243] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250516; rev:1;) alert tcp $HOME_NET any -> [45.156.217.13] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250515; rev:1;) alert tcp 
$HOME_NET any -> [43.240.49.181] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250514; rev:1;) alert tcp $HOME_NET any -> [43.240.48.105] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250513; rev:1;) alert tcp $HOME_NET any -> [154.219.164.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250512; rev:1;) alert tcp $HOME_NET any -> [43.240.49.133] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250511; rev:1;) alert tcp $HOME_NET any -> [43.240.48.68] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250510; rev:1;) alert tcp $HOME_NET any -> [43.240.49.162] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250509; rev:1;) alert tcp $HOME_NET any -> [43.240.48.76] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.53.213.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250507; rev:1;) alert tcp $HOME_NET any -> [154.219.163.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250506; rev:1;) alert tcp $HOME_NET any -> [45.156.217.39] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250505; rev:1;) alert tcp $HOME_NET any -> [43.240.49.178] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250504; rev:1;) alert tcp $HOME_NET any -> [43.240.48.79] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250503; rev:1;) alert tcp $HOME_NET any -> [154.219.163.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250502; rev:1;) alert tcp $HOME_NET any -> [43.240.48.95] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250501; rev:1;) alert tcp $HOME_NET any -> [45.156.217.52] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250500; rev:1;) alert tcp $HOME_NET any -> [154.216.54.230] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250499; rev:1;) alert tcp $HOME_NET any -> [154.219.164.208] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250498; rev:1;) alert tcp $HOME_NET any -> [154.219.164.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250497; rev:1;) alert tcp $HOME_NET any -> [43.240.49.130] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250496; rev:1;) alert tcp $HOME_NET any -> [43.240.49.157] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250495; rev:1;) alert tcp $HOME_NET any -> [43.240.48.87] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250494; rev:1;) alert tcp $HOME_NET any -> [43.240.49.155] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250493; rev:1;) alert tcp 
$HOME_NET any -> [45.156.217.40] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250492; rev:1;) alert tcp $HOME_NET any -> [45.156.217.50] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250491; rev:1;) alert tcp $HOME_NET any -> [43.240.48.123] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250490; rev:1;) alert tcp $HOME_NET any -> [43.240.49.156] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250489; rev:1;) alert tcp $HOME_NET any -> [45.156.217.32] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250488; rev:1;) alert tcp $HOME_NET any -> [45.156.217.4] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250487; rev:1;) alert tcp $HOME_NET any -> [43.240.48.92] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250486; rev:1;) alert tcp $HOME_NET any -> [43.240.48.113] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250485; rev:1;) alert tcp $HOME_NET any -> [120.89.71.245] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250484; rev:1;) alert tcp $HOME_NET any -> [43.240.49.167] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250483; rev:1;) alert tcp $HOME_NET any -> [43.240.49.131] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250482; rev:1;) alert tcp $HOME_NET any -> [120.89.71.244] 809 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250481; rev:1;) alert tcp $HOME_NET any -> [43.240.49.166] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250480; rev:1;) alert tcp $HOME_NET any -> [43.240.48.116] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250479; rev:1;) alert tcp $HOME_NET any -> [43.240.48.75] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250478; rev:1;) alert tcp $HOME_NET any -> [154.219.163.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250477; rev:1;) alert tcp $HOME_NET any -> [43.240.49.151] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250476/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250476; rev:1;) alert tcp $HOME_NET any -> [43.240.49.169] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250475; rev:1;) alert tcp $HOME_NET any -> [154.219.163.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250474; rev:1;) alert tcp $HOME_NET any -> [43.240.48.101] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250473; rev:1;) alert tcp $HOME_NET any -> [43.240.49.137] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250472; rev:1;) alert tcp $HOME_NET any -> [45.156.217.38] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250471; rev:1;) alert tcp $HOME_NET any -> [43.240.49.160] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250470; rev:1;) alert tcp $HOME_NET any -> [154.216.54.240] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250469; rev:1;) alert tcp $HOME_NET any -> [43.240.49.190] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250468; rev:1;) alert tcp $HOME_NET any -> [45.156.217.41] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250467; rev:1;) alert tcp $HOME_NET any -> [45.156.217.48] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250466; rev:1;) alert tcp $HOME_NET any -> [154.219.164.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250465; rev:1;) alert tcp $HOME_NET any -> [154.219.164.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250464; rev:1;) alert tcp $HOME_NET any -> [154.219.163.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250463; rev:1;) alert tcp $HOME_NET any -> [43.240.49.138] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250462; rev:1;) alert tcp $HOME_NET any -> [43.240.49.142] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250461; rev:1;) alert tcp $HOME_NET any -> [154.219.164.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250460; rev:1;) alert tcp $HOME_NET any -> [43.240.49.173] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250459; rev:1;)
# (The line above is the tail of a rule that begins earlier in the file.)
#
# ---------------------------------------------------------------------------
# Reviewer notes for this stretch of the feed (every rule here carries
# first_seen 2024_03_28). Rules are laid out one per line, which the rule
# syntax requires unless a backslash continuation is used.
#
# ip:port rules  --  alert tcp $HOME_NET any -> [IP] PORT (...)
#   * No flow, content or app-layer keyword is present, so any TCP packet
#     from $HOME_NET to that address and port matches. A hit shows that an
#     internal host tried to reach the endpoint; it does not by itself show
#     that a C2 session was established.
#   * "threshold: type limit, track by_src, seconds 60, count 1" caps output
#     at one alert per source address per 60 seconds for each sid.
#   * "target:src_ip" marks the $HOME_NET side as the affected host in the
#     alert record.
#   * metadata confidence_level (50 / 75 / 100 below) is the feed's own
#     rating; use it to set triage priority rather than treating all sids
#     as equal.
#   * NOTE(review): address-based IOCs go stale when an address is
#     reassigned - check the referenced ThreatFox entry before acting on an
#     old first_seen date.
# ---------------------------------------------------------------------------
#
# Cobalt Strike, ip:port, confidence_level 100, sid 91250458 down to 91250375.
# Only ports 808 and 809 appear, and the addresses fall in a few ranges
# (43.240.48.x / 43.240.49.x, 45.156.217.x, 154.219.163.x / 154.219.164.x,
# 154.216.54.x, plus 120.89.71.243).
# NOTE(review): that clustering suggests one operator or hosting setup, but
# nothing in the rules states it - verify against the ThreatFox entries.
alert tcp $HOME_NET any -> [43.240.49.134] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250458; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.144] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250457; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.118] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250456; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.122] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250455; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.112] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250454; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.86] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250453; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.8] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250452; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.20] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250451; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.10] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250450; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250449; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250448; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250447; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.23] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250446; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.15] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250445; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.179] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250444; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.170] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250443; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.119] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250442; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.54] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250441; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.159] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250440; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250439; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.158] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250438; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.34] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250437; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.22] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250436; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.109] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250435; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.182] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250434; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.232] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250433; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.58] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250432; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.117] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250431; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.148] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250430; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250429; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.55] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250428; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.57] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250427; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.77] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250426; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.18] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250425; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.125] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250424; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.150] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250423; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.28] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250422; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.186] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250421; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.161] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250420; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.152] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250419; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250418; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.33] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250417; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.80] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250416; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.99] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250415; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.89] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250414; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.53] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250413; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.93] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250412; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.31] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250411; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.11] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250410; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250409; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.73] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250408; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.44] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250407; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.6] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250406; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.56] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250405; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.107] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250404; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.108] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250403; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250402; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.91] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250401; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.180] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250400; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.45] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250399; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.222] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250398; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.62] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250397; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.96] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250396; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.209] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250395; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.30] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250394; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.168] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250393; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.171] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250392; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.88] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250391; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.215] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250390; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250389; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250388; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.233] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250387; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250386; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250385; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.149] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250384; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.115] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250383; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.81] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250382; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.104] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250381; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.164] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250380; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250379; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.214] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250378; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.243] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250377; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250376; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.27] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250375; rev:1;)
#
# Mixed families, ip:port. Several of these sit on port 443 or 80 with no
# payload condition, so every connection from $HOME_NET to the address alerts
# whatever is actually served there.
# NOTE(review): if an address turns out to be shared hosting or a cloud
# front end, expect benign hits - confirm before blocking on the address.
alert tcp $HOME_NET any -> [5.188.88.177] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250374; rev:1;)
alert tcp $HOME_NET any -> [15.204.223.49] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250372; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.8] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250373; rev:1;)
alert tcp $HOME_NET any -> [34.168.202.91] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250371; rev:1;)
#
# url rules  --  alert http $HOME_NET any -> $EXTERNAL_NET any (...)
#   * flow:established,from_client limits the match to client requests on an
#     established connection; http.method must contain "GET".
#   * http.uri: depth equals the pattern length, so the URI has to begin with
#     the pattern (case-insensitively). There is no end anchor on the URI, so
#     a longer URI with the same prefix also matches.
#   * http.host: depth plus isdataat:!1,relative means nothing may follow the
#     pattern, i.e. the Host value must equal it exactly.
#   * These keywords inspect parsed HTTP requests, so the same request inside
#     TLS is not seen unless traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localtestgeo/flower20flower/_packetwindowsvm/httpasyncbetterpacket/1/windows87downloads/temporarytraffic82/uploads/serverasyncvideoserver/geo/7/lowasyncserver/traffic66db/python/to/protonprivate3/gamegenerator/datalifedle/secure/topollhttpgeosqltestuniversaltempdownloads.php"; depth:276; nocase; http.host; content:"80.66.84.71"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250370; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.219] 4040 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250369; rev:1;)
alert tcp $HOME_NET any -> [35.243.180.101] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250368; rev:1;)
alert tcp $HOME_NET any -> [34.77.22.163] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250367; rev:1;)
alert tcp $HOME_NET any -> [8.222.178.224] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250366; rev:1;)
alert tcp $HOME_NET any -> [34.22.151.45] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baseuniversaluploads.php"; depth:25; nocase; http.host; content:"531995cl.nyashtop.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250364; rev:1;)
#
# confidence_level 50 from here to sid 91250351. The "Unknown malware"
# entries name no family, so the alert text alone gives no lead on what to
# look for on the host - pair a hit with endpoint evidence before escalating.
alert tcp $HOME_NET any -> [79.133.51.234] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250363; rev:1;)
alert tcp $HOME_NET any -> [54.248.193.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250362; rev:1;)
alert tcp $HOME_NET any -> [101.32.37.92] 65532 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250361; rev:1;)
alert tcp $HOME_NET any -> [142.171.62.107] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250360; rev:1;)
alert tcp $HOME_NET any -> [34.92.107.200] 8012 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250359; rev:1;)
alert tcp $HOME_NET any -> [41.96.114.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250358; rev:1;)
alert tcp $HOME_NET any -> [76.19.90.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250357; rev:1;)
# domain rule: depth:16 plus isdataat:!1,relative makes this an exact,
# case-insensitive match on the queried name; a query for a subdomain of it
# does not match. No threshold is set, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gammaproject.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250356; rev:1;)
alert tcp $HOME_NET any -> [77.232.143.114] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250355; rev:1;)
alert tcp $HOME_NET any -> [185.94.165.191] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250354; rev:1;)
alert tcp $HOME_NET any -> [81.43.22.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250353; rev:1;)
alert tcp $HOME_NET any -> [43.198.243.210] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250352; rev:1;)
alert tcp $HOME_NET any -> [172.218.112.83] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250351; rev:1;)
#
# "payload delivery" url rules, confidence_level 100, all on /xmlrpc.php.
# Each matches a GET whose URI begins with /xmlrpc.php (case-insensitively)
# and whose Host equals the listed name exactly; other paths on the same
# host do not alert. These url rules carry no threshold, so each matching
# request produces an alert.
# NOTE(review): the feed does not say whether these hosts are attacker-owned
# or compromised third-party sites - check the referenced ThreatFox entry
# before treating the hostname itself as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bulaintel.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bsdeboomgaard.be"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kayoanime.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.althaus-innenausbau.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"growthworks.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"taronews.tw"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1250336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"outdoorgearshub.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mcintoshdaily.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"buckcenter.edu.ec"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ffteducationdatalab.org.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250340; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cuinescalaf.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cityhomesedmonton.ca"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aurory.io"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wildundhund.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"convertkit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250345; rev:1;)
# Payload-delivery URL rules (this comment also applies to the rule ending on the
# line above). Only GET requests are matched. The http.uri match is a prefix
# match: depth:11 anchors "/xmlrpc.php" at the start of the URI and nothing
# anchors the end, so a request with a query string still matches. The http.host
# match is exact: depth equals the host length and isdataat:!1,relative rejects
# trailing bytes.
# NOTE(review): the same path is listed against many unrelated host names,
# presumably third-party sites abused for delivery. Confirm each hit against its
# ThreatFox reference before blocking the host itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"celeritastransporte.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"overbeekphotos.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cumm.co.uk"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250329; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250307; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250308; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250309; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250310; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250311; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250312; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1250313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250313; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250314; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250315; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2174 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250316; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250317; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250306; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 
1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250305; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250304; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250303; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2188 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250302; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250301; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250300/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250300; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250299; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250298; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250297; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250296; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250295; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250292; rev:1;) alert tcp $HOME_NET any -> [43.139.101.86] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250291; rev:1;) alert tcp $HOME_NET any -> [49.235.174.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250290; rev:1;) alert tcp $HOME_NET any -> [101.43.164.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250289; rev:1;) alert tcp $HOME_NET any -> [124.220.80.206] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250288; rev:1;) alert tcp $HOME_NET any -> [150.158.19.54] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; 
sid:91250287; rev:1;) alert tcp $HOME_NET any -> [159.75.80.31] 6699 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250286; rev:1;) alert tcp $HOME_NET any -> [38.180.92.22] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250285; rev:1;) alert tcp $HOME_NET any -> [89.163.221.180] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250284; rev:1;) alert tcp $HOME_NET any -> [89.163.221.180] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250283; rev:1;) alert tcp $HOME_NET any -> [104.243.37.110] 6667 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250282; rev:1;) alert tcp $HOME_NET any -> [109.199.120.42] 2023 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250281; rev:1;) alert tcp $HOME_NET any -> [128.90.122.170] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250280; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250279; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250278; rev:1;) alert tcp $HOME_NET any -> [172.94.9.23] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250274; rev:1;) alert tcp $HOME_NET any -> [172.94.125.164] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250262; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 54056 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"results-outdoors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mangacrab.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"catherinefoundation.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kinosait24.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"theyogainstitute.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bodylift.si"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"digitalmarketingcompany.me"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prozhedownload.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"telegramguru.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"matchtime.co"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250320; rev:1;)
# NOTE(review): the next two rules look for an IP address literal at the start of
# http.uri (depth:14) and carry no http.host match. The other url rules here put
# the path in http.uri and the host in http.host. A request URI normally begins
# with "/", so these two may not match as written. Check the ThreatFox entries
# and test against a capture before relying on them for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.215.113.32"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1250318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.132.56"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1250319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250319; rev:1;)
alert tcp $HOME_NET any -> [194.156.90.112] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250261; rev:1;)
alert tcp $HOME_NET any -> [206.123.132.165] 2000 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250260; rev:1;)
alert tcp $HOME_NET any -> [38.180.121.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250259; rev:1;)
# This rule is tied to one object on a host that serves content for many
# unrelated users. depth:63 equals the length of the attachment path, so the
# URI must start with that exact path (a trailing query string still matches),
# and the host match is exact. A hit identifies a fetch of this object and says
# nothing about other traffic to the host.
# NOTE(review): an "alert http" rule only fires on requests the sensor can parse
# as HTTP. If this host is reached over TLS, the rule needs decrypted traffic to
# fire. Confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1222548548235558974/1222550773380943902/mauqes.rar"; depth:63; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250233; rev:1;)
alert tcp $HOME_NET any -> [45.145.42.90] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250349; rev:1;)
# URL rule with an IP literal as the host: http.host must be exactly the address
# shown (depth:14 plus isdataat:!1,relative). The URI match is a prefix match on
# the path (depth:22, no end anchor).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250348; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250347; rev:1;) alert tcp $HOME_NET any -> [154.216.54.250] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250277; rev:1;) alert tcp $HOME_NET any -> [154.216.54.239] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250276; rev:1;) alert tcp $HOME_NET any -> [154.216.54.247] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"154.12.29.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250273; rev:1;) alert tcp $HOME_NET any 
-> [154.216.54.211] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250272; rev:1;) alert tcp $HOME_NET any -> [154.216.54.216] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250271; rev:1;) alert tcp $HOME_NET any -> [154.216.54.237] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250270; rev:1;) alert tcp $HOME_NET any -> [154.216.54.228] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250269; rev:1;) alert tcp $HOME_NET any -> [154.216.54.254] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250267; rev:1;) alert tcp $HOME_NET any -> [154.216.54.198] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250266; rev:1;) alert tcp $HOME_NET any -> [154.216.54.194] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250265; rev:1;) alert tcp $HOME_NET any -> [154.216.54.238] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250264; rev:1;) alert tcp $HOME_NET any -> [154.216.54.231] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250263; rev:1;) alert tcp $HOME_NET any -> [5.75.211.135] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250255; 
rev:1;) alert tcp $HOME_NET any -> [88.99.122.130] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250256; rev:1;) alert tcp $HOME_NET any -> [95.217.31.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250257; rev:1;) alert tcp $HOME_NET any -> [80.66.84.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alexanderalbie.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250252; rev:1;) alert tcp $HOME_NET any -> [88.99.122.130] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250253; rev:1;) alert tcp $HOME_NET any -> [78.46.229.36] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"suggst.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hepialid.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pvasms.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alexanderarthur.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250248; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.66.84.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.122.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"78.46.229.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250243; rev:1;)
# The line above is the tail of a rule that opens on the preceding line of this listing.
#
# URL rule, host-wide in effect: http.uri is matched as a prefix only (content:"/" with depth:1
# and no end anchor), so every GET sent to this Host value fires. The http.host content is pinned
# at both ends (depth equal to the pattern length, plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250242; rev:1;)
# The Host here is a shared public service, not infrastructure dedicated to one operator; only the
# URI prefix separates this indicator from other traffic to the same host, and the prefix has no
# end anchor, so longer paths that begin with it also match.
# NOTE(review): this service is normally reached over TLS, where an `alert http` rule sees nothing
# unless the sensor inspects decrypted traffic - confirm sensor placement before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa9ok"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250241; rev:1;)
# Same pattern as the previous rule: one profile path on a shared public platform. The TLS
# visibility caveat applies here as well (NOTE(review): confirm decrypted traffic reaches the sensor).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199658817715"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250240; rev:1;)
# Domain rule: the query name is pinned at both ends (depth:19 equals the pattern length and
# isdataat:!1,relative forbids trailing bytes), so only this exact name matches, not subdomains of it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexanderarthur.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250235; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvasms.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hepialid.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suggst.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexanderalbie.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0934723.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250232; rev:1;) alert tcp $HOME_NET any -> [88.119.175.92] 80 (msg:"ThreatFox FAKEUPDATES 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250231; rev:1;) alert tcp $HOME_NET any -> [88.119.175.92] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250230; rev:1;) alert tcp $HOME_NET any -> [20.2.234.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250229; rev:1;) alert tcp $HOME_NET any -> [20.199.87.153] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250228; rev:1;) alert tcp $HOME_NET any -> [154.247.228.146] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250227; rev:1;) alert tcp $HOME_NET any -> [78.168.3.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91250226; rev:1;)
# The line above is the tail of a rule that opens on the preceding line of this listing.
#
# ip:port rules: the match is on the rule header alone (no flow or content keyword), so any TCP
# packet from $HOME_NET to the listed address and port fires, including a connection attempt that
# is never answered. threshold type limit / track by_src / count 1 / seconds 60 caps output at one
# alert per source address per 60 seconds, so alert volume says nothing about session count.
# confidence_level 50 and first_seen are carried in metadata; an address can change hands after
# first_seen, so these entries are the ones to age out or down-rank first.
#
# Port 445 is SMB. The msg template says "botnet C2 traffic" for every ip:port entry in this
# listing regardless of family. NOTE(review): Responder is generally known as a credential-capture
# tool rather than a botnet, so read a hit as outbound SMB to an untrusted host and confirm
# against the referenced ThreatFox entry.
alert tcp $HOME_NET any -> [194.67.103.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250225; rev:1;)
# Port 443 on a bare address: the rule does not look at TLS SNI or certificate fields, so it cannot
# tell the flagged service apart from anything else answering on the same address and port.
alert tcp $HOME_NET any -> [54.84.224.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250224; rev:1;)
alert tcp $HOME_NET any -> [77.232.143.114] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250223; rev:1;)
alert tcp $HOME_NET any -> [92.116.37.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250222; rev:1;)
alert tcp $HOME_NET any -> [64.23.140.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250221; rev:1;)
alert tcp $HOME_NET any -> [192.64.86.243] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250220; rev:1;) alert tcp $HOME_NET any -> [87.120.204.101] 16053 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250219; rev:1;) alert tcp $HOME_NET any -> [185.130.45.147] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250218; rev:1;) alert tcp $HOME_NET any -> [185.130.45.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prior-gently.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250216; rev:1;) alert tcp $HOME_NET any -> [91.92.252.225] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250213; rev:1;) alert tcp $HOME_NET any -> [91.92.252.224] 61616 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250214; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 5585 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-aws-amazon.nbcnews.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm.css"; depth:7; nocase; http.host; content:"cdn-aws-amazon.nbcnews.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.221.17.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.207.178.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; 
content:"www.assamjatiyabidyalay.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"designtoolsnetwork.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vsenews.kr.ua"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"compose.ly"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gridlocktable.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250190/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_27; classtype:trojan-activity; sid:91250190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wlmedia.co.uk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"animalvictory.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"brokensilenze.one"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hidethatfat.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"timesit.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amittiwari.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"abumarketrc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.dizikonusu.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"astrolady.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250199; rev:1;)
# The line above is the tail of a rule that opens on the preceding line of this listing.
#
# "payload delivery" URL rules: content:"/xmlrpc.php" is anchored at the start of http.uri by
# depth:11 but has no end anchor, so a request with a query string or extra path after it also
# matches. Only GET is covered (http.method content:"GET"); other methods to the same path are not.
# The http.host value is pinned at both ends, so a www. variant of these names does not match.
# NOTE(review): the same path under many unrelated host names suggests third-party sites that
# served a payload rather than dedicated infrastructure - presumably compromised sites; a hit shows
# a client requested that path and still needs endpoint triage, and the entry may be stale once the
# site is cleaned. Confirm against the referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"phongthuyphunggia.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ryver.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smokeshopdelivers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hmidarjeeling.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250203/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_27; classtype:trojan-activity; sid:91250203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"titikdua.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.feekstokandy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.nemchaprues.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.fustindor.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trondisaup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91250163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trentimarsop.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.carsruitkan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.boskajean.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.triopahom.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.illboardinj.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"www.transautomanf.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.minesotkarpid.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250170/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.dionaolesjob.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.skansnekssky.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.kevinbrawiewu.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.troffyfrutlot.com"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.skazifrant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.neelsmagofter.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250176/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.qtargumanikar.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250177/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.strastkamenhoop.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250178/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.lergochatep.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250179/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.clainsrimauto.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250180/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.kaspimension.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250181/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.askamoshopsi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250182/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.majzolimka.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250183/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.spakernakurs.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250184; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adobeshare.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250185/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adobeshare.blog"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250186; rev:1;) alert tcp $HOME_NET any -> [216.250.253.35] 2356 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250159; rev:1;) alert tcp $HOME_NET any -> [5.42.65.0] 29587 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soneypaly.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250157; rev:1;) alert tcp $HOME_NET any -> [51.77.167.59] 5951 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250128; rev:1;)
# --- Cobalt Strike ip:port IOCs interleaved with url/domain IOCs (sids in 91249891-91249912) ---
# ip:port rules: destination address and port only, no flow or content keyword;
# threshold emits at most one alert per source address every 60 seconds.
# url rules: GET only; http.uri is anchored at the start only (prefix match) while
# http.host must equal the listed value exactly (depth + isdataat:!1,relative).
# domain rules: exact, case-insensitive match of the whole DNS query name.
# The msg of the url and domain rules names no malware family.
# NOTE(review): some of them share a host with an ip:port rule labelled Cobalt
# Strike (114.115.157.144, 38.47.101.176) - use the reference URL for attribution.
# Where one endpoint has both an ip:port sid and a url sid on the same port
# (114.115.157.144 port 80), a single cleartext request is expected to raise both.
alert tcp $HOME_NET any -> [185.130.46.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.207.178.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249911; rev:1;)
alert tcp $HOME_NET any -> [114.115.157.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"114.115.157.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.buidu.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.buidu.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"38.47.101.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249904; rev:1;)
alert tcp $HOME_NET any -> [38.47.101.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.207.178.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249903; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"tools.trtyr.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tools.trtyr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.130.43.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"43.142.183.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249897; rev:1;)
alert tcp $HOME_NET any -> [45.207.58.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nimappche.buzz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nimappche.buzz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249894; rev:1;)
# sids 91249892 and 91249893 name a host under azureedge.net, a shared CDN parent
# domain. Both rules match the full host name only; scope any response action to
# that full name rather than to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/collector/2.0/settings/"; depth:24; nocase; http.host; content:"endpointinfrart.azureedge.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endpointinfrart.azureedge.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.205.246.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249891; rev:1;)
# --- Payload-delivery IOCs (sids 91249886-91249889) ---
# sid 91249889: cdn.discordapp.com is a shared content host, so the detection rests
# entirely on the 79-byte attachment path in http.uri.
# sids 91249886 and 91249887: http.uri content "/" with depth:1 matches every URI,
# so these two rules alert on any cleartext GET to the listed host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariyel-therapy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/693775226584039476/1222130104944033792/mariyeltherapy_launcher.exe"; depth:79; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"camps.topgunnbaseball.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"146.19.254.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249887; rev:1;)
# --- MooBot ip:port IOCs (sids 91249881-91249885) ---
# Destination address and port only, one alert per source per 60 seconds.
# NOTE(review): four of the five are on port 80, so a hit says nothing about what
# was requested - pair it with flow or HTTP logs before drawing conclusions.
alert tcp $HOME_NET any -> [103.153.69.114] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249881; rev:1;)
alert tcp $HOME_NET any -> [103.188.244.189] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249882; rev:1;)
alert tcp $HOME_NET any -> [103.67.196.77] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249883; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.82] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249884; rev:1;)
alert tcp $HOME_NET any -> [74.50.85.233] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249885; rev:1;)
# --- Payload-delivery URL IOCs sharing the path /doc.php (sids 91249832, 91249833) ---
# URI prefix match (any URI beginning with /doc.php), exact host match, GET only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.apol.eu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"williesimpson.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249833; rev:1;)
alert tcp $HOME_NET any -> [139.59.88.74] 667 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249880/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249880; rev:1;)
# --- Cobalt Strike ip:port IOCs, 154.216.54.x on port 809 (sids 91249864-91249879) ---
# One rule per address, every address inside 154.216.54.0/24 and every rule on
# destination port 809. No flow or content keyword is present, so the match is on
# address and port only; an alert presumably records a connection attempt rather
# than a confirmed C2 exchange. threshold emits at most one alert per source
# address every 60 seconds, per sid.
# NOTE(review): all entries carry first_seen 2024_03_27. Address IOCs age as hosts
# are reassigned - check the referenced ThreatFox entry before treating a hit on an
# old address as high fidelity.
alert tcp $HOME_NET any -> [154.216.54.241] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249879; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.209] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249878; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.224] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249877; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.205] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249876; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.249] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249875; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.225] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249874; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.210] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249873; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.236] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249872; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.212] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249871; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.219] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249870; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.229] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249869; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.227] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249868; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.195] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249867; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.213] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249866; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.218] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249865; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.203] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249864; rev:1;)
# --- Cobalt Strike ip:port IOCs, 154.216.54.x on port 809 (sids 91249851-91249863) ---
# One rule per address, all on destination port 809. With no flow or content
# keyword the match is on address and port only; threshold emits at most one alert
# per source address every 60 seconds, per sid.
alert tcp $HOME_NET any -> [154.216.54.234] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249863; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.201] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249862; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.251] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249861; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.253] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249860; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.235] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249859; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.226] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249858; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.217] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249857; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.223] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249856; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.220] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249855; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.242] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249854; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.248] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249853; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.206] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249852; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.208] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249851; rev:1;)
# --- Domain, ip:port and url IOCs (sids 91249848-91249850) ---
# sids 91249849 and 91249848 name a host under apigw.tencentcs.com, apparently a
# shared cloud API-gateway domain. Both match the full host name only (depth +
# isdataat:!1,relative); scope any response action to that full name rather than
# to the parent domain. The url rule's http.uri is a prefix match and sees only
# requests Suricata parses as HTTP. sid 91249850 is an address-and-port match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2saemj0p-1319375115.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249849; rev:1;)
alert tcp $HOME_NET any -> [107.173.144.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-2saemj0p-1319375115.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249848; rev:1;)
# --- Cobalt Strike ip:port IOCs, 154.216.54.x on port 809, continued (sids 91249843-91249847) ---
alert tcp $HOME_NET any -> [154.216.54.200] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249847; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.252] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249846; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.244] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249845; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.204] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249844; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.196] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249843; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.207] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249842/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249842; rev:1;) alert tcp $HOME_NET any -> [154.216.54.197] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249841; rev:1;) alert tcp $HOME_NET any -> [154.216.54.245] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249840; rev:1;) alert tcp $HOME_NET any -> [154.216.54.221] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249839; rev:1;) alert tcp $HOME_NET any -> [154.216.54.246] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249837; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-20ww8i3o-1300612713.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-20ww8i3o-1300612713.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"139.9.41.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dakee.ir"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.carercn.com"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"darmanet.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"empiretaxusa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"daarine.ir"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"boulangeriebezencon.ch"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249823; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rickwire.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"selekta.fi"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lollipophouse.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.elgreco-sindlingen.de"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249827; rev:1;) alert tcp $HOME_NET any -> [74.50.85.233] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1249816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"voidc2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249817; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249814; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"www.flash-update.info"; depth:21; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1249811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.flash-update.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249812; rev:1;) alert tcp $HOME_NET any -> [43.156.21.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.156.21.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"74.50.85.233"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1249805/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.82"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"versenet.lol"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1249807/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apijsonparserkit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249665; rev:1;) alert tcp $HOME_NET any -> [1.94.11.195] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249783; rev:1;) alert tcp $HOME_NET any -> [120.46.128.5] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249782/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249782; rev:1;) alert tcp $HOME_NET any -> [120.26.169.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249780; rev:1;) alert tcp $HOME_NET any -> [123.60.181.152] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249781; rev:1;) alert tcp $HOME_NET any -> [118.190.147.246] 13443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249778; rev:1;) alert tcp $HOME_NET any -> [120.26.105.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249779; rev:1;) alert tcp $HOME_NET any -> [118.178.125.8] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249777; rev:1;) alert tcp $HOME_NET any -> [47.109.60.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249774; rev:1;) alert tcp $HOME_NET any -> [47.113.188.133] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249775; rev:1;) alert tcp $HOME_NET any -> [60.205.246.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249776; rev:1;) alert tcp $HOME_NET any -> [139.199.77.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249767; rev:1;) alert tcp $HOME_NET any -> [8.138.26.50] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249772; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249771; 
rev:1;) alert tcp $HOME_NET any -> [47.106.122.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249773; rev:1;) alert tcp $HOME_NET any -> [129.211.26.3] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249766; rev:1;) alert tcp $HOME_NET any -> [122.51.27.35] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249764; rev:1;) alert tcp $HOME_NET any -> [124.221.102.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249765; rev:1;) alert tcp $HOME_NET any -> [82.157.71.34] 7898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249763; rev:1;) alert tcp $HOME_NET any -> [43.136.99.149] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249761; rev:1;) alert tcp $HOME_NET any -> [43.138.72.70] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupitfirst.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"withupdate.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249760; rev:1;) alert tcp $HOME_NET any -> [179.60.147.91] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arku.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249736/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249736; rev:1;) alert tcp $HOME_NET any 
-> [3.33.130.190] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249735; rev:1;) alert tcp $HOME_NET any -> [179.60.147.94] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"usersync.tiqcdn.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249734; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 19387 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249804/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249804; rev:1;) alert tcp $HOME_NET any -> [117.41.187.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249506; rev:1;) alert tcp $HOME_NET any -> [176.123.169.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249803; rev:1;) alert tcp $HOME_NET any -> [45.151.44.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249802; rev:1;) alert tcp $HOME_NET any -> [77.221.154.236] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249801; rev:1;) alert tcp $HOME_NET any -> [117.72.9.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249800; rev:1;) alert tcp $HOME_NET any -> [103.165.81.103] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249799; rev:1;) alert tcp $HOME_NET any -> [46.246.84.23] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249798; rev:1;) alert tcp $HOME_NET any -> [70.31.125.114] 2222 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249797; rev:1;) alert tcp $HOME_NET any -> [68.32.77.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249796; rev:1;) alert tcp $HOME_NET any -> [41.96.10.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249795; rev:1;) alert tcp $HOME_NET any -> [52.173.131.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249794; rev:1;) alert tcp $HOME_NET any -> [54.84.224.146] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249793; rev:1;) alert tcp $HOME_NET any -> [92.116.36.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249792; 
rev:1;) alert tcp $HOME_NET any -> [134.209.171.201] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249791; rev:1;) alert tcp $HOME_NET any -> [92.118.112.155] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249790; rev:1;) alert tcp $HOME_NET any -> [54.145.56.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7b6ac9c.php"; depth:13; nocase; http.host; content:"fire-studio.000webhostapp.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249788; rev:1;) alert tcp $HOME_NET any -> [194.147.140.158] 2323 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oudowibspr"; depth:11; nocase; http.host; content:"withupdate.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wgfqneerod"; depth:11; nocase; http.host; content:"backupitfirst.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c16/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249770; rev:1;) alert tcp $HOME_NET any -> [45.11.182.29] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249769/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249769; rev:1;)
# url rules: the request must be a GET, http.uri must begin with the listed path (depth equals the
# path length, nocase), and http.host must equal the listed host exactly (depth plus
# isdataat:!1,relative leaves no room for extra bytes).
# NOTE(review): sid 91249768 has the same match conditions as sid 91249770 earlier in this file
# (GET, URI prefix "/c16/fre.php", host "sempersim.su"); only the IOC reference and
# confidence_level differ. One matching request presumably raises both alerts, so deduplicate on
# host/URI rather than on sid when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c16/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249768; rev:1;)
# The host below is a shared content host; the rule is narrowed to one attachment path, so other
# traffic to that host is not flagged by it.
# NOTE(review): `alert http` only inspects traffic the sensor parses as HTTP. If this download is
# fetched over TLS (presumably the normal case for this host), the rule cannot match unless the
# sensor sees decrypted traffic. Confirm coverage before counting on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063894486901587979/1221860531594596433/2_npp.8.6.4.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249758; rev:1;)
# The URI match is a prefix match only: any request path on this host that starts with the listed
# string satisfies the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/operational-resources"; depth:22; nocase; http.host; content:"apllicam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/corporate-financial"; depth:20; nocase; http.host; content:"apllicam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26;
classtype:trojan-activity; sid:91249756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; 
classtype:trojan-activity; sid:91249752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assumendaipsam/point.exe"; depth:25; nocase; http.host; content:"ingatecsus.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249749; rev:1;) alert tcp $HOME_NET any -> [172.232.208.90] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249744; rev:1;) alert tcp $HOME_NET any -> [213.199.41.33] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249745; rev:1;) alert tcp $HOME_NET any -> [194.233.91.144] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249746; rev:1;) alert tcp $HOME_NET any -> [158.220.95.215] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249747; rev:1;) alert tcp $HOME_NET any -> [84.247.157.112] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249748; rev:1;) alert tcp $HOME_NET any -> [158.220.95.214] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249742; rev:1;) alert tcp $HOME_NET any -> [64.23.199.206] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249743; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g.fyss888.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249740; rev:1;) alert tcp $HOME_NET any -> [154.219.163.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"g.fyss888.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249739; rev:1;) alert tcp $HOME_NET any -> [77.238.249.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249516; rev:1;) alert tcp $HOME_NET any -> [20.205.173.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249515; rev:1;) alert tcp $HOME_NET any -> [122.10.10.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249514; rev:1;) alert tcp $HOME_NET any -> [122.10.5.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249513; rev:1;) alert tcp $HOME_NET any -> [47.236.244.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249512; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8011 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249511; rev:1;) alert tcp $HOME_NET any -> [91.102.163.73] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249510; rev:1;) alert tcp $HOME_NET any -> [154.246.204.189] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; 
sid:91249509; rev:1;) alert tcp $HOME_NET any -> [39.40.187.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249508; rev:1;) alert tcp $HOME_NET any -> [123.247.80.47] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249507; rev:1;) alert tcp $HOME_NET any -> [91.92.254.140] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rosenfeldmedia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"1poclimaty.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249503; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mindfulsearching.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"psdkits.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"porusski.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ketabpedia.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cultureroadtravel.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nzdcr.co.nz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythictherapy.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249496; rev:1;) alert tcp $HOME_NET any -> [46.226.164.82] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249495; rev:1;) alert tcp $HOME_NET any -> [74.50.65.52] 7855 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249494; rev:1;) alert tcp $HOME_NET any -> [91.92.252.207] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1249492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249492; rev:1;) alert tcp $HOME_NET any -> [91.92.252.218] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srryontop.fr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryontop.fr"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.204.201.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249489; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249488/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_26; classtype:trojan-activity; sid:91249488; rev:1;)
# NOTE(review): the http.host value in sid 91249487 (172.20.16.192) lies inside 172.16.0.0/12,
# i.e. RFC 1918 private address space. The rule header is $HOME_NET -> $EXTERNAL_NET, so where
# HOME_NET includes the private ranges, traffic sent directly to that address does not satisfy
# the header. The rule could then match only if the Host header carries this value on a flow to
# an external address (for example through a forward proxy). Presumably a lab/sandbox artefact in
# the feed; check the referenced IOC entry before treating this sid as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.20.16.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249487; rev:1;)
# url rules: GET request, http.uri begins with the listed path (depth equals the path length,
# nocase), http.host equals the listed value exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"121.36.255.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.99.162.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249484; rev:1;)
# ip:port rule: no payload or flow keywords, so any TCP traffic from $HOME_NET to this address and
# port matches; the threshold limits it to one alert per source address per 60 seconds.
# NOTE(review): the address is the same one sid 91249484 matches in http.host, and the port is 80,
# so a plain-HTTP request that triggers sid 91249484 presumably triggers this sid as well.
alert tcp $HOME_NET any -> [47.99.162.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lionos.xyz"; depth:10; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axz.lionos.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pda.lionos.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ml.lionos.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goweqmcsa.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwea.goweqmcsa.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249476/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_26; classtype:trojan-activity; sid:91249476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xza.goweqmcsa.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.virtue.ltd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkbn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.work.gd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.layer4.bf"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiyl7.hilariocolche.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249482; rev:1;)
# domain rules: depth equals the length of the name and isdataat:!1,relative forbids trailing
# bytes, so the queried name must equal the content exactly (case-insensitively). Subdomains of
# a listed name are not covered unless the feed lists them as separate rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metis-info.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249483; rev:1;)
# NOTE(review): sids 91249467, 91249468 and 91249469 put an IP address or domain name into
# http.uri (depth equal to its length) and carry no http.host match at all. The other url rules
# in this file match a path in http.uri and the host in http.host. A request URI normally begins
# with "/", so these three presumably do not fire on ordinary requests. Confirm against the
# referenced IOC entries. If host-level detection for these values is wanted, cover it with a
# separately maintained local rule on http.host rather than relying on these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"40.83.122.109"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"42.112.76.107"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"metis-black.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1249469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249470; rev:1;) alert tcp $HOME_NET any -> [91.92.253.201] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249464; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249465; rev:1;) alert tcp $HOME_NET any -> [91.92.251.65] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"36.25.254.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sessionannoucemenwj.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cleartotalfisherwo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"worryfillvolcawoi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249450; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"enthusiasimtitleow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dismissalcylinderhostw.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"affordcharmcropwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diskretainvigorousiw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationgenerwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249455; rev:1;)
# URL indicator on a .shop hostname: HTTP GET, URI starting with "/api",
# Host equal to the listed name.
# The URI check is only a 4-byte prefix with no end anchor, so "/api"
# followed by anything also matches. The exact Host match (depth plus
# isdataat:!1,relative) is what keeps the rule specific.
# Requests to the same host and path using another method are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pillowbrocccolipe.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249456; rev:1;)
# Cobalt Strike C2 endpoint (ip:port). Destination-only match on TCP/443 with
# no flow or payload condition; limited to one alert per source per 60 s.
# A hit shows that an internal host sent packets to this address on 443,
# not that a beacon session was decoded.
# NOTE(review): weigh first_seen (2024_03_26) against the capture date; the
# address may have changed hands since.
alert tcp $HOME_NET any -> [43.156.21.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249447; rev:1;)
# URL indicator for the same address as sid 91249447, matched as a literal
# Host value with URI prefix "/dpixel".
# This rule depends on the HTTP parser seeing the request.
# NOTE(review): if the listener on 443 speaks TLS, expect only the ip:port
# rule above to fire unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.156.21.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249446; rev:1;)
# Second Cobalt Strike ip:port endpoint; same destination-only shape and the
# same triage caveats as sid 91249447.
alert tcp $HOME_NET any -> [43.136.59.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.221.17.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249444; rev:1;)
# Two URL indicators for one literal Host value (176.32.35.104), differing
# only in the URI prefix: "/dpixel" and "/cm".
# Both URI checks are anchored at offset 0 but have no end anchor, so "/cm"
# matches any URI that begins with those three bytes. The exact Host match
# (depth plus isdataat:!1,relative) is the specific part of each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249442; rev:1;)
# Confidence 75 rather than 100 (msg and metadata agree). The rule shape is
# identical to the 100% entries, so the difference is only visible through
# the msg text and metadata confidence_level.
# Only GET is matched; requests to the same panel path using another method
# do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vogxhf/panel/five/fre.php"; depth:26; nocase; http.host; content:"www.dobiamfollollc.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"www.8design.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prokeypc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"madalynsklar.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hortonhighschool.ca"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"richardvanhooijdonk.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249414/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_26; classtype:trojan-activity; sid:91249414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.adventurewallcoverings.co.za"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gundrymd.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"g8education.edu.au"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"makestories.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"abtenau-info.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"laptop.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"voluntariosenelmundo.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"greveclimaticaestudantil.pt"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; 
http.host; content:"beginagaininstitute.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"leadershipmanagement.com.au"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"3axis.co"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"academieairespace.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bollywoodtadka.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249400/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ccspaintingllc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.carlhansensolv.dk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rondesantis.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sitesrip.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ambitiouswithcards.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zarmes.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"blackdiamondbjj.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cnsmaryland.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; 
http.host; content:"bearnutscomic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"psychosfera.kz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.assenmacher-koeln.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shiroutowiki.work"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gadgetstouse.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sim-unlock.blog"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dailyshepursues.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rg-adguard.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"peacerivervet.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kitchenofdebjani.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249434; rev:1;)
# "payload delivery" URL indicators: HTTP GET, URI starting with
# "/xmlrpc.php" (anchored at offset 0, nocase, no end anchor), Host equal to
# the listed name.
# Host values in xn-- form are matched as the ASCII (punycode) string that
# appears in the rule, not as a Unicode name.
# NOTE(review): the hostnames in this run read like ordinary public sites,
# presumably compromised ones; confirm against the referenced ThreatFox
# entry. A hit calls for checking what the response delivered before the
# client is treated as infected. Entries like these go stale once a site is
# cleaned up (first_seen 2024_03_26).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xn--80ajgpcpbhkds4a4g.xn--p1ai"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"toptorials.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xn--ngbeab6ar43f.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"discovermass.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"grundens.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bienenzucht-villachland.at"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"openloadmovies.live"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"businessforfilipinos.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249395/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/xmlrpc.php"; depth:16; nocase; http.host; content:"www.doctorsacademy.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tiodonghua.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tobano.pl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eastnaija.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"travelperi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gribnik.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hentai-witch.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"paydo.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; 
http.host; content:"irpp.org"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249388; rev:1;)
# Review note: the "ip:port" rules below carry no flow, payload or application-protocol keywords; they match on TCP traffic from $HOME_NET to the listed address and port and nothing else.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one alert per source host per 60 seconds, so an alert shows that contact happened, not how much traffic there was.
# The msg names a malware family, but the rule does not inspect the traffic itself; corroborate a hit with host or proxy telemetry before treating it as confirmed C2.
# The feed header is dated 2024-07-26 while these entries carry first_seen 2024_03_26; IP addresses get reassigned, so indicator age matters more here than for the domain and url rules.
alert tcp $HOME_NET any -> [8.220.195.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249072; rev:1;)
alert tcp $HOME_NET any -> [46.30.191.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249068; rev:1;)
alert tcp $HOME_NET any -> [197.82.164.175] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249065; rev:1;)
alert tcp $HOME_NET any -> [54.39.29.90] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249067; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249074; rev:1;)
alert 
tcp $HOME_NET any -> [82.153.138.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249075; rev:1;) alert tcp $HOME_NET any -> [54.39.29.90] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249066; rev:1;) alert tcp $HOME_NET any -> [82.153.138.222] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249076; rev:1;) alert tcp $HOME_NET any -> [91.215.85.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249077; rev:1;) alert tcp $HOME_NET any -> [104.225.238.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249078; rev:1;) alert tcp $HOME_NET any -> [141.255.167.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249079/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249079; rev:1;) alert tcp $HOME_NET any -> [168.100.8.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249080; rev:1;) alert tcp $HOME_NET any -> [185.219.84.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249081; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2036 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249105; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249104; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249103; rev:1;) alert tcp $HOME_NET any -> [105.98.12.207] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249101; rev:1;) alert tcp $HOME_NET any -> [187.135.130.176] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249100; rev:1;) alert tcp $HOME_NET any -> [191.233.252.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249083; rev:1;) alert tcp $HOME_NET any -> [188.166.177.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249082; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249106; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; 
classtype:trojan-activity; sid:91249107; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249108; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249109; rev:1;) alert tcp $HOME_NET any -> [105.98.67.41] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249110; rev:1;) alert tcp $HOME_NET any -> [193.233.132.231] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249122; rev:1;) alert tcp $HOME_NET any -> [45.63.31.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonlinearcomms.info"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249131; rev:1;) alert tcp $HOME_NET any -> [15.235.131.20] 39206 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249387; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 19282 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goingupdate.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249386; rev:1;) alert tcp $HOME_NET any -> [80.209.238.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249385; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; 
sid:91249384; rev:1;)
# Review note: every rule on this stretch is confidence_level 50, and several name the family only as "Unknown malware". The metadata field is the only place that distinction is machine-readable (classtype is trojan-activity throughout), so alert routing that should treat 50% entries differently from 100% ones has to key on metadata confidence_level.
# Ports 443 and 995 are also used by ordinary TLS web and mail services; an address-only match on them gives no evidence about what was exchanged.
alert tcp $HOME_NET any -> [124.70.143.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249383; rev:1;)
alert tcp $HOME_NET any -> [172.245.81.143] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249382; rev:1;)
alert tcp $HOME_NET any -> [47.116.192.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249381; rev:1;)
alert tcp $HOME_NET any -> [189.177.5.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249380; rev:1;)
alert tcp $HOME_NET any -> [41.99.6.82] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249379; rev:1;)
# Review note: the next rule watches TCP 445 to an external address, which is presumably SMB leaving the network. Independent of this one indicator, egress filtering of 445 at the perimeter is the durable control, because an SMB authentication attempt to an outside host can expose NTLM credential material.
alert tcp $HOME_NET any -> [46.101.94.83] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249378; rev:1;) alert tcp $HOME_NET any -> [20.79.165.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249377; rev:1;) alert tcp $HOME_NET any -> [46.101.81.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249376; rev:1;) alert tcp $HOME_NET any -> [103.40.161.185] 54321 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249375; rev:1;) alert tcp $HOME_NET any -> [47.93.103.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249374; rev:1;) alert tcp $HOME_NET any -> [47.93.103.60] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"froggysnow.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249116; rev:1;)
# Review note: the "domain" rules match the queried name exactly. depth equals the length of the name (start anchor) and isdataat:!1,relative forbids trailing bytes (end anchor); nocase covers mixed-case queries.
# A lookup for a subdomain of a listed name (a "www." prefix, for example) therefore does not match; subdomain coverage has to be added separately if it is wanted.
# The rules inspect only the DNS query sent from $HOME_NET, so a hit shows that a host asked for the name, not that it connected to the answer; pair it with flow or proxy logs. Queries sent over an encrypted resolver channel are not visible to these rules.
# dns_query is the older spelling of the dns.query sticky buffer; the HTTP rules in this file already use the dotted form (http.method, http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apiasyncpromise.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apieventemitter.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apifetchmethod.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"incachespace.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lyddemper.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1249098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249098; rev:1;) alert tcp $HOME_NET any -> [173.44.141.131] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xjp.xinjiangworker.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249070; rev:1;) alert tcp $HOME_NET any -> [93.123.85.11] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249069/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249069; rev:1;) alert tcp $HOME_NET any -> [194.87.107.145] 10480 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249371; rev:1;) alert tcp $HOME_NET any -> [185.222.58.38] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249370; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249369; rev:1;)
# Review note: the next rule (sid:91249368) has the same match conditions as the rule ending on the line above (sid:91249369): GET, URI prefix /c13/fre.php, host sempersim.su. Only the confidence level and the ThreatFox reference differ, so one request raises two alerts; deduplicate on host and URI downstream, or keep only the higher-confidence sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249368; rev:1;)
# Review note: sid:91249129 and sid:91249128 below describe the same address. The ip:port rule covers port 443; the http rule matches only where Suricata parses the request as clear-text HTTP, so if the service on 443 speaks TLS and is not decrypted, only the ip:port rule can fire. /dist/css/bootstrap.min.css is a common static-asset path; the exact host match is what makes the http rule specific.
alert tcp $HOME_NET any -> [178.236.46.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dist/css/bootstrap.min.css"; depth:27; nocase; http.host; content:"178.236.46.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.240.48.66"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1249126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249126; rev:1;) alert tcp $HOME_NET any -> [154.216.54.199] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249125; rev:1;) alert tcp $HOME_NET any -> [124.71.75.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.71.75.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249123; rev:1;) alert tcp $HOME_NET any -> [193.233.132.109] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249121; rev:1;) alert tcp $HOME_NET any -> [129.159.131.26] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249120; rev:1;) alert tcp $HOME_NET any -> [23.227.198.236] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249119; rev:1;) alert tcp $HOME_NET any -> [4.227.54.178] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249118; rev:1;) alert tcp $HOME_NET any -> [103.200.29.109] 1364 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c19/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; 
sid:91249114; rev:1;) alert tcp $HOME_NET any -> [194.147.140.180] 1987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249102; rev:1;) alert tcp $HOME_NET any -> [188.120.239.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249097; rev:1;) alert tcp $HOME_NET any -> [200.234.232.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249096; rev:1;) alert tcp $HOME_NET any -> [217.196.98.138] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249095; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249094; rev:1;) alert tcp $HOME_NET any -> [103.209.129.94] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249093; rev:1;) alert tcp $HOME_NET any -> [39.40.158.94] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249092; rev:1;) alert tcp $HOME_NET any -> [154.246.154.178] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249091; rev:1;) alert tcp $HOME_NET any -> [41.96.255.221] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249090; rev:1;) alert tcp $HOME_NET any -> [92.38.176.164] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249089; rev:1;) alert tcp $HOME_NET any -> [45.134.9.140] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249088; rev:1;) alert tcp $HOME_NET any -> [45.134.9.139] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249087; rev:1;) alert tcp $HOME_NET any -> [92.116.37.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249086; rev:1;) alert tcp $HOME_NET any -> [96.9.225.129] 19701 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249085; rev:1;) alert tcp $HOME_NET any -> [38.60.254.215] 2112 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edf04ce5e57d0f66.php"; depth:21; nocase; http.host; content:"193.163.7.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249064; rev:1;) alert tcp $HOME_NET any -> [91.92.247.97] 2505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249063/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn.next2.cx"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249061; rev:1;) alert tcp $HOME_NET any -> [107.150.18.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsytvkb9"; depth:9; nocase; http.host; content:"eeatgoodx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/257kcwfj"; depth:9; nocase; http.host; content:"searchgear.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxn9mb9h"; depth:9; nocase; http.host; content:"devqeury.org"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249048; rev:1;)
# The URI patterns below ("/js/min.main.js", "/hvclbyck") are prefix matches: a longer path or an
# appended query string still matches as long as the Host header equals the listed name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/min.main.js"; depth:15; nocase; http.host; content:"sarcoma.space"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvclbyck"; depth:9; nocase; http.host; content:"backendjs.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249050; rev:1;)
# "/xmlrpc.php" series: the URI is identical across these rules, so the Host value is the only
# discriminator. NOTE(review): the hosts look like ordinary third-party sites, presumably compromised;
# confirm against the referenced ThreatFox entry before treating a hit as confirmed payload delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ielts.com.au"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thetip.co.kr"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity;
sid:91249052; rev:1;)
# "/xmlrpc.php" series (continued): same GET + URI-prefix + exact-Host template, one rule per host.
# Only GET is matched (http.method content:"GET"); a POST to the same path on these hosts does not alert.
# No threshold keyword on url rules: every matching request raises its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"panang.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"restaurant-riva.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sirfresh.co.za"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bilyonaryo.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"portalebambini.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249057; rev:1;)
# "/xmlrpc.php" series (continued). The msg text carries no malware family name for url rules, so
# attribution has to come from the reference URL (threatfox.abuse.ch/ioc/<id>/) rather than the alert itself.
# target:src_ip marks the $HOME_NET client as the affected side of the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ware2go.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"configurelaptop.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alternative-tibetaine.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spml.exe"; depth:9; nocase; http.host; content:"twizt.net"; depth:9; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1249045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/"; depth:7; nocase; http.host; content:"cdn-serveq.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249040; rev:1;)
# The next three rules use http.uri content:"/" with depth:1. Because the URI match is a prefix match,
# this is satisfied by any request path beginning with "/", so these rules are effectively
# "any GET whose Host header equals the listed value". Expect one alert per request (no threshold).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.128.207.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"welcome.visionaryyouth.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.33.177.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249042; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.109]
8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249044; rev:1;)
# ip:port rules match on destination address and port alone (no flow, no payload keyword); the
# per-source 60 s limit is applied per rule, so two rules for the same address alert independently.
alert tcp $HOME_NET any -> [62.234.90.4] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c17/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249038; rev:1;)
# 193.233.132.109 is listed on port 50500 at confidence 100 here; the feed carries separate sids per
# address:port pair, each with its own confidence_level in metadata.
alert tcp $HOME_NET any -> [193.233.132.109] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249037; rev:1;)
# Port 443 ip:port rule: nothing in the rule inspects the TLS session, so it cannot distinguish the
# flagged service from anything else hosted on that address — verify with TLS/SNI or flow logs.
alert tcp $HOME_NET any -> [147.78.47.83] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.242.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249035; rev:1;)
# 52.76.173.97 appears in both an ip:port rule (msg names Cobalt Strike) and a url rule (msg names
# no family). A cleartext GET to that host can raise both; correlate on destination rather than
# counting them as independent detections.
alert tcp $HOME_NET any -> [52.76.173.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"52.76.173.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249033; rev:1;)
alert tcp $HOME_NET any -> [101.36.126.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249032; rev:1;)
# NOTE(review): this url rule names host 185.130.46.168, while the ip:port rule that follows it
# names 185.130.46.166. They are separate IOCs (1249030 / 1249031); do not assume the same server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.130.46.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249030; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.166] 80 (msg:"ThreatFox Cobalt
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249031; rev:1;)
# url rules with a literal IPv4 address in http.host: they match only when the client sends that
# address as the Host header value. The URI patterns are short, generic-looking paths matched as
# prefixes ("/fwlink" also matches e.g. a constructed "/fwlink/?id=1"), so the Host is what makes them specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.14.206.72"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.106.89.225"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"39.106.5.215"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fr.html"; depth:8; nocase; http.host; content:"101.32.37.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249026/; target:src_ip;
metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"39.100.86.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249025; rev:1;)
alert tcp $HOME_NET any -> [152.32.131.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"205.185.118.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249023; rev:1;)
# domain rule: the query name must equal the full 67-character hostname (depth:67 + isdataat:!1,relative).
# The parent domain is not matched on its own, so other hostnames under
# apig.cn-east-3.huaweicloudapis.com do not trigger this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf907cd9e8f94a93937a6360363420b2.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249021; rev:1;)
alert tcp $HOME_NET any -> [101.36.121.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count
1; reference:url, threatfox.abuse.ch/ioc/1249022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249022; rev:1;)
# Hostnames under apig.cn-east-3.huaweicloudapis.com (appears to be a shared cloud API-gateway
# domain — confirm) are each matched in full, in a dns rule and in a url rule with "/static/askbob".
# A client that resolves the name and then issues the GET over cleartext HTTP raises both alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d69b6834b7eb46fcb7bbcaa60f9f0f2d.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"cf907cd9e8f94a93937a6360363420b2.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"d69b6834b7eb46fcb7bbcaa60f9f0f2d.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"f6d2b014a8664ddd8d859ce64f3741ad.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1249016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f6d2b014a8664ddd8d859ce64f3741ad.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249017; rev:1;)
# 74.249.43.255 is covered twice: an address-only rule on port 443 and a url rule keyed on the same
# address as Host. The url rule needs parsed HTTP; on an encrypted port 443 session only the
# ip:port rule can fire.
alert tcp $HOME_NET any -> [74.249.43.255] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/v2.5/pisz5tos7v"; depth:20; nocase; http.host; content:"74.249.43.255"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.36.213.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"52.76.173.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.17.22.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249011; rev:1;)
# 195.181.245.38: address-only rule on 443 followed by a url rule for the same address as Host.
# The url rule's msg does not name a family; the ip:port rule's msg (Cobalt Strike) gives the context.
alert tcp $HOME_NET any -> [195.181.245.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249009; rev:1;)
# Three-character URI prefix ("/cm", depth:3): any path starting with those characters matches
# (a constructed example: "/cms/index"), so this rule is close to host-only in practice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.91.209.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25;
classtype:trojan-activity; sid:91249008; rev:1;)
# Mirai / Bashlite ip:port rules: source is $HOME_NET and target:src_ip marks that internal host as
# the affected side, so a hit points at a local device contacting the listed endpoint.
# Several rules share port 61616 on different addresses; each has its own sid and its own
# per-source 60 s alert limit.
alert tcp $HOME_NET any -> [62.72.185.90] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248999; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.130] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248996; rev:1;)
# domain rule at confidence 75: exact, case-insensitive match on the full query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"billions.ooguy.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248992; rev:1;)
alert tcp $HOME_NET any -> [45.131.111.159] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248993; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.140] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248997; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.15] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60,
count 1; reference:url, threatfox.abuse.ch/ioc/1248998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248998; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.225] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249000; rev:1;)
# url rules below: GET only, URI as case-insensitive prefix, Host exact. http.host carries no
# nocase modifier; the rules rely on the lowercase patterns matching the normalized host buffer.
# Short prefixes such as "/cx" add little specificity beyond the Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249004; rev:1;)
# url rules keyed on literal IPv4 Host values. flow:established,from_client restricts matching to
# client-to-server data on an established flow, so these do not fire on connection attempts
# (unlike the feed's ip:port rules, which carry no flow keyword).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etc.clientlibs/base.min.acshash29ccd0207f7ce847c.js"; depth:52; nocase; http.host; content:"119.3.12.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.130.48.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"81.19.138.57";
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248994; rev:1;)
# ip:port rules: address-and-port match only. first_seen is 2024_03_25 in metadata; addresses can
# change hands, so check the referenced ThreatFox entry's current status before blocking on these.
alert tcp $HOME_NET any -> [94.131.122.80] 5009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248991; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.155] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248987; rev:1;)
# payload-delivery url rule: matches a GET whose URI starts with the installer archive path on this
# exact Host. NOTE(review): the host name looks like an ordinary business site, presumably
# compromised — confirm, and pair a hit with endpoint evidence of the download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/spp/rf/installer.zip"; depth:26; nocase; http.host; content:"www.efesmarble.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248986; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.114] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds
60, count 1; reference:url, threatfox.abuse.ch/ioc/1248988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248988; rev:1;)
# Long, distinctive URI (depth:88) combined with an exact Host: the URI alone is already specific,
# but as written the rule still requires the Host header to equal the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipe2/0javascript2private/vmgameapi/pythonprocessor/providerpollprocesslinuxuploads.php"; depth:88; nocase; http.host; content:"212.109.198.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248989; rev:1;)
# confidence_level 75 url rule. It matches GET only (http.method content:"GET"); requests using
# another method to the same path and host are not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonpollhttpgamepubliccdncentral.php"; depth:46; nocase; http.host; content:"878497cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1248984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248984; rev:1;)
# 107.175.245.109 is listed on ports 443 and 80 (sids 91248983 and 91248981), each followed by a
# url rule for www.10086cn.xyz.
# NOTE(review): sids 91248982 and 91248980 have identical match conditions (same method, URI and
# Host); only the reference id differs, so one request raises two alerts. The underlying IOCs
# presumably differ in a field the rule template does not encode (e.g. scheme or port) — confirm,
# and deduplicate on host+URI downstream if the double alert is noisy.
alert tcp $HOME_NET any -> [107.175.245.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248982; rev:1;)
alert tcp $HOME_NET any -> [107.175.245.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/"; depth:1; nocase; http.host; content:"49.13.149.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.141.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.236"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"135.181.97.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.125.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248975; rev:1;) alert tcp $HOME_NET any -> [5.75.212.236] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248972; rev:1;) alert tcp $HOME_NET any -> [78.47.141.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248973; rev:1;) alert tcp $HOME_NET any -> [49.13.149.95] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248974; rev:1;) alert tcp $HOME_NET any -> [135.181.97.113] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248970; rev:1;) alert tcp $HOME_NET any -> [128.140.125.116] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/e1d1eda2.php"; depth:13; nocase; http.host; content:"a0881216.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248969; rev:1;)
# The nine ip:port rules below are tagged confidence_level 50 (Unknown malware,
# QakBot, Havoc, BianLian, Amadey). They have no flow or content keyword and
# match on destination address and port only; seven of them use port 80 or 443.
# Treat a hit as a lead to correlate with host and proxy telemetry, not as
# confirmation of infection: if the address also serves unrelated sites,
# benign traffic to it raises the same alert. Each rule is limited to one
# alert per source address per 60 seconds (threshold type limit, track by_src).
# first_seen is 2024_03_25 throughout; address-based indicators lose value as
# hosting is reassigned, so check the IOC page in reference:url when triaging.
alert tcp $HOME_NET any -> [109.107.182.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248968; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.105] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248967; rev:1;)
alert tcp $HOME_NET any -> [64.176.81.234] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248966; rev:1;)
alert tcp $HOME_NET any -> [209.236.16.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248965; rev:1;)
alert tcp $HOME_NET any -> [64.23.230.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248964; rev:1;)
alert tcp $HOME_NET any -> [81.43.23.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248963; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.22] 2373 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248962; rev:1;)
alert tcp $HOME_NET any -> [1.117.72.174] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248961; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.56] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248960; rev:1;)
# Cobalt Strike ip:port rules, confidence_level 100. Same header-only matching
# and per-source 60-second alert limit as the rules above.
# NOTE(review): three destinations below use port 50050, the default Cobalt
# Strike team-server management port rather than a usual beacon listener
# port - confirm what a connection from $HOME_NET to that port represents
# before classifying the source host.
alert tcp $HOME_NET any -> [64.23.206.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248864; rev:1;)
alert tcp $HOME_NET any -> [104.236.193.50] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248865; rev:1;)
alert tcp $HOME_NET any -> [128.199.141.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248866; rev:1;)
alert tcp $HOME_NET any -> [143.198.210.118] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248867; rev:1;)
alert tcp $HOME_NET any -> [167.71.61.64] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248868; rev:1;)
alert tcp $HOME_NET any -> [167.71.141.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248869; rev:1;)
alert tcp $HOME_NET any -> [178.128.59.129] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248870; rev:1;)
alert tcp $HOME_NET any -> 
[106.38.201.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248871; rev:1;) alert tcp $HOME_NET any -> [116.196.113.95] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248872; rev:1;) alert tcp $HOME_NET any -> [117.50.47.141] 47346 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248873; rev:1;) alert tcp $HOME_NET any -> [117.50.179.195] 7091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248874; rev:1;) alert tcp $HOME_NET any -> [45.63.120.203] 57383 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248875; rev:1;) alert tcp $HOME_NET any -> [64.176.168.194] 62253 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248876; rev:1;) alert tcp $HOME_NET any -> [70.34.221.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248877; rev:1;) alert tcp $HOME_NET any -> [107.191.49.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248878; rev:1;) alert tcp $HOME_NET any -> [108.160.137.199] 49933 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248879; rev:1;) alert tcp $HOME_NET any -> [20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248881; rev:1;) alert tcp $HOME_NET any -> [167.179.84.218] 35567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248880; rev:1;) alert tcp $HOME_NET any -> [20.239.165.111] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248882; rev:1;) alert tcp $HOME_NET any -> [104.46.214.150] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248883; rev:1;) alert tcp $HOME_NET any -> [168.61.180.98] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248884; rev:1;) alert tcp $HOME_NET any -> [168.61.180.98] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248885; rev:1;) alert tcp $HOME_NET any -> [64.69.41.141] 12306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248886; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248887/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248887; rev:1;) alert tcp $HOME_NET any -> [39.109.113.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248888; rev:1;) alert tcp $HOME_NET any -> [154.221.16.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248889; rev:1;) alert tcp $HOME_NET any -> [45.152.64.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248890; rev:1;) alert tcp $HOME_NET any -> [45.144.136.14] 51150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248891; rev:1;) alert tcp $HOME_NET any -> [149.104.29.151] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248892; rev:1;) alert tcp $HOME_NET any -> [38.207.178.141] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248893; rev:1;) alert tcp $HOME_NET any -> [38.207.178.141] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248894; rev:1;) alert tcp $HOME_NET any -> [149.104.30.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248895; rev:1;) alert tcp $HOME_NET any -> [139.159.145.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248862; rev:1;) alert tcp $HOME_NET any -> [124.70.180.22] 65089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248860; rev:1;) alert tcp $HOME_NET any -> [124.71.75.199] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248861; rev:1;) alert tcp $HOME_NET any -> [123.60.159.23] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248859; rev:1;) alert tcp $HOME_NET any -> [121.36.255.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248856; rev:1;) alert tcp $HOME_NET any -> [121.37.45.205] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248857; rev:1;) alert tcp $HOME_NET any -> [121.37.208.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248858; rev:1;) alert tcp $HOME_NET any -> [121.36.203.14] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248855; rev:1;) alert tcp $HOME_NET any -> [121.36.33.53] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248853; rev:1;) alert tcp $HOME_NET any -> [121.36.67.21] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248854; rev:1;) alert tcp $HOME_NET any -> [60.204.222.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248851; rev:1;) alert tcp $HOME_NET any -> [60.204.222.75] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248852; rev:1;) alert tcp $HOME_NET any -> [60.204.133.143] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248849; rev:1;) alert tcp $HOME_NET any -> [60.204.208.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248850; rev:1;) alert 
tcp $HOME_NET any -> [175.178.0.88] 33890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248833; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248834; rev:1;) alert tcp $HOME_NET any -> [192.144.234.75] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248835; rev:1;) alert tcp $HOME_NET any -> [175.27.137.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248831; rev:1;) alert tcp $HOME_NET any -> [175.27.159.169] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248832; rev:1;) alert tcp $HOME_NET any -> [159.75.170.201] 42586 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248829; rev:1;) alert tcp $HOME_NET any -> [175.27.137.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248830; rev:1;) alert tcp $HOME_NET any -> [150.158.135.188] 49227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248827; rev:1;) alert tcp $HOME_NET any -> [152.136.174.196] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248828; rev:1;) alert tcp $HOME_NET any -> [139.155.94.15] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248826; rev:1;) alert tcp $HOME_NET any -> [124.223.180.89] 58808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248825; rev:1;) alert tcp $HOME_NET any -> [124.222.220.126] 10086 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248824; rev:1;) alert tcp $HOME_NET any -> [124.221.184.239] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248821; rev:1;) alert tcp $HOME_NET any -> [124.222.24.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248822; rev:1;) alert tcp $HOME_NET any -> [124.222.186.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248823; rev:1;) alert tcp $HOME_NET any -> [124.220.182.36] 38927 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248818; rev:1;) alert tcp $HOME_NET any -> [124.221.15.74] 50520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248819/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248819; rev:1;) alert tcp $HOME_NET any -> [124.221.66.75] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248820; rev:1;) alert tcp $HOME_NET any -> [124.220.163.73] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248817; rev:1;) alert tcp $HOME_NET any -> [121.5.66.186] 1082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248814; rev:1;) alert tcp $HOME_NET any -> [122.51.133.143] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248815; rev:1;) alert tcp $HOME_NET any -> [123.207.50.191] 43252 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248816; rev:1;) alert tcp $HOME_NET any -> [121.5.66.186] 1083 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248813; rev:1;)
# ThreatFox ip:port indicators tagged Cobalt Strike (confidence_level 100, first_seen 2024_03_25).
# Shape of every rule in this run: alert on any TCP packet from $HOME_NET to one address and one
# port. There is no flow or content keyword, so a connection attempt that is never answered fires
# the rule just like an established session does.
# threshold (type limit, track by_src, seconds 60, count 1) keeps output to one alert per source
# host per minute for each sid; target:src_ip records the internal host as the target in the event.
# The same address can appear under several sids with different ports (101.43.211.190 below).
# NOTE(review): several entries use port 50050, which is commonly the Cobalt Strike team-server
# management port rather than a beacon listener - presumably these come from internet scanning;
# confirm on the reference URL and corroborate with host telemetry before escalating.
alert tcp $HOME_NET any -> [119.45.216.34] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248811; rev:1;)
alert tcp $HOME_NET any -> [121.4.94.121] 65335 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248812; rev:1;)
alert tcp $HOME_NET any -> [119.45.187.65] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248810; rev:1;)
alert tcp $HOME_NET any -> [118.25.182.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248809; rev:1;)
alert tcp $HOME_NET any -> [115.159.102.112] 8933 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248808; rev:1;)
alert tcp $HOME_NET any -> [114.132.252.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248807; rev:1;)
alert tcp $HOME_NET any -> [111.230.111.186] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248806; rev:1;)
alert tcp $HOME_NET any -> [106.55.181.95] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248803; rev:1;)
alert tcp $HOME_NET any -> [111.230.30.197] 61234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248804; rev:1;)
alert tcp $HOME_NET any -> [106.54.227.54] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248802; rev:1;)
alert tcp $HOME_NET any -> [101.43.215.118] 65530 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248800; rev:1;)
alert tcp $HOME_NET any -> [106.52.94.23] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248801; rev:1;)
alert tcp $HOME_NET any -> [101.43.211.190] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248798; rev:1;)
alert tcp $HOME_NET any -> [101.43.211.190] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248799; rev:1;)
alert tcp $HOME_NET any -> [101.43.2.116] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248796; rev:1;)
alert tcp $HOME_NET any -> [101.43.16.149] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248797; rev:1;)
alert tcp $HOME_NET any -> [82.157.154.247] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248794; rev:1;)
alert tcp $HOME_NET any -> [101.35.108.141] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248795; rev:1;)
alert tcp $HOME_NET any -> [82.157.153.82] 7979 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248793; rev:1;)
alert tcp $HOME_NET any -> [82.157.17.183] 4418 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248792; rev:1;)
alert tcp $HOME_NET any -> [82.156.147.236] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248790; rev:1;)
alert tcp $HOME_NET any -> [82.156.174.51] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248791; rev:1;)
alert tcp $HOME_NET any -> [81.71.140.170] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248788; rev:1;)
alert tcp $HOME_NET any -> [82.156.29.211] 40089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248789; rev:1;)
alert tcp $HOME_NET any -> [43.143.103.235] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248785; rev:1;)
alert tcp $HOME_NET any -> [43.143.216.15] 4434 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248786; rev:1;)
alert tcp $HOME_NET any -> [81.68.198.185] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248787; rev:1;)
alert tcp $HOME_NET any -> 
[43.138.150.136] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248783; rev:1;)
# ThreatFox Cobalt Strike ip:port indicators (confidence_level 100, first_seen 2024_03_25).
# Each rule matches purely on the destination address and port of a TCP packet leaving
# $HOME_NET; no payload, flow state or TLS attribute is inspected, so an alert shows that a
# host tried to reach the endpoint, not what was exchanged.
# The threshold option rate-limits alerts to one per source host per 60 seconds for each sid.
# Each sid is the IOC id from the reference URL with a leading 9, which lets an analyst go from
# an alert straight to the ThreatFox entry. 120.55.64.157 is listed twice, on ports 8080 and 4433.
# NOTE(review): address/port indicators go stale when the server is taken down or the address
# is reassigned; check that the IOC is still listed before treating a hit as a compromise.
alert tcp $HOME_NET any -> [43.139.219.102] 65360 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248784; rev:1;)
alert tcp $HOME_NET any -> [43.138.77.115] 54666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248782; rev:1;)
alert tcp $HOME_NET any -> [43.136.71.208] 9856 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248780; rev:1;)
alert tcp $HOME_NET any -> [43.136.242.247] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248781; rev:1;)
alert tcp $HOME_NET any -> [42.193.178.194] 65530 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248778; rev:1;)
alert tcp $HOME_NET any -> [43.136.14.250] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248779; rev:1;)
alert tcp $HOME_NET any -> [42.193.141.172] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248775; rev:1;)
alert tcp $HOME_NET any -> [42.193.170.176] 37019 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248776; rev:1;)
alert tcp $HOME_NET any -> [42.193.175.123] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248777; rev:1;)
alert tcp $HOME_NET any -> [42.193.98.44] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248774; rev:1;)
alert tcp $HOME_NET any -> [1.15.248.225] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248772; rev:1;)
alert tcp $HOME_NET any -> [42.193.16.213] 65520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248773; rev:1;)
alert tcp $HOME_NET any -> [1.14.204.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248770; rev:1;)
alert tcp $HOME_NET any -> [1.14.205.73] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248771; rev:1;)
alert tcp $HOME_NET any -> [1.14.69.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248769; rev:1;)
alert tcp $HOME_NET any -> [1.14.46.128] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248768; rev:1;)
alert tcp $HOME_NET any -> [182.92.67.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248765; rev:1;)
alert tcp $HOME_NET any -> [120.79.225.52] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248762; rev:1;)
alert tcp $HOME_NET any -> [123.57.193.197] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248763; rev:1;)
alert tcp $HOME_NET any -> [139.224.188.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248764; rev:1;)
alert tcp $HOME_NET any -> [120.78.83.129] 51120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248761; rev:1;)
alert tcp $HOME_NET any -> [120.55.64.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248759; rev:1;)
alert tcp $HOME_NET any -> [120.76.158.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248760; rev:1;)
alert tcp $HOME_NET any -> [120.55.64.157] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248758; rev:1;)
alert tcp $HOME_NET any -> [120.25.1.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248757; rev:1;)
alert tcp $HOME_NET any -> [114.55.234.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248755; rev:1;)
alert tcp $HOME_NET any -> [116.62.242.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248756; rev:1;)
# ThreatFox Cobalt Strike ip:port indicators (confidence_level 100, first_seen 2024_03_25).
# The rules below alert on TCP from $HOME_NET to a single address and port and carry no flow,
# content or protocol keyword, so they fire on the first packet seen toward that endpoint.
# threshold: type limit, track by_src, seconds 60, count 1 means at most one alert per source
# host per minute per sid - the alert count therefore says little about traffic volume.
# 8.147.132.135 is listed twice, on ports 2087 and 443, under separate sids.
# NOTE(review): destination-only matching cannot tell C2 traffic from any other service on the
# same endpoint; verify against the reference URL and flow or host logs before acting on a hit.
alert tcp $HOME_NET any -> [101.201.155.239] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248753; rev:1;)
alert tcp $HOME_NET any -> [112.126.80.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248754; rev:1;)
alert tcp $HOME_NET any -> [47.123.7.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248752; rev:1;)
alert tcp $HOME_NET any -> [47.106.89.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248750; rev:1;)
alert tcp $HOME_NET any -> [47.119.19.34] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248751; rev:1;)
alert tcp $HOME_NET any -> [47.100.229.207] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248749; rev:1;)
alert tcp $HOME_NET any -> [47.94.196.29] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248747; rev:1;)
alert tcp $HOME_NET any -> [47.100.182.88] 1266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248748; rev:1;)
alert tcp $HOME_NET any -> [39.106.5.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248744; rev:1;)
alert tcp $HOME_NET any -> [39.106.74.90] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248745; rev:1;)
alert tcp $HOME_NET any -> [47.92.75.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248746; rev:1;)
alert tcp $HOME_NET any -> [8.147.132.135] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248741; rev:1;)
alert tcp $HOME_NET any -> [39.101.198.2] 8446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248743; rev:1;)
alert tcp $HOME_NET any -> [8.147.132.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248742; rev:1;)
alert tcp $HOME_NET any -> [8.130.101.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248739; rev:1;)
alert tcp $HOME_NET any -> [8.130.122.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248740; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.111] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248733; rev:1;)
# Mixed ThreatFox indicators, all first_seen 2024_03_25: ip:port rules (Cobalt Strike, ERMAC,
# NjRAT), URL rules and domain rules, kept in the feed's original order.
# ip:port rules alert on any TCP packet from $HOME_NET to the listed address and port (no flow
# or content keyword) and are limited to one alert per source host per 60 seconds per sid.
alert tcp $HOME_NET any -> [8.130.43.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248737; rev:1;)
alert tcp $HOME_NET any -> [8.130.81.128] 8786 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248738; rev:1;)
# URL indicator: needs an established client-to-server flow, method GET, a URI that begins with
# /pneh2sxqk0/index.php (case-insensitive; depth:21 pins it to the start of the buffer) and an
# http.host value of exactly 193.233.132.56 (depth:14 plus isdataat:!1,relative).
# No threshold option here, so every matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/index.php"; depth:21; nocase; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248844; rev:1;)
alert tcp $HOME_NET any -> [149.104.30.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248896; rev:1;)
alert tcp $HOME_NET any -> [118.193.62.169] 16379 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248897; rev:1;)
alert tcp $HOME_NET any -> [114.115.203.114] 46123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248898; rev:1;)
alert tcp $HOME_NET any -> [111.67.195.152] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248899; rev:1;)
alert tcp $HOME_NET any -> [172.233.84.174] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248900; rev:1;)
alert tcp $HOME_NET any -> [139.144.96.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248901; rev:1;)
alert tcp $HOME_NET any -> [5.199.168.141] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248902; rev:1;)
# The NjRAT ip:port entries from here on carry confidence_level 75 rather than 100, and some
# addresses recur with different ports (3.69.115.178 and 52.28.247.255 on 12377 and 14622).
# NOTE(review): the *.gl.at.ply.gg names and the 147.185.221.x addresses below look like
# endpoints of a public tunnelling service (TODO confirm); if so the address is shared with
# unrelated users and only the port ties a hit to this C2, so triage these as leads.
alert tcp $HOME_NET any -> [52.28.247.255] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248907; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248908; rev:1;)
alert tcp $HOME_NET any -> [3.69.157.220] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248909; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248910; rev:1;)
alert tcp $HOME_NET any -> [35.158.159.254] 18001 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248911; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 64479 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248912; rev:1;)
# Domain indicators (this one and the other "alert dns" rules below): the DNS query name must
# equal the listed domain, case-insensitively - depth equals the domain length and
# isdataat:!1,relative rejects longer names, so a query for a subdomain does not match.
# They have no threshold option, so each matching query is alerted.
# NOTE(review): dns_query is the older spelling of the dns.query buffer; the HTTP rules in
# this file already use dotted buffer names (http.method, http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"share-introduced.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248913; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248914; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248915; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248916; rev:1;)
alert tcp $HOME_NET any -> [24.42.98.153] 195 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"h2cker.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248918; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 9626 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"low-feeding.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248920; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.16] 52522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"limited-architect.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248922; rev:1;)
# Payload-delivery URL indicator: GET with a URI beginning /xmlrpc.php and http.host exactly
# profaj.com, on an established client-to-server HTTP flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"profaj.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; 
sid:91248931; rev:1;)
# The line above is the tail of a rule that starts before this block; it is left as found.
#
# ThreatFox "payload delivery" URL indicators (first_seen 2024_03_25, confidence_level 100),
# one rule per line. Each sid is the ThreatFox IOC id from the reference URL with a leading 9.
#
# Every rule in this run has the same shape:
#   flow:established,from_client      only client-to-server data on an established flow
#   http.method; content:"GET"        request method
#   http.uri; content:"/xmlrpc.php"; depth:11; nocase
#                                     the URI must START with this path (depth equals the pattern
#                                     length); nothing constrains what follows, so a query string
#                                     or a longer path with the same prefix also matches
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#                                     the host buffer must equal the name exactly; no nocase is
#                                     given because http.host is the lowercased host buffer
#
# Caveats for triage:
#   - alert http inspects HTTP that Suricata can parse in the clear; the same request made over
#     TLS is not matched by these rules unless traffic is decrypted upstream.
#   - The match is host + path prefix only; nothing in the rule inspects the response, so a hit
#     shows that the URL was requested, not that a payload was delivered.
#   NOTE(review): the rules do not say why each host is listed or whether the listing is still
#   current — check the ThreatFox reference and age out entries that no longer apply.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aphcareerconnect.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"passikuvasuomi.fi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"stamyn.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"freeupscmaterials.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dermcollective.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"samsebeastrolog.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prestigiousmassage.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wakafmu.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wildaid.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ozanisguvenligi.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.celinabostic.de"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.annehemgard.se"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nematinuts.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mega-mkv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"somersetpizzamd.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wislah.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"diabetesstrong.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248947; rev:1;)
# The next line is the start of a rule that continues after this block; it is left as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cartoongayporn.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248948; rev:1;)
# The line above is the tail of a rule that starts before this block; it is left as found.
#
# ThreatFox "payload delivery" URL indicators (first_seen 2024_03_25, confidence_level 100),
# one rule per line. All of them match a cleartext GET whose URI begins with "/xmlrpc.php"
# (depth:11 anchors the pattern at the start of http.uri; there is no end anchor, so anything
# may follow) and whose http.host equals the listed name exactly (depth equals the name length
# and isdataat:!1,relative rejects trailing bytes).
#
# Caveats for triage:
#   - Requests made over TLS are not visible to these alert http rules unless decrypted upstream.
#   - Only the request is matched; a hit does not show what, if anything, the server returned.
#   - Only the host names differ between rules, so the msg text cannot tell two hits apart; use
#     the sid or the reference URL to identify the indicator.
#   NOTE(review): whether each host is still serving the reported content is not stated in the
#   rule — confirm against the ThreatFox reference before acting on an old first_seen date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"toivolanpiha.fi"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.anordestdiche.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"egylgs.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"phoenixair.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gustancho.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ancestralfindings.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arduino-projects4u.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"equinox-hotels.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bilgisebili.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"egvisaservices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.atlantabarbellgym.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"good2bsocial.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nokohome.se"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eddie-hernandez.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"recetascocinaperuana.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.appleluxurycar.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248957; rev:1;)
# The next line is the start of a rule that continues after this block; it is left as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swemed.se"; 
depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248959; rev:1;)
# The line above is the tail of a rule that starts before this block; it is left as found.
#
# Mixed run of confidence_level 100 indicators, one rule per line. Each sid is the ThreatFox
# IOC id from the reference URL with a leading 9.
#
# Same host, two views: sid 91248846 matches a cleartext GET whose URI starts with
# "/eclipseofmasters.zip" on host eclipseofmasters.com; sid 91248845 (below) matches a DNS query
# for exactly that name. The DNS rule fires on the lookup whatever transport follows; the HTTP
# rule needs HTTP that Suricata can parse in the clear.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eclipseofmasters.zip"; depth:21; nocase; http.host; content:"eclipseofmasters.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248846; rev:1;)
# ip:port rule: header-only match (no flow or content keywords), so any TCP packet from $HOME_NET
# to this address and port fires it; the threshold limits output to one alert per source per 60 s.
alert tcp $HOME_NET any -> [1.94.101.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248848; rev:1;)
# Exact-name DNS match: depth:20 equals the name length and isdataat:!1,relative rejects trailing
# bytes, so subdomains and longer names do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eclipseofmasters.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248845; rev:1;)
# The host here is a general-purpose CDN name, so the host match alone carries no signal; the
# rule's specificity comes from the 80-byte URI prefix (depth:80 equals the pattern length),
# which names one attachment path. Only a cleartext HTTP request can match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1131608743935758472/1221211365121855640/mariyeltherapyinstaller.rar"; depth:80; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248766; rev:1;)
# From here on first_seen is 2024_03_24.
# http.host holds an IP literal in this rule: it matches only when the request's host is that
# address, and the URI must begin with the 86-byte path shown.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpudlemulti/downloadsjs8/update7/cpuwp/dump48/2_public/pythondefaultdbbasetestcdn.php"; depth:86; nocase; http.host; content:"213.171.8.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248906; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.67] 5000 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248905; rev:1;)
# 8.130.9.110 appears twice: sid 91248904 alerts on any TCP packet to port 443, while
# sid 91248903 alerts on a cleartext GET whose URI starts with "/push" and whose host is the IP
# literal. The two rules are independent; either can fire without the other.
alert tcp $HOME_NET any -> [8.130.9.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.130.9.110"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248903; rev:1;)
alert tcp $HOME_NET any -> [193.233.133.152] 35515 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248863; rev:1;)
# The next line is the start of a rule that continues after this block; it is left as found.
alert tcp 
$HOME_NET any -> [91.240.85.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248843; rev:1;)
# The line above is the tail of a rule that starts before this block; it is left as found.
#
# C2 indicators with first_seen 2024_03_24, one rule per line. Each sid is the ThreatFox IOC id
# from the reference URL with a leading 9.
#
# ip:port rules: the header is the only match condition (no flow or content keywords), so any
# TCP packet from $HOME_NET to the listed address and port fires the rule; the threshold limits
# output to one alert per source host per 60 seconds.
#
# confidence_level 50 and confidence_level 100 rules use the same action (alert) and the same
# classtype, so the metadata value and the msg text are the only places the difference shows.
# Alert routing that should treat them differently has to key on one of those.
# NOTE(review): an IP-only indicator does not establish who holds the address now — confirm
# against the ThreatFox reference, especially for the confidence_level 50 entries.
alert tcp $HOME_NET any -> [77.221.148.13] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248842; rev:1;)
alert tcp $HOME_NET any -> [94.156.10.121] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248841; rev:1;)
alert tcp $HOME_NET any -> [120.26.224.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248840; rev:1;)
alert tcp $HOME_NET any -> [34.92.107.200] 8002 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248839; rev:1;)
alert tcp $HOME_NET any -> [154.247.80.100] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248838; rev:1;)
alert tcp $HOME_NET any -> [104.237.233.103] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248837; rev:1;)
alert tcp $HOME_NET any -> [193.169.245.94] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248836; rev:1;)
alert tcp $HOME_NET any -> [134.122.129.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248736; rev:1;)
# URL rules: a cleartext GET whose URI begins with the listed path (depth equals the pattern
# length; nothing anchors the end of the URI) and whose http.host equals the listed value exactly.
# Requests over TLS are not matched unless traffic is decrypted upstream. These rules carry no
# threshold, so every matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4223af25.php"; depth:13; nocase; http.host; content:"a0933702.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/externaljavascriptsecurepacketcpugameprotectdefaultdbpublic.php"; depth:70; nocase; http.host; content:"176.124.220.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248732; rev:1;)
alert tcp $HOME_NET any -> [5.161.242.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248727; rev:1;)
alert tcp $HOME_NET any -> [110.34.30.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248728; rev:1;)
alert tcp $HOME_NET any -> [206.217.139.231] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248729; rev:1;)
# The next line is the start of a rule that continues after this block; it is left as found.
alert tcp $HOME_NET any -> [47.92.173.240] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248730/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_24; classtype:trojan-activity; sid:91248730; rev:1;)
# The line above is the tail of a rule that starts before this block; it is left as found.
#
# Cobalt Strike ip:port indicators (first_seen 2024_03_24, confidence_level 100), one rule per
# line. Each sid is the ThreatFox IOC id from the reference URL with a leading 9.
#
# How these rules match:
#   - The header is the only match condition: no flow or content keyword is present, so any TCP
#     packet from $HOME_NET to the listed address and port fires the rule, whatever the payload.
#     The family named in msg comes from the feed; the rule itself does not inspect the traffic.
#   - threshold: type limit, track by_src, seconds 60, count 1 limits output to one alert per
#     source host per 60 seconds per rule.
#   - target:src_ip marks the internal source host as the target of the event.
# NOTE(review): several entries use common service ports (80, 443); an address that has since
# changed hands would alert on ordinary traffic — confirm each indicator is still current.
alert tcp $HOME_NET any -> [81.70.232.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248731; rev:1;)
alert tcp $HOME_NET any -> [123.56.251.159] 18099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248717; rev:1;)
alert tcp $HOME_NET any -> [74.48.183.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248718; rev:1;)
alert tcp $HOME_NET any -> [1.14.206.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248719; rev:1;)
alert tcp $HOME_NET any -> [119.91.192.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248720; rev:1;)
alert tcp $HOME_NET any -> [120.46.130.73] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248721; rev:1;)
alert tcp $HOME_NET any -> [47.113.219.193] 11333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248722; rev:1;)
alert tcp $HOME_NET any -> [47.109.148.62] 1003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248723; rev:1;)
alert tcp $HOME_NET any -> [47.96.229.84] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248724; rev:1;)
alert tcp $HOME_NET any -> [47.113.179.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248725; rev:1;)
alert tcp $HOME_NET any -> [167.71.205.181] 44133 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248726; rev:1;)
alert tcp $HOME_NET any -> [52.76.173.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248696; rev:1;)
alert tcp $HOME_NET any -> [43.142.183.159] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248697; rev:1;)
alert tcp $HOME_NET any -> [172.111.218.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248698; rev:1;)
alert tcp $HOME_NET any -> [38.47.226.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248700; rev:1;)
alert tcp $HOME_NET any -> [124.222.173.69] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248699; rev:1;)
# The next line is the start of a rule that continues after this block; it is left as found.
alert tcp $HOME_NET any -> [123.56.215.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1248701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248701; rev:1;)
alert tcp $HOME_NET any -> [150.158.51.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248703; rev:1;)
# URL rules: the http.host match is exact (depth equals the pattern length and
# isdataat:!1,relative rejects any trailing bytes). The http.uri match has depth
# only, so every GET whose URI begins with /index.php on that host matches.
# NOTE(review): sids 91248704/91248707, 91248705/91248708 and 91248706/91248709
# have identical match conditions (same method, URI and host) and differ only in
# sid and ThreatFox reference, so one request raises two alerts. Presumably the
# source IOCs differ in a field the rule does not express (e.g. URL scheme);
# confirm on the reference pages before suppressing one sid of each pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248704/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248708; rev:1;)
alert tcp $HOME_NET any -> [115.159.195.80] 8161 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248709; rev:1;)
alert tcp $HOME_NET any -> [67.230.163.18] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248711; rev:1;)
alert tcp 
$HOME_NET any -> [114.55.74.79] 8975 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"himalware.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248713; rev:1;) alert tcp $HOME_NET any -> [64.23.174.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sketchcolor.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248715; rev:1;) alert tcp $HOME_NET any -> [91.194.160.156] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bb0afc50.php"; depth:13; nocase; http.host; content:"a0917913.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248702; rev:1;)
# ip:port rules carry no flow or content keywords: any TCP packet from $HOME_NET
# to the listed address and port matches, whatever the payload. The threshold
# limits output to one alert per source address per 60 seconds.
# These indicators carry first_seen 2024_03_24 and the rule records nothing about
# whether the address is still in use; check the ThreatFox reference before
# treating a hit as confirmed C2 (addresses may have been reassigned since).
# 8.140.251.152 is listed twice below (ports 80 and 60000) under different
# malware labels, each with its own sid.
alert tcp $HOME_NET any -> [8.140.251.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248694; rev:1;)
alert tcp $HOME_NET any -> [154.12.29.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248693; rev:1;)
alert tcp $HOME_NET any -> [8.140.251.152] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248695; rev:1;)
# Domain rules: depth equal to the pattern length plus isdataat:!1,relative makes
# the dns_query match the whole query name, case-insensitively (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nblcc.co"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thpataa.chat"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248545/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aane.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azmmhh.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyedr.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fboadbns.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hygxq.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us17.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js-min.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stickloader.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.localadswidget.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.watchasync.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.jsdevlvr.info"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.wt-api.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.abc-cdn.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.opttracker.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.schema-forms.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l.js-assets.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248561/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"load.365analytics.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"page.24supportkit.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spf.js-min.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stat.counter247.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"streaming.jsonmediapacks.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248566; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylesheet.webstaticcdn.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248567; rev:1;)
# depth equal to the pattern length plus isdataat:!1,relative makes the dns_query
# match the whole query name; a lookup of any other label under the same domain
# does not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tags.stickloader.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248568; rev:1;)
# The credit-card-skimming entries use classtype:bad-unknown where the C2 entries
# above use trojan-activity.
# NOTE(review): a lookup of a skimmer domain presumably comes from a browser
# loading a compromised shop page rather than from malware on the querying host;
# triage as possible card exposure for the user - confirm against the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"helpoton.quest"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"looptic.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"shtelpenstec.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; 
dns_query; content:"picktoc.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sandton.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"starlanded.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.helpoton.quest"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.looptic.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.picktoc.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248577; rev:1;)
# Each dns_query match below is exact (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes), so a rule for a cdn. name fires
# only on a lookup of that full name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.sandton.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.shtelpenstec.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.starlanded.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flonea.live"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248584; rev:1;)
# Payload-delivery rule: client-side GET on an established flow, URI beginning
# with /xmlrpc.php (depth only, so a prefix match), host matched exactly.
# NOTE(review): the host reads like an ordinary website, presumably compromised
# rather than attacker-owned, and the rule does not inspect the response; a hit
# shows the request was made, not that a payload was retrieved - verify with
# proxy or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pvcfencingwarehouse.com.au"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248684/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"systemtranslation.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atalyadis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wordpress.itrip.ro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seva-ese.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hethooghuis.nl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wheelz.me"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kbjporn.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"onlinemoneyspy.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grasping.oss-me-east-1.aliyuncs.com"; depth:35; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1248543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248543; rev:1;)
alert tcp $HOME_NET any -> [172.86.75.208] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248586; rev:1;)
# confidence_level 50 on this rule, against 100 on the surrounding ones. The
# value appears both in the msg text and in the metadata keyword, so alerts can
# be ranked or filtered on it where the alert output includes rule metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"360sec.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248587; rev:1;)
# ip:port rules have no flow or content keywords: any TCP packet from $HOME_NET
# to the listed address and port matches, limited to one alert per source
# address per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [94.156.64.122] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248588; rev:1;)
alert tcp $HOME_NET any -> [185.73.124.238] 30956 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248589; rev:1;)
alert tcp $HOME_NET any -> [128.90.122.92] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248590; rev:1;)
alert tcp $HOME_NET any -> 
[194.147.140.239] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248591; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248592; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248598; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248599; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248600; rev:1;) alert tcp $HOME_NET any -> [207.32.217.101] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248601/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248601; rev:1;) alert tcp $HOME_NET any -> [186.168.67.211] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248603; rev:1;) alert tcp $HOME_NET any -> [38.180.91.75] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248602; rev:1;) alert tcp $HOME_NET any -> [186.168.67.211] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248604; rev:1;) alert tcp $HOME_NET any -> [89.163.221.170] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248605; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248606; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248607; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248608; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248609; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 4016 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248610; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248611; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248612; rev:1;) alert tcp $HOME_NET any 
-> [66.135.22.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248613; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248614; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248615; rev:1;) alert tcp $HOME_NET any -> [47.76.218.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248683; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248616; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248617/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248617; rev:1;) alert tcp $HOME_NET any -> [107.148.49.57] 39632 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248618; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248619; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248620; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248621; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248622; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248623; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248624; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248625; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248626; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248627; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248628; 
rev:1;) alert tcp $HOME_NET any -> [46.246.4.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248630; rev:1;) alert tcp $HOME_NET any -> [88.232.116.241] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248631; rev:1;) alert tcp $HOME_NET any -> [88.232.116.241] 3007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248632; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248633; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248634; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248635; rev:1;) alert tcp $HOME_NET any -> [115.79.233.243] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248636; rev:1;) alert tcp $HOME_NET any -> [115.79.233.243] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248637; rev:1;) alert tcp $HOME_NET any -> [172.86.66.57] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248638; rev:1;) alert tcp $HOME_NET any -> [121.36.213.92] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248639; rev:1;) alert tcp $HOME_NET any -> [139.159.253.121] 1544 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248640; rev:1;) alert tcp $HOME_NET any -> [139.159.253.121] 1300 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248641; rev:1;) alert tcp $HOME_NET any -> [123.60.222.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248642; rev:1;) alert tcp $HOME_NET any -> [192.3.12.139] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vviill.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosc.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos4.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos2.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos1.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos5.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248649; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7015 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248650; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7016 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248651; rev:1;) alert 
tcp $HOME_NET any -> [106.38.201.39] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248652; rev:1;) alert tcp $HOME_NET any -> [106.38.201.39] 8555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cristech.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jelint.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"olynoo.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"seletec.fun"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"stelitech.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"teolydigi.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tolinfore.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tucton.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"veltefre.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248662/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_24; classtype:bad-unknown; sid:91248662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yelubin.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yostek.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.hopefor.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.jelint.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.treimob.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming 
(domain - confidence level: 100%)"; dns_query; content:"cdn.tucton.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248668; rev:1;) alert tcp $HOME_NET any -> [47.103.46.108] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248669; rev:1;) alert tcp $HOME_NET any -> [144.168.61.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248670; rev:1;) alert tcp $HOME_NET any -> [175.178.47.86] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248671; rev:1;) alert tcp $HOME_NET any -> [43.159.58.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"connachttribune.ie"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themodestwallet.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xlights.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.0939it.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"promixacademy.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; 
sid:91248677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aarch.dk"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"michiganumc.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"susanin.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.ama-studio.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themeatandwineco.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0869574.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"find-ball.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248596; rev:1;) alert tcp $HOME_NET any -> [45.149.172.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"find-ball.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sendmsg"; depth:12; nocase; http.host; content:"service-lidgmacv-1317471912.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lidgmacv-1317471912.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; 
content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.130.46.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248581; rev:1;) alert tcp $HOME_NET any -> [195.62.32.227] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-75oa09db-1317471892.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sendmsg"; depth:12; nocase; http.host; content:"service-75oa09db-1317471892.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apwpnhwkyh.php"; depth:15; nocase; http.host; content:"mars.mhsorteio.app.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248540; rev:1;)
# ip:port rule: it carries no flow or payload keyword, so the match is on the
# destination address and port alone. The threshold keyword limits output to
# one alert per source address per 60 seconds.
# NOTE(review): address-only indicators go stale when an address is reassigned;
# weigh hits against the first_seen date in the metadata.
alert tcp $HOME_NET any -> [18.158.249.75] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248508/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248508; rev:1;)
# url rules: the http.uri content is anchored at the start of the path (depth
# equals its length) but has no end check, so it is a prefix match. The
# http.host content has depth plus isdataat:!1,relative, so the host must match
# exactly. /xmlrpc.php is a stock WordPress path, so in the rules below the host
# value is what makes each rule specific.
# NOTE(review): these look like third-party sites used for delivery - confirm
# against the ThreatFox entry before treating the whole host as hostile.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zahiraccounting.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"parentingisnteasy.co"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shemshad.com"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gochat247.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"travel2next.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m/xmlrpc.php"; depth:13; nocase; http.host; content:"www.atemberaubende-akzente.de"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248512; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248506; rev:1;) alert tcp $HOME_NET any -> [160.177.59.183] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248505; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eshraghbook.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.elbepokal.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pointerclicker.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248517; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swingandbeyond.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248518; rev:1;) alert tcp $HOME_NET any -> [35.198.215.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"35.198.215.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248523; rev:1;) alert tcp $HOME_NET any -> [34.65.140.140] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248538; rev:1;) alert tcp $HOME_NET any -> [35.221.12.2] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248537; rev:1;) alert tcp $HOME_NET any -> 
[34.73.147.86] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248536; rev:1;) alert tcp $HOME_NET any -> [35.228.143.142] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248535; rev:1;) alert tcp $HOME_NET any -> [103.25.61.30] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248534; rev:1;) alert tcp $HOME_NET any -> [103.25.61.30] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248533; rev:1;) alert tcp $HOME_NET any -> [45.128.96.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248532; rev:1;) alert tcp $HOME_NET any -> [185.203.117.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248531/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248531; rev:1;) alert tcp $HOME_NET any -> [45.128.96.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248530; rev:1;) alert tcp $HOME_NET any -> [92.116.36.5] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248529; rev:1;) alert tcp $HOME_NET any -> [45.134.9.138] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248528; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 4242 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248527; rev:1;) alert tcp $HOME_NET any -> [84.246.85.147] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248526; rev:1;) alert tcp $HOME_NET any -> [88.119.174.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248525; rev:1;)
# The Host value is an IP literal, so this matches only requests that carry that
# literal in the Host header. The URI content is a prefix match (no end check).
# confidence_level 50 is the lowest value used in this part of the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.106.156.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248524; rev:1;)
# ip:port rule: no flow or payload keyword, so address and port alone decide the
# match; the threshold allows one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [91.92.248.117] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248521; rev:1;)
# content:"/"; depth:1 is satisfied by practically every request path, so this
# rule reduces to "GET request whose Host is exactly 128.140.90.181". Read a hit
# as a host indicator; the URI part adds no specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.90.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248520; rev:1;)
alert tcp $HOME_NET any -> [175.42.16.2] 4784 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.guerrilladefense.com"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248504; rev:1;) alert tcp $HOME_NET any -> [5.42.65.67] 48396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248503; rev:1;) alert tcp $HOME_NET any -> [105.158.47.40] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248502; rev:1;) alert tcp $HOME_NET any -> [23.95.6.204] 1604 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"paulrdp02.duckdns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248499; rev:1;) alert tcp $HOME_NET any -> [51.75.74.92] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248498/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248498; rev:1;) alert tcp $HOME_NET any -> [104.131.185.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248497; rev:1;) alert tcp $HOME_NET any -> [4.175.178.149] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248496; rev:1;) alert tcp $HOME_NET any -> [45.148.244.175] 9191 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248495; rev:1;) alert tcp $HOME_NET any -> [119.29.249.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248494; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248493; rev:1;) alert tcp $HOME_NET any -> [189.177.47.82] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248492; rev:1;)
# confidence_level 50 ip:port rules: they match on destination address and port
# only (no flow or payload keyword) and emit one alert per source per 60 seconds.
# NOTE(review): with no payload check and the feed's lowest confidence value,
# these are better suited to triage and enrichment than to automatic blocking.
alert tcp $HOME_NET any -> [190.134.48.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248491; rev:1;)
alert tcp $HOME_NET any -> [187.170.224.77] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248490; rev:1;)
# Destination port is 445 on a literal address outside $HOME_NET. Outbound SMB
# is usually filtered at the perimeter, so a hit on this rule also suggests the
# egress policy lets port 445 leave the network - worth checking separately.
alert tcp $HOME_NET any -> [52.39.217.122] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248489; rev:1;)
# Port 443 with no TLS or payload keyword: any TCP traffic from $HOME_NET to
# these addresses on 443 matches, whatever is served there.
alert tcp $HOME_NET any -> [172.178.112.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248488; rev:1;)
alert tcp $HOME_NET any -> [159.65.212.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248487; rev:1;)
alert tcp $HOME_NET any -> 
[193.239.86.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248486; rev:1;) alert tcp $HOME_NET any -> [92.116.39.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248485; rev:1;) alert tcp $HOME_NET any -> [104.234.254.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpcpu.php"; depth:12; nocase; http.host; content:"a0583448.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248483; rev:1;) alert tcp $HOME_NET any -> [45.11.183.78] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248480; rev:1;) alert tcp $HOME_NET any -> [80.77.23.52] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248481; rev:1;)
# ip:port rule on port 80 with no HTTP keyword: any TCP traffic from $HOME_NET
# to this address and port matches, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [185.158.251.76] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248482/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248482; rev:1;)
# domain rule: dns_query content with depth equal to the name length plus
# isdataat:!1,relative is an exact, case-insensitive match on the queried name.
# Names below or above it in the DNS tree do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariyeltherapy.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248476; rev:1;)
# The host here is a shared content-delivery name, so the rule is specific only
# through the full attachment path in http.uri (prefix match, 72 bytes).
# NOTE(review): this is an http rule, so it fires only where the request is
# visible as HTTP to the sensor; if this host is reached over TLS, the rule
# needs decrypted traffic to match - confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1220454717306572985/1220735355087486986/mariyelstherapy.rar"; depth:72; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linnisgood.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.cliniquecomputer.com"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newiasc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tesgdtgugdugd.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"designerskinclinic.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applegrowersnc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.securecloudmanage.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248464/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geotechprotect.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legionenterprises.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecoplantssales.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldensoftware.co.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giaker.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248461; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.oneblackwood.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.shopmoneyweb.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albarakahhalalfood.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orderhalalfoodsonline.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talesfromthedoghouse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"citadelsecurityservices.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.markerbio.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.myserv012.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248458; rev:1;) alert tcp $HOME_NET any -> [103.254.75.120] 13307 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248456; rev:1;) alert tcp $HOME_NET any -> [91.92.251.30] 2025 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"big-walls.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248450/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248450; rev:1;)
# Three exact-name rules follow for app., storage. and chat. under
# wiurezende.site. Each dns_query match is anchored at both ends (depth equals
# the name length, isdataat:!1,relative forbids trailing bytes), so neither the
# parent domain nor any other label under it is covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.wiurezende.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"storage.wiurezende.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.wiurezende.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyer-when.dpvnzorwtl.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248454; rev:1;)
# url rule: GET only, URI matched as a prefix of the path, Host matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpsqlwordpressdlepublic.php"; depth:30; nocase; http.host; content:"926388cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248449/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.36.33.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248448; rev:1;) alert tcp $HOME_NET any -> [35.226.178.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.14.46.128"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248444; rev:1;) alert tcp $HOME_NET any -> [3.125.52.194] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"office365.press"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.press"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248442; rev:1;) alert tcp $HOME_NET any -> [207.148.99.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"207.148.99.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248438; rev:1;) alert tcp $HOME_NET any -> [43.198.84.164] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"203.86.255.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248435; rev:1;) alert tcp $HOME_NET any -> [203.86.255.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"23.94.87.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248433; rev:1;) alert tcp $HOME_NET any -> [23.94.87.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"121.40.119.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.190.147.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.139.101.86"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"search.zfly.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248428; rev:1;) alert tcp $HOME_NET any -> [8.137.117.105] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.6.0.min.js"; depth:20; nocase; http.host; content:"search.zfly.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248427; rev:1;) alert tcp $HOME_NET any -> [109.104.152.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home.js"; depth:12; nocase; http.host; content:"shehasgone.com"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shehasgone.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"119.45.45.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248422; rev:1;) alert tcp $HOME_NET any -> [119.45.45.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemrecordscreen/autodata/phprulemobilerule/preflocal/_secureprocesstraffic.php"; depth:82; nocase; http.host; content:"212.109.193.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panelweb.equi-hosting.fr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoevenareyou.equi-hosting.fr"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plesk.equi-hosting.fr"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equi-hosting.fr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptprocessorlongpolldbtempcentraltemporary.php"; depth:54; nocase; http.host; content:"585196cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248416; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gamerforyou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.gamerforyou.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248413/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.67.138.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.21.56.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248407; rev:1;) alert tcp $HOME_NET any -> [148.135.103.71] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"148.135.103.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248405; rev:1;) alert tcp $HOME_NET any -> [37.120.235.114] 2269 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248404; rev:1;) alert tcp $HOME_NET any -> [94.156.10.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248348; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248349; rev:1;) alert tcp $HOME_NET any -> [91.92.250.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharkagency.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.92.250.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"webipal.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"helpsarkari.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cittadifondazione.it"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"irannihon.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shywolfsanctuary.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cathedrale-nantes.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; 
http.host; content:"dgtread.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kresy.pl"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.emeliew.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248362; rev:1;) alert tcp $HOME_NET any -> [192.121.102.205] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smartai.com.au"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.djurskyddetvastervik.se"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thechutneylife.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apiframeworknode.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"healthcares.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apistoragecache.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248371/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"faneuilhallmarketplace.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mycashtree.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gradecam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sheffi-tours.co.il"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lascebrassalen.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248380; rev:1;)
# Payload-delivery URL rule (first_seen 2024_03_23). It matches an established client-to-server HTTP GET
# whose URI begins with "/xmlrpc.php" (depth:11, nocase; nothing anchors the end, so a query string may follow)
# and whose http.host buffer is exactly the listed name: depth equals the pattern length and
# isdataat:!1,relative rejects any further byte.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.drzewkonaprezent.pl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248381; rev:1;)
# ip:port rules. They carry no flow or payload keyword, so any TCP packet from $HOME_NET to the listed
# address and port matches; threshold caps output at one alert per source address per 60 seconds.
# target:src_ip records the $HOME_NET side as the target in the alert.
# NOTE(review): confidence_level 50 entries rest on the address alone, and the file header is dated
# 2024-07-26 while these entries carry first_seen 2024_03_23 -- corroborate a hit with host or proxy
# telemetry, since an address may be shared or reassigned.
alert tcp $HOME_NET any -> [91.92.242.57] 8989 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248388; rev:1;)
alert tcp $HOME_NET any -> [128.254.207.82] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248403; rev:1;)
alert tcp $HOME_NET any -> [128.254.207.82] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248402; rev:1;)
# "Unknown malware" entries: the feed names no family, so the alert text gives no hint of what to look for
# on the host.
alert tcp $HOME_NET any -> [62.109.21.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248401; rev:1;)
alert tcp $HOME_NET any -> [77.105.167.115] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248400; rev:1;)
alert tcp $HOME_NET any -> [89.23.101.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248399; rev:1;)
alert tcp $HOME_NET any -> [109.120.184.203] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248398; rev:1;)
alert tcp $HOME_NET any -> [137.184.41.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248397; rev:1;)
alert tcp $HOME_NET any -> [34.81.83.87] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248396; rev:1;)
alert tcp $HOME_NET any -> [120.48.99.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248395; rev:1;)
# Named families, still address-only matches at confidence_level 50.
alert tcp $HOME_NET any -> [46.246.14.3] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248394; rev:1;)
alert tcp $HOME_NET any -> [187.132.244.4] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248393; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.53] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248392; rev:1;)
alert tcp $HOME_NET any -> [92.116.39.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248391; rev:1;)
alert tcp $HOME_NET any -> [194.87.71.43] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248390; rev:1;)
# URL rule for the same address as the Amadey ip:port rule directly above: it additionally requires a GET
# whose URI begins with the listed path and carries confidence_level 100. Both rules can fire on one
# connection, so expect paired alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9jjjbnadshz/index.php"; depth:23; nocase; http.host; content:"194.87.71.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248389; rev:1;)
alert tcp $HOME_NET any -> [185.164.163.66] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248387; rev:1;)
alert tcp $HOME_NET any -> [216.83.40.187] 7777 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248386; rev:1;)
# URL rule with a long multi-segment path; depth:192 anchors the pattern at the start of the URI, and the
# host value is an IP literal matched exactly in http.host. Only the GET method is matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updateeternallongpoll/javascript6updateuniversal/linedatalife/uploadsapiauth/processphpwindows1/videodlebase/protectpublic/0/public8defaultexternal/pipedownloads/2voiddbdle/toapigenerator.php"; depth:192; nocase; http.host; content:"195.20.16.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248385; rev:1;)
alert tcp $HOME_NET any -> [45.142.214.240] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c68ae6a6.php"; depth:13; nocase; http.host; content:"cf31000.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmjavascriptcpuprocessorbigloadserverwindowstestlocaldownloads.php"; depth:67; nocase; http.host; content:"181571cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248382; rev:1;) alert tcp $HOME_NET any -> [91.92.253.74] 14982 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"niceburlat.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"ganstaeraop.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"grunzalom.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"titnovacrion.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248363; rev:1;) alert tcp $HOME_NET any -> 
[45.86.86.29] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248338/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248338; rev:1;) alert tcp $HOME_NET any -> [5.255.115.172] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248339/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248339; rev:1;) alert tcp $HOME_NET any -> [104.129.20.71] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248340/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248340; rev:1;) alert tcp $HOME_NET any -> [104.237.252.28] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248345; rev:1;) alert tcp $HOME_NET any -> [83.166.150.213] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248347; rev:1;) alert tcp $HOME_NET any -> [144.91.93.153] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1248346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248346; rev:1;) alert tcp $HOME_NET any -> [5.75.221.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248343; rev:1;) alert tcp $HOME_NET any -> [65.109.241.165] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248341; rev:1;) alert tcp $HOME_NET any -> [23.92.208.54] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248337/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248337; rev:1;) alert tcp $HOME_NET any -> [23.92.208.54] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248336; rev:1;) alert tcp $HOME_NET any -> [37.128.207.92] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248335; rev:1;) alert tcp $HOME_NET any -> [37.128.207.92] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248334; rev:1;) alert tcp $HOME_NET any -> [185.158.251.240] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248333; rev:1;) alert tcp $HOME_NET any -> [89.208.107.232] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248332; rev:1;) alert tcp $HOME_NET any -> [104.161.32.84] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248331; rev:1;) alert tcp $HOME_NET any -> [104.161.32.84] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248330; rev:1;) alert tcp $HOME_NET any -> [217.195.153.158] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248329; rev:1;) alert tcp $HOME_NET any -> [217.195.153.158] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248328; rev:1;) alert tcp $HOME_NET any -> [147.45.68.67] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248326; rev:1;) alert tcp $HOME_NET any -> [147.45.68.67] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248327; 
rev:1;) alert tcp $HOME_NET any -> [146.19.254.43] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248325; rev:1;) alert tcp $HOME_NET any -> [146.19.254.43] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248324; rev:1;) alert tcp $HOME_NET any -> [213.252.232.161] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248322/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248322; rev:1;) alert tcp $HOME_NET any -> [213.252.232.161] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248323/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248323; rev:1;) alert tcp $HOME_NET any -> [193.26.115.80] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248321/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248321; rev:1;) alert tcp $HOME_NET any -> [193.26.115.80] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248320/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248320; rev:1;) alert tcp $HOME_NET any -> [54.145.152.164] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248319; rev:1;) alert tcp $HOME_NET any -> [54.145.152.164] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248318/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248318; rev:1;) alert tcp $HOME_NET any -> [185.217.197.52] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248317/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248317; rev:1;) alert tcp $HOME_NET any -> [166.1.173.27] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248316/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248316; rev:1;) alert tcp $HOME_NET any -> [43.128.5.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248315/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248315; rev:1;) alert tcp $HOME_NET any -> [108.61.202.34] 80 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248314/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248314; rev:1;) alert tcp $HOME_NET any -> [5.42.106.164] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248313; rev:1;) alert tcp $HOME_NET any -> [107.172.209.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248312; rev:1;) alert tcp $HOME_NET any -> [72.27.170.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248311; rev:1;) alert tcp $HOME_NET any -> [39.40.180.234] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248310; rev:1;) alert tcp $HOME_NET any -> [191.112.21.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248309; rev:1;) alert tcp $HOME_NET any -> [64.23.181.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248308; rev:1;) alert tcp $HOME_NET any -> [114.130.36.121] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248307; rev:1;) alert tcp $HOME_NET any -> [4.153.122.111] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248306; rev:1;) alert tcp $HOME_NET any -> [64.23.185.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248305; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 10810 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248304; rev:1;) alert tcp $HOME_NET any -> [192.169.7.83] 64499 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248303; rev:1;) alert tcp $HOME_NET any -> [97.154.97.29] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248302; rev:1;) alert tcp $HOME_NET any -> [198.252.107.164] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248301; rev:1;) alert tcp $HOME_NET any -> [198.252.107.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"outsidespace.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smwroclaw.pl"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"jt.my"; depth:5; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rahatupu.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"typhoontv.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nitrobilisim.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248295; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.balanceanddizzinessphysicaltherapy.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"divipeople.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"articuly.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consulheartinc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248290; rev:1;) alert tcp $HOME_NET any -> [91.92.242.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248289/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248289; rev:1;) alert tcp $HOME_NET any -> [91.210.106.47] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248288; rev:1;) alert tcp $HOME_NET any -> [52.160.82.19] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248279; rev:1;) alert tcp $HOME_NET any -> [31.129.99.52] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248280; rev:1;) alert tcp $HOME_NET any -> [172.208.59.226] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248281; rev:1;) alert tcp $HOME_NET any -> [93.123.85.74] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248282; rev:1;) alert tcp $HOME_NET any -> [166.88.61.219] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248283; rev:1;) alert tcp $HOME_NET any -> [207.180.202.241] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248284; rev:1;) alert tcp $HOME_NET any -> [87.120.84.22] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248285; rev:1;) alert tcp $HOME_NET any -> [172.214.139.124] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game6/6videoprocess5/track/5generator/test/asynclongpolldownloadspublic/jswindows/generatorcentralcdn/wordpressvmserverto/cpuprotectbigloadwp/1external7/js00/83cpulongpoll/async0vm/pollcdn/5eternalhttphttp/towp/trafficupdate/secure6/imagejavascriptdefaultasync.php"; depth:265; nocase; http.host; content:"80.78.243.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248286; rev:1;) alert tcp $HOME_NET any -> [104.168.33.31] 
1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248278; rev:1;)
# Layout note: the line above completes a rule opened on the previous line, and the
# last line of this span opens a rule completed on the next line. Rules in between
# are laid out one per line.
#
# ip:port rule: there is no flow or payload condition, so any TCP packet from
# $HOME_NET to 143.198.30.16:53 raises the alert, including a bare connection
# attempt. The threshold caps this at one alert per source address per 60 seconds.
# The rule is TCP-only; traffic to the same address over UDP/53 is not matched here.
# first_seen is 2024_03_22: address-only indicators can outlive the operator's use
# of the address, so confirm against the referenced ThreatFox entry before acting.
alert tcp $HOME_NET any -> [143.198.30.16] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248277; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative requires the
# buffer to end right after the match, so the queried name must equal the listed name
# exactly (case-insensitively, via nocase). A subdomain of a listed name does not match.
# dns_query is the legacy spelling of the dns.query buffer keyword.
# These rules carry no threshold, so every matching query produces an alert.
# The names below resemble vendor update/CDN hostnames (msedge, winget, akadns);
# triage on the full queried name in the alert rather than the familiar-looking label.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.zodo.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"view.msedge.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.winget-east.us"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aka.akadns.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1248273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw.anti-ddos.io.vn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248262; rev:1;) alert tcp $HOME_NET any -> [87.98.228.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shop.amazon-aws.fr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248264; rev:1;) alert tcp $HOME_NET any -> [94.23.121.241] 63420 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248265; rev:1;) alert tcp $HOME_NET any -> [40.83.122.109] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248269; rev:1;) alert tcp $HOME_NET any -> [89.44.9.238] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248266; rev:1;) alert tcp $HOME_NET any -> [89.44.9.238] 11112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248267; rev:1;) alert tcp $HOME_NET any -> [113.22.74.126] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248270; rev:1;) alert tcp $HOME_NET any -> [91.92.243.188] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newssssssssssssss.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1248272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akamaicute.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pboc.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248216; rev:1;) alert tcp $HOME_NET any -> [115.134.90.74] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248217; rev:1;) alert tcp $HOME_NET any -> [62.72.185.175] 1475 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248218; rev:1;) alert tcp $HOME_NET any -> [62.72.185.201] 1451 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248222; rev:1;) alert tcp $HOME_NET any 
-> [62.72.185.39] 1463 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248219; rev:1;) alert tcp $HOME_NET any -> [62.72.185.65] 1760 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248220; rev:1;) alert tcp $HOME_NET any -> [62.72.185.35] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248221; rev:1;) alert tcp $HOME_NET any -> [62.72.185.20] 1581 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248223; rev:1;) alert tcp $HOME_NET any -> [62.72.185.42] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srryontop.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248259/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248259; rev:1;)
# Layout note: the line above completes the www.srryontop.xyz rule opened on the
# previous line, and the last line of this span opens a rule completed on the next
# line. Rules in between are laid out one per line.
#
# Domain rules: depth equals the content length and isdataat:!1,relative requires the
# buffer to end right after the match, so each rule matches only a query for exactly
# the listed name (case-insensitively). That is why the apex srryontop.xyz and the
# www. host each need their own rule (sid:91248260 and sid:91248259); any other
# subdomain of these names is not covered.
# These rules carry no threshold, so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryontop.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdfsdfhhps.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailnet.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgsf.cat"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248215; rev:1;)
# ip:port rule: no flow or payload condition, so any TCP packet from $HOME_NET to the
# listed address and port alerts, capped at one alert per source per 60 seconds.
# The rule is declared for tcp on port 123; NTP normally runs over UDP/123, so ordinary
# NTP exchanges with that address would not trigger it.
alert tcp $HOME_NET any -> [185.150.26.253] 123 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248210; rev:1;)
alert tcp $HOME_NET any -> [187.35.7.19] 5000 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248211; rev:1;) alert tcp $HOME_NET any -> [194.68.32.11] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248209; rev:1;) alert tcp $HOME_NET any -> [172.94.54.167] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"165.22.225.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248256; rev:1;)
# Layout note: the line above completes a rule opened on the previous line, and the
# last line of this span opens a rule completed on the next line. Rules in between
# are laid out one per line.
#
# ip:port rule: no flow or payload condition, so any TCP packet from $HOME_NET to
# 154.81.35.71:443 alerts, capped at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [154.81.35.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248255; rev:1;)
# url rule: the Host value must match exactly (depth equals its length and
# isdataat:!1,relative forbids trailing data), while the URI is only anchored at the
# start (depth equals the content length, no end check), so longer paths or an appended
# query string also match. The URI is a common library file name, so the exact Host
# match is what makes this rule specific.
# http.uri and http.host need the request visible to the sensor; over TLS without
# decryption this rule cannot match, and the dns rule for the same name below is the
# one that will still fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"admin.usaid2.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248253; rev:1;)
# Exact-name DNS match for the same host as sid:91248253; a cleartext HTTP request to
# that host preceded by a lookup raises both alerts for one event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.usaid2.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.45.187.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248251; rev:1;) alert tcp $HOME_NET any -> [119.45.187.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248252; rev:1;) alert tcp $HOME_NET any -> [119.45.187.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"119.45.187.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.40.40.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248247; rev:1;) alert tcp $HOME_NET any -> [121.40.40.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248248; rev:1;) alert 
tcp $HOME_NET any -> [8.134.89.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users/123/1"; depth:12; nocase; http.host; content:"8.134.89.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248245; rev:1;) alert tcp $HOME_NET any -> [121.40.40.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.40.40.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248242/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.103.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248241; rev:1;) alert tcp $HOME_NET any -> [117.50.192.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"117.50.192.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248239; rev:1;) alert tcp $HOME_NET any -> [43.198.84.164] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248238; rev:1;) alert tcp $HOME_NET any -> [103.146.179.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248237/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91248237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index"; depth:6; nocase; http.host; content:"49.233.94.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ur"; depth:3; nocase; http.host; content:"49.233.94.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248235; rev:1;) alert tcp $HOME_NET any -> [156.232.7.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.232.7.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; 
http.host; content:"45.14.245.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248232; rev:1;)
# Layout note: the line above completes a rule opened on the previous line, and the
# last line of this span opens a rule completed on the next line. Rules in between
# are laid out one per line.
#
# url rules: Host must match exactly (depth equals its length, isdataat:!1,relative
# forbids trailing data); the URI is only anchored at the start, so any path that
# begins with the listed content matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.148.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248231; rev:1;)
# NOTE(review): sid:91248230 and sid:91248229 have identical match conditions
# (GET, URI starting with "/", Host 49.13.87.142) and differ only in the ThreatFox
# reference and sid. A single request raises both alerts; deduplicate in the alert
# pipeline or suppress one sid locally rather than editing the feed.
# NOTE(review): a URI content of "/" with depth:1 is a one-byte prefix match, so for
# any URI that begins with "/" the URI condition adds nothing and the rule is
# effectively "any GET with this Host header".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.87.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.87.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.3.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248228; rev:1;)
# Layout note: the line above completes a rule opened on the previous line, and the
# last line of this span opens a rule completed on the next line. Rules in between
# are laid out one per line.
#
# ip:port rules: none has a flow or payload condition, so any TCP packet from
# $HOME_NET to the listed address and port alerts, including a connection attempt
# that never completes. The threshold limits each rule to one alert per source
# address per 60 seconds. target:src_ip marks the internal host as the affected side.
# NOTE(review): 49.13.87.142 and 116.202.3.93 also appear as Host values in the url
# rules sid:91248230, sid:91248229 and sid:91248228, so one cleartext HTTP request to
# 49.13.87.142 on port 80 can raise sid:91248227 plus both url alerts. Correlate on
# destination address when counting incidents.
# first_seen is 2024_03_22: address-only indicators can outlive the operator's use of
# the address, so confirm against the referenced ThreatFox entry before acting.
alert tcp $HOME_NET any -> [116.202.3.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248225; rev:1;)
alert tcp $HOME_NET any -> [49.13.87.142] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248226; rev:1;)
alert tcp $HOME_NET any -> [49.13.87.142] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248227; rev:1;)
alert tcp $HOME_NET any -> [143.110.191.139] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248207; rev:1;)
alert tcp $HOME_NET any -> [111.90.143.125] 8921 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248208; rev:1;)
alert tcp $HOME_NET any -> [181.162.133.144] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248202; rev:1;) alert tcp $HOME_NET any -> [8.218.71.187] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248205; rev:1;) alert tcp $HOME_NET any -> [5.181.80.127] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248203; rev:1;) alert tcp $HOME_NET any -> [91.150.120.14] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248204; rev:1;) alert tcp $HOME_NET any -> [190.205.241.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248206; rev:1;) alert tcp $HOME_NET any -> [187.59.70.10] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248199; rev:1;) alert tcp $HOME_NET any -> [47.243.49.209] 8443 (msg:"ThreatFox Quasar RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248200; rev:1;)
# NOTE(review): the ip:port rules below have no flow or payload keywords, so any TCP
# packet from $HOME_NET to the listed address and port matches. "threshold: type limit,
# track by_src, seconds 60, count 1" caps each rule at one alert per source per minute.
# An alert records contact with the indicator, not a confirmed C2 session, so corroborate
# it with flow or endpoint data. Every entry here carries first_seen 2024_03_22; address
# indicators go stale when addresses are reassigned, so check the reference URL.
alert tcp $HOME_NET any -> [172.111.148.93] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248201; rev:1;)
alert tcp $HOME_NET any -> [139.28.36.39] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248198; rev:1;)
alert tcp $HOME_NET any -> [95.216.117.153] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248183; rev:1;)
alert tcp $HOME_NET any -> [141.105.130.87] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248184; rev:1;)
alert tcp $HOME_NET any -> [141.105.130.87] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248185; rev:1;)
# Domain rule: depth equal to the content length plus isdataat:!1,relative makes this an
# exact, case-insensitive match on the queried name; subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delabfactory.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248197; rev:1;)
# URL rules: http.host is matched exactly (depth plus isdataat:!1,relative), while
# http.uri is anchored only at its start (depth, no end check), so longer URIs that share
# the prefix also match. These keywords inspect parsed HTTP, so the rules see a request
# only when it is sent in cleartext or decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"delabfactory.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248196; rev:1;)
# NOTE(review): /jquery-3.3.1.min.js is a file name that ordinary sites also serve; only
# the exact http.host match makes the two rules using it (sids 91248195, 91248193)
# specific. The url rules' msg names no malware family; for 2.58.15.44 the family label
# is on the companion ip:port rule (sid 91248194).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.219.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248195; rev:1;)
alert tcp $HOME_NET any -> [2.58.15.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"2.58.15.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248193; rev:1;)
# NOTE(review): the next two rules cover the same address. sid 91248192 matches on
# address and port 443; sid 91248191 matches an HTTP request carrying that address as
# Host. If the port-443 traffic is TLS, the HTTP rule fires only where TLS is decrypted.
alert tcp $HOME_NET any -> [43.143.110.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mht_image/"; depth:11; nocase; http.host; content:"8.141.95.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248190; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248189; rev:1;)
# NOTE(review): the Host value in the next rule, 10.127.254.209, is an RFC 1918 private
# address. Where HOME_NET includes 10.0.0.0/8 and EXTERNAL_NET is its complement, a
# request sent straight to that address cannot satisfy $HOME_NET -> $EXTERNAL_NET, so the
# rule is unlikely to fire. A private address is also not globally unique; confirm the
# indicator at its reference URL before relying on sid 91248188.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"10.127.254.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248188; rev:1;)
alert tcp $HOME_NET any -> [82.65.203.196] 7474 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"nocomp.freeboxos.fr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248186; rev:1;)
# NOTE(review): the "payload delivery" rules that follow match GET requests whose URI
# starts with /xmlrpc.php, the path WordPress uses for its XML-RPC endpoint, on an exactly
# matched Host. The page does not show why each host was listed, and the unthresholded
# rules alert on every matching request, so confirm the entry at its reference URL before
# treating an alert as payload delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"som.edu.vn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"testiran.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248176; rev:1;)
# NOTE(review): the url rules below alert on a GET whose URI starts with /xmlrpc.php
# (depth:11, no end anchor) sent to an exactly matched Host (depth plus
# isdataat:!1,relative). They carry no threshold, so every matching request alerts.
# The page does not show why these hosts were listed; check the reference URL per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"brainsoulsuccess.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lasik2020.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.artisebio.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"charltonbrown.edu.au"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"weissenbach-pr.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"fuzionproscooter.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shtourval.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"allfridaystudio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248181; rev:1;)
# NOTE(review): the ip:port rules below match on destination address and port alone,
# with no flow or payload keywords. Several use ports 80 or 443, where one address can
# front unrelated services, so an alert needs corroboration (for example flow records or
# endpoint telemetry) before it is read as C2 contact. 185.196.9.234 is listed on two
# ports (sids 91248160 and 91248161), so a host that contacts both alerts under each sid.
alert tcp $HOME_NET any -> [37.197.57.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248182; rev:1;)
alert tcp $HOME_NET any -> [193.36.119.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248171; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.234] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248160; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.234] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248161; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248163; rev:1;)
alert tcp $HOME_NET any -> [81.17.22.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248164; rev:1;)
alert tcp $HOME_NET any -> [185.229.237.51] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248169; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248170; rev:1;)
# NOTE(review): the four NjRAT rules below list different addresses on one port, 13241.
# That pattern may indicate a shared relay or tunnelling front end rather than dedicated
# servers - TODO confirm at the reference URLs. If so, the addresses are shared with
# unrelated users and the indicators age quickly.
alert tcp $HOME_NET any -> [3.125.223.134] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248168; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248167; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248166; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248165; rev:1;)
# The feed's confidence rating appears twice per rule: in the msg text and as the
# confidence_level metadata key. The first rule below is rated 75; the rest of this
# section is rated 100. Either field can be used to prioritise or filter alerts.
alert tcp $HOME_NET any -> [45.128.96.133] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248162; rev:1;)
# Domain rules: depth equal to the content length plus isdataat:!1,relative gives an
# exact, case-insensitive match on the queried name. A lookup for any other label under
# the same parent domain does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.nimade.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ck.aj05.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248159; rev:1;)
# NOTE(review): the "payload delivery" rules below match a GET whose URI starts with
# /xmlrpc.php (sid 91248143 uses /wordpress/xmlrpc.php) on an exactly matched Host. The
# URI match is a prefix match, so a query string after the path still matches. These
# keywords see only cleartext or decrypted HTTP. The page does not show why each host
# was listed, so confirm the entry at its reference URL when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"breckenridge-vacation-homes.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cultus.dk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"darolvakil.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ansoffs.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"moaetscandg.org.ng"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/xmlrpc.php"; depth:21; nocase; http.host; content:"www.cheapandbestshopforlife.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"charchiinet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mcws.org"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"goodklei.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tamilcinetalk.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dansport.is"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"schematherapyinstitute.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"geekville.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.back-zeit.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smokersplanet.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.belvederebenidorm.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ragmcloud.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"52poke.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dme.gr"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"saint-augustin.ch"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248136; rev:1;)
# NOTE(review): every url rule in this run has the same shape: method GET, a URI that
# starts with an xmlrpc.php path (prefix match, no end anchor) and an exactly matched
# Host. None has a threshold, so each matching request raises its own alert. The page
# does not show why the hosts were listed; the reference URL on each rule is where to
# confirm the entry before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"specialeventservices.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.calzaturificioliberty.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"games-up.fr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248134; rev:1;)
# NOTE(review): the Host in the next rule, snyk.io, is also the domain of a well-known
# software security vendor, so staff may browse to it during normal work. Although the
# rule also requires a GET to /xmlrpc.php, treat sid 91248132 as a likely false-positive
# source and verify the entry at its reference URL before keeping the rule enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"snyk.io"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"auxiliaryenergy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/xmlrpc.php"; depth:21; nocase; http.host; content:"www.abako.se"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"playgroundbaron.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amida.se"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mundoalbiceleste.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prokirpich76.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rushradar.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"barn2.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"yekdoa.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"geekhacker.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"luxurylaunches.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hkcapsule.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"natbooks.com.au"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.boxhaus.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248121; rev:1;)
# The ip:port rules below match on destination address and port only and are limited
# to one alert per source per 60 seconds by the threshold keyword.
alert tcp $HOME_NET any -> [45.76.125.214] 50131 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.brandweeravenhorn.nl"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248118; rev:1;)
alert tcp $HOME_NET any -> [172.94.105.163] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248116; rev:1;)
alert tcp $HOME_NET any -> [192.210.201.57] 62289 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248115/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248115; rev:1;)
# NOTE(review): the rules in this run are rated 75 or 50 by the feed (see the msg text
# and the confidence_level metadata key), lower than the 100-rated entries elsewhere in
# the file. They match on destination address and port alone, so the rating is the main
# signal for how much weight an alert deserves.
alert tcp $HOME_NET any -> [176.31.196.206] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248114/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248114; rev:1;)
alert tcp $HOME_NET any -> [41.216.182.215] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248113; rev:1;)
alert tcp $HOME_NET any -> [86.104.194.182] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248112/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248112; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.20] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248111/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248111; rev:1;)
# NOTE(review): the entries below are rated 50 and mostly labelled "Unknown malware";
# several point at port 80, where one address can serve many unrelated sites. Expect
# more benign hits from these than from the rest of the file. The confidence_level value
# gives a handle for routing them to a lower alert priority or filtering them out during
# rule management, rather than treating them as equal to the 100-rated rules.
alert tcp $HOME_NET any -> [212.57.118.90] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248110; rev:1;)
alert tcp $HOME_NET any -> [77.238.251.130] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248109; rev:1;)
alert tcp $HOME_NET any -> [45.32.62.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248108; rev:1;)
alert tcp $HOME_NET any -> [147.45.71.249] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248107; rev:1;)
alert tcp $HOME_NET any -> [103.161.224.131] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248106; rev:1;)
alert tcp $HOME_NET any -> [38.6.190.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248105; rev:1;)
alert tcp $HOME_NET any -> [222.112.93.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248104/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248104; rev:1;) alert tcp $HOME_NET any -> [43.129.190.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248103; rev:1;) alert tcp $HOME_NET any -> [46.246.4.5] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248102; rev:1;) alert tcp $HOME_NET any -> [46.246.6.21] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248101; rev:1;) alert tcp $HOME_NET any -> [38.166.64.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248100; rev:1;) alert tcp $HOME_NET any -> [187.213.241.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248099; rev:1;) alert tcp $HOME_NET any -> [41.129.178.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248098; rev:1;) alert tcp $HOME_NET any -> [162.33.177.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248097; rev:1;) alert tcp $HOME_NET any -> [92.116.37.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248096; rev:1;) alert tcp $HOME_NET any -> [45.140.188.133] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248095; rev:1;) alert tcp $HOME_NET any -> [89.116.32.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248094; rev:1;) alert tcp $HOME_NET any -> [95.164.45.31] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/imagepythonmulti/uploadsmultisql/packet/1authprovider4/downloadstracklowtest/api/processjavascriptproviderbetter/imageprovider/sqlcentral/processorbasehttptraffic/0_bettertraffic/game/pythonasynccentral2/eternal6async5/pipemultitest.php"; depth:244; nocase; http.host; content:"185.173.36.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248092; rev:1;) alert tcp $HOME_NET any -> [185.216.70.192] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sjdkghsdughpowieugh8932.griefcube.cc"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonsecuredefaultcentral.php"; depth:31; nocase; http.host; content:"839860cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248091; rev:1;) alert tcp $HOME_NET any -> [107.173.30.114] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247548; rev:1;) alert tcp $HOME_NET any -> [23.224.196.53] 16271 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247550; rev:1;) alert tcp $HOME_NET any -> [47.113.227.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247546; rev:1;) alert tcp $HOME_NET any -> [198.46.226.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247547; rev:1;) alert tcp $HOME_NET any -> [8.134.249.167] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247543; rev:1;) alert tcp $HOME_NET any -> [120.55.65.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247544; rev:1;) alert tcp $HOME_NET any -> [172.245.110.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247545; rev:1;) alert tcp $HOME_NET any -> [79.132.135.149] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247542; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247538; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247541; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247539; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247540; rev:1;) alert tcp $HOME_NET any -> [20.212.232.53] 30500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247536; rev:1;) alert tcp $HOME_NET any -> [36.69.72.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247537; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247533; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247534; rev:1;) alert tcp $HOME_NET any -> [89.148.44.245] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247535; rev:1;) alert tcp 
$HOME_NET any -> [192.227.249.230] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247549; rev:1;) alert tcp $HOME_NET any -> [117.50.199.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247551; rev:1;) alert tcp $HOME_NET any -> [104.234.254.98] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247552; rev:1;) alert tcp $HOME_NET any -> [154.40.45.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247553; rev:1;) alert tcp $HOME_NET any -> [23.95.90.77] 11451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247554; rev:1;) alert tcp $HOME_NET any -> [111.231.71.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247555; rev:1;)
# ip:port indicators. The two rules below match on destination address and
# port only: there is no flow or payload condition, so any TCP packet from
# $HOME_NET to that endpoint qualifies, and the threshold keeps it to one alert
# per source host per 60 seconds. A hit shows that the host contacted the
# address, not what was exchanged; for the port 443 entry in particular,
# corroborate with TLS/HTTP logs and weigh the first_seen date before
# escalating, since an address may later serve unrelated content.
alert tcp $HOME_NET any -> [93.123.85.100] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247556; rev:1;)
alert tcp $HOME_NET any -> [87.251.79.15] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247531; rev:1;)
# url indicators. Match logic of the two rules below: client-to-server traffic
# on an established flow, method GET, URI beginning with "/c18/fre.php"
# (depth:12 with no end anchor, case-insensitive), and Host equal to
# "sempersim.su" (depth:12 plus isdataat:!1,relative leaves no room for extra
# characters).
# NOTE(review): sid 91248090 and sid 91248089 have identical match conditions;
# they differ only in the ThreatFox reference, the confidence level (75 vs 100)
# and the sid. One matching request therefore raises two alerts. Deduplicate
# downstream or disable one of the two sids locally.
# NOTE(review): both rules pin the method to GET, so the same URI requested
# with another method (for example POST) is not covered. They also rely on the
# HTTP parser, so the request is only visible when it is cleartext or decrypted
# ahead of the sensor. Neither rule has a threshold, so every matching request
# alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248089; rev:1;)
alert tcp $HOME_NET any -> [173.254.204.77] 8123 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248088/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248088; rev:1;)
# ip:port indicator: matches destination address and port only (no flow or
# payload condition), limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [45.76.232.247] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248087; rev:1;)
# domain indicators. Each rule below inspects the DNS query name and requires
# an exact, case-insensitive match: depth equals the length of the name and
# isdataat:!1,relative forbids trailing bytes, so a query for a subdomain of
# the listed name does not match. There is no threshold, so every matching
# query raises an alert. dns_query is the older spelling of the dns.query
# sticky buffer; the url rules in this file already use the dotted form.
# NOTE(review): the names below are .onion addresses. Tor clients normally
# resolve these inside the Tor network and never send them to a DNS resolver,
# so these rules can only fire when a host leaks a .onion lookup onto the
# monitored network (for example software attempting the name without Tor).
# A hit is a useful lead; a lack of hits says nothing about whether the
# associated C2 is in use. Pair with Tor-usage detection if that coverage
# matters.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cm3thejmzhlxpvowsv2dk4ybpovmoaqal7o7gqirhgvj24l4ww7w7zid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkc56e3jgy5zlfq7ialxyppztuh4dgranlyauupid4uc2ze5hg2cshqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwgj3ux4huyfgbrwj5i2uwbxdu2ddd33eqrpq44dwooaoqo4ntmpc6qd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1248083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lvyowbbwycqoqwjmpmnpfyhzdcvxthuuabmcsocjamvzfgwzdat5wwid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vbd3hiruwgcquiwrhpvaxann2ieo3tw3iznqlrp2z6mqyaonh4rswjqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jocker02.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"best.supportredirect.net"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gotti.ddnsgeek.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elevenpaths.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrat.nsupdate.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hureseyd.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazonservices.onthewifi.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248079/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vslt.info"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal-23.ioomoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dopeonlineforwarding.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverclient.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firewall.publicvm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248069; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfocuz.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns16-microsoft-health.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlyforbit.blogdns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvstub.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atdf.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"godcheatfn.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitratfanboy2-45086.portmap.io"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nig.jalenscoonwog.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hopyboss.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrtdollars.itsaol.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mianoffice221.kozow.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1248063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248063; rev:1;)
# DNS-query rules: one exact name per rule. depth:<len> anchors the content at the start of the
# dns_query buffer and isdataat:!1,relative requires that nothing follows it, so subdomains of a
# listed name do not match; nocase makes the comparison case-insensitive.
# The header is $HOME_NET -> $EXTERNAL_NET, so only queries leaving the monitored network match.
# NOTE(review): where clients use a recursive resolver inside $HOME_NET, the matching packet is
# presumably the resolver's upstream query, and src_ip (the declared target) is then the resolver
# rather than the querying workstation; correlate with resolver logs. Confirm sensor placement.
# NOTE(review): the names here sit under shared suffixes (duckdns.org, ddns.net, publicvm.com);
# each rule covers only the listed host, not the whole provider zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs50.publicvm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0b1.duckdns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omeno.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailisbetter.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felixgodis.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamz.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"encrypted-channel.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"888myrat.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paintedkitty.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imen.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eewe.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"19008198.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yatzufn.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviceop091.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248043; rev:1;)
# URL rule: a client GET on an established flow whose http.uri begins with "/httptemp.php"
# (depth:13, nocase; no end anchor, so a longer path or a query string still matches) and whose
# http.host is exactly "onedrivepack.com" (depth:16 plus isdataat:!1,relative).
# Only traffic Suricata parses as HTTP is inspected; the same request inside TLS is not seen.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httptemp.php"; depth:13; nocase; http.host; content:"onedrivepack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248042; rev:1;)
alert tcp $HOME_NET any -> [94.237.49.140] 2222 
(msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248039; rev:1;)
# ip:port rules (BitRAT): the only match criteria are the destination address and port in the
# rule header. There are no flow or payload keywords, so any TCP packet from $HOME_NET to that
# address and port matches. An alert therefore shows an attempted connection, not a completed C2
# session; confirm with flow records or host evidence before treating the source as compromised.
# threshold type limit / track by_src / seconds 60 / count 1 caps each rule at one alert per
# source address per 60 seconds.
# NOTE(review): every entry carries first_seen 2024_03_22, and nothing in the rule expires the
# address. Hosting IPs can be reassigned, so an old entry may point at unrelated infrastructure.
# Check the linked ThreatFox record for current status when triaging.
alert tcp $HOME_NET any -> [139.28.219.45] 443 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248040; rev:1;)
alert tcp $HOME_NET any -> [178.20.40.235] 5555 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248041; rev:1;)
alert tcp $HOME_NET any -> [111.90.158.139] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248034; rev:1;)
alert tcp $HOME_NET any -> [51.89.205.208] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248035; rev:1;)
alert tcp $HOME_NET any -> [194.33.45.3] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248036; rev:1;)
alert tcp $HOME_NET any -> [139.28.219.47] 64576 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248037; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.55] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248038; rev:1;)
alert tcp $HOME_NET any -> [95.252.122.216] 1900 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248027; rev:1;)
alert tcp $HOME_NET any -> [27.124.20.145] 8082 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248028; rev:1;)
alert tcp $HOME_NET any -> [103.153.182.89] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248029; rev:1;)
alert tcp $HOME_NET any -> [204.77.8.221] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248030; rev:1;)
alert tcp $HOME_NET any -> [185.244.36.230] 1240 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248031; rev:1;)
alert tcp $HOME_NET any -> [162.33.178.83] 6969 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248032; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.237] 1734 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248033; rev:1;)
alert tcp $HOME_NET any -> [173.44.50.140] 4550 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248023; rev:1;)
alert tcp $HOME_NET any -> [202.182.106.243] 12341 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248024; rev:1;)
alert tcp $HOME_NET any -> [47.75.99.242] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248025; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.73] 19099 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248026; rev:1;)
alert tcp $HOME_NET any -> [103.153.182.247] 6161 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248019; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.46] 1180 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248020; rev:1;)
alert tcp $HOME_NET any -> [109.70.236.80] 53166 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248021; rev:1;)
alert tcp $HOME_NET any -> [65.21.3.192] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248022; rev:1;)
# "url" rules whose only indicator is a bare hostname or IPv4 address. Each requires a client GET
# on an established flow and then looks for the host string at offset 0 of the http.uri buffer
# (depth equals the string length, nocase). None of them has an http.host match.
# NOTE(review): an ordinary origin-form request URI begins with "/", so a hostname anchored at
# the start of http.uri looks unlikely to match normal client requests. Other url rules in this
# file (e.g. sid:91248042) put the path in http.uri and the host in http.host. Presumably these
# IOCs had no path and the host ended up in the URI buffer. Verify against test traffic, and do
# not assume these rules provide coverage for the listed hosts; an http.host, DNS or IP match
# would be the usual way to detect them.
# Only traffic Suricata parses as HTTP is inspected; requests inside TLS are not seen.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"joscramp.top"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rewe-coupouns.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1248017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"arthurmaes.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"46.29.234.95"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"larsvanderwal.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1248013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.160"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.108.240.151"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.143.1.226"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.159.248.242"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mariles.top"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1248010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.232.223"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.210"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1248005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.100"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.137.206.15"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.245"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.52.220"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.109.226.91"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.72"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.132.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.145"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1247997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"normanhoffman.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1247998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.52.241"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.161.248.78"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1247993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.132"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1247994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.240.249"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.86.77.102"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.28.157.3"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1247991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.246.192"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.71"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.129"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.20"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"michaeljohnson.top"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1247985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"publisherget.top"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1247986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.227.202.68"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jeffmorales.top"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1247982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.65.61"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.64.6"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1247984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.98.13.202"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.98.9.109"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.42.32.206"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ser.nrovn.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247976/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247976; rev:1;)
# DNS-query rules: one exact name per rule. depth:<len> anchors the content at the start of the
# dns_query buffer and isdataat:!1,relative requires that nothing follows it, so subdomains of a
# listed name do not match; nocase makes the comparison case-insensitive.
# The msg names no malware family, so the linked ThreatFox record is the place to find what the
# indicator was attributed to.
# NOTE(review): many of these names appear to sit under dynamic-DNS or free-subdomain services.
# The host behind such a name can change owner, and first_seen is 2024_03_22, so treat a hit as a
# lead to confirm on the endpoint rather than as proof of infection.
# NOTE(review): where clients use a recursive resolver inside $HOME_NET, src_ip on the alert is
# presumably the resolver, not the querying host. DNS carried over TLS or HTTPS is not visible to
# dns_query. Confirm sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyesterbill.chickenkiller.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassan.webhop.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sosob9ta.line.pm"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mydogis.onthewifi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newhost.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volam2.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interstellar.onthewifi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.worldxw.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allay.x3322.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bofa.su"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trbe.mentality.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asegurarasyncrat.4cloud.click"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"popo.office-on-the.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mytestdns123.mooo.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1hitler.accesscam.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stormx.dynu.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler55.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yy.webhop.me"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nso1.nsolau.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milan.giize.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler55.dvrdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sis.is-a-blogger.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdofugugja883.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webjava.mywire.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasser.is-found.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"podejrzanylink.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shailputrimt1.publicvm.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdns.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28febnde.dynv6.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wandering-field-84417.pktriot.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdugvua37vhax.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vibrant-frost-53467.pktriot.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247947; rev:1;)
# None of these domain rules carries a threshold or flow keyword, so every matching
# query raises its own alert. A client that retries a name can produce many events;
# rate-limit per source in threshold.config if that becomes noisy.
# reference:url points at the ThreatFox entry to read during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoputer.crabdance.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sis.4cloud.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spiffy-balloon.auto.playit.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azurecloud-bridge.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alerts.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1247939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat2024.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osso.camdvr.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scrubloader.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koradon.giize.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webtool.publicvm.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247937/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drax2023.run.place"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"999triana999.1cooldns.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"470krlio.shenzhuo.vip"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-shady.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemback.dns.navy"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliveafterguard.icu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247931; rev:1;)
# Direction is $HOME_NET -> $EXTERNAL_NET and target:src_ip marks the querying
# address as the target in the alert.
# NOTE(review): where clients resolve through an internal recursive resolver, the
# source seen here is presumably that resolver -- correlate with resolver query logs
# to find the originating host. DNS carried inside TLS or HTTPS is not expected to
# reach dns_query; confirm against the sensor's actual visibility.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bg1.heztak.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usaugen.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torenta2.vpndns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-wh-plc-1.openfrp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adad3.casacam.net"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5ra.webredirect.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kapobiko1.mooo.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat.loseyourip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawy.ooguy.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jksdghfsd.loseyourip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247918/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reyfelipeborbon.loseyourip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love1.loseyourip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vx2sw7soh8ds5.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roolingstone.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cartel.theworkpc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247913; rev:1;)
# Several names here sit under the same parent zones (hopto.org, theworkpc.com).
# Each rule matches one full hostname only; other hostnames in those zones do not
# alert. NOTE(review): these look like shared dynamic-DNS zones -- confirm before
# widening any match or block to the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekuroak.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggghmn8766vg.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tanta.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icant.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsm.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ech0.theworkpc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buike.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win0090.theworkpc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"non.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boty.theworkpc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utorrent.theworkpc.com"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ancy2024.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quepasa2024.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoes-truth.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunday-survivors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"italy-completed.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247899; rev:1;)
# The *.gl.at.ply.gg entries (and the kozow.com one) are listed one hostname at a
# time; the rules do not cover the parent zone, so another hostname under it is
# matched only once it has its own rule. msg carries no malware family for these
# domain rules: follow reference:url to the ThreatFox entry before attributing a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"com-bg.gl.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mono2024.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"budget-whose.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loan-mode.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fl-survivor.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247894/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copyright-sofa.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richard-foods.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movie-responses.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"six-fleece.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trying-shirts.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247890; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patients-councils.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielballesterosdominper.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"should-nutritional.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoes-truth.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"government-program.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"horse-undertake.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247887; rev:1;)
# sid appears to be the ThreatFox IOC id from reference:url with a leading 9
# (ioc/1247877 -> sid:91247877), which lets an alert be traced back to its feed entry.
# The rules here are rev:1 with confidence_level 100 and first_seen 2024_03_22 in
# metadata; those fields are informational and do not affect matching.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contodapug.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reverseproxy.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myryam.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptojoke.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rtx.con-ip.com"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"armandocastillodominio.con-ip.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aobertoferndomip.con-ip.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sebastianmindioladomini.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davidricardodom.con-ip.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sandraferreirodominiopersonal.con-ip.com"; depth:40; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247876; rev:1;)
# Hostnames under duckdns.org, a dynamic-DNS zone in which a name can later change
# hands. first_seen is 2024_03_22, so treat a hit as a lead: check the referenced
# ThreatFox entry and the address the name resolved to before concluding that the
# querying host is infected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vendjksld.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"littlenerd.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkys.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jossmaybs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdamahe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247864/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momenttoday550.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dohavevictem2024.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subdominiodesub.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rem-new-2.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magarodriajhsdbajifuqwe12341safqdv.duckdns.org"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nagerproxysinintercavi8464perringuta.duckdns.org"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebefiin.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"febvenom8.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"window10.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23preguntas.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247855; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestcoder.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocomelondc.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"selldrugs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mariarizazapata09.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"febrerososte.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"tularz.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pooldiaz14.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chichichi01.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markvenm2.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diciembre12.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smoney.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1247847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrrxr.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finessebitcoin.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmnms.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfreddy2751.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helprxr.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247842/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91247842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrnmmondays.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martingonzalessoto09.duckdns.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merthamurc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momentdhs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krallarcarding.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247837; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jojomo.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratdeniyoz7386.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassgoodmane-46736.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swifty123-23089.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loliletnotnoobonf-28917.portmap.host"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"wassgoodmane-45751.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-45002.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-52195.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutecat-46661.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-62048.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nezo123-21027.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swifty123-48281.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolzpopbob-31243.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okaa0-60956.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meowpc-33643.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-63469.portmap.io"; depth:28; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcehonline-48303.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chingyen-23182.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e7team-54210.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-55506.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-62451.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabeellasdfasdf-52048.portmap.host"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torbrowser-39837.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"travisway-41408.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mankemane-47945.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tobacos.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247809/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mznhr.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waytovwmk40.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kreyze.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a0979283148.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fat7ola0077.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247805; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2hitler.ddnsgeek.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talapain.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h2mhost123ontop.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndichinnenanna0110.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqwonderworld.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"spongethug.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spidermanbaba.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whiteshadows.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdd4514136100juciywrldl.ddns.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w3llsfarg0h0st.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cringelord6969.ddns.net"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"46tochristmas15dec.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat34.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g6666lrd10424346129.ddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaxhost.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roscript.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247793/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247793; rev:1;)
# Dynamic-DNS C2 hostnames (all under ddns.net). Each rule anchors the pattern at
# the start of the DNS query name (depth equals the pattern length) and requires
# that no byte follows it (isdataat:!1,relative), so only an exact, case-insensitive
# match of the whole query name alerts; a lookup of a subdomain of a listed name
# is not covered by these rules.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer;
# the HTTP rules in this file already use the dotted form (http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfclog.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1tapfinn.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t3fakpraf.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powellfrank.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yubarats.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkstorm275991.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247785; rev:1;)
# AsyncRAT C2 endpoints (ip:port indicators). Each sid is the ThreatFox IOC id from
# the reference URL prefixed with 9. The rules carry no payload, flow or flags
# keyword: any TCP packet from $HOME_NET to the listed address and port matches,
# and the threshold limits output to one alert per source address per 60 seconds.
# An alert therefore shows that a host contacted the endpoint, not that AsyncRAT
# traffic was recognised; confirm with endpoint or proxy telemetry.
# target:src_ip marks the $HOME_NET side as the affected host in the alert record.
# NOTE(review): all entries are first_seen 2024_03_22; ip:port indicators go stale
# as addresses are reassigned (several look like public-cloud ranges -- verify), so
# check the ThreatFox reference before blocking on a match.
alert tcp $HOME_NET any -> [123.99.200.175] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247780; rev:1;)
alert tcp $HOME_NET any -> [123.99.200.184] 2140 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247781; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.164] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247779; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 3004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247778; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.200] 3201 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247776; rev:1;)
alert tcp $HOME_NET any -> [154.48.237.186] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247777; rev:1;)
# NOTE(review): 147.185.221.0/24 appears to be a public tunnelling-service range
# (playit.gg) -- verify; on a shared tunnel host only the address+port pair
# identifies this endpoint, so do not block the address as a whole on this basis.
alert tcp $HOME_NET any -> [147.185.221.16] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247774; rev:1;)
alert tcp $HOME_NET any -> [154.91.65.153] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247775; rev:1;)
alert tcp $HOME_NET any -> [212.129.30.248] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247772; rev:1;)
alert tcp $HOME_NET any -> [47.94.3.159] 4455 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247773; rev:1;)
alert tcp $HOME_NET any -> [47.94.3.159] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247770; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.35] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247771; rev:1;)
alert tcp $HOME_NET any -> [20.98.80.51] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247768; rev:1;)
alert tcp $HOME_NET any -> [39.103.129.63] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247769; rev:1;)
alert tcp $HOME_NET any -> [38.54.1.41] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247766; rev:1;)
alert tcp $HOME_NET any -> [20.69.96.235] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247767; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.49] 1984 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247765; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.52] 4789 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247763; rev:1;)
alert tcp $HOME_NET any -> [81.249.25.228] 1605 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247764; rev:1;)
alert tcp $HOME_NET any -> [13.36.174.17] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247762; rev:1;)
alert tcp $HOME_NET any -> [109.248.201.153] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247761; rev:1;)
alert tcp $HOME_NET any -> [159.146.14.122] 18068 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247759; rev:1;)
alert tcp $HOME_NET any -> [192.177.111.46] 18200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247760; rev:1;)
# NOTE(review): 192.161.193.99 (this rule and sid:91247754) is one digit away from
# 193.161.193.99 (sid:91247743); confirm against the ThreatFox entries that both
# addresses are intended.
alert tcp $HOME_NET any -> [192.161.193.99] 5228 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247758; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.164] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247757; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.248] 4447 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247756; rev:1;)
alert tcp $HOME_NET any -> [139.99.86.164] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247755; rev:1;)
alert tcp $HOME_NET any -> [192.161.193.99] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247754; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.241] 9803 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247752; rev:1;)
alert tcp $HOME_NET any -> [154.221.22.54] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247753; rev:1;)
alert tcp $HOME_NET any -> [52.59.51.24] 1932 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247751; rev:1;)
alert tcp $HOME_NET any -> [103.74.172.94] 40288 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247750; rev:1;)
alert tcp $HOME_NET any -> [45.131.111.98] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247749; rev:1;)
alert tcp $HOME_NET any -> [185.234.247.30] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247747; rev:1;)
alert tcp $HOME_NET any -> [20.98.80.51] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247748; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 43941 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247745; rev:1;)
alert tcp $HOME_NET any -> [13.66.133.43] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247746; rev:1;)
alert tcp $HOME_NET any -> [93.190.10.16] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247744; rev:1;)
# NOTE(review): 193.161.193.99 appears to be a shared port-forwarding service
# address (portmap.io) -- verify; treat the address+port pair as the indicator.
alert tcp $HOME_NET any -> [193.161.193.99] 64023 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247743; rev:1;)
alert tcp $HOME_NET any -> [43.240.221.130] 9833 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247742; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.139] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247741; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.229] 7302 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247740; rev:1;)
alert tcp $HOME_NET any -> [124.166.95.10] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247738; rev:1;)
alert tcp $HOME_NET any -> [61.14.233.111] 4404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247739; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.206] 2191 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247737; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.215] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247735; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.195] 15806 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247736; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.32] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247733; rev:1;)
# Destination port 80 with no payload match: any traffic from $HOME_NET to this
# address on the standard HTTP port raises the alert.
alert tcp $HOME_NET any -> [157.90.112.255] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247734; rev:1;)
alert tcp $HOME_NET any -> [123.99.200.158] 7223 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247732; rev:1;)
alert tcp $HOME_NET any -> [24.50.117.82] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247730; rev:1;)
alert tcp $HOME_NET any -> [46.36.67.36] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247731; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.14] 58004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247728; rev:1;)
alert tcp $HOME_NET any -> [45.76.155.94] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247729; rev:1;)
alert tcp $HOME_NET any -> [45.145.224.55] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247727; rev:1;)
# Destination port 443 with no payload match: any traffic from $HOME_NET to this
# address on the standard HTTPS port raises the alert.
alert tcp $HOME_NET any -> [86.153.66.129] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247726; rev:1;)
alert tcp $HOME_NET any -> [124.248.66.160] 6422 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247725; rev:1;)
alert tcp $HOME_NET any -> [91.134.150.150] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247723; rev:1;)
alert tcp $HOME_NET any -> [78.186.152.249] 1938 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247724; rev:1;)
alert tcp $HOME_NET any -> [95.164.3.135] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247722; rev:1;)
alert tcp $HOME_NET any -> [13.66.221.58] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247720; rev:1;)
alert tcp $HOME_NET any -> [50.29.244.5] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247721; rev:1;)
alert tcp $HOME_NET any -> [13.66.133.43] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247719; rev:1;)
alert tcp $HOME_NET any -> [194.33.191.245] 2405 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247718; rev:1;)
alert tcp $HOME_NET any -> [159.146.14.122] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247717; rev:1;)
alert tcp $HOME_NET any -> [43.138.156.178] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247715; rev:1;)
alert tcp $HOME_NET any -> [8.140.33.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247716; rev:1;)
alert tcp $HOME_NET any -> [76.70.94.161] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247714; rev:1;)
alert tcp $HOME_NET any -> [45.138.99.2] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247713; rev:1;)
alert tcp $HOME_NET any -> [134.19.177.59] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247712; rev:1;)
alert tcp $HOME_NET any -> [40.66.40.50] 4173 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247711; rev:1;)
alert tcp $HOME_NET any -> [8.140.33.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247710; rev:1;)
alert tcp $HOME_NET any -> [90.8.19.214] 7006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247709; rev:1;)
alert tcp $HOME_NET any -> [39.103.129.63] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247708; rev:1;)
alert tcp $HOME_NET any -> [217.64.31.3] 4871 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247707; rev:1;)
alert tcp $HOME_NET any -> [192.177.111.46] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247706; rev:1;)
alert tcp $HOME_NET any -> [139.99.86.164] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247705; rev:1;)
alert tcp $HOME_NET any -> [8.140.33.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247704; rev:1;)
# AsyncRAT C2 endpoints (ip:port indicators). Each sid is the ThreatFox IOC id from
# the reference URL prefixed with 9. The rules carry no payload, flow or flags
# keyword: any TCP packet from $HOME_NET to the listed address and port matches,
# and the threshold limits output to one alert per source address per 60 seconds.
# An alert therefore shows that a host contacted the endpoint, not that AsyncRAT
# traffic was recognised; confirm with endpoint or proxy telemetry.
# NOTE(review): all entries are first_seen 2024_03_22; ip:port indicators go stale
# as addresses are reassigned, so check the ThreatFox reference before blocking.
#
# NOTE(review): 26.0.0.0/8 is commonly used as the overlay range of a consumer VPN
# product (Radmin VPN) -- verify; if that is the case here, 26.199.97.56 is a
# VPN-internal peer address and this rule is unlikely to match at a network edge.
alert tcp $HOME_NET any -> [26.199.97.56] 13377 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247703; rev:1;)
alert tcp $HOME_NET any -> [5.9.194.71] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247702; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.35] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247701; rev:1;)
alert tcp $HOME_NET any -> [45.76.155.94] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247700; rev:1;)
alert tcp $HOME_NET any -> [123.99.200.157] 2802 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247699; rev:1;)
alert tcp $HOME_NET any -> [147.189.161.48] 4839 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247698; rev:1;)
alert tcp $HOME_NET any -> [109.248.201.153] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247696; rev:1;)
alert tcp $HOME_NET any -> [154.91.65.150] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247697; rev:1;)
alert tcp $HOME_NET any -> [149.127.237.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247693; rev:1;)
alert tcp $HOME_NET any -> [141.95.84.40] 4291 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247694; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.116] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247695; rev:1;)
alert tcp $HOME_NET any -> [43.248.140.94] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247692; rev:1;)
alert tcp $HOME_NET any -> [46.36.67.36] 51566 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247690; rev:1;)
alert tcp $HOME_NET any -> [96.9.215.146] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247691; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.186] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247689; rev:1;)
# NOTE(review): 193.161.193.99 appears to be a shared port-forwarding service
# address (portmap.io) -- verify; treat the address+port pair as the indicator.
alert tcp $HOME_NET any -> [193.161.193.99] 49207 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247687; rev:1;)
alert tcp $HOME_NET any -> [91.134.150.149] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247688; rev:1;)
alert tcp $HOME_NET any -> [45.145.229.150] 9605 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247686; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.139] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247684; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.182] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247685; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.147] 5038 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247682; rev:1;)
alert tcp $HOME_NET any -> [147.189.161.48] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247683; rev:1;)
alert tcp $HOME_NET any -> [109.205.162.97] 4739 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247679; rev:1;)
alert tcp $HOME_NET any -> [213.32.243.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247680; rev:1;)
alert tcp $HOME_NET any -> [66.154.122.230] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247681; rev:1;)
alert tcp $HOME_NET any -> [31.210.20.231] 200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247677; rev:1;)
alert tcp $HOME_NET any -> [217.64.31.3] 3819 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247678; rev:1;)
alert tcp $HOME_NET any -> [159.146.14.122] 18840 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247674; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.164] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247675; rev:1;)
alert tcp $HOME_NET any -> [50.29.244.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247676; rev:1;)
# NOTE(review): 147.185.221.0/24 appears to be a public tunnelling-service range
# (playit.gg) -- verify; on a shared tunnel host only the address+port pair
# identifies this endpoint, so do not block the address as a whole on this basis.
alert tcp $HOME_NET any -> [147.185.221.16] 63770 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247672; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.152] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247673; rev:1;)
alert tcp $HOME_NET any -> [141.95.84.40] 6262 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247670; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.253] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247671; rev:1;) alert tcp $HOME_NET any -> [153.36.240.58] 15095 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247668; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 50732 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247669; rev:1;) alert tcp $HOME_NET any -> [76.70.94.161] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247665; rev:1;) alert tcp $HOME_NET any -> [117.18.12.59] 8880 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247666; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247667; rev:1;) alert tcp $HOME_NET any -> [38.165.8.185] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247663; rev:1;) alert tcp $HOME_NET any -> [113.207.105.200] 8301 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247664; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 5058 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247661; rev:1;) alert tcp $HOME_NET any -> [86.20.95.188] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247662; rev:1;) alert tcp $HOME_NET any -> [113.207.105.224] 16804 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247659; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 42474 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247660; rev:1;) alert tcp $HOME_NET any -> [80.48.119.72] 8848 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247657; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247658; rev:1;) alert tcp $HOME_NET any -> [120.46.33.65] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247655; rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247656; rev:1;) alert tcp $HOME_NET any -> [182.254.221.150] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247653; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247654/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247654; rev:1;) alert tcp $HOME_NET any -> [178.20.230.68] 4784 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247652; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247651; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247649; rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247650; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247647; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 33732 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247648; rev:1;) alert tcp $HOME_NET any -> [31.214.240.57] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247645; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247646; rev:1;) alert tcp $HOME_NET any -> [74.81.52.179] 33643 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247643; rev:1;) alert tcp $HOME_NET any -> [47.104.236.243] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247644; rev:1;) alert tcp $HOME_NET any -> [198.44.167.231] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247641; rev:1;) alert tcp $HOME_NET any -> 
[50.29.244.5] 5753 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247642; rev:1;) alert tcp $HOME_NET any -> [96.9.215.146] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247639; rev:1;) alert tcp $HOME_NET any -> [146.70.129.19] 38371 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247640; rev:1;) alert tcp $HOME_NET any -> [163.5.215.225] 1602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247638; rev:1;) alert tcp $HOME_NET any -> [39.103.129.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247637; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247634/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247634; rev:1;) alert tcp $HOME_NET any -> [43.248.140.96] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247635; rev:1;) alert tcp $HOME_NET any -> [124.248.69.96] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247636; rev:1;) alert tcp $HOME_NET any -> [45.76.155.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247633; rev:1;) alert tcp $HOME_NET any -> [64.56.68.144] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247631; rev:1;) alert tcp $HOME_NET any -> [198.44.165.35] 5602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247632; rev:1;) alert tcp $HOME_NET any -> [195.213.0.34] 2008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247629; rev:1;) alert tcp $HOME_NET any -> [37.114.41.142] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247630; rev:1;) alert tcp $HOME_NET any -> [154.204.60.74] 6610 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247627; rev:1;) alert tcp $HOME_NET any -> [45.128.36.146] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247628; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247625; rev:1;) alert tcp $HOME_NET any -> [86.20.95.188] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247626; rev:1;) alert tcp $HOME_NET any 
-> [147.185.221.18] 35708 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247622; rev:1;) alert tcp $HOME_NET any -> [45.145.229.147] 9606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247623; rev:1;) alert tcp $HOME_NET any -> [78.187.224.170] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247624; rev:1;) alert tcp $HOME_NET any -> [136.244.89.250] 3131 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247620; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 13997 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247621; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247618/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247618; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247619; rev:1;) alert tcp $HOME_NET any -> [198.44.167.215] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247617; rev:1;) alert tcp $HOME_NET any -> [61.14.233.111] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247615; rev:1;) alert tcp $HOME_NET any -> [185.253.161.186] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247616; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247612; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 48347 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247613; rev:1;) alert tcp $HOME_NET any -> [91.92.247.161] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247614; rev:1;) alert tcp $HOME_NET any -> [146.56.230.174] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247610; rev:1;) alert tcp $HOME_NET any -> [109.205.162.97] 8361 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247611; rev:1;) alert tcp $HOME_NET any -> [198.44.167.215] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247607; rev:1;) alert tcp $HOME_NET any -> [91.92.247.123] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247608; 
rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247609; rev:1;) alert tcp $HOME_NET any -> [198.44.167.139] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247606; rev:1;) alert tcp $HOME_NET any -> [15.237.210.97] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247604; rev:1;) alert tcp $HOME_NET any -> [43.251.17.199] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247605; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247602; rev:1;) alert tcp $HOME_NET any -> [91.92.247.96] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247603; rev:1;) alert tcp $HOME_NET any -> [45.145.229.148] 9604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247600; rev:1;) alert tcp $HOME_NET any -> [38.147.172.98] 6307 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247601; rev:1;) alert tcp $HOME_NET any -> [193.233.132.186] 4404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247598; rev:1;) alert tcp $HOME_NET any -> [23.105.131.217] 83 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247599; rev:1;) alert tcp $HOME_NET any -> [47.104.179.7] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247596; rev:1;) alert tcp $HOME_NET any -> [141.94.223.150] 6677 (msg:"ThreatFox AsyncRAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247597; rev:1;) alert tcp $HOME_NET any -> [154.39.238.95] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247594; rev:1;) alert tcp $HOME_NET any -> [193.222.96.47] 4462 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247595; rev:1;) alert tcp $HOME_NET any -> [153.36.240.58] 15092 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247592; rev:1;) alert tcp $HOME_NET any -> [193.222.96.47] 9471 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247593; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 56236 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247590; rev:1;) alert tcp $HOME_NET any -> [79.134.225.21] 8646 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247591; rev:1;) alert tcp $HOME_NET any -> [64.44.167.67] 6900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247589; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 11800 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247588; rev:1;) alert tcp $HOME_NET any -> [139.99.86.164] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247586; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 41437 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247587; rev:1;) alert tcp $HOME_NET any -> [193.233.132.186] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1247585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247585; rev:1;) alert tcp $HOME_NET any -> [96.9.215.146] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247584; rev:1;) alert tcp $HOME_NET any -> [13.36.174.17] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247581; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 6821 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247582; rev:1;) alert tcp $HOME_NET any -> [64.176.178.205] 1989 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247583; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 4431 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247579; rev:1;) alert tcp $HOME_NET any -> [45.80.158.48] 4449 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247580; rev:1;) alert tcp $HOME_NET any -> [119.42.170.7] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247576; rev:1;) alert tcp $HOME_NET any -> [103.48.85.6] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247577; rev:1;) alert tcp $HOME_NET any -> [124.166.95.10] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247578; rev:1;) alert tcp $HOME_NET any -> [146.56.230.174] 1720 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247574; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 6080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247575; rev:1;) alert tcp $HOME_NET any -> [20.98.80.51] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247572; rev:1;) alert tcp $HOME_NET any -> [179.127.14.82] 29000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247573; rev:1;) alert tcp $HOME_NET any -> [198.44.167.231] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247570; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247571; rev:1;) alert tcp $HOME_NET any -> [103.74.172.94] 4499 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247568; rev:1;) alert tcp $HOME_NET any -> [144.208.127.116] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1247569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247569; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247566; rev:1;) alert tcp $HOME_NET any -> [40.66.40.50] 6214 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247567; rev:1;) alert tcp $HOME_NET any -> [147.185.221.184] 41092 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247565; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 42475 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247563; rev:1;) alert tcp $HOME_NET any -> [198.44.167.231] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247564; rev:1;) alert tcp $HOME_NET any -> [121.62.63.238] 8848 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247561; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247562; rev:1;) alert tcp $HOME_NET any -> [13.36.174.17] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247559; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247560; rev:1;) alert tcp $HOME_NET any -> [85.105.88.221] 6935 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247558; rev:1;) alert tcp $HOME_NET any -> [142.202.242.170] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247557/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247557; rev:1;) alert tcp $HOME_NET any -> [179.14.8.182] 2009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247532; rev:1;) alert tcp $HOME_NET any -> [193.233.132.5] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_21; classtype:trojan-activity; sid:91247530; rev:1;) alert tcp $HOME_NET any -> [8.219.183.36] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_21; classtype:trojan-activity; sid:91247529; rev:1;) alert tcp $HOME_NET any -> [120.78.4.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.78.4.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pipingpotcurry.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"conoleforcongress.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.bourse-du-travail.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"atlanticyachtandship.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ngajiyok.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zarinbano.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"netmag.pk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.diereisedeineslebens.de"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247522/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"palaiofaliro.gr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"livingshorespa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247524; rev:1;) alert tcp $HOME_NET any -> [91.92.241.71] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247525; rev:1;) alert tcp $HOME_NET any -> [170.64.183.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247514; rev:1;) alert tcp $HOME_NET any -> [20.163.75.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247513/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247513; rev:1;) alert tcp $HOME_NET any -> [101.35.198.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247512; rev:1;) alert tcp $HOME_NET any -> [202.161.85.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247511; rev:1;) alert tcp $HOME_NET any -> [46.17.107.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247510; rev:1;) alert tcp $HOME_NET any -> [38.47.101.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247509; rev:1;) alert tcp $HOME_NET any -> [97.154.242.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"meridianresourcellc.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247506; rev:1;) alert tcp $HOME_NET any -> [185.194.140.225] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247507; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247504; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247503; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247502; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247501; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storyernes.cur"; depth:15; nocase; http.host; content:"147.78.103.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmgbvtlwqy81.bin"; depth:17; nocase; http.host; content:"147.78.103.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"106.55.102.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.71.130.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247495; rev:1;) alert tcp $HOME_NET any -> [94.158.247.72] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.kogyoung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.kogyoung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247492; rev:1;) alert tcp $HOME_NET any -> [154.90.63.215] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns9.bpibank.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns8.bpibank.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lokolojazz.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"casiworksplcs.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; 
depth:10; nocase; http.host; content:"2.56.215.211"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"javiermar2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"olssqh34.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knueoh22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kypersau25.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"lysmer21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morluw04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenb128hiuedfhajduihfa.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247487; rev:1;) alert tcp $HOME_NET any -> [95.217.240.145] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247485; rev:1;) alert tcp $HOME_NET any -> [49.13.33.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.8"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247483; rev:1;) alert tcp $HOME_NET any -> [78.47.223.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.223.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ct39024.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247471; rev:1;)
# The line above is the closing part of a rule that opens before this block.

# URL indicators interleaved with ip:port indicators.
# URL rules: established client-side flow, "GET" in the method, URI beginning
# with the listed path (depth anchors the start only; a longer URI with the
# same prefix still matches) and a Host value equal to the listed string
# (depth plus isdataat:!1,relative). The match is on the Host header, not on
# the destination address, and the msg text names no malware family.
# ip:port rules: no flow or payload keyword, so any TCP packet to the listed
# address and port matches, including a connection attempt that never
# completes; threshold limits output to one alert per source per 60 seconds.
# The Host values 103.47.82.210, 213.109.202.227 and 154.92.18.103 are also
# the destinations of Cobalt Strike ip:port rules in this block
# (sids 91247469, 91247467, 91247464), so one session can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247470; rev:1;)
alert tcp $HOME_NET any -> [103.47.82.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247468; rev:1;)
alert tcp $HOME_NET any -> [213.109.202.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247466; rev:1;)
# NOTE(review): "/jquery-3.3.1.min.js", "/ie9compatviewlist.xml" and "/fwlink"
# look like ordinary web resource paths; the rules stay specific only because
# the Host test pins them to a single address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.61.25.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.92.18.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247463; rev:1;)
alert tcp $HOME_NET any -> [154.92.18.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"94.156.67.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247461; rev:1;)

# Bashlite ip:port indicators. Both carry confidence_level 75 in msg and
# metadata, lower than the 100 used by the other rules in this block.
alert tcp $HOME_NET any -> [45.86.86.217] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247460; rev:1;)
alert tcp $HOME_NET any -> [159.253.120.118] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247459; rev:1;)

# Cobalt Strike ip:port indicator on port 4444; the same address follows on
# port 4569 in the rule that is cut at the end of this block.
alert tcp $HOME_NET any -> [154.31.183.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247354; rev:1;)

# The line below opens a rule that continues after this block. Suricata reads
# one rule per line unless a line ends in a backslash, so split halves like
# this one have to be rejoined before the file will load.
alert tcp $HOME_NET any -> [154.31.183.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247355/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_21; classtype:trojan-activity; sid:91247355; rev:1;)
# The line above is the closing part of a rule that opens before this block.

# Cobalt Strike ip:port indicators, one rule per address/port pair. Every
# destination here lies inside 154.31.176.0/21 and uses port 4444 or 4569.
# The rules carry no flow or payload keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches: an alert records a
# connection attempt, not a confirmed beacon. threshold (type limit, track
# by_src, count 1, seconds 60) yields at most one alert per source address
# per rule per minute; a host that touches several of these addresses still
# produces one alert for each sid.
# NOTE(review): all entries share first_seen 2024_03_21; check whether an
# address is still listed by the feed before acting on a hit.
alert tcp $HOME_NET any -> [154.31.176.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247352; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247353; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.162] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247350; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.162] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247351; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247347; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247348; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247349; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247344; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247345; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.169] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247343; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247346; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247340; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247341; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247342; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.172] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247333; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247338; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247339; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247330; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.166] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247334; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.166] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247335; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247336; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247337; rev:1;)

# The line below opens a rule that continues after this block. Suricata reads
# one rule per line unless a line ends in a backslash, so split halves like
# this one have to be rejoined before the file will load.
alert tcp $HOME_NET any -> 
[154.31.181.172] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247332; rev:1;)
# The line above is the closing part of a rule that opens before this block.

# Cobalt Strike ip:port indicators, one sid per address/port pair, all with
# destinations inside 154.31.176.0/21 on port 4444 or 4569. Detection is on
# the TCP header tuple only (no flow, no content), so a single outbound packet
# to the pair is enough to alert; the alert alone does not show that a session
# was established. target:src_ip marks the $HOME_NET side as the host to
# investigate. Output is rate-limited to one alert per source per 60 seconds
# for each rule.
# Some addresses appear here with only one of the two ports (for example
# 154.31.178.165 with 4444 only), so the pairing is not uniform.
alert tcp $HOME_NET any -> [154.31.182.173] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247329; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247331; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.173] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247328; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247356; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247357; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247358; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247359; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247360; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247361; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.181] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247362; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247363; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247364; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247365; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247366; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.162] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247367; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.162] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247368; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247369; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247370; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247372; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247373; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247371; rev:1;)

# The line below opens a rule that continues after this block. Suricata reads
# one rule per line unless a line ends in a backslash, so split halves like
# this one have to be rejoined before the file will load.
alert tcp $HOME_NET any -> [154.31.181.168] 4444 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247375; rev:1;)
# The line above is the closing part of a rule that opens before this block.

# Cobalt Strike ip:port indicators. Each rule names one destination address in
# 154.31.176.0/21 and one port (4444 or 4569) and has no flow or content
# option, so it fires on any TCP packet $HOME_NET sends to that pair. Treat a
# hit as "this host tried to reach a listed address" and confirm with flow or
# endpoint data. threshold caps each rule at one alert per source address per
# 60 seconds. The reference URL and the sid both embed the ThreatFox IOC
# number (sid = 9 followed by the IOC id), which links an alert to its entry.
alert tcp $HOME_NET any -> [154.31.181.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247374; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247376; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247377; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247378; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.169] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247379; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247380; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247381; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.173] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247382; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.173] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247383; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247384; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247385; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247386; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247387; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247388; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247389; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247390; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247391; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247392; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247393; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247394; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247395; rev:1;)

# The line below opens a rule that continues after this block. Suricata reads
# one rule per line unless a line ends in a backslash, so split halves like
# this one have to be rejoined before the file will load.
alert tcp $HOME_NET any -> [154.31.176.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247396; rev:1;)
# The line above is the closing part of a rule that opens before this block.

# Cobalt Strike ip:port indicators for addresses in 154.31.176.0/21 on ports
# 4444 and 4569. With no flow or content option, each rule matches any TCP
# packet from $HOME_NET to its address/port pair, so an alert means an
# attempted connection rather than observed C2 traffic. threshold (type limit,
# track by_src, count 1, seconds 60) suppresses repeats from the same source
# within a minute, per rule.
# Confidence differs inside this block: most rules carry confidence_level 100,
# while 154.31.177.176:4569 and 154.31.178.189:4569 carry 75 in both msg and
# metadata. Alert pipelines that rank by confidence should read the metadata
# field rather than assume one value for the whole range.
alert tcp $HOME_NET any -> [154.31.176.170] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247397; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247398; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247399; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247400; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247401; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247402; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247403; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247404; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247405; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.183] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247407; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.172] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247408; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247327; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.165] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247325; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247326; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247322; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247323; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247324; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247318; rev:1;)
alert tcp $HOME_NET any -> [154.31.176.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247317; rev:1;)
alert tcp $HOME_NET any -> [154.31.177.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247314; rev:1;)
alert tcp $HOME_NET any -> [154.31.178.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247315; rev:1;)

# The line below opens a rule that continues after this block. Suricata reads
# one rule per line unless a line ends in a backslash, so split halves like
# this one have to be rejoined before the file will load.
alert tcp $HOME_NET any -> [154.31.178.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247316; rev:1;) alert tcp $HOME_NET any -> [154.31.182.178] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247311; rev:1;) alert tcp $HOME_NET any -> [154.31.177.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247312; rev:1;) alert tcp $HOME_NET any -> [154.31.177.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247313; rev:1;) alert tcp $HOME_NET any -> [154.31.182.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247310; rev:1;) alert tcp $HOME_NET any -> [95.216.85.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247291; rev:1;) alert tcp $HOME_NET any -> [149.104.26.184] 8443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247309; rev:1;) alert tcp $HOME_NET any -> [149.104.26.184] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247308; rev:1;) alert tcp $HOME_NET any -> [54.39.29.90] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247290; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247289; rev:1;) alert tcp $HOME_NET any -> [154.31.183.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247406; rev:1;) alert tcp $HOME_NET any -> [154.31.179.172] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247409/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247409; rev:1;) alert tcp $HOME_NET any -> [154.31.183.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247410; rev:1;) alert tcp $HOME_NET any -> [154.31.183.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247411; rev:1;) alert tcp $HOME_NET any -> [154.31.182.190] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247413; rev:1;) alert tcp $HOME_NET any -> [154.31.182.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247412; rev:1;) alert tcp $HOME_NET any -> [154.31.179.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247417; rev:1;) alert tcp $HOME_NET any -> [154.31.179.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247416; rev:1;) alert tcp $HOME_NET any -> [154.31.177.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247415; rev:1;) alert tcp $HOME_NET any -> [154.31.177.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247414; rev:1;) alert tcp $HOME_NET any -> [154.31.179.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247418; rev:1;) alert tcp $HOME_NET any -> [154.31.179.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247419; rev:1;) alert tcp $HOME_NET any -> [154.31.179.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247420; rev:1;) alert tcp $HOME_NET any -> [154.31.179.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247421; rev:1;) alert tcp $HOME_NET any -> [154.31.183.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247423; rev:1;) alert tcp $HOME_NET any -> [154.31.183.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247422; rev:1;) alert tcp $HOME_NET any -> [154.31.181.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247424; rev:1;) alert tcp $HOME_NET any -> [154.31.181.178] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247425; rev:1;) alert tcp $HOME_NET any -> [154.31.179.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247426; rev:1;) alert tcp $HOME_NET any -> [154.31.179.190] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247427; rev:1;) alert tcp $HOME_NET any -> [154.31.177.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247428; rev:1;) alert tcp $HOME_NET any -> [154.31.177.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247429; rev:1;) alert tcp $HOME_NET any -> [154.31.177.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247430; rev:1;) alert tcp $HOME_NET any -> [154.31.177.188] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247431; 
rev:1;) alert tcp $HOME_NET any -> [154.31.178.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247432; rev:1;) alert tcp $HOME_NET any -> [154.31.178.170] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247433; rev:1;) alert tcp $HOME_NET any -> [154.31.182.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247434; rev:1;) alert tcp $HOME_NET any -> [154.31.182.188] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247435; rev:1;) alert tcp $HOME_NET any -> [154.31.178.166] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247436; rev:1;) alert tcp $HOME_NET any -> [154.31.178.166] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247437; rev:1;) alert tcp $HOME_NET any -> [154.31.183.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247438; rev:1;) alert tcp $HOME_NET any -> [154.31.183.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247439; rev:1;) alert tcp $HOME_NET any -> [154.31.176.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247440; rev:1;) alert tcp $HOME_NET any -> [154.31.176.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247441; rev:1;) alert tcp $HOME_NET any -> [154.31.183.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247442; rev:1;) alert tcp $HOME_NET any -> 
[154.31.183.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247443; rev:1;) alert tcp $HOME_NET any -> [154.31.182.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247444; rev:1;) alert tcp $HOME_NET any -> [154.31.182.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247445; rev:1;) alert tcp $HOME_NET any -> [154.31.177.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247446; rev:1;) alert tcp $HOME_NET any -> [154.31.177.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247447; rev:1;) alert tcp $HOME_NET any -> [154.31.176.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247448; rev:1;) alert tcp $HOME_NET any -> [154.31.176.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247449; rev:1;) alert tcp $HOME_NET any -> [154.31.178.182] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247450; rev:1;) alert tcp $HOME_NET any -> [154.31.178.182] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247451; rev:1;) alert tcp $HOME_NET any -> [154.31.182.180] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247452; rev:1;) alert tcp $HOME_NET any -> [154.31.182.180] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247453; rev:1;) alert tcp $HOME_NET any -> [154.31.182.184] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247454; rev:1;)
# ThreatFox indicators of three kinds (ip:port, domain, url), laid out one rule
# per line. The line above and the last line of this span are pieces of rules
# that continue outside it.
#
# ip:port rules ("alert tcp ... -> [addr] port"): match TCP traffic from
# $HOME_NET to the listed address and port with no flow or payload keyword, so
# an alert records traffic towards the endpoint, not a confirmed C2 exchange.
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at
# one alert per source host per 60 seconds. target:src_ip records the internal
# host as the target in the event.
#
# NOTE(review): every entry here has first_seen 2024_03_21. Addresses and
# hostnames can change hands, so check the referenced ThreatFox entry before
# acting on a hit.
alert tcp $HOME_NET any -> [154.31.182.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247455; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.171] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247456; rev:1;)
alert tcp $HOME_NET any -> [154.31.182.171] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247457; rev:1;)
# domain rules ("alert dns"): dns_query content with depth equal to the name's
# length plus isdataat:!1,relative means the query name must be exactly the
# listed name (nocase: case-insensitive); longer names and subdomains of it do
# not match. These rules have no threshold keyword, unlike the ip:port rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alltorq-net.oncallservices.ca"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247458; rev:1;)
alert tcp $HOME_NET any -> [124.222.97.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247320; rev:1;)
# url rules ("alert http"): client-to-server traffic on an established flow,
# method GET, with two tests that must both hold:
#   http.uri  - content anchored at the start by depth, nocase; there is no end
#               anchor, so this is a prefix test (a rule for "/ca" also accepts
#               any longer URI that begins with "/ca").
#   http.host - depth equal to the value's length plus isdataat:!1,relative,
#               i.e. the host buffer must equal the listed name or address.
# The host test is what makes the short URI prefixes specific. These rules have
# no threshold keyword, so each matching request can alert.
# NOTE(review): these inspect parsed HTTP only; the same endpoints reached over
# TLS would not be seen by them unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"116.205.189.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"111.51.156.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.117.93.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.229.19.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247294; rev:1;)
alert tcp $HOME_NET any -> [103.78.0.39] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagevmlineprocessorservertrackdle.php"; depth:46; nocase; http.host; content:"042506cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0932103.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247288; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.110] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"91.92.247.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247287; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247276; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247277/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247277; rev:1;)
# The remaining ip:port entries are listed at confidence 50. Like every ip:port
# rule they match on address and port alone; three of them are on port 80,
# where unrelated web traffic to the same address would alert just the same.
# NOTE(review): corroborate hits on these with host or proxy telemetry before
# treating them as an infection.
alert tcp $HOME_NET any -> [193.124.205.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247285; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247284; rev:1;)
alert tcp $HOME_NET any -> [170.64.183.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247283; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.24] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247282; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.20] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247281/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247281; rev:1;) alert tcp $HOME_NET any -> [72.27.97.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247280/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247280; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247279/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247279; rev:1;) alert tcp $HOME_NET any -> [31.42.186.231] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247278; rev:1;) alert tcp $HOME_NET any -> [154.31.178.168] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247275; rev:1;) alert tcp $HOME_NET any -> [154.31.178.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247274; rev:1;) alert tcp $HOME_NET any -> [121.5.220.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247270; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247272; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247271; rev:1;) alert tcp $HOME_NET any -> [159.89.168.138] 52293 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247273; rev:1;) alert tcp $HOME_NET any -> [39.100.93.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247268; rev:1;) alert tcp $HOME_NET any -> [39.100.93.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247269; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtldgtld.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softupdate.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tfirstdaily.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-dev.helpkaspersky.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data-dev.helpkaspersky.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"happy.gitweb.cloudns.nz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.helpkaspersky.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.microsoft-setting.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.windows.server-microsoft.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.security-microsoft.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.centos-yum.com"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247155/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247155; rev:1;) alert tcp $HOME_NET any -> [186.112.193.255] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247132; rev:1;) alert tcp $HOME_NET any -> [181.131.216.198] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247133; rev:1;) alert tcp $HOME_NET any -> [186.112.203.192] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247134; rev:1;) alert tcp $HOME_NET any -> [168.119.211.236] 115 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247135; rev:1;) alert tcp $HOME_NET any -> [85.215.196.156] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247136; rev:1;) alert tcp 
$HOME_NET any -> [152.70.163.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzlimme4mwuxnti0/"; depth:18; nocase; http.host; content:"213.109.202.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247144; rev:1;) alert tcp $HOME_NET any -> [161.132.38.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247151; rev:1;) alert tcp $HOME_NET any -> [154.31.179.182] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247150; rev:1;) alert tcp $HOME_NET any -> [154.31.179.182] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247152; rev:1;) alert tcp $HOME_NET any -> [66.42.54.125] 56250 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247153/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247153; rev:1;) alert tcp $HOME_NET any -> [23.94.159.198] 8055 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/fre.php"; depth:22; nocase; http.host; content:"meridianresourcellc.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/fre.php"; depth:21; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247147; rev:1;) alert tcp $HOME_NET any -> [91.238.181.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247145; rev:1;) alert tcp $HOME_NET any -> [5.42.65.117] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247143/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247143; rev:1;) alert tcp $HOME_NET any -> [5.42.92.73] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247142; rev:1;) alert tcp $HOME_NET any -> [101.99.92.169] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247141; rev:1;) alert tcp $HOME_NET any -> [193.233.132.11] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247140; rev:1;) alert tcp $HOME_NET any -> [193.233.132.59] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247139/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247139; rev:1;) alert tcp $HOME_NET any -> [37.110.19.55] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247138; rev:1;) alert tcp $HOME_NET any -> [194.33.191.3] 7391 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247131; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247121; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247119; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247120; rev:1;) alert tcp $HOME_NET any -> [94.156.69.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247105; rev:1;) alert tcp $HOME_NET any -> [88.179.240.135] 49158 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247118; rev:1;) alert tcp $HOME_NET any -> [94.156.67.106] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.68] 29093 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247104; rev:1;) alert tcp $HOME_NET any -> [193.222.96.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247102; rev:1;) alert tcp $HOME_NET any -> [5.255.108.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247098/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247098; rev:1;) alert tcp $HOME_NET any -> [176.123.1.221] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247100/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247100; rev:1;) alert tcp $HOME_NET any -> [104.129.21.231] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247099/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247099; rev:1;) alert tcp $HOME_NET any -> [193.168.141.153] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247101/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247101; rev:1;) alert tcp $HOME_NET any -> [193.233.132.190] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247129; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"ns.b1ing.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/c6ui18im6abq8-el0qhxmang5bfkq"; depth:47; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247125; rev:1;) alert tcp $HOME_NET any -> [164.92.174.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1247124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"164.92.174.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247123; rev:1;) alert tcp $HOME_NET any -> [65.21.119.55] 45110 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247122; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247117; rev:1;) alert tcp $HOME_NET any -> [38.59.124.61] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247116; rev:1;) alert tcp $HOME_NET any -> [46.246.12.4] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247115; rev:1;) alert tcp $HOME_NET any -> [78.178.72.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247114; rev:1;) alert tcp $HOME_NET any -> [5.163.180.48] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247113; rev:1;) alert tcp $HOME_NET any -> [92.251.173.191] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247112; rev:1;) alert tcp $HOME_NET any -> [91.254.253.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247111; rev:1;) alert tcp $HOME_NET any -> [97.118.56.247] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247110; rev:1;) alert tcp $HOME_NET any -> [188.170.152.11] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247109; rev:1;)
# Havoc and unattributed ip:port indicators, confidence level 50.
# No flow or content keywords: any TCP packet from $HOME_NET to the address and
# port matches, limited to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [103.81.38.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247108; rev:1;)
alert tcp $HOME_NET any -> [172.172.152.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247107; rev:1;)
alert tcp $HOME_NET any -> [95.183.54.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247106; rev:1;)
# URL indicators under /wp-content/themes/, confidence level 100.
# Each rule needs an established client-to-server flow carrying a GET request
# whose URI begins with the listed path and whose normalized Host equals the
# listed name exactly (depth plus isdataat:!1,relative). The URI test is a
# prefix match: depth equals the content length and no end-of-buffer check
# follows, so a query string or longer path still matches. nocase applies to
# the URI content only.
# NOTE(review): the hosts look like ordinary WordPress sites, presumably
# compromised -- confirm against the ThreatFox entries. These are HTTP rules,
# so the same URL fetched over TLS is not visible to them unless traffic is
# decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247092; rev:1;)
# RisePro ip:port indicator, confidence level 100.
alert tcp $HOME_NET any -> [109.120.184.220] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247091; rev:1;)
# NOTE(review): the six rules below (sids 91247085-91247090) repeat, option for
# option, the match conditions of sids 91247092-91247097 above; only the
# reference URL and the sid differ. A single matching request therefore raises
# two alerts. The file appears to be generated from the feed, so handle this
# with suppression or de-duplication in the alert pipeline rather than by
# editing the rules in place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247090; rev:1;)
# RisePro ip:port indicators on 8081/tcp, confidence level 100. As with the
# other ip:port rules, any TCP packet to the address and port matches, with one
# alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [193.233.132.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247080; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247081; rev:1;) alert tcp $HOME_NET any -> [193.233.132.59] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247082; rev:1;) alert tcp $HOME_NET any -> [193.233.132.71] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247083; rev:1;) alert tcp $HOME_NET any -> [193.233.132.173] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247084; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 3100 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luisro2158.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247079; rev:1;)
# Credit card skimming domains, confidence level 50. These two rules use
# classtype bad-unknown, where the C2 rules around them use trojan-activity,
# so severity mappings keyed on classtype will rank them differently.
# dns_query is the legacy spelling of the dns.query sticky buffer. depth equal
# to the name length plus isdataat:!1,relative makes the match exact, so a
# query for a subdomain of the listed name does not alert.
# NOTE(review): target:src_ip marks the querying host as the affected side.
# Where clients resolve through an internal resolver, the source seen by the
# sensor may be the resolver rather than the workstation -- correlate with
# resolver query logs to find the originating host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 50%)"; dns_query; content:"treimob.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:bad-unknown; sid:91247075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 50%)"; dns_query; content:"hopefor.space"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:bad-unknown; sid:91247074; rev:1;)
# Botnet C2 domains, confidence level 75. Same exact-name matching as above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gamerforyou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247065/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sky-beta.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247064/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247064; rev:1;)
# MooBot ip:port indicator, confidence level 75. Any TCP packet from $HOME_NET
# to the address and port matches; one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [103.172.79.74] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query;
content:"net-killer.work.gd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247063; rev:1;) alert tcp $HOME_NET any -> [220.158.234.115] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247039; rev:1;) alert tcp $HOME_NET any -> [216.73.159.58] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247040; rev:1;) alert tcp $HOME_NET any -> [169.239.129.35] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247041; rev:1;) alert tcp $HOME_NET any -> [103.208.86.69] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247042; rev:1;) alert tcp $HOME_NET any -> [46.23.108.239] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247043/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_20; classtype:trojan-activity; sid:91247043; rev:1;) alert tcp $HOME_NET any -> [46.23.108.240] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247044; rev:1;) alert tcp $HOME_NET any -> [46.23.108.241] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247045; rev:1;) alert tcp $HOME_NET any -> [46.23.108.242] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247046; rev:1;) alert tcp $HOME_NET any -> [46.23.108.243] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247047; rev:1;) alert tcp $HOME_NET any -> [46.23.108.244] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247048; rev:1;) alert tcp $HOME_NET any -> [46.23.108.245] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247049; rev:1;) alert tcp $HOME_NET any -> [46.23.108.246] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247050; rev:1;) alert tcp $HOME_NET any -> [46.23.108.247] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247051; rev:1;) alert tcp $HOME_NET any -> [46.23.108.249] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247052; rev:1;) alert tcp $HOME_NET any -> [45.95.169.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247053; rev:1;) alert tcp $HOME_NET any -> [45.95.169.101] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247054; rev:1;) alert tcp $HOME_NET any -> [45.95.169.105] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247055; rev:1;) alert tcp $HOME_NET any -> [45.95.169.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247056; rev:1;) alert tcp $HOME_NET any -> [45.95.169.117] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247057; rev:1;) alert tcp $HOME_NET any -> [45.95.169.150] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247058; rev:1;) alert tcp $HOME_NET any -> [45.95.169.152] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247059; rev:1;) alert tcp $HOME_NET any -> [45.95.169.153] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247060; rev:1;) alert tcp $HOME_NET any -> [84.54.51.124] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247061; rev:1;) alert tcp $HOME_NET any -> [91.92.255.88] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"94.156.67.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.14.46.128"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/explode/poll/ere9k18mnq"; depth:24; nocase; http.host; content:"210.79.134.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247034; rev:1;) alert tcp $HOME_NET any -> [210.79.134.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.136.242.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247032; rev:1;) alert tcp $HOME_NET any -> [142.171.229.46] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"21hjgt71f.sharedomain.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21hjgt71f.sharedomain.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247030; rev:1;) alert tcp $HOME_NET any -> [141.98.168.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj"; depth:3; nocase; http.host; content:"141.98.168.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247027; rev:1;) alert tcp $HOME_NET any -> [176.32.35.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247025; rev:1;) alert tcp $HOME_NET any -> [185.161.208.123] 6655 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/panel/index.php"; depth:22; nocase; http.host; content:"store4.ro"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247023; rev:1;) alert tcp $HOME_NET any -> [43.129.31.231] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanomarch8100.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247000; rev:1;) alert tcp $HOME_NET any -> [85.204.116.154] 839 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247018/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247018; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247017; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247016; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.209"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247014; rev:1;) alert tcp $HOME_NET any -> [123.249.30.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247012; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.249.30.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247011; rev:1;)
# Quasar RAT ip:port indicator, confidence level 100. Any TCP packet from
# $HOME_NET to the address and port matches; one alert per source host per
# 60 seconds.
alert tcp $HOME_NET any -> [103.211.56.154] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247010; rev:1;)
# URL indicator: GET whose URI begins with the listed path (prefix match, no
# end-of-buffer check on the URI) and whose normalized Host equals the listed
# name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmuploadstemporary.php"; depth:23; nocase; http.host; content:"785654cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247009; rev:1;)
# The next four rules test http.uri for content "/" with depth:1. A request
# path normally begins with "/", so the URI test narrows nothing: in effect
# these alert on any GET whose Host is exactly the listed literal address.
# NOTE(review): the same four addresses carry Vidar ip:port rules (sids
# 91247001-91247004), three on 443/tcp and one on 8888/tcp. Traffic on 443 is
# normally TLS, which these HTTP rules cannot inspect unless it is decrypted
# upstream, so expect the ip:port rules to be the ones that fire there. For the
# 8888 listener, confirm how your Suricata version presents a Host header that
# carries an explicit port, since the match requires the bare address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.57.253"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.216.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247005; rev:1;)
# Vidar ip:port indicators, confidence level 100. No flow or content keywords:
# any TCP packet from $HOME_NET to the address and port matches, limited to one
# alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [116.202.5.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247004; rev:1;)
alert tcp $HOME_NET any -> [78.47.57.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247001; rev:1;)
alert tcp $HOME_NET any -> [5.75.216.188] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247002/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247002; rev:1;)
# Confidence 100 entries with a named family (Vidar, Nanocore RAT).
alert tcp $HOME_NET any -> [95.217.28.242] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247003; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.141] 8100 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246999; rev:1;)
# From here on the confidence level drops to 50. The value appears both in msg and in
# metadata (confidence_level); the rule logic is the same as for the 100 entries.
# The port-80 rules name no family ("Unknown malware") and match on address and port
# alone, so an alert from them is a lead to corroborate with host or proxy evidence.
alert tcp $HOME_NET any -> [93.123.39.238] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246998; rev:1;)
alert tcp $HOME_NET any -> [91.107.121.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246997; rev:1;)
alert tcp $HOME_NET any -> [84.32.214.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246996; rev:1;)
alert tcp $HOME_NET any -> [222.186.21.204] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level:
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246995; rev:1;)
# All rules here share one template and differ only in address, port and IOC id.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9
# (ioc/1246994 -> sid:91246994), so an alert's sid leads directly to the IOC page.
# target:src_ip marks the source of the packet, i.e. the $HOME_NET host, as the target
# of the activity; that is the machine to examine when one of these fires.
alert tcp $HOME_NET any -> [81.161.238.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246994; rev:1;)
alert tcp $HOME_NET any -> [154.16.10.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246993; rev:1;)
alert tcp $HOME_NET any -> [45.76.189.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246992; rev:1;)
alert tcp $HOME_NET any -> [216.83.58.188] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246991; rev:1;)
alert tcp $HOME_NET any -> [123.253.108.131] 8886 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246990/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20;
classtype:trojan-activity; sid:91246990; rev:1;)
# DCRat entries, confidence 50, on ports 5000 and 6000.
alert tcp $HOME_NET any -> [46.246.84.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246989; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246988; rev:1;)
# QakBot entries, confidence 50. The rules on 443 contain no tls.* or content keywords,
# so they cannot separate C2 from any other service reachable at the same address and
# port; the family name comes from the feed, not from anything seen on the wire.
alert tcp $HOME_NET any -> [78.169.186.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246987; rev:1;)
alert tcp $HOME_NET any -> [175.13.35.49] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246986; rev:1;)
alert tcp $HOME_NET any -> [77.126.104.106] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246985; rev:1;)
alert tcp $HOME_NET any -> [72.27.209.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1246984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246984; rev:1;)
# threshold: type limit, track by_src, seconds 60, count 1 -- the counter is kept per
# source address. NOTE(review): if the sensor sees this traffic after source NAT, many
# internal hosts share one address and only the first hit in each 60-second window is
# reported; confirm sensor placement before reading "one alert" as "one host".
alert tcp $HOME_NET any -> [41.96.236.231] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246983; rev:1;)
# Havoc entries, all on port 443 at confidence 50; address-and-port match only.
alert tcp $HOME_NET any -> [23.227.193.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246982; rev:1;)
alert tcp $HOME_NET any -> [192.227.234.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246981; rev:1;)
alert tcp $HOME_NET any -> [155.138.229.25] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246980; rev:1;)
alert tcp $HOME_NET any -> [139.162.51.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246979; rev:1;)
alert tcp $HOME_NET any -> [95.179.171.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port -
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246978; rev:1;)
# first_seen is the only date a rule carries; nothing in the rule says whether the address
# is still in use by the named family. NOTE(review): addresses can be reassigned, and
# some of these may sit in shared hosting or cloud ranges -- check the current state of
# the IOC at its reference URL before turning one of these alerts into a block.
alert tcp $HOME_NET any -> [62.234.28.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246977; rev:1;)
alert tcp $HOME_NET any -> [96.9.225.129] 37826 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246976; rev:1;)
alert tcp $HOME_NET any -> [18.162.142.16] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246975; rev:1;)
alert tcp $HOME_NET any -> [43.198.208.125] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246974; rev:1;)
alert tcp $HOME_NET any -> [34.134.107.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246973;
rev:1;)
alert tcp $HOME_NET any -> [78.47.48.88] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246972; rev:1;)
alert tcp $HOME_NET any -> [192.210.201.57] 52748 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246971; rev:1;)
# Domain rules. dns_query is matched with a depth equal to the name's length plus
# isdataat:!1,relative, and nocase: the query must be exactly this name in any letter
# case. A query for a subdomain of the name does not match, and neither does traffic to
# the resolved address once the lookup has happened.
# There is no threshold keyword on these, so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ameerpplus.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91246963; rev:1;)
alert tcp $HOME_NET any -> [24.42.99.89] 191 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91246962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badbutperfect.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246957; rev:1;)
# The msg of the next rule says "payload delivery" rather than "botnet C2 traffic", and
# its destination port is 445, the SMB port; the match is still address and port only.
alert tcp $HOME_NET any -> [165.22.16.55] 445 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1246958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246958; rev:1;)
# 147.78.47.15 is covered twice: the ip:port rule below (port 61227, Cobalt Strike) and the
# URL rule two entries further down (Host 147.78.47.15, URI starting with /cx).
# The URL rule's header is "$EXTERNAL_NET any", so it is not tied to port 61227 and
# applies to parsed HTTP toward that Host value on any port.
alert tcp $HOME_NET any -> [147.78.47.15] 61227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246959; rev:1;)
alert tcp $HOME_NET any -> [52.157.196.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246960; rev:1;)
# depth:3 on "/cx" anchors the pattern at the start of the URI; longer paths that begin
# with /cx match as well. nocase applies to this URI content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"147.78.47.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246961; rev:1;)
# Confidence 50, port 80, address-and-port match only: ordinary web traffic to this
# address would raise the same alert.
alert tcp $HOME_NET any -> [45.120.177.167] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246970; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20;
classtype:trojan-activity; sid:91246969; rev:1;)
# NjRAT entries that share destination port 15449 and differ only in address.
# Each address is a separate rule with its own sid and its own threshold counter, so one
# host contacting several of them within a minute yields one alert per rule.
# NOTE(review): the 18.x and 3.x addresses look like public-cloud space -- presumably
# shared or short-lived endpoints; confirm at the reference URL before blocking.
alert tcp $HOME_NET any -> [18.192.93.86] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246968; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246967; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246966; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246965; rev:1;)
# first_seen changes from 2024_03_20 to 2024_03_19 at this rule.
alert tcp $HOME_NET any -> [46.183.222.88] 22288 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246964; rev:1;)
alert tcp $HOME_NET any -> [47.99.65.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1246956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246956; rev:1;)
# URL rule for Host 47.99.65.183: GET with a URI that starts with /push (depth:5 anchors
# the start only). Its msg names no family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.99.65.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246955; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246954; rev:1;)
# 210.79.134.20 appears in an ip:port rule on 443 and in a URL rule. The URL rule depends
# on http.* buffers: if the traffic on 443 is TLS and the sensor does not see it
# decrypted, only the ip:port rule can fire and the URI below is never evaluated.
alert tcp $HOME_NET any -> [210.79.134.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/explode/poll/ere9k18mnq"; depth:24; nocase; http.host; content:"210.79.134.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246952; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1246951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246951; rev:1;)
# 89.117.59.92 is covered by a URL rule (URI starting with /ptj) and by the Cobalt Strike
# ip:port rule on 443 that follows it. The URL rule only fires on HTTP the sensor can
# parse; the ip:port rule fires on any TCP to that address and port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246949; rev:1;)
alert tcp $HOME_NET any -> [89.117.59.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246950; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.174] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246948; rev:1;)
# Domain rule, confidence 75. depth:26 with isdataat:!1,relative makes this an exact
# match on the full query name; other names under duckdns.org (a dynamic-DNS zone) are
# not affected by it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"microsoftdell1.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246921; rev:1;)
alert tcp $HOME_NET any -> [206.233.132.215] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246944/; target:src_ip; metadata: confidence_level 50,
first_seen 2024_03_19; classtype:trojan-activity; sid:91246944; rev:1;)
# Each rule lists exactly one address in its destination brackets. Several addresses
# here sit next to each other (206.233.132.x on port 80, 216.83.58.190 and .191 on
# port 9999), but the rules do not cover the rest of those ranges.
# All are confidence 50 with no family name; the port-80 and port-443 entries will also
# alert on ordinary web traffic to the same address.
alert tcp $HOME_NET any -> [206.233.132.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246943; rev:1;)
alert tcp $HOME_NET any -> [206.233.132.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246942; rev:1;)
alert tcp $HOME_NET any -> [13.214.93.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246941; rev:1;)
alert tcp $HOME_NET any -> [216.83.58.191] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246940; rev:1;)
alert tcp $HOME_NET any -> [216.83.58.190] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246939; rev:1;)
alert tcp $HOME_NET any -> [16.162.87.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246938; rev:1;)
# Every rule uses classtype:trojan-activity and none sets a priority keyword, so the
# alert priority taken from the classtype is the same for a confidence-50 entry as for
# a confidence-100 one. To rank these alerts, use the confidence_level value in the
# rule metadata (it is also spelled out in msg).
alert tcp $HOME_NET any -> [149.104.27.148] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246937; rev:1;)
alert tcp $HOME_NET any -> [101.34.211.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246936; rev:1;)
alert tcp $HOME_NET any -> [172.245.91.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246935; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.16] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246934; rev:1;)
alert tcp $HOME_NET any -> [159.0.41.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246933; rev:1;)
alert
tcp $HOME_NET any -> [154.247.214.2] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246932; rev:1;)
# QakBot entries on ports 995, 2222 and 443, confidence 50. The rules test address and
# port only; a well-known port number (443, 995) says nothing here about which protocol
# is actually spoken, and legitimate traffic to the same endpoint alerts just the same.
alert tcp $HOME_NET any -> [189.177.83.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246931; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.174] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246930; rev:1;)
alert tcp $HOME_NET any -> [41.96.246.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246929; rev:1;)
# The family name in msg is written as the feed gives it ("pupy" in lower case); any
# downstream parsing of msg should not assume a fixed capitalisation.
alert tcp $HOME_NET any -> [91.108.105.80] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246928; rev:1;)
alert tcp $HOME_NET any -> [82.157.236.128] 6443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246927/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246927; rev:1;)
# Havoc, Deimos and Sliver entries, all confidence 50, address-and-port match only.
# NOTE(review): Havoc and Sliver are publicly available C2 frameworks, so a hit may also
# come from sanctioned testing -- check against engagement records during triage.
alert tcp $HOME_NET any -> [185.248.143.18] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246926; rev:1;)
alert tcp $HOME_NET any -> [176.120.75.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246925; rev:1;)
alert tcp $HOME_NET any -> [99.83.171.11] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246924; rev:1;)
alert tcp $HOME_NET any -> [130.61.212.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246923; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.224] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246920; rev:1;)
# URL rules, confidence 100. None of them has a threshold keyword, so each matching GET
# request raises its own alert. flow:established,from_client restricts them to client
# requests on an established flow.
# The URI pattern is anchored at the start only (depth equals its length): "/ptj" also
# matches longer paths beginning with /ptj. The Host pattern is anchored at both ends.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246919; rev:1;)
# Host 20.107.244.135 is listed under two different URIs (/ptj and /dpixel), each as a
# separate rule with its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246918; rev:1;)
# NOTE(review): this path looks like it imitates a software-update URL; the rule stays
# specific only because the Host must be the literal address 47.100.99.191.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/check"; depth:26; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1246916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246916; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.122] 7010 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246915; rev:1;)
# URL rule: GET to Host 37.120.239.32 with a URI starting with /fam_calendar.css. The
# path ends in .css, so filtering proxy logs by file extension would not surface it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar.css"; depth:17; nocase; http.host; content:"37.120.239.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246914; rev:1;)
# This rule is "alert tcp" with destination port 53: it covers TCP to 45.32.196.110:53
# only. UDP traffic to the same address and port is outside this rule.
alert tcp $HOME_NET any -> [45.32.196.110] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246913; rev:1;)
# Domain rules match the exact query name (depth equals the name's length, then
# isdataat:!1,relative), case-insensitively. Subdomains of these names do not match.
# They see the lookup only; a host that already has the address cached, or that resolves
# through a channel the sensor cannot parse, produces no alert from these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beacon.etallyall.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealit.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246909/; target:src_ip; metadata: confidence_level
100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246909; rev:1;)
# Domain rule whose msg says "payload delivery" rather than "botnet C2 traffic"; the
# matching logic (exact dns_query name, nocase) is the same as for the C2 domain rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blendy-game.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246910; rev:1;)
alert tcp $HOME_NET any -> [20.206.240.63] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246908; rev:1;)
alert tcp $HOME_NET any -> [14.225.208.190] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246907; rev:1;)
# Mirai entries on port 61616. The source side of every rule is $HOME_NET, so a device
# is only covered if its network is part of $HOME_NET and its outbound traffic passes
# the sensor. NOTE(review): confirm that embedded/IoT segments are included, since
# those are presumably the hosts these rules are meant to catch.
alert tcp $HOME_NET any -> [5.181.80.60] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246887; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.189] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246889; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.61] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246888; rev:1;) alert tcp $HOME_NET any -> [5.181.80.59] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246886; rev:1;) alert tcp $HOME_NET any -> [45.125.66.111] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246885; rev:1;) alert tcp $HOME_NET any -> [178.128.63.21] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246880; rev:1;) alert tcp $HOME_NET any -> [178.128.86.45] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246881; rev:1;) alert tcp $HOME_NET any -> [193.233.132.155] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246884; rev:1;) alert tcp $HOME_NET any -> [157.245.193.12] 1311 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246879; rev:1;) alert tcp $HOME_NET any -> [152.42.163.36] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246877; rev:1;) alert tcp $HOME_NET any -> [157.230.41.125] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246878; rev:1;) alert tcp $HOME_NET any -> [146.190.81.220] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246875; rev:1;) alert tcp $HOME_NET any -> [152.42.163.34] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246876; rev:1;) alert tcp $HOME_NET any -> [128.199.168.231] 1433 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246874/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_19; classtype:trojan-activity; sid:91246874; rev:1;) alert tcp $HOME_NET any -> [128.199.100.0] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246873; rev:1;) alert tcp $HOME_NET any -> [193.233.132.137] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246869; rev:1;) alert tcp $HOME_NET any -> [193.233.132.188] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246864; rev:1;) alert tcp $HOME_NET any -> [185.198.57.73] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246857; rev:1;) alert tcp $HOME_NET any -> [185.198.57.78] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246858; rev:1;) alert tcp $HOME_NET any -> [185.141.27.17] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246854; rev:1;) alert tcp $HOME_NET any -> [185.141.27.200] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246855; rev:1;) alert tcp $HOME_NET any -> [185.183.96.15] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246856; rev:1;) alert tcp $HOME_NET any -> [185.117.73.134] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246852; rev:1;) alert tcp $HOME_NET any -> [185.117.73.187] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246853; rev:1;) alert tcp $HOME_NET any -> [185.45.193.151] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246850; rev:1;) alert tcp $HOME_NET any -> [185.82.202.236] 1311 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246851; rev:1;)
# The URI pattern is the single byte "/" at offset 0, which practically every request
# path satisfies, so this rule amounts to "any parsed HTTP GET whose Host header is
# exactly 5.75.214.171". The host, not the path, carries the detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.171"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246905; rev:1;)
# Same shape, for Host 5.75.212.96.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.96"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246906; rev:1;)
# Match conditions are identical to sid 91246906 directly above; only the reference
# and sid differ. One request therefore raises two alerts, so count distinct
# host/URI pairs rather than alerts when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.96"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246904; rev:1;)
# Match conditions are identical to sid 91246905 above; this entry is listed under
# ThreatFox IOC 1246903.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.171"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246903/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_19; classtype:trojan-activity; sid:91246903; rev:1;) alert tcp $HOME_NET any -> [5.75.212.96] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246902; rev:1;) alert tcp $HOME_NET any -> [5.75.214.171] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246899; rev:1;) alert tcp $HOME_NET any -> [5.75.212.96] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246900; rev:1;) alert tcp $HOME_NET any -> [5.75.214.171] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"149.104.27.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246897; rev:1;)
# Address-and-port match only: any connection from $HOME_NET to port 80 on this
# address matches, whatever host name or path is requested. first_seen is
# 2024_03_19, so confirm the address is still attributed before acting on a hit.
alert tcp $HOME_NET any -> [103.27.109.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246896; rev:1;)
# The indicator is one specific name under tencentapigw.cn. The anchors (depth 46
# plus isdataat:!1,relative) keep the rule from matching any other name under that
# parent, which appears to be a shared API-gateway domain (assumption - confirm
# before deriving a broader block entry from this rule).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jby1ivts-1324864909.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246895; rev:1;)
# Keys on the same host as the dns rule above, so a cleartext request to it will
# typically raise both sids; correlate them per source instead of counting them as
# separate events. The URI is a prefix match on a common library file name, so the
# exact Host match is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-jby1ivts-1324864909.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246893/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246893; rev:1;) alert tcp $HOME_NET any -> [101.34.58.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"101.34.58.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246891; rev:1;) alert tcp $HOME_NET any -> [154.30.255.175] 8887 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; 
content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.css"; depth:7; nocase; http.host; content:"apps.nbcnews.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"16.163.149.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; 
classtype:trojan-activity; sid:91246868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.131.118.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.100.229.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.temt.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"150.158.37.125"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1246848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246848; rev:1;) alert tcp $HOME_NET any -> [150.158.37.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246849; rev:1;) alert tcp $HOME_NET any -> [154.31.180.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246847; rev:1;) alert tcp $HOME_NET any -> [38.55.204.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.55.204.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246845; rev:1;) alert tcp $HOME_NET any -> [154.31.181.180] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246844/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_19; classtype:trojan-activity; sid:91246844; rev:1;) alert tcp $HOME_NET any -> [154.31.180.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246843; rev:1;) alert tcp $HOME_NET any -> [154.31.177.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246842; rev:1;) alert tcp $HOME_NET any -> [154.31.181.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246841; rev:1;) alert tcp $HOME_NET any -> [123.60.135.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.60.135.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246839; rev:1;) alert tcp $HOME_NET any -> 
[3.124.142.205] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246838; rev:1;)
# Payload-delivery rule: it inspects the client request only (flow from_client,
# request method/URI/Host). A hit records that the file was requested; whether it
# was served or run has to come from the HTTP response, file or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lee.exe"; depth:8; nocase; http.host; content:"104.168.32.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246837; rev:1;)
# Same request-only form as above, with the whole document path as the URI prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xampp/bll/leeisagoodmanwholovedhertrulyfromtheheartsheismycutegirl____ilovehertrulyfromtheheartwithallmylovetokissyousuccess.doc"; depth:129; nocase; http.host; content:"94.156.69.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246836; rev:1;)
# "/pixel" is anchored at the start of the URI only, so longer paths that begin with
# it (for example "/pixel.gif") on this host match as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/activity"; depth:9; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/c6ui18im6abq8-el0qhxmang5bfkq"; depth:47; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246833; rev:1;) alert tcp $HOME_NET any -> [217.197.107.177] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246832; rev:1;) alert tcp $HOME_NET any -> [20.73.14.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246822; rev:1;) alert tcp $HOME_NET any -> [20.73.14.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246823; rev:1;) alert tcp $HOME_NET any -> [80.82.76.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246825; rev:1;)
# --- Review notes for the rules below (first_seen 2024_03_18 / 2024_03_19) ---
# ip:port rules: no flow, flags or content keyword is present, so any TCP packet
# from $HOME_NET to the listed address and port matches. The threshold keyword
# only caps output at one alert per source per 60 seconds; it does not narrow
# the match.
# url rules: the http.uri content is anchored at the start (depth equals the
# pattern length) but has no end anchor, so longer URIs that share the prefix
# also match. http.host is matched exactly (depth plus isdataat:!1,relative).
# Every rule is rev:1 with a fixed first_seen. NOTE(review): ip:port IOCs go
# stale as addresses are reassigned - check that the referenced IOC is still
# current before treating a hit as a confirmed compromise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/amadey.exe"; depth:17; nocase; http.host; content:"91.92.250.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246826; rev:1;)
# Four addresses, one port (12664). NOTE(review): the 3.x / 18.x addresses look
# like shared cloud or tunnelling front ends rather than dedicated hosts;
# presumably the port is the discriminating part - verify before acting on the
# address alone.
alert tcp $HOME_NET any -> [18.158.249.75] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246831; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246830; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246829; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246828; rev:1;)
alert tcp $HOME_NET any -> [147.45.68.14] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246827; rev:1;)
alert tcp $HOME_NET any -> [185.255.114.127] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246824; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.116] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18/gate.php"; depth:12; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246820; rev:1;)
alert tcp $HOME_NET any -> [105.98.140.166] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246765; rev:1;)
alert tcp $HOME_NET any -> [105.99.1.231] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246766; rev:1;)
alert tcp $HOME_NET any -> [105.98.156.131] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246767; rev:1;)
alert tcp $HOME_NET any -> [105.102.233.51] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246768; rev:1;)
alert tcp $HOME_NET any -> [72.167.134.164] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aireynvuw.homeunix.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246772; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.151] 39001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghfhhminfudk.exe"; depth:17; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hghghjhfhleviticus.exe"; depth:23; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjhfhgdg.insane.wang"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/1591130eaa3b8a96895bff8d686e7ec2697f986974508c85f0b051191a853aa069fe7ce03179e1c20ec7"; depth:94; nocase; http.host; content:"api.filedoge.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gfgghdhwhatsup.exe"; depth:19; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246784; rev:1;)
alert tcp $HOME_NET any -> [154.37.51.70] 3320 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246785; rev:1;)
alert tcp $HOME_NET any -> [154.37.51.70] 3321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buassinnndm.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246792; rev:1;)
# Outbound tcp/445 (SMB) to an internet address. Independent of this IOC, SMB
# leaving $HOME_NET is worth denying at the perimeter; a hit here suggests that
# control is absent or that the sensor sits inside it.
alert tcp $HOME_NET any -> [143.198.197.14] 445 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246793; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.13] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246794; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11256 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246818; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11256 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246819; rev:1;)
alert tcp $HOME_NET any -> [45.131.108.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246773/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246773; rev:1;)
# NOTE(review): the next two IOCs (an address and a *.ply.gg name) look like a
# tunnelling-service endpoint, presumably shared between unrelated users -
# confirm before treating the address or name as attacker-owned.
alert tcp $HOME_NET any -> [147.185.221.17] 57514 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"17.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246759; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 17008 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246760; rev:1;)
alert tcp $HOME_NET any -> [109.248.12.212] 5501 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246761/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246761; rev:1;)
alert tcp $HOME_NET any -> [89.245.33.102] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246762/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246762; rev:1;)
alert tcp $HOME_NET any -> [216.83.40.68] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246763/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statistic/js/stat/js"; depth:21; nocase; http.host; content:"marvin-occentus.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"policy.donnafrey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246747; rev:1;)
# URI pattern is "/" at depth 1: every GET to this host matches, so this is
# effectively a host-only rule and also covers the /editcontent rule above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"policy.donnafrey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf-protected-l7.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246757; rev:1;)
# NOTE(review): the address is matched at the start of http.uri and there is no
# http.host match. A request URI normally begins with "/", so this rule
# probably never fires. Presumably the IOC was a URL with no path and the
# address belongs in http.host - confirm against the referenced IOC before
# counting this as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"88.99.127.167"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1246743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246743; rev:1;)
# Same pattern as sid 91246743: address matched in http.uri, no http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.214.7"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1246744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246744; rev:1;)
# URI pattern "/" at depth 1: host-only match; also covers sid 91246746.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marvin-occentus.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246745; rev:1;)
# Same pattern as sid 91246743 (next two rules): address in http.uri, no http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"49.13.89.149"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1246741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"78.46.233.36"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1246742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246742; rev:1;)
# NOTE(review): presumably a public mining-pool hostname rather than
# attacker-owned infrastructure. A hit indicates mining traffic from the source
# host, sanctioned or not - triage it as policy/cryptomining, not as a
# confirmed bot.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.2miners.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246740; rev:1;)
alert tcp $HOME_NET any -> [162.19.139.184] 12222 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aptcorp.us"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246737; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.250] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246738/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246738; rev:1;)
# 14.224.174.212 appears in seven rules in this stretch (ports 8889, 31705,
# 2014, 8080, 8888, 1433, 88). The threshold is per rule, so one source can
# still raise up to seven alerts per minute for this single address.
alert tcp $HOME_NET any -> [14.224.174.212] 8889 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246735; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 31705 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246736; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 2014 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246732; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 8080 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246733; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 8888 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246734; rev:1;)
alert tcp $HOME_NET any -> [212.113.116.216] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246728; rev:1;)
alert tcp $HOME_NET any -> [45.61.54.105] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246729; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 1433 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246731; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 88 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246730; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.221] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246695; rev:1;)
alert tcp $HOME_NET any -> [176.97.210.31] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246727; rev:1;)
# The confidence_level 50 rules that follow match on address and port only,
# several of them on tcp/80 or tcp/443: the weakest signal in this stretch.
# Consider handling them at lower priority than the confidence_level 100 rules
# and corroborating a hit with host or DNS evidence.
alert tcp $HOME_NET any -> [212.109.194.186] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246817; rev:1;)
alert tcp $HOME_NET any -> [107.189.24.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246816; rev:1;)
alert tcp $HOME_NET any -> [65.20.71.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246815; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.17] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246814; rev:1;)
alert tcp $HOME_NET any -> [154.246.189.64] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246813; rev:1;)
alert tcp $HOME_NET any -> [193.149.189.103] 55006 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246812; rev:1;)
alert tcp $HOME_NET any -> [207.148.73.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246811; rev:1;)
alert tcp $HOME_NET any -> [65.108.19.239] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246810; rev:1;)
alert tcp $HOME_NET any -> [172.247.113.106] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246809; rev:1;)
alert tcp $HOME_NET any -> [185.22.155.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246808; rev:1;)
alert tcp $HOME_NET any -> [165.22.72.160] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246807; rev:1;)
alert tcp $HOME_NET any -> [168.76.172.126] 15023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246806; rev:1;)
alert tcp $HOME_NET any -> [218.28.172.25] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246805; rev:1;)
alert tcp $HOME_NET any -> [104.236.72.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246804; rev:1;)
alert tcp $HOME_NET any -> [8.220.135.161] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246803; rev:1;)
alert tcp $HOME_NET any -> [39.99.251.33] 63421 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246802; rev:1;)
# Five addresses on port 11326; four of them also appear above on port 12664
# and 3.124.142.205 / 3.125.209.94 on 11256. NOTE(review): addresses reused
# across several ports look like shared front ends - see the note at the
# 12664 group.
alert tcp $HOME_NET any -> [18.158.249.75] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246801; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246800; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246799; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246798; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246797; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.147] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246796; rev:1;)
alert tcp $HOME_NET any -> [52.27.42.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246795/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_19; classtype:trojan-activity; sid:91246795; rev:1;)
# Rules from here on carry first_seen 2024_03_18.
alert tcp $HOME_NET any -> [154.31.180.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246791; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246790; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246789; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.31.176.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246787; rev:1;)
alert tcp $HOME_NET any -> [31.129.98.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246783; rev:1;)
alert tcp $HOME_NET any -> [41.98.246.202] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246782; rev:1;)
# Outbound tcp/445 (SMB) to an internet address, as with sid 91246793: worth
# denying at the perimeter regardless of this IOC.
alert tcp $HOME_NET any -> [94.237.43.116] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246781; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.87] 3509 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246780; rev:1;)
alert tcp $HOME_NET any -> [13.113.189.83] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246779; rev:1;)
# The ip:port rule covers tcp/443 while the url rule after it needs cleartext
# HTTP to the same address. NOTE(review): if this server only speaks TLS, only
# the ip:port rule can fire unless traffic is decrypted upstream of the sensor.
alert tcp $HOME_NET any -> [45.140.146.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.140.146.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246769; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.18] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246764; rev:1;)
# Next two rules: URI pattern "/" at depth 1, so every GET whose Host header is
# the literal address matches (host-only rules).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.25.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.210.0"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246755; rev:1;)
# Next two rules name widely used public services as the host; only the URI
# path is specific to the IOC, and it is a prefix match (no end anchor).
# NOTE(review): these sites are presumably reached over TLS, in which case an
# http rule sees nothing without decryption - confirm actual coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199654112719"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r2d0s"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246753; rev:1;)
alert tcp $HOME_NET any -> [5.75.210.0] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246751; rev:1;)
alert tcp $HOME_NET any -> [95.217.25.45] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246752; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.74] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246750; rev:1;)
alert tcp $HOME_NET any -> [175.42.18.7] 4784 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246749; rev:1;)
alert tcp $HOME_NET any -> [138.197.68.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/broadcast"; depth:10; nocase; http.host; content:"138.197.68.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246723; rev:1;)
alert tcp $HOME_NET any -> [82.157.69.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246721; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246719; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246717; rev:1;) alert tcp $HOME_NET any -> [118.31.118.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.27.109.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246716; rev:1;) alert tcp $HOME_NET any -> [118.31.118.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246714/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.103.218.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246713; rev:1;) alert tcp $HOME_NET any -> [13.55.236.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"13.55.236.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246711; rev:1;) alert tcp $HOME_NET any -> [8.217.68.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"8.217.68.27"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1246709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"16.163.149.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246707; rev:1;) alert tcp $HOME_NET any -> [16.163.149.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.25.173.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246705; rev:1;) alert tcp $HOME_NET any -> [118.25.173.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgsk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1246703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246703; rev:1;) alert tcp $HOME_NET any -> [49.232.191.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"tgsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.191.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"193.222.96.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246700; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 41985 (msg:"ThreatFox Quasar RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246699; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.fwmtest.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fwmtest.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"sajdfue.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246693; rev:1;) alert tcp $HOME_NET any -> [217.18.63.132] 707 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246692; rev:1;) alert tcp $HOME_NET any -> [94.103.188.202] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246679; rev:1;) alert tcp $HOME_NET any -> [81.136.59.207] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246690; rev:1;) alert tcp $HOME_NET any -> [120.78.133.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-akqr4y12-1300243308.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246688/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-akqr4y12-1300243308.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246687; rev:1;) alert tcp $HOME_NET any -> [139.9.46.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246680; rev:1;) alert tcp $HOME_NET any -> [141.98.10.128] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firmware.fucktheccp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246678; rev:1;) alert tcp $HOME_NET any -> [144.126.198.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246676; rev:1;) alert tcp $HOME_NET any -> [87.120.84.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246675; rev:1;) alert tcp $HOME_NET any -> [47.242.8.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246674; rev:1;) alert tcp $HOME_NET any -> [45.152.66.151] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246673; rev:1;) alert tcp $HOME_NET any -> 
[103.165.81.207] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246672; rev:1;) alert tcp $HOME_NET any -> [190.133.143.235] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246671; rev:1;) alert tcp $HOME_NET any -> [79.174.95.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246670; rev:1;) alert tcp $HOME_NET any -> [43.198.225.0] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246608/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246605; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wall4k.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vstoea.wiki"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246614/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qftwo2sr.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246624; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 41414 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246632; rev:1;)
# NOTE(review): a *.gl.at.ply.gg name looks like an endpoint handed out by a shared
# tunnelling service; confirm before widening a block to the parent domain.
# The rule itself only matches a query for exactly this name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"authority-amazon.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246633; rev:1;)
# ip:port rules carry no flow or payload keywords, so any TCP packet from $HOME_NET
# to the listed address and port matches, whether or not a session is established.
# threshold (type limit, track by_src) caps output at one alert per source host per
# 60 seconds. The malware family in msg is the feed's attribution for the endpoint;
# nothing in the rule checks the protocol spoken on the connection.
alert tcp $HOME_NET any -> [185.125.50.49] 7439 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246660; rev:1;)
alert tcp $HOME_NET any -> [4.185.137.132] 1632 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246661; rev:1;)
alert tcp $HOME_NET any -> [103.153.69.99] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246668; rev:1;)
# Exact-name DNS match on a host label; the parent domain networkbn.click is not
# matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bn.networkbn.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246656; rev:1;)
# DarkComet ip:port indicators. Each address/port pair is a separate IOC with its
# own sid; several ports are listed for the same address, and ports that are not
# listed are not covered.
# The rules match on destination address and port alone (no flow or content
# keywords), limited to one alert per source host per 60 seconds by threshold.
# first_seen is the only date a rule carries; check the reference URL for the
# indicator's current state before acting on an alert.
alert tcp $HOME_NET any -> [187.135.149.236] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246642; rev:1;)
alert tcp $HOME_NET any -> [187.135.170.92] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246643; rev:1;)
alert tcp $HOME_NET any -> [187.135.170.92] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246644; rev:1;)
alert tcp $HOME_NET any -> [187.135.170.92] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246645; rev:1;)
alert tcp $HOME_NET any -> [187.135.139.227] 1949 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246646; rev:1;)
alert tcp $HOME_NET any -> [187.135.139.227] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246648; rev:1;)
# ip:port rules for several malware families. The rule body is the same for all of
# them: destination address and port, plus a per-source alert limit of one per 60
# seconds. The family name exists only in msg, so two families on the same port
# (4449 appears for more than one here) can be told apart only by destination.
alert tcp $HOME_NET any -> [187.135.139.227] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246649; rev:1;)
alert tcp $HOME_NET any -> [82.66.185.138] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246650; rev:1;)
alert tcp $HOME_NET any -> [187.135.139.227] 2050 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246647; rev:1;)
# Port 80 on a single address: every TCP packet to this web port alerts (rate-limited),
# whatever is requested. Triage with HTTP logs for the same flow.
alert tcp $HOME_NET any -> [45.14.245.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246640; rev:1;)
alert tcp $HOME_NET any -> [89.23.100.222] 44528 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246641; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.14] 4449 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246639; rev:1;)
# Venom RAT indicators on port 4449 at several 193.222.96.x addresses. Each address
# is its own rule and IOC; neighbouring addresses that are not listed do not alert.
# Matching is on destination address and port only, one alert per source host per
# 60 seconds.
alert tcp $HOME_NET any -> [193.222.96.20] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246638; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.96] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246637; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.95] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246636; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diveupdown.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246634/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246634; rev:1;)
# Domain indicators without a malware family in msg. Each rule alerts only on a DNS
# query whose name equals the content exactly (depth = content length and
# isdataat:!1,relative), compared case-insensitively. These rules have no threshold,
# so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viopde.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utlyter.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkteew.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soudes.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sotepo.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paolio.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246590; rev:1;)
# Exact-name DNS rules for short registered domains. Only the bare name is matched:
# a query for www.<name> or any other label under it falls outside depth and does
# not alert. Subdomains need a separate rule without the start anchor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rknloco.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pabox.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogcegd.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowurl.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modpk.asia"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1246586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246586; rev:1;)
# Exact-name DNS rules. The alert is raised on the query from a $HOME_NET client,
# so on networks where clients use an internal resolver the source of the alert
# may be the resolver rather than the host that asked. Correlate with resolver logs.
# The sid is 9 followed by the IOC id in the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melyre.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lxszgs.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lpcwww.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmmqgd.website"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dre4.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; 
sid:91246581; rev:1;)
# Exact-name DNS rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so the query name must be exactly the listed domain
# (case-insensitive). msg carries no malware family for these indicators; the
# reference URL is the only pointer to further context.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"desesn.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyskop.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpritn.city"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdrawhi.art"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6lpc.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"4url312.vip"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246575; rev:1;)
# Exact-name DNS rule: only a query for exactly 4url.vip matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4url.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246574; rev:1;)
# URL rules on client-to-server HTTP (flow:established,from_client). http.host must
# equal the listed value exactly (depth = content length and isdataat:!1,relative).
# http.uri is anchored at the start only, and with content:"/" that condition holds
# for every request path, so these alert on any GET to the host.
# alert http needs parsed HTTP, so TLS sessions to the same address are not matched
# by these rules unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.113.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246667; rev:1;)
# The next two rules have identical match conditions and differ only in IOC id and
# sid, so one request raises both alerts. NOTE(review): presumably the two IOCs
# differ in a URL part the rule does not encode (scheme or port); verify at the
# reference URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246665; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.102] 80 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246663; rev:1;)
# ip:port rules on port 443: they match on destination address and port only, so
# they fire on TLS sessions whose content cannot be inspected. An alert shows that
# an internal host reached the endpoint, limited to one alert per source per 60
# seconds; what was exchanged has to come from other telemetry.
alert tcp $HOME_NET any -> [49.12.113.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246664; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.102] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246662; rev:1;)
# Non-web ports: same address/port-only matching, with the family named in msg only.
alert tcp $HOME_NET any -> [194.147.140.146] 6609 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246659; rev:1;)
alert tcp $HOME_NET any -> [89.208.107.205] 7578 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246658; rev:1;)
alert tcp $HOME_NET any -> [172.245.208.13] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246657/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_18; classtype:trojan-activity; sid:91246657; rev:1;)
# ip:port rule: destination address and port only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [83.137.157.61] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246655; rev:1;)
# Three indicators for the same host 8.222.147.15: two URL rules and one ip:port
# rule for port 80. A cleartext GET whose path starts with the listed prefix raises
# the URL rule, and the same connection also matches the ip:port rule.
# http.uri is a prefix match (depth without an end anchor), so longer paths that
# begin with /activity or /updates.rss match as well; http.host must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246654; rev:1;)
alert tcp $HOME_NET any -> [8.222.147.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246652; rev:1;)
alert tcp $HOME_NET any -> [194.233.79.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; 
classtype:trojan-activity; sid:91246631; rev:1;)
# Confidence-50 ip:port indicators, the lowest confidence value used in this part
# of the feed. Several are labelled "Unknown malware" and sit on common web ports
# (80, 443, 8080, 8888). Because the rules match on address and port alone, treat
# alerts as leads for triage rather than confirmed C2, and consider filtering on
# metadata confidence_level if alert volume matters.
alert tcp $HOME_NET any -> [45.128.96.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246630; rev:1;)
alert tcp $HOME_NET any -> [20.234.62.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246629; rev:1;)
alert tcp $HOME_NET any -> [139.180.199.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246628; rev:1;)
alert tcp $HOME_NET any -> [202.47.118.167] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246627; rev:1;)
alert tcp $HOME_NET any -> [184.66.10.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246626; rev:1;)
alert tcp $HOME_NET any -> [72.27.161.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246625; rev:1;)
# URL rules whose URI content is just "/": http.uri is anchored at the start only,
# so the URI condition is true for every request path and the rule alerts on any
# cleartext GET whose Host equals the listed address (depth = content length and
# isdataat:!1,relative). Requests with another method, and TLS traffic, are not
# matched. These rules have no threshold, so each matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.78.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.136.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"167.235.207.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.83.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246570; rev:1;)
alert tcp $HOME_NET any -> [78.47.136.81] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246568; rev:1;)
# Vidar ip:port indicators on web ports (443, 8081, 80). The rules match on the
# destination address and port only and are limited to one alert per source host
# per 60 seconds; the family label comes from the feed, not from the traffic.
alert tcp $HOME_NET any -> [78.47.78.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246569; rev:1;)
alert tcp $HOME_NET any -> [65.108.83.243] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246566; rev:1;)
alert tcp $HOME_NET any -> [167.235.207.130] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246567; rev:1;)
# Confidence-75 NjRAT endpoint on port 48079, followed by a DNS indicator whose
# name carries the same port number. NOTE(review): *.portmap.host looks like a name
# issued by a shared port-forwarding service, so the address may front unrelated
# tenants; confirm before blocking more broadly than this exact name and ip:port.
alert tcp $HOME_NET any -> [193.161.193.99] 48079 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pidorgeio-48079.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246557/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246557; rev:1;)
# managevvb.com is covered twice. The HTTP rule alerts on any cleartext GET whose
# Host equals the domain (the "/" URI content is true for every path), and the DNS
# rule alerts on a query for exactly that name. For TLS traffic only the DNS rule
# can fire, since alert http needs parsed HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managevvb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"managevvb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246559; rev:1;)
# Confidence-75 NjRAT ip:port indicators on high, non-standard ports. Matching is
# on address and port only, one alert per source host per 60 seconds.
# NOTE(review): endpoints like these are often reached through shared relay or
# tunnelling hosts, so the address may not be dedicated to one operator; check the
# reference URL before treating the IP as a long-lived block candidate.
alert tcp $HOME_NET any -> [89.245.35.152] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246560; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 12051 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246561; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 56522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"having-jackson.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246564; rev:1;)
# ip:port rules: destination address and port only, one alert per source host per
# 60 seconds; the family in msg is the feed's label for the endpoint.
alert tcp $HOME_NET any -> [23.106.121.133] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246565; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.62] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246562; rev:1;)
# Exact-name DNS rule: only a query for exactly beuces.cool matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beuces.cool"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246555; rev:1;)
# The only "payload delivery" rule in this stretch: an internal host sending a
# cleartext GET for this file name to the listed host. Only the request is
# inspected (from_client), so an alert shows that the file was asked for, not that
# it was received or run; confirm with proxy or endpoint telemetry.
# classtype is trojan-activity, the same as the C2 rules, so msg is the field that
# separates delivery from C2 when sorting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ransomware.wannacry_plus.zip"; depth:29; nocase; http.host; content:"14.224.174.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246554; rev:1;)
alert tcp $HOME_NET any -> [172.245.72.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246552; rev:1;)
# URL rules with ordinary-looking paths (/jquery-3.3.1.min.js, /cm, /activity). The
# path is matched as a case-insensitive prefix and would be common on benign sites,
# so the exact http.host match is what makes the rule specific. Do not reuse the
# URI condition on its own.
# cdn.3qweraa.beauty is covered by an HTTP rule and an exact-name DNS rule; for TLS
# traffic only the DNS rule can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.3qweraa.beauty"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.3qweraa.beauty"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"146.70.44.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246547; 
rev:1;) alert tcp $HOME_NET any -> [47.120.63.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246548; rev:1;) alert tcp $HOME_NET any -> [13.68.195.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"redir-s49f828c.eastus.cloudapp.azure.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redir-s49f828c.eastus.cloudapp.azure.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.92.155.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246543/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_17; classtype:trojan-activity; sid:91246543; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.134.126.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246540; rev:1;) alert tcp $HOME_NET any -> [49.232.191.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"124.222.147.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"80.87.206.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246534; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"planetstherapy.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.planetstherapy.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246533; rev:1;) alert tcp $HOME_NET any -> [37.120.239.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link.css"; depth:9; nocase; http.host; content:"37.120.239.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cq25511.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; 
sid:91246526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-89u0y7ij-1305550121.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246524; rev:1;) alert tcp $HOME_NET any -> [1.116.103.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"service-89u0y7ij-1305550121.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246523; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246520/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.10086cn.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246521; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"prod-ireland.arkoselabs.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prod-ireland.arkoselabs.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epic-games-api.arkoselabs.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246516/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"epic-games-api.arkoselabs.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"client-api.arkoselabs.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0929875.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246512; rev:1;) alert tcp $HOME_NET any -> [23.94.104.16] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"4qvvg9ud51lxa5te.gta5.eu.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246506; rev:1;) alert tcp $HOME_NET any -> [198.12.88.130] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"139.9.190.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.40.119.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246509; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246508; rev:1;) alert tcp $HOME_NET any -> [205.185.126.140] 24124 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246504/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246504; rev:1;) alert tcp $HOME_NET any -> [194.169.175.43] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246503/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246502; rev:1;) alert tcp $HOME_NET any -> [78.40.117.218] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246501/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246501; rev:1;) alert tcp $HOME_NET any -> [79.124.40.47] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzflzwiznmywzdi5/"; depth:18; nocase; http.host; content:"83.97.73.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246485; rev:1;) alert tcp $HOME_NET any -> [89.245.33.186] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huot.ltd"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246479; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246480; rev:1;) alert tcp $HOME_NET any -> [89.245.33.186] 3000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246469/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246469; rev:1;) alert tcp $HOME_NET any -> [141.95.114.229] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246402; rev:1;) alert tcp $HOME_NET any -> [141.95.114.229] 8080 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246403; rev:1;) alert tcp $HOME_NET any -> [45.147.228.138] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246404; rev:1;) alert tcp $HOME_NET any -> [51.195.192.51] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246405; rev:1;) alert tcp $HOME_NET any -> [94.156.71.75] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246406; rev:1;) alert tcp $HOME_NET any -> [51.195.192.51] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246407; rev:1;) alert tcp $HOME_NET any -> [93.123.85.101] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246408; rev:1;) alert tcp $HOME_NET any -> [217.18.63.132] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246427/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managedkv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246463; rev:1;) alert tcp $HOME_NET any -> [188.120.250.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246499; rev:1;) alert tcp $HOME_NET any -> [2.31.159.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246498/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_17; classtype:trojan-activity; sid:91246498; rev:1;) alert tcp $HOME_NET any -> [124.171.143.147] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246497; rev:1;) alert tcp $HOME_NET any -> [70.31.125.101] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246496; rev:1;) alert tcp $HOME_NET any -> [62.182.80.97] 56432 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246495; rev:1;) alert tcp $HOME_NET any -> [37.1.210.247] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246494; rev:1;) alert tcp $HOME_NET any -> [51.195.91.31] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246493; rev:1;) alert tcp $HOME_NET any -> [89.116.22.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246492; rev:1;) alert tcp $HOME_NET any -> [20.197.20.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246491; rev:1;) alert tcp $HOME_NET any -> [3.35.14.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246490; rev:1;) alert tcp $HOME_NET any -> [168.76.172.111] 15023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246489; rev:1;) alert tcp $HOME_NET any -> [89.223.121.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246488; rev:1;) alert tcp $HOME_NET any -> [89.223.121.240] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246487; rev:1;) alert tcp $HOME_NET any -> [185.194.140.225] 53 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246486; rev:1;) alert tcp $HOME_NET any -> [193.124.205.80] 4608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flowerpublicpacket/db8test5/wordpress02flower/processorlongpolllow/defaultprotect/_temp/bigloaddatalife7mariadb/_vmbetterimage/dumppipejavascriptpython/8default/1/trafficprovider/wp/wpapi/vmlongpoll1/6wordpresspacket/0multiupdateauth/4/pipeauthtest.php"; depth:253; nocase; http.host; content:"89.23.96.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246483; rev:1;) alert tcp $HOME_NET any -> [103.253.73.222] 117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/flowerprocessorjavascriptvideo/eternalbigload/test/4/test/16datalife8/httpwpuploads/jssqlsqlline/uploadscpuproton/dbprotect/local/update/jstemp/videolinepythonsql/flower/apiwordpresstest_/javascriptuniversal/imageapitemp.php"; depth:225; nocase; http.host; content:"89.23.97.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246481; rev:1;) alert tcp $HOME_NET any -> [46.226.164.150] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246478; rev:1;) alert tcp $HOME_NET any -> [154.12.28.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246477; rev:1;) alert tcp $HOME_NET any -> [151.64.220.95] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246476; rev:1;) alert tcp $HOME_NET any -> [34.69.171.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246475; rev:1;) alert tcp $HOME_NET any -> [51.195.91.31] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246474; rev:1;) alert tcp $HOME_NET any -> [146.70.100.113] 22222 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246473; rev:1;) alert tcp $HOME_NET any -> [113.25.150.234] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246472; rev:1;) alert tcp $HOME_NET any -> [178.17.170.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bad.bois.sh"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246467; rev:1;) alert tcp $HOME_NET any -> [20.55.16.22] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; 
classtype:trojan-activity; sid:91246468; rev:1;)
# Mixed run of domain, url and ip:port indicators, all first_seen 2024_03_16.
# Several indicators describe the same endpoint from different angles (for
# example 121.36.33.53 as ip:port and as http.host, onlinetraveler.net as DNS
# name and as http.host), so one connection can raise more than one sid.
#
# Domain rules: dns_query content with depth equal to the name length plus
# isdataat:!1,relative matches the query name exactly, not its subdomains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scoring.bois.sh"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"good.bois.sh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246465; rev:1;)
# URL rules: on client-to-server traffic of an established flow, http.method must
# contain GET, http.uri must begin with the listed path (depth = path length,
# nocase) and http.host must equal the listed host (depth + isdataat:!1,relative).
# http.uri has no end anchor, so a longer path or a query string after the listed
# prefix also alerts. Plain HTTP only: these buffers are not populated for
# encrypted sessions unless traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.96.229.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246462; rev:1;)
# ip:port rules: no flow: or payload condition; one alert per rule and source
# address per 60 seconds (threshold type limit).
alert tcp $HOME_NET any -> [121.36.33.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.36.33.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246460; rev:1;)
alert tcp $HOME_NET any -> [54.220.110.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlinetraveler.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"onlinetraveler.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246457; rev:1;)
alert tcp $HOME_NET any -> [121.36.198.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.36.198.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246455; rev:1;)
alert tcp $HOME_NET any -> [13.201.220.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246454; rev:1;)
# "payload delivery" entry at confidence_level 50: the alert means an internal
# host requested this path from this host, which is a download attempt rather
# than evidence of an established C2 channel.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.126.66.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246453; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"27925375.whiteproducts.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246451; rev:1;)
alert tcp $HOME_NET any -> [154.23.178.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246450/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_16; classtype:trojan-activity; sid:91246450; rev:1;)
# URL indicators, confidence_level 100. Each rule requires, on client-to-server
# traffic of an established flow: http.method containing GET, http.uri beginning
# with the listed path (depth = path length, nocase) and http.host equal to the
# listed host (depth + isdataat:!1,relative).
# The msg names no malware family for url entries; the reference URL is the only
# link back to the ThreatFox record.
# NOTE(review): the paths in this run (/ga.js, /dot.gif, /en_us/all.js, /__utm.gif
# ...) look like ordinary web asset names and several repeat across hosts, so the
# http.host condition is what makes each rule specific. When triaging, pivot on
# the destination host rather than on the path.
# http.host is matched without nocase; the engine lower-cases that buffer, so the
# listed host strings must stay lower-case for the rules to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.47.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"111.51.156.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.141.11.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246439; rev:1;)
# The two hosts below are names rather than addresses; the exact-match anchor on
# http.host means a different label under the same parent domain does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"www.baidu12366.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; 
sid:91246437; rev:1;)
# Related indicators for the same infrastructure appear in up to three forms in
# this run: ip:port (tcp), domain (dns) and url (http). update.mozilia-tm.org and
# z886888.top each have a dns rule and an http rule, so a single infected host
# can raise both sids; correlate on the source address when counting incidents.
# ip:port rules carry no flow: or payload condition and are limited to one alert
# per rule and source address per 60 seconds.
alert tcp $HOME_NET any -> [45.138.157.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246436; rev:1;)
# dns rules match the query name exactly (depth = name length, isdataat:!1,relative).
# NOTE(review): the dns and http rules have no threshold, so a host that retries
# frequently alerts on every query or request - confirm rate limiting is applied
# elsewhere (e.g. threshold.config) if alert volume matters.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mozilia-tm.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"update.mozilia-tm.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z886888.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246432; rev:1;)
alert tcp $HOME_NET any -> [8.222.147.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246433; rev:1;)
# The URI condition here is a 3-byte prefix ("/ca"); any GET whose path starts
# with those bytes on this host alerts, so the host match carries the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"z886888.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246431; rev:1;)
alert tcp $HOME_NET any -> [5.188.86.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.253.146.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246428; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; 
classtype:trojan-activity; sid:91246426; rev:1;)
# ip:port indicators, all confidence_level 50 and first_seen 2024_03_16.
# Each rule fires on TCP traffic from $HOME_NET to the listed address and port
# with no flow: or payload condition, limited to one alert per rule and source
# address per 60 seconds.
# NOTE(review): many destinations are on 80/443, where an address may also serve
# unrelated content; at confidence 50 an alert is a lead to corroborate (DNS
# history, TLS metadata, endpoint telemetry), not a confirmed compromise.
# The family in msg ("Unknown malware", DCRat, QakBot, Havoc, BianLian) comes
# from the feed entry; nothing in the rule itself inspects protocol content.
alert tcp $HOME_NET any -> [188.120.231.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246425; rev:1;)
alert tcp $HOME_NET any -> [64.23.228.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246424; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.10] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246423; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.16] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246422; rev:1;)
alert tcp $HOME_NET any -> [27.124.34.10] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246421; rev:1;)
alert tcp $HOME_NET any -> [72.27.104.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246420; rev:1;)
alert tcp $HOME_NET any -> [189.222.127.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246419; rev:1;)
alert tcp $HOME_NET any -> [50.67.6.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246418; rev:1;)
alert tcp $HOME_NET any -> [39.105.194.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246417; rev:1;)
alert tcp $HOME_NET any -> [37.1.210.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246416; rev:1;)
alert tcp $HOME_NET any -> [45.134.9.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246415; rev:1;)
alert tcp $HOME_NET any -> [47.122.6.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246414; rev:1;)
alert tcp $HOME_NET any -> [20.127.96.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246413; rev:1;)
alert tcp $HOME_NET any -> [94.103.87.88] 4444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246412; rev:1;)
alert tcp $HOME_NET any -> [140.82.20.246] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246411; rev:1;)
alert tcp $HOME_NET any -> [23.227.202.153] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246410; rev:1;)
alert tcp $HOME_NET any -> [34.231.255.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246409; 
rev:1;)
# ip:port indicators, confidence_level 50, first_seen 2024_03_15.
# Same shape as the rest of the ip:port set: TCP from $HOME_NET to one address
# and port, no flow: or payload condition, one alert per rule and source address
# per 60 seconds. Several addresses are listed on more than one port
# (69.30.249.148 on 443/80/81, 103.113.68.85 on 443/81), each as its own sid.
# In every rule visible here the sid is the IOC id from the reference URL plus
# 90000000.
alert tcp $HOME_NET any -> [206.238.113.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246401; rev:1;)
alert tcp $HOME_NET any -> [104.233.187.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246400; rev:1;)
alert tcp $HOME_NET any -> [43.143.130.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246399; rev:1;)
alert tcp $HOME_NET any -> [121.41.168.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246398; rev:1;)
alert tcp $HOME_NET any -> [180.76.231.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246397; rev:1;)
alert tcp $HOME_NET any -> [39.51.186.81] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246396; rev:1;)
# NOTE(review): the address below ends in .0 - confirm against the ThreatFox entry
# that a single host address is intended.
alert tcp $HOME_NET any -> [167.56.66.0] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246395; rev:1;)
# NOTE(review): the msg wording "<family> botnet C2 traffic" is shared by every
# ip:port rule here regardless of family. For this entry the practical meaning is
# outbound tcp/445 from $HOME_NET to an external address, which is worth
# reviewing on its own merits whatever the label.
alert tcp $HOME_NET any -> [46.41.139.162] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246394; rev:1;)
alert tcp $HOME_NET any -> [69.30.249.147] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246393; rev:1;)
alert tcp $HOME_NET any -> [45.138.157.4] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246392; rev:1;)
alert tcp $HOME_NET any -> [103.113.68.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246390; rev:1;)
alert tcp $HOME_NET any -> [103.113.68.85] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246391; rev:1;)
alert tcp $HOME_NET any -> [69.30.249.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246388; rev:1;)
alert tcp $HOME_NET any -> [69.30.249.148] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246389; rev:1;)
alert tcp $HOME_NET any -> [69.30.249.148] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246387; rev:1;)
alert tcp $HOME_NET any -> [20.244.47.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246386; rev:1;)
alert tcp $HOME_NET any -> [136.0.3.71] 49737 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246385; rev:1;)
alert tcp $HOME_NET any -> 
[172.105.58.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dwai1l.papelhigienicoobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"w8oafr.almofadaobjeto.ru.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"e3iu8c.carregadorobjeto.za.com"; depth:30; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"veea5y.gpsdecarroobjeto.sa.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"t2uehw.etiquetaadesivaobjeto.ru.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"0buue2.padelixoobjeto.sa.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wafu.gpsdecarroobjeto.sa.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a5aoee.caixadeferramentasobjeto.za.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wadn.maquinadecafeobjeto.ru.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"r6oacr.papelhigienicoobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reoer.canecaobjeto.ru.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeu6r.etiquetaadesivaobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"3ba7r.almofadaobjeto.ru.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rgar0.padelixoobjeto.sa.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"freodr.kitdesocorrosobjeto.za.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"jwafy.canecaobjeto.ru.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246368; rev:1;)
# --- HTTP rules keyed on the Host header ---------------------------------------
# Each rule below requires http.method "GET" and http.uri content:"/" with depth:1.
# Ordinary request paths begin with "/", so the URI test adds no selectivity and
# the alert is decided by the http.host match alone.
# The host match is exact: depth equals the pattern length and
# isdataat:!1,relative requires that no byte follows the pattern, so neither a
# longer name nor a sub-domain of the listed host matches.
# Detection gap to keep in mind: these are `alert http` rules pinned to GET, so
# they do not fire on other methods or on TLS sessions to the same host. The
# matching `alert dns` rules for these names elsewhere in this file are what
# cover those cases.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"9ja7t.maquinadecafeobjeto.ru.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"raipd.carregadorobjeto.za.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hiui7e.kitdesocorrosobjeto.za.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lwajt.caixadeferramentasobjeto.za.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246364; rev:1;)
# --- DNS rules for the *objeto.* host names ------------------------------------
# dns_query inspects the queried name. depth + isdataat:!1,relative make it an
# exact match on the whole name (case-insensitive via nocase), so a query for a
# deeper label under one of these hosts does not alert.
# Triage note: the rule fires on the lookup itself, so an alert shows that the
# name was requested, not that a connection followed. The header is
# $HOME_NET -> $EXTERNAL_NET with target:src_ip, so when clients resolve through
# an internal resolver the reported source is that resolver; resolver query logs
# are then needed to find the originating host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reoer.canecaobjeto.ru.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgar0.padelixoobjeto.sa.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t2uehw.etiquetaadesivaobjeto.ru.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veea5y.gpsdecarroobjeto.sa.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w8oafr.almofadaobjeto.ru.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wadn.maquinadecafeobjeto.ru.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wafu.gpsdecarroobjeto.sa.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0buue2.padelixoobjeto.sa.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ba7r.almofadaobjeto.ru.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9ja7t.maquinadecafeobjeto.ru.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246345; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a5aoee.caixadeferramentasobjeto.za.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwai1l.papelhigienicoobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e3iu8c.carregadorobjeto.za.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eeu6r.etiquetaadesivaobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freodr.kitdesocorrosobjeto.za.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiui7e.kitdesocorrosobjeto.za.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jwafy.canecaobjeto.ru.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lwajt.caixadeferramentasobjeto.za.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r6oacr.papelhigienicoobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raipd.carregadorobjeto.za.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqlcentraluploads.php"; depth:22; nocase; http.host; content:"951499cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246342; rev:1;)
# --- ip:port rules --------------------------------------------------------------
# The `alert tcp ... -> [ip] port` rules carry no flow: or payload keywords, so
# any TCP packet from $HOME_NET to that address and port matches, including the
# first SYN of a connection that is never established or is dropped upstream.
# An alert therefore records an attempt, not a completed C2 session.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per 60 seconds; it says nothing about traffic volume.
# The match is on the address alone. metadata first_seen records when the IOC
# was reported, so check its age before treating a hit as current; the address
# may since have changed hands. This rule is published at confidence_level 75,
# not 100.
alert tcp $HOME_NET any -> [103.119.1.73] 1111 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parabmasale.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246340; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.164] 59432 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246329; rev:1;)
# The name below sits under a dynamic-DNS provider zone. depth:17 plus
# isdataat:!1,relative match this exact host only; keep it that way rather than
# widening to the parent zone, which serves unrelated users.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franco1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246330; rev:1;)
# --- URL rules --------------------------------------------------------------------
# http.uri is a prefix match: depth equals the pattern length, which pins the
# pattern to the start of the URI, but nothing anchors the end. A longer path or
# an appended query string still matches. http.host, by contrast, is matched
# exactly (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"worldofmantas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"worldofmantas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheaterpro.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246335; rev:1;)
# The next three rules all concern 213.248.43.34. The two http rules need the
# client to send that IP literal as the Host and to use GET; the tcp rule
# (sid:91246338) matches any packet to port 80 on the address. A single cleartext
# request can raise both an http alert and the tcp alert, so correlate on
# flow/source when counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246337; rev:1;)
alert tcp $HOME_NET any -> [213.248.43.34] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246338; rev:1;)
# NOTE(review): this is an `alert tcp` rule on port 53. UDP traffic to the same
# address and port is not matched by it, so if the channel is DNS over UDP this
# rule stays silent and coverage depends on the dns rules for the associated
# names. Confirm the transport against the referenced IOC entry.
alert tcp $HOME_NET any -> [95.179.190.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ontexcare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246333; rev:1;)
# Prefix match again: "/load" with depth:5 also matches any longer path that
# starts with those five bytes. The exact Host match is what keeps this rule
# specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246328; rev:1;)
alert tcp $HOME_NET any -> [128.90.128.157] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246314/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_15; classtype:trojan-activity; sid:91246314; rev:1;) alert tcp $HOME_NET any -> [193.47.46.10] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246316; rev:1;) alert tcp $HOME_NET any -> [105.99.46.173] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246317; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246318; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246319; rev:1;) alert tcp $HOME_NET any -> [23.95.132.42] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246320; rev:1;) alert tcp $HOME_NET any -> [85.204.116.169] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246321; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 1482 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm.css"; depth:7; nocase; http.host; content:"apps.nbcnews.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apps.nbcnews.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/define/cookies/j7y8xv07bjq"; depth:27; nocase; http.host; content:"139.155.97.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246324; rev:1;)
# ip:port rule: no flow: or payload keywords, so any TCP packet from $HOME_NET to
# this address on port 80 alerts, limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [91.92.252.232] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246323; rev:1;)
# --- URL rules with short, generic paths ---------------------------------------
# The URI patterns below ("/api", "/ga.js", "/pixel", "/visit.js", ...) are
# prefix matches (depth pins the start; nothing pins the end) on paths that also
# occur on ordinary sites. Specificity comes entirely from the exact http.host
# match (depth + isdataat:!1,relative), so never relax the host condition when
# tuning these rules.
# Coverage limits: GET only, and only HTTP that Suricata can parse in the clear.
# Where http.host is an IP literal, the rule fires only if the client sends that
# literal as the Host. A request to the same address under a different Host
# value is not matched, and no ip:port rule for those addresses appears next to
# them here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"theatergenerationju.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"111.229.19.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246312; rev:1;)
# NOTE(review): the host below looks like a per-service name under a shared
# API-gateway domain; presumably unrelated services share the parent domain.
# The exact 47-byte host match keeps the rule on this one name; verify before
# any broadening.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"120.222.152.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"120.222.152.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.219.54.123"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.jd-vip.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.jd-vip.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boondle.txt"; depth:12; nocase; http.host; content:"tafrihafashion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xjadlcqfulrmbgzmnncyaldkmqglyjbkix.txt"; depth:39; nocase; http.host; content:"fatttjapan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"otxcosmeticscare.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otxcarecosmetics.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artstrailman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ontexcare.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trackgroup.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessprofessionalllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1246300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246294; rev:1;) alert tcp $HOME_NET any -> [77.232.143.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"77.232.143.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mx77zdhn-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-mx77zdhn-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246290; rev:1;)
# ip:port indicator (alert tcp): no flow or content keywords, so any TCP packet
# from $HOME_NET to the listed address and port matches. The threshold limits
# the rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [192.151.244.144] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246287; rev:1;)
# URL indicator at confidence_level 75 (the rules around it are at 100): Host
# must equal "sempersim.su" exactly, the URI must begin with "/c8/fre.php", and
# the method must contain "GET".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c8/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246286; rev:1;)
# Ten single-address rules for 45.125.66.x on port 1311 (IOC ids 1246276 to
# 1246285), all labelled Mirai. Each sid carries its own threshold, so a host
# that contacts several of these addresses produces one alert per sid per
# 60 seconds rather than one alert overall.
alert tcp $HOME_NET any -> [45.125.66.54] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246277; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.37] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246276; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.61] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246278; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.64] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246279; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.68] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246280; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.95] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246281; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.109] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246282; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.137] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246283; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.146] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246284; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.152] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246285; rev:1;)
# Vidar indicator as ip:port on 443: the rule matches on address and port only
# and does not inspect what the connection carries.
alert tcp $HOME_NET any -> [88.198.109.225] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246275; rev:1;)
# The http.uri content "/" with depth:1 is satisfied by any URI that starts
# with "/", so in practice this rule alerts on every GET whose Host is exactly
# "88.198.109.225" (the address used in sid:91246275 above). It carries no
# threshold, so each matching request can raise an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.109.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246274; rev:1;)
# msg gives no family name ("Unknown malware") for the two port-61616
# indicators that follow; the reference URL is the only pointer to context
# when triaging a hit.
alert tcp $HOME_NET any -> [124.221.163.107] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246272; rev:1;)
alert tcp $HOME_NET any -> [141.98.10.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds
60, count 1; reference:url, threatfox.abuse.ch/ioc/1246273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246273; rev:1;)
# Start of a long run of URL indicators that differ only in http.host, sid and
# reference. Host is an exact match (depth equal to the content length plus
# isdataat:!1,relative); the URI test (content "/api", depth:4) is a prefix
# match, so "/api", "/api/..." and "/apix" all satisfy it.
# NOTE(review): these rules require a method containing "GET" and msg names no
# family. If the software behind these hosts sends its requests with another
# method (for example POST), none of these rules would alert - confirm against
# the referenced ThreatFox entries and consider covering the same names at DNS
# level as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"muggierdragstemmio.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"zamesblack.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wisemassiveharmonious.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"medalappearancerackw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity;
sid:91246057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modernizepledgeoi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofahuntingslidedine.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reechoingkaolizationp.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"townsfolkhiwoeko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"theoryapparatusjuko.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"premeritwallyoko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scandalbasketballoe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mealroomrallpassiveer.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"favourlegislatureduei.shop"; depth:26; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"asleepfulltytarrtw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vatleaflettrusteeooj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"questbehavixoporpo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"greenbowelsustainny.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fishboatnurrybeauti.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mutterunlikelyoo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bicyclesunhygenico.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"executivebrakeji.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"drilmoralwandreowpops.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blastoporicwoff.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"decorousnumerousieo.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pielumchalotpostwo.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"triangleseasonbenchwj.shop"; depth:26; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fieldtrollyeowskwe.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lightsecretatylattew.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"executrixrangedcoew.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"forknegotationaow.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bremenessverdurewas.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"inviteaccessiblesaltw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fossillandscapefewkew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"relevantvoicelesskw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"antiuncontemporary.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peasanthovecapspll.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"likelysoarastonishiow.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scshemevalleywelferw.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pioneerframeoakchew.fun"; 
depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"herdbescuitinjurywu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"smallrabbitcrossing.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"improvisersmissionjuw.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sustentatorcoagulat.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fikkeropendorwiw.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"telephoneverdictyow.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"explodesaildecksatt.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"donorwifeconfusionstronko.site"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stamprollabbeymemberw.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mazumaponyanthus.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cattilecodereowop.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sermonundressolcow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scrapedirtyieoqk.shop"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246011; rev:1;)
# URL indicators: exact Host match, URI prefix "/api", method containing "GET".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"presencewineonnyui.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"thinrecordsunrjisow.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246013; rev:1;)
# DanaBot ip:port indicators on port 443: no flow or content keywords, so any
# TCP packet from $HOME_NET to the listed address and port matches, limited to
# one alert per source address per 60 seconds for each sid.
# NOTE(review): an address-only match on 443 says nothing about what the
# connection carries, and an address may later serve unrelated traffic; check
# first_seen and the referenced ThreatFox entry before acting on a hit.
alert tcp $HOME_NET any -> [34.125.56.40] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246009; rev:1;)
alert tcp $HOME_NET any -> [138.68.78.110] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246010; rev:1;)
alert tcp $HOME_NET any -> [35.237.192.132] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1246008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"audiencegafferokkow.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"prescriptionstorageag.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"snuggleapplicationswo.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"steadfastvaluabelywomo.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"breakdecisiveexpandw.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unexaminablespectrall.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unhappytidydryypwto.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diamondarrivallyowju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"regardvelvettynerverf.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"isotrimorphicnongrasse.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ironshottallinko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"woodfeetumhblefepoj.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"additionmarriagefoewsv.shop"; 
depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baresoakopiniocowe.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"auctiondecadecontaii.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"syncarpiajanapiom.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modestessayevenmilwek.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"colorfulequalugliess.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"superiorhardwaerw.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"princeaccessiblepo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"noduscheatscake.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"knonkcdalfyhitt.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"culturesketchfinanciall.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"televisionstudiowmmj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"assumptionflattyou.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"legatorypluralishrtw.shop"; depth:25; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"clientgirlfrienddyjw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"onebiogopwdsa.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"samplepoisonbarryntj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"villagemagneticcsa.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"avatar.ps"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgj112233.codns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246241; rev:1;) alert tcp $HOME_NET any -> [67.213.108.79] 4782 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.fwfy.club"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njtrial.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246244; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 38122 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"links-annually.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246246; rev:1;) alert tcp $HOME_NET any -> [52.14.81.142] 22206 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7.tcp.ngrok.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246248/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246248; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 13040 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246249; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246250; rev:1;) alert tcp $HOME_NET any -> [204.93.201.142] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nextroundst.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246229; rev:1;) alert tcp $HOME_NET any -> [170.130.165.132] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246104; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246105; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246106; rev:1;) alert tcp $HOME_NET any -> [1.13.17.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adfhjadfbjadbfjkhad44jka.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywzimzrmnza4nzk0/"; depth:18; nocase; http.host; content:"valeriamygirlinstripcalloc.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246120; rev:1;) alert tcp $HOME_NET any -> [94.156.68.16] 137 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mauricioclopatofsky.tel"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246142; rev:1;) alert tcp $HOME_NET any -> [194.147.140.188] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voshu.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246170; rev:1;) alert tcp $HOME_NET any -> [51.144.73.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246197; rev:1;) alert tcp $HOME_NET any -> [5.255.123.240] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246198/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246198; rev:1;) alert tcp $HOME_NET any -> [5.255.116.222] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246199/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246199; rev:1;) alert tcp $HOME_NET any -> [87.251.67.74] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246200/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246200; 
rev:1;) alert tcp $HOME_NET any -> [213.139.205.137] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246202/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246202; rev:1;) alert tcp $HOME_NET any -> [91.235.234.149] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246201/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246201; rev:1;) alert tcp $HOME_NET any -> [185.141.24.10] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245971; rev:1;) alert tcp $HOME_NET any -> [194.36.188.66] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245972; rev:1;) alert tcp $HOME_NET any -> [185.82.200.181] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245973; rev:1;) alert tcp $HOME_NET any -> [194.36.188.56] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245974; rev:1;) alert tcp $HOME_NET any -> [194.36.188.62] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245975; rev:1;) alert tcp $HOME_NET any -> [164.90.202.142] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245978; rev:1;) alert tcp $HOME_NET any -> [178.128.94.83] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245979; rev:1;) alert tcp $HOME_NET any -> [152.42.185.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245980; rev:1;) alert tcp $HOME_NET any -> [152.42.169.205] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245981; rev:1;) 
# Reading notes for the rules below (all carry first_seen 2024_03_15).
# - ip:port rules ("alert tcp $HOME_NET any -> [IP] PORT") have no flow or content
#   keyword: they match on destination address and port only. A hit records that an
#   internal host sent TCP traffic towards that endpoint; it does not show that a
#   session was established or that any payload was inspected.
# - "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at one
#   alert per source address per 60 seconds. It suppresses repeats and does not
#   change what is matched.
# - "target:src_ip" marks the source side of the rule ($HOME_NET here) as the target
#   in the alert record.
# - dns rules set depth equal to the content length and add isdataat:!1,relative,
#   so only a query for exactly that name matches (case-insensitively, via nocase);
#   a subdomain or a longer name does not.
# NOTE(review): address indicators age and an address can be reassigned. Check the
# referenced ThreatFox entry and the confidence_level metadata before treating a hit
# as confirmed, and before converting any of these alert rules into drop rules.

# Endpoints reported as "Unknown malware" C2, all on TCP port 1311, confidence 100.
alert tcp $HOME_NET any -> [128.199.198.141] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245982; rev:1;)
alert tcp $HOME_NET any -> [152.42.169.247] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245987; rev:1;)
alert tcp $HOME_NET any -> [24.199.125.76] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245986; rev:1;)
alert tcp $HOME_NET any -> [152.42.185.16] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245988; rev:1;)
alert tcp $HOME_NET any -> [152.42.185.20] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245989; rev:1;)
alert tcp $HOME_NET any -> [170.64.211.86] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245990; rev:1;)
# Payload-delivery domain. The match is the DNS lookup itself; it does not show that
# anything was downloaded. The classtype is trojan-activity, same as the C2 rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1b.cx"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245992; rev:1;)
# Two more port-1311 "Unknown malware" endpoints.
alert tcp $HOME_NET any -> [194.36.188.83] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245970; rev:1;)
alert tcp $HOME_NET any -> [188.116.36.109] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245969; rev:1;)
# Cobalt Strike endpoints. NOTE(review): the second rule is on port 80 and fires on
# any TCP traffic to that address; expect noise if the address also serves unrelated
# content, and correlate with HTTP or proxy logs before escalating.
alert tcp $HOME_NET any -> [18.144.30.84] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245976; rev:1;)
alert tcp $HOME_NET any -> [34.216.132.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245977; rev:1;)
# Two more payload-delivery domains, matched on the DNS query only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1v.nz"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6m.pics"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245993; rev:1;)
# Confidence 75 entries: a MooBot endpoint and a C2 domain with no family in its msg.
alert tcp $HOME_NET any -> [103.174.73.85] 1500 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.nhankimcuong.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246006; rev:1;)
# Confidence 100 endpoints on non-web ports: DarkComet, Cobalt Strike, AsyncRAT.
alert tcp $HOME_NET any -> [94.156.71.187] 7678 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245959; rev:1;)
alert tcp $HOME_NET any -> [80.87.206.160] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245960; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.49] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245961; rev:1;)
# Latrodectus endpoints (confidence 85), all on port 443. These rules carry no tls or
# content keyword, so they flag the destination only; use TLS or proxy metadata from
# the same flow to triage a hit.
alert tcp $HOME_NET any -> [85.239.33.54] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245962/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245962; rev:1;)
alert tcp $HOME_NET any -> [91.235.234.121] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245963/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245963; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.173] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245964/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245964; rev:1;)
alert tcp $HOME_NET any -> [91.235.234.195] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245965/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245965; rev:1;) alert
tcp $HOME_NET any -> [5.255.108.56] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245966/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowsflowerlongpoll/datalifemariadb0/9/requestapi/videojavascriptbigloaddefaultflowerdlecdn.php"; depth:98; nocase; http.host; content:"gaming7core.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245967; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 54439 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.60"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245913/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245913; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 54438 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245957/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.136"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"acizac12141.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245915; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91245922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.166"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245912; rev:1;) alert tcp $HOME_NET any -> [91.92.253.149] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245890; rev:1;) alert tcp $HOME_NET any -> [128.90.61.78] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledger-live.exe"; depth:16; nocase; http.host; content:"185.172.128.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245859; rev:1;) alert tcp $HOME_NET any -> [185.172.128.145] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245860; rev:1;) alert tcp $HOME_NET any -> [185.172.128.90] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245861; rev:1;) alert tcp $HOME_NET any -> [149.50.213.215] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91245889; rev:1;) alert tcp $HOME_NET any -> [45.94.31.49] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245849; rev:1;) alert tcp $HOME_NET any -> [2.58.56.142] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245848; rev:1;) alert tcp $HOME_NET any -> [186.169.60.250] 1987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ex.zip"; depth:7; nocase; http.host; content:"206.188.196.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245854; rev:1;) alert tcp $HOME_NET any -> [45.15.157.139] 11070 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245855; rev:1;) alert tcp $HOME_NET any -> [45.15.157.139] 1337 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0885058.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246271; rev:1;) alert tcp $HOME_NET any -> [124.70.78.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246270; rev:1;) alert tcp $HOME_NET any -> [97.74.95.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246269; rev:1;) alert tcp $HOME_NET any -> [140.143.125.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246268; rev:1;) alert tcp $HOME_NET any -> [172.245.34.171] 58888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1246267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246267; rev:1;) alert tcp $HOME_NET any -> [123.253.108.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246266; rev:1;) alert tcp $HOME_NET any -> [179.14.9.152] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246265; rev:1;) alert tcp $HOME_NET any -> [27.124.34.16] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246264; rev:1;) alert tcp $HOME_NET any -> [41.96.85.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246263; rev:1;) alert tcp $HOME_NET any -> [137.103.187.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246262; rev:1;) alert tcp $HOME_NET any -> [72.27.11.159] 443 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246261; rev:1;)
# ip:port rules (ThreatFox feed, one rule per IOC; sid is 9 followed by the IOC id).
# These rules carry no flow or content keywords: they alert on the destination
# address and port alone. "threshold: type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source host per 60 seconds, and target:src_ip marks
# the $HOME_NET host as the affected side in the event record.
# All entries below are confidence_level 50 with first_seen 2024_03_15; an
# address-only hit on tcp/443 or tcp/445 should be corroborated with endpoint or
# TLS telemetry, and the IOC checked on ThreatFox, before it is treated as C2.
#
# NOTE(review): the msg text is built from the ThreatFox malware label. "Responder"
# is presumably the LLMNR/NBT-NS poisoning tool, so a hit on tcp/445 would be
# outbound SMB to an external listener rather than a beacon - confirm against the
# referenced IOC. Outbound tcp/445 to the internet is normally denied at egress.
alert tcp $HOME_NET any -> [172.232.14.44] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246260; rev:1;)
alert tcp $HOME_NET any -> [23.227.198.236] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246259; rev:1;)
# Havoc entries: same address-only matching on tcp/443, confidence_level 50.
alert tcp $HOME_NET any -> [46.37.96.110] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246258; rev:1;)
alert tcp $HOME_NET any -> [54.209.66.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246257; rev:1;)
alert tcp $HOME_NET any -> [139.162.180.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246256; rev:1;) alert tcp $HOME_NET any -> [23.95.48.151] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246255; rev:1;) alert tcp $HOME_NET any -> [23.227.194.177] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246254; rev:1;) alert tcp $HOME_NET any -> [194.246.114.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246253; rev:1;) alert tcp $HOME_NET any -> [8.130.10.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246252; rev:1;) alert tcp $HOME_NET any -> [143.244.132.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; 
http.host; content:"392065cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.174.228.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246236; rev:1;) alert tcp $HOME_NET any -> [222.114.183.144] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246235; rev:1;) alert tcp $HOME_NET any -> [54.156.182.111] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246234/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91246234; rev:1;) alert tcp $HOME_NET any -> [139.180.144.32] 9001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91246233; rev:1;) alert tcp $HOME_NET any -> [85.239.238.79] 1235 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246232; rev:1;)
# URL rules: match an established client-to-server HTTP GET whose URI starts with
# the listed path and whose Host value equals the listed string.
#  - http.uri content + depth equal to the pattern length anchors the path at the
#    start of the URI; nothing bounds the end, so this is a prefix match and any
#    query string or longer path after it still alerts.
#  - http.host content + depth + isdataat:!1,relative leaves no room before or
#    after the pattern, i.e. the Host buffer must be exactly this value.
#  - Only GET is covered; other methods to the same URL do not alert.
# The msg of these rules names no malware family; use the reference URL for context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalgeocentral.php"; depth:22; nocase; http.host; content:"91.220.109.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246227; rev:1;)
# ip:port rules: no flow or content keywords, so the alert is raised on destination
# address and port alone, limited to one alert per source per 60 seconds.
# NOTE(review): 3389 is the port conventionally used by RDP; this rule cannot tell
# an RDP session from other traffic to that address, so triage with session data.
alert tcp $HOME_NET any -> [5.188.86.215] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246228; rev:1;)
alert tcp $HOME_NET any -> [107.174.228.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246226; rev:1;)
# URL rule; its Host pattern is on the continuation of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; 
nocase; http.host; content:"107.174.228.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246225; rev:1;) alert tcp $HOME_NET any -> [82.146.59.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246224; rev:1;) alert tcp $HOME_NET any -> [206.238.42.236] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246223; rev:1;) alert tcp $HOME_NET any -> [147.78.103.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246222; rev:1;) alert tcp $HOME_NET any -> [45.67.230.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246221; rev:1;) alert tcp $HOME_NET any -> [167.179.105.44] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; 
classtype:trojan-activity; sid:91246220; rev:1;) alert tcp $HOME_NET any -> [46.246.6.11] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246219; rev:1;) alert tcp $HOME_NET any -> [20.107.243.137] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246218; rev:1;) alert tcp $HOME_NET any -> [50.35.133.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246217; rev:1;) alert tcp $HOME_NET any -> [54.37.138.65] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246216; rev:1;) alert tcp $HOME_NET any -> [54.245.19.64] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246215; rev:1;) alert tcp $HOME_NET any -> [23.95.48.151] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246214; rev:1;) alert tcp $HOME_NET any -> [45.144.31.57] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246212; rev:1;) alert tcp $HOME_NET any -> [45.144.31.57] 40000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246213; rev:1;) alert tcp $HOME_NET any -> [103.152.254.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246211; rev:1;) alert tcp $HOME_NET any -> [45.8.146.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246210; rev:1;) alert tcp $HOME_NET any -> [3.0.250.71] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246209; rev:1;) alert tcp $HOME_NET any -> [116.203.117.12] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246208; rev:1;)
# Vidar ip:port rules: alert on destination address and port alone (no flow or
# content keywords), at most one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [45.144.28.165] 49119 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246206; rev:1;)
alert tcp $HOME_NET any -> [103.35.188.34] 39119 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246207; rev:1;)
# URL rules for the bare path "/": content:"/"; depth:1 matches any URI that begins
# with "/", so the URI test adds no selectivity. In effect these rules alert on any
# HTTP GET whose Host value is exactly the listed address (depth + isdataat:!1,relative
# pin the Host buffer to the full string).
# These rules have no threshold keyword, so every matching request produces an alert;
# a host that also trips the ip:port rule for the same address will show both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.117.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"103.35.188.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.144.28.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246203; rev:1;)
# ip:port rules on port 53: these are "alert tcp" rules, so only TCP traffic to the
# listed address on port 53 is covered. No "alert udp" rule for the same addresses
# is visible in this part of the file - NOTE(review): confirm whether UDP/53 to
# these hosts is covered elsewhere (for example by the domain rules below).
# Matching is on address and port only, one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [168.100.11.227] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246196; rev:1;)
# Domain rules: inspect the DNS query name. depth equal to the pattern length plus
# isdataat:!1,relative means the query name must equal the listed name exactly
# (case-insensitive via nocase); a query for any other name, including a subdomain
# of the listed one, does not match. The msg names no malware family and there is
# no threshold, so each matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.otxcarecosmetics.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246195; rev:1;)
alert tcp $HOME_NET any -> [134.209.87.204] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.otxcosmeticscare.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumbaraan.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1246191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246191; rev:1;) alert tcp $HOME_NET any -> [103.253.146.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"kumbaraan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.92.19.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246189; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/visit.js"; depth:9; nocase; http.host; content:"cdn-1488.winstate.cc"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246186; rev:1;)
# Domain rule for the same hostname as the URL rule above (sid 91246186): the DNS
# rule alerts on an exact-name query, the URL rule on a later HTTP GET to that Host,
# so one infected host can produce both sids. Correlate on the source address
# rather than counting them as separate incidents.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-1488.winstate.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246187; rev:1;)
# URL rule: GET whose URI starts with "/cx" (prefix match - depth pins the start,
# nothing pins the end) and whose Host value is exactly 37.1.197.252.
# The same address is listed as Cobalt Strike in the ip:port rule that follows;
# the URL rule's own msg does not name a family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"37.1.197.252"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246184; rev:1;)
# ip:port rules: destination address and port only, no payload inspection; one
# alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [37.1.197.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246185; rev:1;)
alert tcp $HOME_NET any -> [172.210.42.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ocsp/"; depth:6; nocase; http.host; content:"172.210.42.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"35.153.33.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"42.186.17.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246180; rev:1;) alert tcp $HOME_NET any -> [74.48.19.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"jspassport.ssl.qhimg.com.dsa.dnsv1.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246177/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_14; classtype:trojan-activity; sid:91246177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jspassport.ssl.qhimg.com.dsa.dnsv1.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246178; rev:1;) alert tcp $HOME_NET any -> [3.213.37.39] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246176; rev:1;) alert tcp $HOME_NET any -> [3.219.159.186] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246175/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246175; rev:1;) alert tcp $HOME_NET any -> [107.172.31.178] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246174; rev:1;) alert tcp $HOME_NET any -> [47.92.158.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"res.mall.10010.cn"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"119.91.26.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.219.54.123"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.91.26.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246163; rev:1;) 
# ---------------------------------------------------------------------------
# Reading notes for the rules that follow (Suricata expects one rule per line).
#
# url rules (alert http) match a cleartext HTTP GET leaving $HOME_NET. The
#   http.uri pattern is anchored at the start of the URI only (depth, no end
#   anchor), so it is a prefix match. The http.host pattern is an exact match
#   (depth + isdataat:!1,relative). TLS traffic is not seen by these rules
#   unless it is decrypted before it reaches the sensor.
# domain rules (alert dns) are an exact, case-insensitive match on the queried
#   name. A query for a subdomain of the name does not match.
# ip:port rules (alert tcp) carry no flow: or flags: keyword, so any TCP
#   packet from $HOME_NET to that address and port matches, a lone SYN
#   included. An alert shows a connection attempt, not an established session.
#   threshold limits output to one alert per source address per 60 seconds.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
# confidence_level is the feed's own score (also echoed in msg); first_seen is
#   the feed's first-sighting date per the field name, not proof the indicator
#   is still live. Addresses get reassigned, so weigh age and score in triage,
#   especially for the 50% ip:port entries further down.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246161; rev:1;)
# url + domain pair for docloudstorage.com: the DNS rule can fire on the
# lookup even when the later HTTP exchange is encrypted or never happens.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/hot/y/liveupdate/"; depth:26; nocase; http.host; content:"docloudstorage.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docloudstorage.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246160; rev:1;)
# Four rules share the URI prefix "/static/js/jquery-3.3.1.min.js" and differ
# only in Host. The path looks like an ordinary web asset, so the exact Host
# match is what keeps these specific. Do not loosen it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"43.141.11.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246155; rev:1;)
# The next five url rules use URI "/" with depth:1. Every URI that begins
# with "/" satisfies that, so in practice the Host match alone decides and any
# GET carrying that Host alerts. The Vidar ip:port rules after them cover the
# same five addresses. Where the traffic is cleartext HTTP on a listed port,
# a url rule and an ip:port rule can both fire for one connection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.103.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246150; rev:1;)
alert tcp $HOME_NET any -> [116.203.15.173] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246146; rev:1;)
alert tcp $HOME_NET any -> [5.75.215.43] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246147; rev:1;)
alert tcp $HOME_NET any -> [159.69.103.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246148; rev:1;)
alert tcp $HOME_NET any -> [65.109.240.54] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246143; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.156] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246144; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.156] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246145; rev:1;)
# The next two rules have identical match conditions (same URI prefix, same
# Host). Only the reference id, confidence_level (75 vs 100) and sid differ,
# so one request fires both. Expect paired alerts; deduplicate in the alert
# pipeline or suppress one sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"mauricioclopatofsky.tel"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"mauricioclopatofsky.tel"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246138; rev:1;)
# Run of ip:port rules scored 50% by the feed (one at 75%). They match on
# address and port alone, so corroborate with host or flow evidence before
# escalating.
alert tcp $HOME_NET any -> [124.70.19.189] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246137; rev:1;)
alert tcp $HOME_NET any -> [123.1.189.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246136; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.13] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246135; rev:1;)
alert tcp $HOME_NET any -> [78.46.191.105] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246134; rev:1;)
alert tcp $HOME_NET any -> [27.124.34.14] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246133; rev:1;)
alert tcp $HOME_NET any -> [41.96.78.253] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246132; rev:1;)
alert tcp $HOME_NET any -> [82.7.3.113] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246131; rev:1;)
alert tcp $HOME_NET any -> [74.138.4.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246130; rev:1;)
alert tcp $HOME_NET any -> [37.1.208.95] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246129; rev:1;)
alert tcp $HOME_NET any -> [85.111.0.39] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246128; rev:1;)
alert tcp $HOME_NET any -> [138.197.116.57] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246127; rev:1;)
alert tcp $HOME_NET any -> [51.195.231.121] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246126; rev:1;)
# "/l1nc0in.php" is matched on two different hosts (this rule and sid
# 91246123). Each is an exact Host match, so other hosts serving the same
# path are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0929508.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246125; rev:1;)
alert tcp $HOME_NET any -> [49.13.200.170] 7878 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"rosalihi.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image1/linuxhttp/_/53secure/phplocal/externalrequestlow6/cdn/multi3auth/vmmultiflower.php"; depth:90; nocase; http.host; content:"185.104.113.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246122; rev:1;)
# From here to the end of this run everything is an ip:port rule, apart from
# the newcleos.com and dbhg.duckdns.org entries. first_seen changes from
# 2024_03_14 to 2024_03_13 at sid 91246119.
alert tcp $HOME_NET any -> [154.23.178.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246121; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.251] 4760 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246119; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.13] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246118; rev:1;)
alert tcp $HOME_NET any -> [124.106.197.167] 4343 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246117; rev:1;)
alert tcp $HOME_NET any -> [34.162.156.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246116; rev:1;)
alert tcp $HOME_NET any -> [3.88.102.160] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246115; rev:1;)
alert tcp $HOME_NET any -> [3.94.102.197] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246114; rev:1;)
alert tcp $HOME_NET any -> [38.242.236.116] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246113; rev:1;)
alert tcp $HOME_NET any -> [81.94.150.166] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246112; rev:1;)
alert tcp $HOME_NET any -> [142.93.97.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246110; rev:1;)
# domain + url pair for newcleos.com.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newcleos.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/appdata.aspx"; depth:13; nocase; http.host; content:"newcleos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246108; rev:1;)
alert tcp $HOME_NET any -> [81.70.71.30] 62233 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246103; rev:1;)
alert tcp $HOME_NET any -> [57.151.120.22] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246102; rev:1;)
# Four DarkComet rules for one address (187.135.82.22), one per port. Each
# has its own per-source threshold, so one host touching several of the ports
# produces one alert per sid per minute.
alert tcp $HOME_NET any -> [187.135.82.22] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246101; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.22] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246100; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.22] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246099; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.22] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246098; rev:1;)
alert tcp $HOME_NET any -> [129.204.201.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246097; rev:1;)
alert tcp $HOME_NET any -> [193.42.63.146] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246096; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 56901 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"dbhg.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246007; rev:1;)
# 50% ip:port entries again: address-and-port matches only, scored low by the
# feed itself. Treat a hit as a lead to corroborate, not as a verdict.
alert tcp $HOME_NET any -> [194.87.74.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246004; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.5] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246003; rev:1;)
alert tcp $HOME_NET any -> [167.56.207.201] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246002; rev:1;)
alert tcp $HOME_NET any -> [188.49.94.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246001; rev:1;)
alert tcp $HOME_NET any -> [185.51.171.169] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246000; rev:1;)
alert tcp $HOME_NET any -> [92.177.126.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245999; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 4891 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245998; rev:1;)
alert tcp $HOME_NET any -> [103.216.51.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245997; rev:1;)
alert tcp $HOME_NET any -> [49.232.214.141] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245996; rev:1;) alert tcp $HOME_NET any -> [45.89.54.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245995; rev:1;) alert tcp $HOME_NET any -> [45.157.69.156] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245994; rev:1;) alert tcp $HOME_NET any -> [146.70.44.156] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245985; rev:1;) alert tcp $HOME_NET any -> [14.239.3.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245984; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245983; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245968; rev:1;)
# NOTE(review): the line above is the remainder of an "alert http" rule whose
# header sits on the previous line of the file; Suricata expects a rule on one
# line (or continued with a trailing backslash). In that rule, http.uri
# content:"/cm" with depth:3 is a three-byte prefix match, so any URI beginning
# with "/cm" qualifies; the exact http.host match (depth:12 plus
# isdataat:!1,relative) is what ties the alert to this indicator.
#
# ip:port rules: no flow or payload keywords, so any TCP packet from $HOME_NET to
# the listed address and port matches; the threshold caps each rule at one alert
# per source host per 60 seconds.
alert tcp $HOME_NET any -> [193.233.132.57] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245956; rev:1;)
alert tcp $HOME_NET any -> [144.91.109.161] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245955; rev:1;)
alert tcp $HOME_NET any -> [45.154.3.56] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245954/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245954; rev:1;)
alert tcp $HOME_NET any -> [185.11.61.124] 55779 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245953/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245953; rev:1;)
# DarkComet: nine entries for 187.135.82.30, one sid per port. Because each rule
# has its own threshold state, a host contacting several of these ports raises
# one alert per port rather than one per destination.
alert tcp $HOME_NET any -> [187.135.82.30] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245952/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245952; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245951/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245951; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245950/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245950; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245949/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245949; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245948/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245948; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 1761 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245947; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245946; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245945/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245945; rev:1;)
alert tcp $HOME_NET any -> [187.135.82.30] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245944/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245944; rev:1;)
alert tcp $HOME_NET any -> [2.45.75.48] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245943/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245943; rev:1;)
alert tcp $HOME_NET any -> [74.48.151.50] 11212 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245942/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245942; rev:1;)
alert tcp $HOME_NET any -> [20.19.35.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245941/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245941; rev:1;)
alert tcp $HOME_NET any -> [39.104.200.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245940/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245940; rev:1;)
# RisePro: four confidence_level 80 entries on port 8081.
alert tcp $HOME_NET any -> [101.99.92.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245939/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245939; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.38] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245938/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245938; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.147] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245937/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245937; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.180] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245936/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245936; rev:1;)
# The next line is the start of a rule whose remainder is on the following line
# of the file. Its destination is written without a prefix length, so it is a
# single address, not a network.
alert tcp $HOME_NET any -> [88.198.107.0] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245935/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245935; rev:1;)
# NOTE(review): the line above is the tail of a rule that begins on the previous
# line of the file; Suricata expects a rule on one line (or continued with a
# trailing backslash). The rules below are laid out one per line.
#
# ip:port rules match any TCP packet from $HOME_NET to the listed address and
# port; the threshold caps each rule at one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [116.202.4.240] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245934/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245934; rev:1;)
alert tcp $HOME_NET any -> [77.105.162.176] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245933/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245933; rev:1;)
# url rules: client-to-server HTTP GET on an established flow. The http.uri
# depth equals the pattern length, so the URI must begin with the path (anything
# may follow); http.host depth plus isdataat:!1,relative requires the Host value
# to be exactly the listed name or address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dolul/five/fre.php"; depth:19; nocase; http.host; content:"94.156.66.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245932; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.57] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245931; rev:1;)
# The next two entries are "alert tcp" rules on port 53, so only TCP traffic to
# these addresses is covered.
# NOTE(review): if the C2 channel behind these indicators runs over UDP/53, these
# rules would not see it — confirm against the referenced ThreatFox entries.
alert tcp $HOME_NET any -> [121.43.55.149] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245930; rev:1;)
alert tcp $HOME_NET any -> [185.106.96.225] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245929; rev:1;)
# Four url rules sharing the URI prefix "/tmp/index.php"; they differ only in the
# exact Host value, the reference and the sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"uama.com.ua"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"talesofpirates.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sodez.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"nidoe.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245925; rev:1;)
# The URI prefixes in the following url rules ("/dot.gif", "/__utm.gif",
# "/pixel.gif", "/ca", "/en_us/all.js") are not distinctive on their own; each
# rule fires only in combination with its exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.47.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.111.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245923; rev:1;)
alert tcp $HOME_NET any -> [205.189.160.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245921; rev:1;)
# 39.105.4.90 appears twice: as an ip:port entry on 443 and as the Host of a url
# rule. The url rule uses the http application-layer buffers, so it only applies
# to traffic Suricata parses as HTTP; the 443 entry matches on address and port.
alert tcp $HOME_NET any -> [39.105.4.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245919; rev:1;)
# 175.27.162.205 has two url rules and an ip:port entry on 80.
# NOTE(review): an HTTP request to that address on port 80 that matches one of
# the url rules is also a TCP packet matching the ip:port rule, so one connection
# can raise more than one sid; correlate on destination when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"175.27.162.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.27.162.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245916; rev:1;)
alert tcp $HOME_NET any -> [175.27.162.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245917; rev:1;)
alert tcp $HOME_NET any -> [192.3.109.132] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245911; rev:1;)
# The next line is the start of a rule whose remainder is on the following line of the file.
alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bachlong-sro.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245910; rev:1;)
# NOTE(review): the line above is the remainder of an "alert dns" rule whose
# header sits on the previous line of the file; Suricata expects a rule on one
# line (or continued with a trailing backslash).
# domain rules: depth equal to the pattern length anchors the match at the start
# of the dns_query buffer and isdataat:!1,relative requires nothing to follow,
# so only a query for exactly this name matches; a subdomain of it does not.
#
# ip:port rules match any TCP packet from $HOME_NET to the listed address and
# port; the threshold caps each rule at one alert per source host per 60 seconds.
# 185.172.128.146 is listed both as an ip:port entry (443, confidence 75) and as
# the Host of a url rule (confidence 100).
alert tcp $HOME_NET any -> [185.172.128.146] 443 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/index.php"; depth:14; nocase; http.host; content:"185.172.128.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245908; rev:1;)
alert tcp $HOME_NET any -> [192.210.201.57] 52499 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245907; rev:1;)
# url rules below: client-to-server HTTP GET on an established flow; the URI is a
# prefix match (depth equals pattern length, nothing constrains what follows) and
# the Host value must match exactly. They apply only to traffic parsed as HTTP,
# so an address that also has a 443 ip:port entry is covered there by address
# alone.
alert tcp $HOME_NET any -> [154.90.63.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.90.63.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245905; rev:1;)
alert tcp $HOME_NET any -> [39.107.89.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245903; rev:1;)
# The same 47-byte hostname is covered twice: once at DNS lookup time and once as
# the HTTP Host. Both rules require the full name (depth:47 with
# isdataat:!1,relative), so other names under the parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lhtzt3wh-1319979259.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-lhtzt3wh-1319979259.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245901; rev:1;)
# Short or generic URI prefixes ("/load", "/push", "/fwlink", "/g.pixel", ...):
# the exact Host match is what makes these rules specific to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245893; rev:1;)
# The next line is the start of a rule whose remainder is on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb6f29c6a60b3865.php"; depth:21; nocase; http.host; content:"147.45.47.71"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1245891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245891; rev:1;)
# NOTE(review): the line above is the tail of a rule that begins on the previous
# line of the file; Suricata expects a rule on one line (or continued with a
# trailing backslash). The rules below are laid out one per line.
#
# url rules with http.uri content:"/" and depth:1: the only URI constraint is a
# leading "/", which an ordinary request path always has, so these are in effect
# "any GET to this exact Host" rules. nocase has no effect on "/".
# NOTE(review): sid:91245887 and sid:91245886 carry identical match options (GET,
# "/", Host 5.75.213.121) and differ only in reference and sid, so one request
# raises both alerts. Deduplicate downstream on destination, or suppress one of
# the two locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.28"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245886; rev:1;)
# Vidar ip:port entries for the same two addresses as the url rules above. These
# have no flow or payload keywords, so any TCP packet from $HOME_NET to the
# address and port matches; the threshold caps each rule at one alert per source
# host per 60 seconds. Cleartext HTTP to port 80 of these hosts can therefore
# raise both a url sid and an ip:port sid.
alert tcp $HOME_NET any -> [5.75.213.121] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245884; rev:1;)
alert tcp $HOME_NET any -> [5.75.221.28] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245885; rev:1;)
alert tcp $HOME_NET any -> [5.75.213.121] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"82.146.45.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245882; rev:1;)
alert tcp $HOME_NET any -> [66.63.162.155] 1608 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245881; rev:1;)
# confidence_level 50 entries, several on common service ports (80, 443).
# NOTE(review): these match on address and port alone; first_seen is 2024_03_13
# while the feed header gives 2024-07-26 as its last update, so the entries were
# over four months old when the file was generated. Treat hits as leads to
# corroborate with host or proxy telemetry rather than confirmed C2 contact.
alert tcp $HOME_NET any -> [83.220.169.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245880; rev:1;)
alert tcp $HOME_NET any -> [213.189.201.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245879; rev:1;)
alert tcp $HOME_NET any -> [37.1.205.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245878; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.11] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245877; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.4] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245876; rev:1;)
alert tcp $HOME_NET any -> [58.84.90.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245875; rev:1;)
alert tcp $HOME_NET any -> [72.27.137.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245874; rev:1;)
# The next line is the start of a rule whose remainder is on the following line of the file.
alert tcp $HOME_NET any -> [2.50.45.215] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245873; rev:1;) alert tcp $HOME_NET any -> [39.40.175.239] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245872; rev:1;) alert tcp $HOME_NET any -> [24.148.11.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245871; rev:1;) alert tcp $HOME_NET any -> [45.137.10.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245870; rev:1;) alert tcp $HOME_NET any -> [37.1.212.112] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245869; rev:1;) alert tcp $HOME_NET any -> [23.227.193.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245868; rev:1;) alert tcp $HOME_NET any -> [37.1.208.95] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245867; rev:1;) alert tcp $HOME_NET any -> [87.122.8.35] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245866; rev:1;) alert tcp $HOME_NET any -> [139.84.137.24] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"193.143.1.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes.js"; depth:17; nocase; http.host; content:"74.48.57.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69pipe4/2temp/betterpipetrackpipe/62test/geoprocessauth.php"; depth:60; nocase; http.host; content:"188.120.241.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245862; rev:1;) alert tcp $HOME_NET any -> [43.248.129.152] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processorbase.php"; depth:18; nocase; http.host; content:"737165cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245857; rev:1;) alert tcp $HOME_NET any -> [124.248.69.29] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245853; rev:1;) alert tcp $HOME_NET any -> [115.231.218.42] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245852; rev:1;) alert tcp $HOME_NET any -> [110.42.102.82] 6688 (msg:"ThreatFox 
Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245850; rev:1;) alert tcp $HOME_NET any -> [114.130.36.120] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245847; rev:1;) alert tcp $HOME_NET any -> [137.184.177.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245846/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245846; rev:1;) alert tcp $HOME_NET any -> [34.81.83.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245845; rev:1;) alert tcp $HOME_NET any -> [27.156.108.198] 6079 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245844; rev:1;) alert tcp $HOME_NET any -> [191.88.250.232] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245843/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_12; classtype:trojan-activity; sid:91245843; rev:1;) alert tcp $HOME_NET any -> [41.96.29.46] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245842; rev:1;) alert tcp $HOME_NET any -> [51.211.208.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245841; rev:1;) alert tcp $HOME_NET any -> [210.2.169.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245840; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245839; rev:1;) alert tcp $HOME_NET any -> [20.191.195.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245838; rev:1;) alert tcp $HOME_NET any -> [95.164.19.54] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245836; rev:1;) alert tcp $HOME_NET any -> [37.120.239.146] 23250 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245837; rev:1;) alert tcp $HOME_NET any -> [193.233.132.159] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245835; rev:1;) alert tcp $HOME_NET any -> [69.30.232.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"69.30.232.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"69.30.232.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245832/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"69.30.232.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"69.30.232.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245830; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245824; rev:1;) alert tcp $HOME_NET any -> [5.75.208.68] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245825; rev:1;) alert tcp $HOME_NET any -> [5.75.208.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245826; rev:1;) alert tcp $HOME_NET any -> [95.217.28.198] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"5.75.208.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7t.nz"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read/timer.php"; depth:15; nocase; http.host; content:"dasmake.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"69.30.232.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"69.30.232.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"69.30.232.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"69.30.232.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"69.30.232.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245801; rev:1;) alert tcp $HOME_NET any -> [95.179.177.99] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_12; classtype:trojan-activity; sid:91245800; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; 
classtype:trojan-activity; sid:91245799; rev:1;)

# The rules below are generated from single ThreatFox indicators. Each one carries the feed's
# confidence_level and first_seen in its metadata option and links back to the IOC entry through
# its reference option. They follow three templates (ip:port, domain, url); the notes say what
# each template does and does not match.

# ip:port template. The header is the whole match: there is no flow or content option, so any
# TCP packet from $HOME_NET to this address and port qualifies, including a connection attempt
# that is never answered. An alert therefore shows an attempt to reach the address, not a
# completed C2 exchange. The threshold limits output to one alert per source address per
# 60 seconds. The protocol is tcp, so UDP traffic to the same address on port 53 is not covered.
alert tcp $HOME_NET any -> [3.141.100.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245798; rev:1;)

# domain template. depth:16 pins the 16-byte pattern to the start of the query name and
# isdataat:!1,relative requires that nothing follows it, so only this exact name matches
# (nocase makes the comparison case-insensitive). A lookup of a subdomain of this name does
# not fire the rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.tecbanis.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245797; rev:1;)

# ip:port template, TCP port 53 only (same matching behaviour as sid 91245798).
alert tcp $HOME_NET any -> [23.95.208.14] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245796; rev:1;)

# domain template, exact-name match. The next two rules list two hosts under the same parent
# domain separately; neither matches the parent domain itself or any other host under it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oob.microsoft360.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbo.microsoft360.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245794; rev:1;)

# ip:port template for 5.34.179.101 on port 80. The url rules below name the same address in
# http.host, so plain-HTTP traffic to it can raise both this alert and a url alert.
alert tcp $HOME_NET any -> [5.34.179.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245793; rev:1;)

# url template. http.host must equal the listed value exactly (depth plus isdataat:!1,relative),
# but the http.uri pattern is anchored only at the start: any GET whose URI begins with this
# path matches, whatever follows it. The destination is $EXTERNAL_NET any, so the rule keys on
# the Host header rather than on the destination address. There is no threshold option, so
# every matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"5.34.179.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245792; rev:1;)

# url template. The path is a common library file name; the exact http.host condition is what
# makes this rule specific to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.60.253.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245791; rev:1;)

# ip:port template, same address as sid 91245793 but port 443.
alert tcp $HOME_NET any -> [5.34.179.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245790; rev:1;)

# NOTE(review): the method, URI and host conditions here are identical to sid 91245792; the two
# rules differ only in reference and sid, so one matching request raises both alerts. Consider
# suppressing one of the pair when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"5.34.179.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.136.241.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"82.157.169.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"164.92.116.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/activity"; depth:9; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekololis.ovh"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; 
sid:91245775; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catgirls.network"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rx.neko.ltd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neko.ltd"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245772; rev:1;) alert tcp $HOME_NET any -> [15.204.211.32] 888 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245769; rev:1;) alert tcp $HOME_NET any -> [141.98.7.7] 2 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1245770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245770; rev:1;) alert tcp $HOME_NET any -> [94.156.69.226] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245771; rev:1;) alert tcp $HOME_NET any -> [51.89.157.32] 4200 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245768; rev:1;) alert tcp $HOME_NET any -> [194.169.175.33] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245767; rev:1;) alert tcp $HOME_NET any -> [194.169.175.31] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245780/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_12; classtype:trojan-activity; sid:91245780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/limitgameruleboot/systemcore/war/basewordpressdatalife.php"; depth:59; nocase; http.host; content:"185.246.67.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245764; rev:1;) alert tcp $HOME_NET any -> [49.13.32.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245761; rev:1;) alert tcp $HOME_NET any -> [116.202.4.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245762; rev:1;) alert tcp $HOME_NET any -> [88.198.107.0] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.107.0"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.231"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245758; rev:1;) alert tcp $HOME_NET any -> [103.186.117.66] 1906 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245757; rev:1;) alert tcp $HOME_NET any -> [194.33.191.105] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245756; rev:1;) alert tcp $HOME_NET any -> [185.196.11.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245755; rev:1;) alert tcp $HOME_NET any -> [143.110.180.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245754; rev:1;) alert tcp $HOME_NET any -> [66.103.202.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245753; rev:1;) alert tcp $HOME_NET any -> [66.103.202.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245752; rev:1;) alert tcp $HOME_NET any -> [64.23.194.166] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245751; rev:1;) alert tcp $HOME_NET any -> [23.93.94.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245750; rev:1;) alert tcp $HOME_NET any -> [70.31.127.214] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245749; rev:1;) alert tcp $HOME_NET any -> [72.27.34.29] 443 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245748; rev:1;)
# Every rule on this stretch is an ip:port rule at confidence level 50%. The
# match is header-only (destination address and port plus a threshold), so the
# alert shows that a $HOME_NET host sent TCP traffic to the address, not that
# the traffic was C2. The confidence value sits in both msg and
# metadata: confidence_level, so it can be used to route these alerts
# differently from the 100% ones.
# metadata carries only confidence_level and first_seen (2024_03_12 here);
# ageing out old address indicators is left to whoever consumes the rules.
alert tcp $HOME_NET any -> [175.10.220.200] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245747; rev:1;)
# Destination port 445 is SMB. Egress filtering of outbound SMB at the perimeter
# covers this address and any other, independently of this indicator.
# NOTE(review): an alert here means an internal host attempted SMB to an
# external address; check whether the connection was blocked or completed.
alert tcp $HOME_NET any -> [104.248.92.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245746; rev:1;)
# Port 80 with no HTTP conditions: any TCP traffic to the address on that port
# matches, whatever site or path was requested.
# NOTE(review): one address can serve unrelated sites on port 80, so
# corroborate with proxy or HTTP logs before treating the source as infected.
alert tcp $HOME_NET any -> [122.114.225.100] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245745; rev:1;)
alert tcp $HOME_NET any -> [122.114.192.32] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245744; rev:1;)
alert tcp $HOME_NET any -> [122.114.156.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; 
classtype:trojan-activity; sid:91245743; rev:1;) alert tcp $HOME_NET any -> [122.114.197.147] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245742; rev:1;) alert tcp $HOME_NET any -> [122.114.10.11] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245741; rev:1;) alert tcp $HOME_NET any -> [122.114.192.234] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245740; rev:1;) alert tcp $HOME_NET any -> [37.1.212.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245739; rev:1;) alert tcp $HOME_NET any -> [154.90.49.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncawaitapi.com"; depth:17; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1245734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245734; rev:1;) alert tcp $HOME_NET any -> [91.92.243.162] 45162 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apifunctioncall.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245733; rev:1;) alert tcp $HOME_NET any -> [45.128.232.59] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"xcelonline.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245736; rev:1;) alert tcp $HOME_NET any -> [204.95.99.109] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245735/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245735; rev:1;) alert tcp $HOME_NET any -> [194.165.16.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"194.165.16.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"blm-wiki.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"jango-pulse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245729; rev:1;) alert tcp $HOME_NET any -> [45.74.36.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"170.130.55.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.132.237.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.92.19.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245725; rev:1;) alert tcp $HOME_NET any -> [142.202.242.172] 30098 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245724; rev:1;) alert tcp $HOME_NET any -> 
[146.56.238.25] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245722; rev:1;) alert tcp $HOME_NET any -> [167.88.160.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245721; rev:1;) alert tcp $HOME_NET any -> [79.114.226.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245720; rev:1;) alert tcp $HOME_NET any -> [45.87.246.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245719; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 10000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245718; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9800 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245717/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245717; rev:1;)
# ip:port rules at confidence level 50%: header-only match on destination
# address and port, limited by threshold to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [154.223.20.108] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245716; rev:1;)
alert tcp $HOME_NET any -> [38.54.63.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245715; rev:1;)
# URL rules ("payload delivery" in msg; classtype is trojan-activity as for the
# C2 rules). Three conditions: method GET, a URI pattern and a host pattern.
# The URI pattern is anchored at the start only (depth equals its length, with
# no isdataat after it), so it is a prefix match. The host pattern has depth
# plus isdataat:!1,relative and therefore must equal the whole http.host buffer.
#
# The host below is a shared storage service, so the URI pattern is what makes
# the rule specific to this object.
# NOTE(review): alert http only sees HTTP the sensor can read; if this host is
# reached over TLS, the rule fires only where traffic is inspected after
# decryption - confirm sensor placement.
# NOTE(review): the pattern contains a percent-encoded %2f and http.uri is the
# normalized URI buffer; verify against a capture that normalization leaves it
# encoded, otherwise http.uri.raw would be the buffer to match on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/maga-414515.appspot.com/o/l4djx6iv5c%2fdoc_h37_93i800248-18015745p1346-4493y8.js"; depth:86; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245713; rev:1;)
# URI pattern "/" with depth:1 is satisfied by any URI that begins with "/",
# so this rule is in effect "any GET request to this exact host".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"durete.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qbijgho"; 
depth:8; nocase; http.host; content:"qyjifia.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcjwcj.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245710; rev:1;) alert tcp $HOME_NET any -> [154.9.29.154] 55650 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"drifajizo.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"scifimond.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"minndarespo.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"ginzbargatey.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"popfealt.one"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245704; rev:1;) alert tcp $HOME_NET any -> [89.190.156.61] 60124 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245702; rev:1;) alert tcp $HOME_NET any -> [141.98.7.7] 1 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/"; depth:8; nocase; http.host; content:"bellebobas.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245701; rev:1;) alert tcp $HOME_NET any -> [217.67.178.79] 51177 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245700; rev:1;) alert tcp $HOME_NET any -> [85.175.101.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245699; rev:1;) alert tcp $HOME_NET any -> [193.143.1.195] 30293 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245698; rev:1;) alert tcp $HOME_NET any -> [193.233.132.162] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245697; rev:1;) alert tcp $HOME_NET any -> [45.156.21.39] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1245696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245696; rev:1;) alert tcp $HOME_NET any -> [188.27.166.233] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245695; rev:1;) alert tcp $HOME_NET any -> [193.233.161.246] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245694; rev:1;) alert tcp $HOME_NET any -> [95.216.117.33] 8088 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245693; rev:1;) alert tcp $HOME_NET any -> [77.91.124.37] 3001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245692; rev:1;) alert tcp $HOME_NET any -> [45.15.157.90] 3000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245690; rev:1;)
# URL rules: method GET, a URI pattern and a host pattern must all match on an
# established client-to-server flow. The URI pattern is anchored at the start
# only (depth equals its length, no isdataat after it), so longer URIs with the
# same prefix also match. The host pattern has depth plus isdataat:!1,relative
# and must equal the whole http.host buffer.
#
# The host in the next rule is a widely used legitimate site; only the profile
# path makes the rule specific, and the msg does not name a malware family.
# NOTE(review): alert http only sees HTTP the sensor can read; if this site is
# reached over TLS, the rule fires only where traffic is inspected after
# decryption. Proxy logs that record the full URL are an alternative place to
# search for the same path - confirm what is available.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199651834633"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245689; rev:1;)
# URI pattern "/" with depth:1 is satisfied by any URI that begins with "/", so
# this is in effect "any GET request whose Host is this address". The same
# address has an ip:port rule for port 80 further down, so one plain-HTTP
# request to it can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.116.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245688; rev:1;)
# Another widely used legitimate host; the same TLS visibility caveat applies,
# and the seven-character path is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raf6ik"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245687; rev:1;)
# ip:port rule: header-only match (destination address and port), limited by
# threshold to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [49.12.116.63] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245685/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245685; rev:1;) alert tcp $HOME_NET any -> [95.217.240.152] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumpdlepipe/pipeprovider0python/3dumpdump/dumpsecure/db6locallow/async9/pipetosql.php"; depth:86; nocase; http.host; content:"195.2.84.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bestopgoespink.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bestopgoespink.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"digestlivepro.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245671; rev:1;) alert tcp $HOME_NET any -> [78.40.117.110] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245673; rev:1;) alert tcp $HOME_NET any -> [78.40.117.169] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245674; rev:1;) alert tcp $HOME_NET any -> [78.40.117.174] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245675; rev:1;) alert tcp $HOME_NET any -> [78.40.117.251] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245676; rev:1;) alert tcp $HOME_NET any -> [85.204.116.126] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245678; rev:1;) alert tcp $HOME_NET any -> [85.204.116.143] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hex.lumosora.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245681; rev:1;) alert tcp $HOME_NET any -> [85.204.116.144] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245680; rev:1;) alert tcp $HOME_NET any -> [93.123.85.121] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245682; rev:1;) alert tcp $HOME_NET any -> [185.196.9.25] 38242 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245683; rev:1;) alert tcp 
$HOME_NET any -> [54.94.118.7] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245667/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245667; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"46.183.223.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245665/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_11; classtype:trojan-activity; sid:91245665; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245663; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245664; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245655/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245655; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245656; rev:1;) alert tcp $HOME_NET any -> [62.113.112.234] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245657; rev:1;) alert tcp $HOME_NET any -> [94.103.85.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1245658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245658; rev:1;) alert tcp $HOME_NET any -> [95.142.45.151] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245659; rev:1;) alert tcp $HOME_NET any -> [193.178.170.114] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245661; rev:1;) alert tcp $HOME_NET any -> [178.20.40.225] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245660; rev:1;) alert tcp $HOME_NET any -> [194.48.250.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245662; rev:1;) alert tcp $HOME_NET any -> [147.45.77.28] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245644; rev:1;) alert tcp $HOME_NET any -> 
[3.124.142.205] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245654; rev:1;)
# NOTE(review): the NjRAT entries in this run reuse the same few destination
# addresses (3.124.142.205, 3.125.102.39, 3.125.209.94, 3.125.223.134,
# 18.158.249.75, 18.192.31.165), most of them on both port 17485 and port 19607.
# That repetition is consistent with shared relay or tunnelling front-ends rather
# than dedicated hosts. This is an assumption; verify ownership on the referenced
# IOC pages before reusing the addresses for blocking.
#
# Each rule matches one address:port pair with no flow or content options, so any
# TCP packet from $HOME_NET to that pair alerts (a connection attempt is enough).
# threshold caps output at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [18.158.249.75] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245653; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245652; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245651; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245650; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245649; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245648; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245647; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245646; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245645; rev:1;)
# Different family and a lower confidence level (75) than the NjRAT run above.
alert tcp $HOME_NET any -> [93.123.85.75] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.158.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245643; rev:1;)
# NOTE(review): in this run the Cobalt Strike label appears only on the ip:port
# entries. The URL entries that follow share the path "/validate/v8.18/84le6psohs"
# across 194.165.16.59, jango-pulse.com and blm-wiki.com, so they look like one
# cluster. The feed's msg does not say so; confirm on the referenced IOC pages.
alert tcp $HOME_NET any -> [194.165.16.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"194.165.16.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245641; rev:1;)
# Domain-type rules: dns_query (legacy spelling of dns.query) with depth equal to
# the name length plus isdataat:!1,relative matches the query name exactly;
# lookups for subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jango-pulse.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"jango-pulse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blm-wiki.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"blm-wiki.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245637; rev:1;)
# NOTE(review): the next rule is `alert tcp` to port 53, so DNS carried over UDP
# to the same address is not covered by it. The two ns*.dice1018.top rules after
# it match only queries for those exact names. If this infrastructure is used for
# DNS-based C2 (not stated in the feed entry; TODO confirm), queries for other
# names under dice1018.top would pass unmatched, and a locally maintained suffix
# match on the parent domain would close that gap.
alert tcp $HOME_NET any -> [38.181.70.201] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.dice1018.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dice1018.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245634; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.62] 44556 (msg:"ThreatFox MooBot botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.222.173.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"www.test9977.tk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245628/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"www.test9977.tk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245627; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245626; rev:1;) alert tcp $HOME_NET any -> [192.3.216.140] 52498 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245625; rev:1;) alert tcp $HOME_NET any -> [141.98.7.12] 1985 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245613; rev:1;) alert tcp $HOME_NET any -> [51.81.0.241] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245612; rev:1;) alert tcp $HOME_NET any -> 
[147.78.103.89] 5958 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245614; rev:1;) alert tcp $HOME_NET any -> [45.125.66.129] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245615; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 42516 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245616; rev:1;) alert tcp $HOME_NET any -> [91.92.251.30] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245617; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245618; rev:1;) alert tcp $HOME_NET any -> [103.67.197.185] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245619/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245619; rev:1;) alert tcp $HOME_NET any -> [45.13.227.12] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245620; rev:1;) alert tcp $HOME_NET any -> [141.98.7.17] 49760 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245621; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245624; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245623; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245622; rev:1;) alert tcp $HOME_NET any -> [49.12.116.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.116.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245610; rev:1;) alert tcp $HOME_NET any -> [82.156.211.202] 1145 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245609; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245607; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245608; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; 
classtype:trojan-activity; sid:91245606; rev:1;)
# NOTE(review): the entries below are confidence_level 50, and several target
# common service ports (80, 443, 995). They use the same action (alert) and
# classtype (trojan-activity) as the 100% entries, and `metadata` is
# informational only: the detection engine does not act on confidence_level.
# A deployment that wants low-confidence hits handled differently has to filter
# on the metadata value (or the msg text) when loading rules or triaging alerts.
# Because the rules have no flow or content options, any TCP packet to the listed
# address:port alerts, so a hit is a lead to corroborate, not proof of infection.
alert tcp $HOME_NET any -> [62.109.20.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245605; rev:1;)
alert tcp $HOME_NET any -> [101.34.222.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245604; rev:1;)
alert tcp $HOME_NET any -> [120.26.243.135] 4545 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245603; rev:1;)
alert tcp $HOME_NET any -> [190.134.52.14] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245602; rev:1;)
alert tcp $HOME_NET any -> [75.173.32.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245601; rev:1;)
alert tcp $HOME_NET any -> [41.98.180.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245600; rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for the rules below (one rule per line).
#
# ip:port rules ("alert tcp ... -> [addr] port"): there is no flow or content
#   keyword, so any TCP packet from $HOME_NET to that address and port matches;
#   "threshold: type limit, track by_src, seconds 60, count 1" caps the output
#   at one alert per source host per minute. The alert shows a connection
#   attempt to the listed endpoint, not a decoded C2 protocol.
# url rules ("alert http"): depth equals the pattern length, so the http.uri
#   pattern is anchored at the start of the URI but has no end anchor (it is a
#   prefix match); the http.host pattern adds "isdataat:!1,relative", so the
#   host must match exactly.
# domain rules ("alert dns"): depth + "isdataat:!1,relative" make the query
#   name an exact, case-insensitive match; subdomains of the name do not match.
# target:src_ip marks the $HOME_NET host as the affected side of the event.
# confidence_level is the feed's own score; treat 50 as a lead to corroborate.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [161.97.141.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245599; rev:1;)
alert tcp $HOME_NET any -> [103.173.255.143] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245576; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.116] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245548; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.204] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzuymgi3mtixowfk/"; depth:18; nocase; http.host; content:"aliatabakastabumerangs.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mexico2020.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245588; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245595; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.12] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245587; rev:1;)
# The next three rules share the URI "/default.php" and differ only in http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"1callalert.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"choiceonesupport.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"criminallawdc.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245596; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245594; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245592; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245593; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245591; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.39] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245590; rev:1;)
alert tcp $HOME_NET any -> [192.3.216.131] 1808 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64yz"; depth:5; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245585; rev:1;)
# umfi.live appears twice: as a DNS query name (sid 91245583) and as the
# http.host of the "/pixel.gif" URL rule (sid 91245582).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umfi.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245583; rev:1;)
alert tcp $HOME_NET any -> [34.216.132.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"umfi.live"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245582; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.138] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aerotable_generate_ai"; depth:22; nocase; http.host; content:"150.107.201.170"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245579; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 49626 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245578; rev:1;)
# URI pattern "/" with depth:1 is satisfied by every request path, so this rule
# fires on any GET whose Host is 193.233.132.204 (the same address as the
# RecordBreaker ip:port rule, sid 91245581, above); expect both to alert together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245577; rev:1;)
alert tcp $HOME_NET any -> [123.99.198.201] 20064 (msg:"ThreatFox Ghost RAT botnet C2 traffic
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245575; rev:1;)
# ---------------------------------------------------------------------------
# Rules below, one per line. Two things to keep in mind when triaging them:
#  * The ip:port rules have no flow or content keyword; they match any TCP
#    packet from $HOME_NET to the listed address/port, limited by the threshold
#    to one alert per source per 60 seconds. Many here carry confidence_level
#    50 and point at common service ports (80, 443, 445, 995), so an alert is a
#    lead to corroborate with other telemetry, not proof of infection.
#  * The url rules with http.uri content "/" and depth:1 match every GET sent
#    to the named host; the exact http.host match is the only real indicator.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [82.197.93.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245574; rev:1;)
alert tcp $HOME_NET any -> [142.171.8.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245573; rev:1;)
# Five host-only URL rules (URI "/"). Three of the hosts (78.46.233.36,
# 49.13.89.149, 95.217.234.153) also have Vidar ip:port rules right after them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.155"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.233.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.89.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.234.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245568; rev:1;)
alert tcp $HOME_NET any -> [95.217.234.153] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245565; rev:1;)
alert tcp $HOME_NET any -> [49.13.89.149] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245566; rev:1;)
alert tcp $HOME_NET any -> [78.46.233.36] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245567; rev:1;)
# confidence_level 50 ip:port rules follow.
alert tcp $HOME_NET any -> [103.163.208.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245564; rev:1;)
alert tcp $HOME_NET any -> [94.198.54.154] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245563; rev:1;)
alert tcp $HOME_NET any -> [72.27.110.218] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245562; rev:1;)
alert tcp $HOME_NET any -> [45.245.103.58] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245561; rev:1;)
alert tcp $HOME_NET any -> [80.75.212.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245560; rev:1;)
alert tcp $HOME_NET any -> [179.60.149.241] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245559; rev:1;)
alert tcp $HOME_NET any -> [66.85.27.144] 24513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245558; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.232] 8226 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245557; rev:1;)
alert tcp $HOME_NET any -> [163.177.79.82] 7443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245556; rev:1;)
alert tcp $HOME_NET any -> [34.126.126.52] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245555; rev:1;)
alert tcp $HOME_NET any -> [88.151.192.114] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245554; rev:1;)
# Same address, two ports (8081 and 31337): one rule per ip:port pair.
alert tcp $HOME_NET any -> [167.71.184.214] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245553; rev:1;)
alert tcp $HOME_NET any -> [167.71.184.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245552; rev:1;)
# The only "payload delivery" rule in this stretch: a GET for a path starting
# with "/mozi.m" on host 113.26.81.251 (the msg differs, the classtype does not).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"113.26.81.251"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245551; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.224] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245550; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.224] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10;
classtype:trojan-activity; sid:91245549; rev:1;)
# ---------------------------------------------------------------------------
# Rules below, one per line.
#  * domain rules: "dns_query; content:...; depth:N; ... isdataat:!1,relative;
#    nocase" matches the query name exactly and case-insensitively. A lookup
#    for a subdomain of a listed name does not match.
#  * url rules: the http.host pattern is an exact match, the http.uri pattern
#    is a prefix match (anchored at the start by depth, no end anchor).
#  * ip:port rules: no flow/content keyword; any TCP packet to the endpoint
#    matches, limited to one alert per source per 60 seconds.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [142.93.140.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245547; rev:1;)
alert tcp $HOME_NET any -> [91.201.40.221] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245546; rev:1;)
alert tcp $HOME_NET any -> [45.132.237.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245545; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.159] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245544; rev:1;)
alert tcp $HOME_NET any -> [138.201.82.227] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245543; rev:1;)
alert tcp $HOME_NET any -> [142.202.240.134] 5555 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octopanel.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245541; rev:1;)
# Seven "ipolastationplasma<N>..." names, each listed as its own exact-match
# rule; a name following the same scheme but absent from the list is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma1bmx.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma2ford.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma3apple.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma4samsung.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma5merc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma7class.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma8pla.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245540; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.123] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245525; rev:1;)
alert tcp $HOME_NET any -> [34.243.217.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245533; rev:1;)
# The next two rules name a single host under execute-api.us-east-1.amazonaws.com.
# Both match the full 46-byte name exactly, so other hosts under that parent
# domain do not trigger them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"69uiu06es5.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"69uiu06es5.execute-api.us-east-1.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"59.110.6.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245529; rev:1;)
alert tcp $HOME_NET any -> [59.110.6.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245528; rev:1;)
alert tcp $HOME_NET any -> [47.76.150.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245527; rev:1;)
# Short URI prefixes such as "/ptj" also match longer paths that begin with
# the same bytes; the exact http.host match keeps the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.76.150.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245526; rev:1;)
alert tcp $HOME_NET any -> [146.19.233.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"146.19.233.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245523; rev:1;)
alert tcp $HOME_NET any -> [120.46.207.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1245522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245522; rev:1;)
# ---------------------------------------------------------------------------
# Rules below, one per line.
#  * url rules: http.host is matched exactly (depth + isdataat:!1,relative);
#    http.uri is a prefix match, so very short prefixes ("/cx", "/ca", "/cm")
#    rely on the host match for specificity.
#  * ip:port rules: no flow/content keyword; any TCP packet to the endpoint
#    matches, limited to one alert per source per 60 seconds.
#  * Some IOCs appear more than once under different sids (noted inline);
#    one request then produces one alert per sid.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245521; rev:1;)
# sid 91245519 and sid 91245517 (three rules further down) have identical
# match conditions; only the reference URL and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/12/29136388_"; depth:45; nocase; http.host; content:"142.171.227.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245519; rev:1;)
alert tcp $HOME_NET any -> [142.171.227.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245520; rev:1;)
alert tcp $HOME_NET any -> [142.171.227.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/12/29136388_"; depth:45; nocase; http.host; content:"142.171.227.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245517; rev:1;)
# Same match conditions ("/ptj" on host 47.76.150.79) as sid 91245526 earlier
# in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.76.150.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245515; rev:1;)
alert tcp $HOME_NET any -> [47.76.150.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83/process8/windowspipe3/trackjs2/2downloads2php/linesecure/serverrequestgeo/better1processor/pipedownloads5/uploadscdn/polllowapiprotectsqlwpdlecentraldownloads.php"; depth:166; nocase; http.host; content:"62.109.7.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.3.123.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245512; rev:1;)
# Two hostnames, each covered by a url rule and a domain rule; the url rules
# share the URI prefix "/_/scs/mail-static/_/js/".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arpa.indiadreamdestinations.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arpa.indiadreamdestinations.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arpa.giodnews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arpa.giodnews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/0ab7ztvql7n68tmodjmicd"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0927657.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245504; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 47077 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245503; rev:1;)
# Same address in a url rule (confidence 75) and an ip:port rule (confidence 100).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtrj"; depth:5; nocase; http.host; content:"23.95.90.77"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245502; rev:1;)
alert tcp $HOME_NET any -> [23.95.90.77] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zakifail.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bae"; depth:5; nocase; http.host; content:"43.153.173.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245477; rev:1;)
alert tcp $HOME_NET any -> [43.248.188.181] 9003 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavsmoked.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245488; rev:1;)
# confidence_level 50 ip:port rules on ports 80 and 443: corroborate before acting.
alert tcp $HOME_NET any -> [94.250.255.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245500; rev:1;)
alert tcp $HOME_NET any -> [184.63.241.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245499; rev:1;)
alert tcp $HOME_NET any -> [149.109.123.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245498/; target:src_ip;
metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245498; rev:1;) alert tcp $HOME_NET any -> [185.130.46.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245497; rev:1;) alert tcp $HOME_NET any -> [45.134.9.140] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245496; rev:1;) alert tcp $HOME_NET any -> [213.109.192.46] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245494/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245494; rev:1;) alert tcp $HOME_NET any -> [5.252.178.5] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stats/save.php"; depth:15; nocase; http.host; content:"ppp-gl.biz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245493; rev:1;) alert tcp $HOME_NET any -> [135.181.10.212] 27222 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245492; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245491; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245490; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245489; rev:1;) alert tcp $HOME_NET any -> [15.235.130.29] 60237 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle4/javascriptrequestsecurecpuserversqlbaseflowerasynccdn.php"; depth:63; nocase; http.host; 
content:"62.109.11.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsjs/gate.php"; depth:14; nocase; http.host; content:"www.techlift.com.my"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245485; rev:1;) alert tcp $HOME_NET any -> [107.172.31.19] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245484; rev:1;) alert tcp $HOME_NET any -> [147.45.40.66] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245483; rev:1;) alert tcp $HOME_NET any -> [5.42.92.73] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245482/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245482; rev:1;) alert tcp $HOME_NET any -> [5.75.213.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245481/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245481; rev:1;) alert tcp $HOME_NET any -> [5.75.213.155] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245480; rev:1;) alert tcp $HOME_NET any -> [45.137.22.252] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245479; rev:1;) alert tcp $HOME_NET any -> [47.100.87.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.100.87.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245475; rev:1;) alert tcp $HOME_NET any -> [95.181.161.144] 443 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245474; rev:1;) alert tcp $HOME_NET any -> 
[141.98.7.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245473; rev:1;)
# ip:port indicators: each rule below matches any TCP packet from $HOME_NET to the
# listed address and port. There is no flow or payload condition; the threshold
# limits output to one alert per source address per 60 seconds.
# NOTE(review): sids 91245472, 91245471 and 91245470 carry confidence_level 50, and
# 91245470 targets port 443. An address-only hit at that level is a lead to
# correlate with host telemetry, not proof of compromise on its own.
alert tcp $HOME_NET any -> [46.246.4.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245472; rev:1;)
alert tcp $HOME_NET any -> [173.249.59.173] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245471; rev:1;)
alert tcp $HOME_NET any -> [172.233.174.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245470; rev:1;)
alert tcp $HOME_NET any -> [217.195.197.48] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.109.106.162"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245467; rev:1;) alert tcp $HOME_NET any -> [213.152.162.15] 53525 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagegeoapimultibaselinuxtracktempuploads.php"; depth:46; nocase; http.host; content:"739668cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245465; rev:1;) alert tcp $HOME_NET any -> [41.103.44.20] 999 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hi.vani.ovh"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245463; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245462/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245462; rev:1;)
# ip:port indicators: each tcp rule below matches any TCP packet from $HOME_NET to the
# listed address and port. There is no flow or payload condition; the threshold
# limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [124.71.130.71] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245461; rev:1;)
alert tcp $HOME_NET any -> [61.63.127.56] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245460; rev:1;)
alert tcp $HOME_NET any -> [195.133.45.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245459; rev:1;)
alert tcp $HOME_NET any -> [180.140.153.148] 30010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245458/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245458; rev:1;)
# NOTE(review): the URI pattern in the next rule is "/" with depth:1, which nearly every
# request path satisfies, so the rule is in effect a GET-to-host match on
# 94.131.106.24 (http.host pinned by depth:13 plus isdataat:!1,relative). Treat a hit
# as host-level evidence only; the URI adds no specificity despite the 100% label.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.131.106.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245457; rev:1;)
alert tcp 
$HOME_NET any -> [103.82.24.193] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245456/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245456; rev:1;) alert tcp $HOME_NET any -> [124.221.98.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245455; rev:1;) alert tcp $HOME_NET any -> [31.192.236.82] 48126 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245454; rev:1;) alert tcp $HOME_NET any -> [167.99.250.80] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245453; rev:1;) alert tcp $HOME_NET any -> [172.104.242.152] 59088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245452; rev:1;) alert tcp $HOME_NET any -> [159.203.25.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245451; rev:1;) alert tcp $HOME_NET any -> [188.119.67.185] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245450; rev:1;) alert tcp $HOME_NET any -> [120.26.222.182] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245449; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245448; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245447; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245446; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1919 (msg:"ThreatFox DarkComet botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245445; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245444/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245444; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245443/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245443; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245442; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245441; rev:1;) alert tcp $HOME_NET any -> [45.133.36.114] 8888 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245440; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245439/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245439; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245438; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245437; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245436; rev:1;) alert tcp $HOME_NET any -> [105.100.63.223] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245435; rev:1;) alert tcp $HOME_NET any -> [69.30.232.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245434; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245433/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245433; rev:1;) alert tcp $HOME_NET any -> [103.5.210.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245432/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245432; rev:1;) alert tcp $HOME_NET any -> [147.45.47.80] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245431; rev:1;) alert tcp $HOME_NET any -> [193.233.132.148] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245430/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245430; rev:1;) alert tcp $HOME_NET any -> [95.216.41.236] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245429/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245429; rev:1;) alert tcp $HOME_NET any -> [193.233.132.127] 8081 (msg:"ThreatFox RisePro 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245428/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245428; rev:1;) alert tcp $HOME_NET any -> [89.23.99.219] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245427/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245427; rev:1;) alert tcp $HOME_NET any -> [154.243.121.19] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245426/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245426; rev:1;) alert tcp $HOME_NET any -> [103.155.214.203] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245425; rev:1;) alert tcp $HOME_NET any -> [146.0.79.19] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245424/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245424; rev:1;) alert tcp $HOME_NET any -> [116.202.4.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245423; rev:1;) alert tcp $HOME_NET any -> [116.202.4.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245422; rev:1;) alert tcp $HOME_NET any -> [195.201.131.130] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245421; rev:1;) alert tcp $HOME_NET any -> [115.74.30.127] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245420/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245420; rev:1;) alert tcp $HOME_NET any -> [202.134.56.2] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245419; rev:1;) alert tcp $HOME_NET any -> [37.114.37.177] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245418; rev:1;) alert tcp $HOME_NET any -> [147.124.223.16] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245417; rev:1;)
# Reading the rules below:
# - "alert tcp ... [ip] port" (ip:port indicators) carry no flow or content
#   keywords, so any TCP packet from $HOME_NET to that address and port matches;
#   threshold type limit / track by_src caps this at one alert per source host
#   per 60 seconds. A hit shows a connection attempt, not a confirmed C2 session,
#   so weigh it by confidence_level and first_seen.
# - "alert http" (url indicators) anchor http.uri at the start only (depth equals
#   the string length and there is no end-of-buffer check), so any request URI
#   that begins with the string matches; http.host must equal the listed value
#   exactly (depth plus isdataat:!1,relative). These rules only see HTTP that
#   Suricata can parse in cleartext.
# - target:src_ip marks the $HOME_NET endpoint as the affected host in the alert.
alert tcp $HOME_NET any -> [171.41.198.240] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245416; rev:1;)
alert tcp $HOME_NET any -> [95.165.99.74] 8443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245415; rev:1;)
alert tcp $HOME_NET any -> [179.14.8.182] 6606 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245414; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.18] 2121 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245413; rev:1;)
alert tcp $HOME_NET any -> [65.1.107.60] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245412; rev:1;)
alert tcp $HOME_NET any -> [178.63.148.180] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245411/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.180.192.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.94.241.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"45.74.36.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"154.3.1.95"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245404; rev:1;)
# NOTE(review): sid 91245402 below has the same match keywords as sid 91245405
# above (same URI prefix and Host value); they differ only in the ThreatFox
# reference and sid, so one request raises both alerts. A cleartext request to
# that host on port 80 would additionally match the ip:port rule sid 91245403.
# Deduplicate on the destination when counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"45.74.36.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245402; rev:1;)
alert tcp $HOME_NET any -> [45.74.36.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"139.180.192.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.101.181.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245398/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_09; classtype:trojan-activity; sid:91245398; rev:1;)
# Payload-delivery url rules for two .apk paths, repeated once per Host value
# because http.host is matched exactly (depth plus isdataat:!1,relative).
# http.uri is anchored at the start only, so any request URI beginning with the
# listed path matches. These rules need HTTP that Suricata can parse in
# cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"www.87-119-220-245.cprapid.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"87.119.220.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"fzmovies.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"fzmovies.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"www.87-119-220-245.cprapid.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"www.fzmovies.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"www.fzmovies.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"mail.87-119-220-245.cprapid.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"mail.87-119-220-245.cprapid.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245381; rev:1;)
# ip:port rule: no flow or content keywords, so any TCP packet from $HOME_NET to
# this address and port matches, limited by the threshold to one alert per
# source host per 60 seconds.
alert tcp $HOME_NET any -> [87.119.220.245] 4456 (msg:"ThreatFox AhMyth botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"87.119.220.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245389; rev:1;)
# dns rules: dns_query content with depth equal to the name length,
# isdataat:!1,relative and nocase matches the full query name
# case-insensitively; a name that is not listed, including any other subdomain,
# does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.87-119-220-245.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245394; rev:1;)
# TLS traffic to port 443 is not parsed by the alert http rules above; this
# ip:port rule and the dns rules are what would surface it.
alert tcp $HOME_NET any -> [87.119.220.245] 443 (msg:"ThreatFox AhMyth payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.fzmovies.space"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fzmovies.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.87-119-220-245.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.bestresulttostart.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"find.bestresulttostart.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"follow.bestresulttostart.com"; depth:28; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245376; rev:1;)
# dns rules: each matches one exact query name, case-insensitively (depth equals
# the name length, isdataat:!1,relative, nocase). bestresulttostart.com is
# covered as the apex plus individually listed subdomains; any other label under
# it does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"point.bestresulttostart.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"right.bestresulttostart.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.cloudsonicwave.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttincoming.traveltraffic.cc"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestresulttostart.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scripts.bestresulttostart.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtwo2ht.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shop.klnein9ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.klone1vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245343; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET
# to the listed address and port matches; the threshold caps alerts at one per
# source host per 60 seconds.
# NOTE(review): the NjRAT entries below carry confidence_level 75 and match on
# address and port alone; check the ThreatFox reference before treating a hit
# as an infection, since an address-only indicator can outlive the malicious
# use of the host.
alert tcp $HOME_NET any -> [3.66.38.117] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245349; rev:1;)
alert tcp $HOME_NET any -> [3.69.157.220] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245350; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 313 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245358; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245359; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245360; rev:1;)
alert tcp $HOME_NET any -> [35.158.159.254] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245361; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.44] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245035; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245037; rev:1;)
# 91.92.246.100 is listed on three ports under three sids; the threshold is
# tracked per rule, so one source host contacting all three can raise up to
# three alerts per 60 seconds for the same destination.
alert tcp $HOME_NET any -> [91.92.246.100] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245038; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245039; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245040; rev:1;)
alert tcp $HOME_NET any -> [193.149.129.251] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"scambaiter11.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245047; rev:1;)
# Reading the rules below:
# - "alert tcp ... [ip] port" (ip:port indicators) carry no flow or content
#   keywords, so any TCP packet from $HOME_NET to that address and port matches;
#   the threshold caps alerts at one per source host per 60 seconds.
# - "alert http" (url indicators) anchor http.uri at the start only, so any
#   request URI beginning with the listed string matches, while http.host must
#   equal the listed value exactly. They only see HTTP parsed in cleartext.
# - "alert dns" rules match one exact query name, case-insensitively; other
#   names under the same parent zone do not alert.
alert tcp $HOME_NET any -> [37.120.141.139] 1113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trs_async.exe"; depth:14; nocase; http.host; content:"91.92.254.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trscentral.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245050; rev:1;)
alert tcp $HOME_NET any -> [194.9.172.135] 7730 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245033; rev:1;)
alert tcp $HOME_NET any -> [103.153.69.114] 43046 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245031; rev:1;)
# NOTE(review): 45.9.74.12 appears both as an ip:port rule on port 80
# (sid 91245029) and as the Host value of the /server.php url rule
# (sid 91245028); a cleartext request to that URI on port 80 would raise both,
# so deduplicate on the destination when counting incidents.
alert tcp $HOME_NET any -> [45.9.74.12] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"45.9.74.12"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245028; rev:1;)
# The next two entries (Mirai ip:port and its cnc domain) are confidence_level
# 75, as are the NjRAT ip:port entries further down; triage those hits with
# more caution than the confidence_level 100 entries.
alert tcp $HOME_NET any -> [91.92.241.220] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.pr333.ggm.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"start.apistatexperience.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245011; rev:1;)
alert tcp $HOME_NET any -> [18.229.248.167] 19606 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.startservicefounds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.startservicefounds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245010; rev:1;)
alert tcp $HOME_NET any -> [18.231.93.153] 19606 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245007; rev:1;)
alert tcp $HOME_NET any -> [171.228.226.103] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244982; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.154] 1370 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244985; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.213] 1289 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244986/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_09; classtype:trojan-activity; sid:91244986; rev:1;) alert tcp $HOME_NET any -> [91.92.247.229] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244988; rev:1;) alert tcp $HOME_NET any -> [91.92.246.211] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244987; rev:1;) alert tcp $HOME_NET any -> [94.156.69.14] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244989; rev:1;) alert tcp $HOME_NET any -> [78.40.117.219] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244990; rev:1;) alert tcp $HOME_NET any -> [85.204.116.143] 1296 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244991; rev:1;) alert tcp $HOME_NET any -> [85.204.116.144] 1284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244992; rev:1;) alert tcp $HOME_NET any -> [85.204.116.139] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244993; rev:1;) alert tcp $HOME_NET any -> [85.204.116.124] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244994; rev:1;) alert tcp $HOME_NET any -> [85.204.116.126] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244995; rev:1;) alert tcp $HOME_NET any -> [85.204.116.131] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244996; rev:1;) alert tcp $HOME_NET any -> [45.95.147.168] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91244997; rev:1;)
# URL indicators (alert http): client-to-server GET on an established flow. The
# http.uri content with depth equal to its own length pins the string to the start of
# the URI, but nothing requires the URI to end there, so longer paths with the same
# prefix also match. The http.host content adds isdataat:!1,relative, so the host must
# equal the listed value exactly. nocase applies to the URI content only.
# 164.92.116.94 appears twice: as an ip:port rule on 443 labelled Cobalt Strike
# (sid 91245368) and as the HTTP host for /__utm.gif (sid 91245367).
# NOTE(review): the http rules need parsed cleartext HTTP; on an encrypted session
# presumably only the ip:port rule can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/styles.html"; depth:12; nocase; http.host; content:"38.27.163.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245369; rev:1;)
alert tcp $HOME_NET any -> [164.92.116.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"164.92.116.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245367; rev:1;)
alert tcp $HOME_NET any -> [172.86.101.115] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245366; rev:1;)
# Three-byte URI prefix: any GET to this host whose URI begins with /ca matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245365; rev:1;)
# URL indicators: GET with the listed URI prefix (depth equals the content length,
# matched case-insensitively) to exactly the listed Host value. These rules carry no
# threshold keyword, so every matching request alerts. The msg names no malware family;
# attribution has to come from the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovacamoke.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2istanbullu2586.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244910; rev:1;)
# The URI pattern is stored in lower case and matched with nocase, so the case of the
# path as it appears on the wire cannot be recovered from this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/aftdjdu0uppzualdkjdqndbzxabxckbtm6h8zreo1wi15htkq0"; depth:55; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245363; rev:1;)
# Domain indicator: dns_query content with depth equal to the name length plus
# isdataat:!1,relative requires the queried name to equal the listed domain, so a
# subdomain or a longer name does not match. No threshold: every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet7.vani.ovh"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245362; rev:1;)
# ip:port indicators at confidence_level 50 on port 80. The match is destination
# address and port only, with no protocol or payload condition.
# NOTE(review): presumably prone to false positives if an address also serves
# unrelated sites; treat a hit as a lead to corroborate with host or proxy data.
alert tcp $HOME_NET any -> [185.246.64.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245357; rev:1;)
alert tcp $HOME_NET any -> [178.128.122.145] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245356; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245355; rev:1;)
alert tcp $HOME_NET any -> [91.202.233.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245354; rev:1;)
alert tcp $HOME_NET any -> [103.94.185.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245353; rev:1;)
# ip:port indicators; the family label comes from the msg text. The two port-443 rules
# are confidence_level 50 and match on address and port alone.
# NOTE(review): corroborate a hit (TLS metadata, endpoint telemetry) before treating
# it as confirmed C2.
alert tcp $HOME_NET any -> [154.17.15.207] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245352; rev:1;)
alert tcp $HOME_NET any -> [157.230.247.198] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245351; rev:1;)
alert tcp $HOME_NET any -> [217.195.207.156] 47721 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245348; rev:1;)
# The URI condition is the single byte "/" at offset 0, which any path-style request
# URI satisfies; in effect this alerts on every GET whose Host is 195.20.16.127.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245347; rev:1;)
alert tcp $HOME_NET any -> [107.175.28.248] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245346/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245346; rev:1;)
# From here on the metadata first_seen value is 2024_03_08.
# URL indicator: GET whose URI starts with /visit.js and whose Host equals the listed
# address exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"118.178.231.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245345; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.61] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245344; rev:1;)
# Domain indicators under .top: exact-name match on the DNS query (depth equals the
# name length, isdataat:!1,relative forbids trailing bytes), case-insensitive, and no
# threshold.
# NOTE(review): where clients resolve through an internal forwarder, the $HOME_NET
# source recorded by target:src_ip may be the resolver rather than the querying host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245333; rev:1;)
# Domain indicators under .top, one rule per name. dns_query is the older spelling of
# the DNS query sticky buffer. Each rule matches only when the whole queried name
# equals the content string (depth equals its length, isdataat:!1,relative).
# NOTE(review): the names look machine-generated (number word plus digit); presumably
# one campaign, but the msg gives no family, so confirm through the reference URLs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"qgtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245339; rev:1;)
# Exact-name DNS indicators (.top). fast_pattern marks the domain string as the
# prefilter pattern; nocase makes the comparison case-insensitive. There is no
# threshold keyword, so repeated lookups of one name produce repeated alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkhirteen13pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkleven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jknein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245320; rev:1;)
# Exact-name DNS indicators (.top), confidence_level 100, first_seen 2024_03_08.
# The alert fires on the query leaving $HOME_NET; it says a host asked for the name,
# not that a connection to the resolved address followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245325; rev:1;)
# Exact-name DNS indicators (.top). depth is set to the byte length of each name
# (17 for klhirteen13pn.top, 15 for the klleven11* names, 13 for klnein9ht.top), which
# together with isdataat:!1,relative excludes subdomains and longer names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klhirteen13pn.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"gkone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245301; rev:1;)
# Exact-name DNS indicators (.top) with the gk* prefix. Each rule covers one fully
# specified name; sibling names that differ in the two-letter suffix each need their
# own rule, as the gkone1* and gkseven7* entries here show.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245306; rev:1;)
# Exact-name DNS indicators (.top). Direction is $HOME_NET to $EXTERNAL_NET, so only
# queries sent from internal addresses to external servers are inspected.
# NOTE(review): lookups answered by an in-network resolver would be seen only on the
# resolver's own upstream query; confirm sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245311; rev:1;)
# Exact-name DNS indicators (.top): gk* and jk* names. The query must equal the
# content string in full (depth equals the name length, no trailing data allowed);
# the comparison is case-insensitive and unthrottled.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gktwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gktwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkeight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"gjthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245286; rev:1;)
# Exact-name DNS indicators (.top): gj* and gk* names. The sid is the ThreatFox IOC id
# from the reference URL with a leading 9, so an alert's signature id maps back to one
# IOC entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjtwo2two.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkeith8sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245291/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245291; rev:1;)
# Exact-name DNS indicators (.top) with the gk* prefix. classtype trojan-activity and
# confidence_level 100 are the same on every rule, so they do not help rank alerts
# within this set.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkhirteen13vs.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245296; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245297; rev:1;)
# Exact-name DNS indicators (.top): gk* and gj* names. The rule matches the query
# name only; it does not inspect the answer, so it cannot tell whether the name still
# resolves.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gknein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gknein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"gjfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245272; rev:1;)
# Exact-name DNS indicators (.top): gjfive5* names that differ only in the two-letter
# suffix (sb, sr, vs, vt). Each suffix has its own rule because the match is on the
# full name, not on a shared prefix.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245277/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245277; rev:1;)
# Exact-name DNS indicators (.top) with the gj* prefix. With no threshold on these
# rules, a host that retries a lookup produces one alert per query.
# NOTE(review): consider aggregating by source and name downstream rather than
# suppressing the rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245282; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245270; rev:1;) alert tcp $HOME_NET any -> [186.169.53.81] 2025 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245269; rev:1;) alert tcp $HOME_NET any -> [118.178.231.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.41.101.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdsix6pn.top"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwelve12vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245263/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_08; classtype:trojan-activity; sid:91245263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzseven7vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzthre3vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzztwo2vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfifteen15ht.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfifteen15vt.top"; depth:17; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1245248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"kznine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kztvelwe12ht.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kztwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzeight8vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzfive5vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3s.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"kzeigtht8sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzeleven11ht.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourteen14ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vz.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kllnein9pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"kltvelwe12sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245187; rev:1;)
# ThreatFox domain IOCs, one Suricata signature per line.
# Each rule alerts on DNS traffic from $HOME_NET to $EXTERNAL_NET whose query name equals
# the listed domain: `content` with `depth` set to the domain's length, followed by
# `isdataat:!1,relative`, anchors both ends of the name, and `nocase` ignores case.
# A query for a subdomain of a listed name therefore does not match.
# `target:src_ip` records the querying host as the alert target. The sid is 91000000 plus
# the ThreatFox IOC id in the `reference` URL; the msg names no malware family, so the
# reference page is where attribution has to be looked up.
# NOTE(review): if clients resolve through an internal recursive resolver inside $HOME_NET,
# the src_ip on these alerts may be the resolver rather than the infected host -- confirm
# sensor placement, or correlate hits with resolver query logs.
# NOTE(review): `dns_query` is the legacy spelling of the `dns.query` sticky buffer, while
# the HTTP rules at the top of this file use the `http.*` sticky buffers.
# NOTE(review): every entry below has first_seen 2024_03_08 and the file header is dated
# 2024-07-26; confirm the domains are still live indicators before treating a hit as
# high confidence.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveigth8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthirteen13pn.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbtwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kceight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kctwelve12pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kllfourt14pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11sb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthree3ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthree3vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfourteen14sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbnine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbnine9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthree3sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeleven11sb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfifteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfifteen15sb.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdsix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"bdeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245077; rev:1;)
# URL IOC expressed as an HTTP rule (client-to-server, established flow).
# - http.method: content "GET" with no depth.
# - http.uri: depth equals the content length, so the path is pinned to the start of the
#   URI but not to its end; a longer URI that begins with this path also matches.
# - http.host: depth equals the content length and isdataat:!1,relative allows nothing
#   after it, i.e. an exact Host match. There is no nocase here; Suricata normalizes the
#   http.host buffer to lowercase.
# The rule has no threshold keyword, so it can alert on every matching request.
# NOTE(review): this inspects HTTP the sensor can parse; the same URL requested over TLS
# is not visible to it unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"sajdfue.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245070; rev:1;)
# ip:port IOCs. These rules have no flow and no content condition: the only criteria are a
# TCP packet from $HOME_NET to the listed address and port, so a connection attempt alone
# presumably alerts. threshold "type limit, track by_src, seconds 60, count 1" caps each
# rule at one alert per source address per 60 seconds.
# NOTE(review): metadata confidence_level is 100 for the first entry and 50 for the rest.
# An address-only match on a common port such as 80 cannot tell the listed service apart
# from anything else hosted at that address, so treat a 50% hit as a lead to correlate
# with host telemetry. first_seen is the only date carried; nothing in a rule ages it out.
alert tcp $HOME_NET any -> [91.92.242.50] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245069; rev:1;)
alert tcp $HOME_NET any -> [198.44.178.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245068; rev:1;)
alert tcp $HOME_NET any -> [124.220.200.241] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245067; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245066; rev:1;) alert tcp $HOME_NET any -> [46.246.80.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245065; rev:1;) alert tcp $HOME_NET any -> [39.40.181.3] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245064; rev:1;) alert tcp $HOME_NET any -> [2.50.45.90] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245063; rev:1;) alert tcp $HOME_NET any -> [70.31.125.235] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245062; rev:1;) alert tcp $HOME_NET any -> [72.27.136.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245061; rev:1;) alert tcp $HOME_NET any -> [76.142.23.238] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245060/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245060; rev:1;) alert tcp $HOME_NET any -> [188.119.66.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245059; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245058; rev:1;) alert tcp $HOME_NET any -> [159.69.207.158] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245057; rev:1;) alert tcp $HOME_NET any -> [94.232.45.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245056; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 5295 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245055; rev:1;) alert tcp $HOME_NET any -> [162.252.175.153] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245054; rev:1;) alert tcp $HOME_NET any -> [62.182.84.172] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245053; rev:1;) alert tcp $HOME_NET any -> [43.198.251.145] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245052; rev:1;) alert tcp $HOME_NET any -> [113.190.198.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245051; rev:1;) alert tcp $HOME_NET any -> [185.11.61.171] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245045; rev:1;) alert tcp $HOME_NET any -> [185.11.61.172] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245046; rev:1;) alert tcp $HOME_NET 
any -> [185.11.61.169] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245043; rev:1;)
# ip:port IOCs: header-only TCP matches (no flow, no content), limited by the threshold to
# one alert per source address per 60 seconds per rule. On port 443 the rule sees only the
# address and port; nothing about the TLS session is inspected.
alert tcp $HOME_NET any -> [185.11.61.170] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245044; rev:1;)
alert tcp $HOME_NET any -> [185.255.114.104] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245041; rev:1;)
alert tcp $HOME_NET any -> [65.108.20.239] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245036; rev:1;)
# NOTE(review): the next rule is "alert tcp" on port 53, so it matches TCP to that address
# only; DNS carried over UDP to the same address falls outside its header match. If this
# IOC denotes a DNS-based listener (not stated in the rule), confirm UDP/53 is covered.
alert tcp $HOME_NET any -> [20.104.183.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245025; rev:1;)
# Domain IOCs under prdcdn.com. Each rule matches one fully qualified name exactly
# (depth equals the content length, isdataat:!1,relative forbids trailing data, nocase).
# Only these four host names are listed here; the bare prdcdn.com and any other label
# under it do not match any of these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsrv.prdcdn.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.prdcdn.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.prdcdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citrix.prdcdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245022; rev:1;)
# The same address appears twice below: once as an ip:port rule and once as the Host of a
# URL rule. Both can fire for one request. The tcp rule is rate-limited by its threshold;
# the http rule has no threshold and can alert per matching request, so deduplicate on the
# destination address when counting affected hosts.
# The URI in the http rule is an ordinary-looking library file name; what makes the rule
# specific is the exact http.host match on the IP literal. A request that reaches the same
# server with a domain name in the Host header does not match the http rule (the tcp rule
# still covers the address).
alert tcp $HOME_NET any -> [103.253.146.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.253.146.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245019/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245019; rev:1;) alert tcp $HOME_NET any -> [3.108.192.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.108.192.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.204.251.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"165.154.131.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245015; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1245014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"128.199.71.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245012; rev:1;) alert tcp $HOME_NET any -> [137.184.117.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"137.184.117.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.200.164.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"60.28.220.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; 
content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/hu9v3jmvtlysh83svxuafwgzv7c-wfwox8h9z"; depth:42; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244999; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"vip.z886888.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip.z886888.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244984; rev:1;) alert tcp $HOME_NET any -> [188.120.225.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244981; rev:1;) alert tcp $HOME_NET any -> [142.171.226.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244980; rev:1;) alert tcp $HOME_NET any -> [81.19.140.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244979; rev:1;) alert tcp $HOME_NET any -> [142.11.199.59] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244978; rev:1;) alert tcp $HOME_NET any -> [95.181.173.126] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244977; rev:1;) alert tcp $HOME_NET any -> [23.224.144.50] 20300 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91244976; rev:1;)
# ip:port IOCs, all at confidence_level 50. Each rule is a header-only TCP match (no flow,
# no content) capped by its threshold at one alert per source address per 60 seconds.
# Most entries here use port 443 or 80, where the rule cannot distinguish the listed
# service from any other traffic to that address.
# NOTE(review): the msg text follows one template ("<family> botnet C2 traffic") for every
# family, so read the family name and the confidence_level rather than the wording, and
# corroborate a hit with endpoint or proxy data before treating the host as compromised.
alert tcp $HOME_NET any -> [151.30.227.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244975; rev:1;)
alert tcp $HOME_NET any -> [2.88.130.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244974; rev:1;)
alert tcp $HOME_NET any -> [41.99.0.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244973; rev:1;)
alert tcp $HOME_NET any -> [72.27.99.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244972; rev:1;)
# "alert tcp" on port 53: TCP only; UDP to the same address and port is not matched.
alert tcp $HOME_NET any -> [45.136.15.139] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244971; rev:1;)
# NOTE(review): the two port-445 entries alert when a $HOME_NET host sends TCP to an
# external address on the SMB port. During triage, check whether egress on 445 is blocked
# at the perimeter and whether the host went on to authenticate to that address.
alert tcp $HOME_NET any -> [40.124.181.17] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244970; rev:1;)
alert tcp $HOME_NET any -> [37.35.109.128] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244969; rev:1;)
alert tcp $HOME_NET any -> [129.159.131.26] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244968; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.208] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244967; rev:1;)
alert tcp $HOME_NET any -> [139.162.36.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244966; rev:1;)
alert tcp $HOME_NET any -> [194.124.33.109] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244965; rev:1;)
alert tcp $HOME_NET any -> [194.124.33.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244964; rev:1;) alert tcp $HOME_NET any -> [37.1.214.247] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244963; rev:1;) alert tcp $HOME_NET any -> [37.1.214.6] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244962; rev:1;) alert tcp $HOME_NET any -> [115.85.46.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244961; rev:1;) alert tcp $HOME_NET any -> [194.163.169.13] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244960; rev:1;) alert tcp $HOME_NET any -> [46.8.221.19] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244959; 
rev:1;) alert tcp $HOME_NET any -> [46.8.221.19] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244958; rev:1;) alert tcp $HOME_NET any -> [80.77.23.52] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244951; rev:1;) alert tcp $HOME_NET any -> [91.240.202.234] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244952; rev:1;) alert tcp $HOME_NET any -> [94.247.42.247] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244953; rev:1;) alert tcp $HOME_NET any -> [167.88.162.223] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244954; rev:1;) alert tcp $HOME_NET any -> [167.88.162.241] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244955/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244955; rev:1;) alert tcp $HOME_NET any -> [172.86.70.28] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244956/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244956; rev:1;) alert tcp $HOME_NET any -> [185.212.44.92] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244957; rev:1;) alert tcp $HOME_NET any -> [45.11.180.28] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244948; rev:1;) alert tcp $HOME_NET any -> [45.61.152.227] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244949; rev:1;) alert tcp $HOME_NET any -> [45.155.250.207] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244950/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"peacecheese.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244938; rev:1;)
# Domain rules: depth equals the length of the content string, and
# isdataat:!1,relative requires that no data follows the match, so the
# dns_query buffer must equal the listed name exactly. nocase makes the
# comparison case-insensitive.
# A query for a subdomain of a listed name (for example with a "www." label
# in front) does not match. The rules shown here do not cover that case; if
# subdomain lookups matter, add a separate suffix-match rule in a local
# rules file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pipelinning.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pixgraphie.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"redactweb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sdlsd.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shinemarksystems.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244943/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sms-atc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strokestownlearningzone.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thebestoftenerife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244946/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thesolutionmatrix.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a1photoprinting.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244911; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"americanhomeservicesllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anambrabasiceducation.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"audiolabelectronics.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b2bsupermarkets.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b2bturkishtextile.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"chryatech.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cmfgsi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"colortreeva.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"computerfeuerwehr.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crabonchips.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cristinastanciu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"daffigallery.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dallassutherland.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"detectiveman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"etsprayfoam.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"freeautotalk.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91244927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"happeelearning.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hostel99.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insproscp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jobmalta.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kingtonyamerica.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"mello-roos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"michaelcaneconsultants.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mowilderness.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mtgimports.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"netdognetworks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/imagevmjspacketupdategamebigloadtraffictestdatalife.php"; depth:56; nocase; http.host; content:"icanzuo.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244907; rev:1;)
# URL rules: each rule matches a GET request on an established
# client-to-server flow. http.uri must start with the listed path: depth
# equals the content length and nothing anchors the end, so a longer URI
# (for example one carrying a query string) also matches. http.host must
# equal the listed host exactly (depth plus isdataat:!1,relative).
# Only GET is matched; a request to the same URL with another method does
# not alert. The rules inspect parsed HTTP, so a request carried inside TLS
# is not seen unless it is decrypted before it reaches the sensor.
# NOTE(review): the /wp-content/themes/ paths look like files placed on
# WordPress sites, so these hosts are presumably compromised legitimate
# sites -- confirm on the ThreatFox entry before blocking the whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/u7koxg.php"; depth:47; nocase; http.host; content:"www.nsglamour.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/tlsgvu.php"; depth:42; nocase; http.host; content:"mrs-batiment.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/ifzgav.php"; depth:45; nocase; http.host; content:"wxgrant.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/themes/twentytwentyfour/iaawld.php"; depth:46; nocase; http.host; content:"criaturafantastica.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244903; rev:1;) alert tcp $HOME_NET any -> [80.87.192.43] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244902; rev:1;) alert tcp $HOME_NET any -> [45.84.226.86] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244901; rev:1;) alert tcp $HOME_NET any -> [167.71.91.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244900; rev:1;) alert tcp $HOME_NET any -> [119.45.162.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244899; rev:1;) alert tcp $HOME_NET any -> [46.246.86.9] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244898/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244898; rev:1;) alert tcp $HOME_NET any -> [189.140.59.81] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244897; rev:1;) alert tcp $HOME_NET any -> [159.235.7.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244896; rev:1;) alert tcp $HOME_NET any -> [70.31.125.31] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244895; rev:1;) alert tcp $HOME_NET any -> [47.236.84.82] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244893; rev:1;) alert tcp $HOME_NET any -> [47.236.84.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244894; rev:1;) alert tcp $HOME_NET any -> [174.138.6.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244892; rev:1;) alert tcp $HOME_NET any -> [20.127.230.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244891; rev:1;) alert tcp $HOME_NET any -> [38.180.91.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244890; rev:1;) alert tcp $HOME_NET any -> [95.179.189.177] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244889; rev:1;) alert tcp $HOME_NET any -> [185.196.11.148] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244888; rev:1;) alert tcp $HOME_NET any -> [104.238.35.20] 16655 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244887; rev:1;) alert tcp $HOME_NET any -> [47.98.126.140] 10004 (msg:"ThreatFox Deimos 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244886; rev:1;) alert tcp $HOME_NET any -> [37.1.208.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244885; rev:1;) alert tcp $HOME_NET any -> [170.187.232.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244884/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244884; rev:1;) alert tcp $HOME_NET any -> [35.233.38.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244883/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244883; rev:1;) alert tcp $HOME_NET any -> [103.193.176.76] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244882; rev:1;) alert tcp $HOME_NET any -> [103.193.176.76] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244881/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_07; classtype:trojan-activity; sid:91244881; rev:1;)
# Rules generated from ThreatFox IOCs (one IOC per rule, see reference:url). Three shapes occur below:
#  - ip:port (alert tcp ... -> [IP] PORT): no flow or content keywords, so a hit means only that a
#    host in $HOME_NET sent a TCP packet to that address and port; it does not show that a C2
#    session was established. threshold limits output to one alert per source per 60 seconds.
#  - url (alert http): client GET requests whose http.uri begins with the listed path (depth anchors
#    the start, nothing anchors the end, nocase) and whose http.host equals the listed value
#    (depth plus isdataat:!1,relative). Short paths are prefixes: content:"/ca" also matches a
#    longer URI such as /cart (constructed example) on the same host.
#  - domain (alert dns): dns_query equal to the listed name (depth plus isdataat:!1,relative,
#    nocase); a query for a subdomain of that name does not match.
# confidence_level in metadata repeats the value in msg; hits on 50% or 75% rules are worth
# corroborating with other evidence before a host is treated as compromised.
alert tcp $HOME_NET any -> [142.93.131.96] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244880; rev:1;)
alert tcp $HOME_NET any -> [142.93.131.96] 43555 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/8ub8qyhvfkehhmfr4dgcou1vlkki6dw1ssuj3l6p7si3omdean"; depth:55; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244878; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.203] 37942 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244877; rev:1;)
alert tcp $HOME_NET any -> [172.93.160.2] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonrequestpollbaseasyncgeneratorwpdlepublic.php"; depth:58; nocase; http.host; content:"421820cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"muagol.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"selevkis.app"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/view/stylesheet/50k.png"; depth:30; nocase; http.host; content:"988skins.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244872; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244871; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2wpcdn/multi/88/bigload/sql8defaultlow/httprequestprotonbigload/api7voiddbdatalife/publicjavascripttemp5/videobigloadmultidefaultwindowswordpresspublictemporary.php"; depth:165; nocase; http.host; content:"86.110.194.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244869; rev:1;)
alert tcp $HOME_NET any -> [194.116.173.25] 6519 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows11.loseyourip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244849; rev:1;)
# Destination port 53 over TCP only: this rule does not inspect UDP traffic to the same address.
alert tcp $HOME_NET any -> [124.221.133.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.bwork.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244865; rev:1;)
alert tcp $HOME_NET any -> [20.121.128.235] 4876 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244864/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244864; rev:1;)
alert tcp $HOME_NET any -> [20.121.128.235] 4845 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244863/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244863; rev:1;)
alert tcp $HOME_NET any -> [20.121.128.235] 4834 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244862; rev:1;)
alert tcp $HOME_NET any -> [20.121.128.235] 4674 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244861; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"83.97.20.141"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/s25fogl"; depth:15; nocase; http.host; content:"static.chat5188.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.38.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"83.97.20.141"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244853; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244854; rev:1;)
alert tcp $HOME_NET any -> [47.243.108.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.chat5188.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244851; rev:1;)
# Same match conditions as sid:91244857 above (different ThreatFox IOC id); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/s25fogl"; depth:15; nocase; http.host; content:"static.chat5188.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securecloudmanage.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oneblackwood.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buygreenstudio.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupbuss.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"topgamecheats.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galaxybotnet.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.shakeit.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.freetube.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244842; rev:1;)
alert tcp $HOME_NET any -> [95.217.142.46] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"121.41.107.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.84.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks777.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-socks777.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244831; rev:1;)
# Same match conditions as sid:91244832 above (different ThreatFox IOC id); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks777.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.69.242.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.cloudflarecache.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/5gn1hb9coo2yjr2gfysvdjro2gm1e9rk"; depth:50; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244819; rev:1;)
# Same match conditions as sid:91244819 above (different ThreatFox IOC id); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/5gn1hb9coo2yjr2gfysvdjro2gm1e9rk"; depth:50; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jj.jpg"; depth:7; nocase; http.host; content:"91.92.254.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/index.php"; depth:19; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.14.30.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livinglearning.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"livinglearning.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244815; rev:1;)
alert tcp $HOME_NET any -> [185.14.30.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244812; rev:1;)
alert tcp $HOME_NET any -> [139.84.139.29] 5273 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244798; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 10058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244800; rev:1;)
alert tcp $HOME_NET any -> [3.127.181.115] 10058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244801; rev:1;)
alert tcp $HOME_NET any -> [193.124.205.30] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244803; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.119] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244804; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.226] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244805; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.21] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244806; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.30] 420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244807; rev:1;)
alert tcp $HOME_NET any -> [78.40.117.36] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244808; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.2] 1 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244809; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.231] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244810; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.119] 1234 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244811; rev:1;)
alert tcp $HOME_NET any -> [191.88.249.10] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0927241.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244799; rev:1;)
# first_seen changes to 2024_03_06 from this rule on.
alert tcp $HOME_NET any -> [1.94.52.236] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xunleicloud.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244795; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244790; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244791; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.5] 8090 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244792; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.18] 1981 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rverde.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244794/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244794; rev:1;)
alert tcp $HOME_NET any -> [45.84.0.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"45.84.0.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244788; rev:1;)
alert tcp $HOME_NET any -> [170.130.165.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopmoneyweb.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"shopmoneyweb.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244784; rev:1;)
alert tcp $HOME_NET any -> [45.84.0.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244783; rev:1;)
# Same match conditions as sid:91244788 above (different ThreatFox IOC id); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"45.84.0.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"194.165.16.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244780; rev:1;)
alert tcp $HOME_NET any -> [194.165.16.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks.expert"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244779; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244778; rev:1;)
alert tcp $HOME_NET any -> [35.158.159.254] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244777/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244777; rev:1;) alert tcp $HOME_NET any -> [192.119.110.233] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244776; rev:1;) alert tcp $HOME_NET any -> [161.35.62.207] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244775; rev:1;) alert tcp $HOME_NET any -> [51.142.10.24] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244774; rev:1;) alert tcp $HOME_NET any -> [154.247.162.241] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244773; rev:1;) alert tcp $HOME_NET any -> [39.40.148.240] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244772; rev:1;) alert tcp $HOME_NET any -> [157.245.45.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244771; rev:1;) alert tcp $HOME_NET any -> [8.219.183.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244770; rev:1;) alert tcp $HOME_NET any -> [45.152.85.15] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244769; rev:1;) alert tcp $HOME_NET any -> [198.23.228.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244768; rev:1;) alert tcp $HOME_NET any -> [5.206.224.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244767; rev:1;) alert tcp $HOME_NET any -> [185.163.124.133] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244761; 
rev:1;)
# Review notes (url rules below):
# - http.host: content + depth equal to the pattern length + isdataat:!1,relative
#   anchors the pattern at the start and at the end of the buffer, so the Host value
#   must equal the string. The condition is on the Host header value, not on the
#   destination address: a request to the same server under another Host does not match.
# - http.uri: content + depth only anchors the start; there is no end condition in the
#   URI buffer, so "/login/" is a prefix match ("/login/anything" also matches).
# - sids 91244762 and 91244763 have identical match conditions and differ only in
#   sid and reference id; one matching request raises both alerts. Deduplicate on
#   method/uri/host when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"185.163.124.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"185.163.124.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244763; rev:1;)
# ip:port rule: matches on the header alone (any HOME_NET source to this address and
# port). There is no flow: or content: condition, so nothing here requires an
# established session. threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [91.198.77.158] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244764; rev:1;)
# Same address as sid 91244764, but keyed on HTTP: any destination port, GET, URI
# beginning with "/s1.exe", Host header equal to the IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1.exe"; depth:7; nocase; http.host; content:"91.198.77.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244765; rev:1;)
alert tcp $HOME_NET any -> [185.163.124.133] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244760/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distributors.commdistinc.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244747; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 32105 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244732; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 32105 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/4xcgqyhfkt0cmh8kmdtzrh"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auvm/6875"; depth:10; nocase; http.host; content:"topflowersclub.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244759/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrd/4462"; depth:9; nocase; http.host; content:"yourunitedlaws.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244758; rev:1;) alert tcp $HOME_NET any -> [154.12.236.248] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244749; rev:1;) alert tcp $HOME_NET any -> [158.247.240.58] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244750; rev:1;) alert tcp $HOME_NET any -> [70.34.199.64] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244751; rev:1;) alert tcp $HOME_NET any -> [94.72.104.77] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244752; rev:1;) alert tcp 
$HOME_NET any -> [154.53.55.165] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244753; rev:1;) alert tcp $HOME_NET any -> [45.77.63.237] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244754; rev:1;) alert tcp $HOME_NET any -> [94.72.104.80] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244755; rev:1;) alert tcp $HOME_NET any -> [198.38.94.213] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244756; rev:1;) alert tcp $HOME_NET any -> [70.34.223.164] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244757; rev:1;) alert tcp $HOME_NET any -> [209.182.234.69] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244748/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"www.cloudflarecache.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cloudflarecache.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.56.251.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244743; rev:1;) alert tcp $HOME_NET any -> [34.131.18.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244742; rev:1;)
# Review notes (sids 91244740 / 91244741):
# - The host name embeds an IPv4 address in reversed octet order (55.18.131.34 is
#   34.131.18.55, the address in sid 91244742). It appears to be the hosting provider's
#   generic per-address name, not a name the operator registered - confirm before
#   treating it as attributable. Addresses of this kind can be released and reassigned,
#   and first_seen is 2024_03_06, so check that the IOC is still current before
#   blocking on it.
# - The URI "/jquery-3.3.1.min.js" is a file name that is common in benign traffic;
#   the selectivity of sid 91244740 comes from the exact http.host condition.
# - dns_query uses depth equal to the pattern length plus isdataat:!1,relative, so only
#   a query for exactly this name matches (case-insensitive); subdomains do not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"55.18.131.34.bc.googleusercontent.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55.18.131.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244741; rev:1;)
# "/ca" with depth:3 is a three-byte URI prefix with no end anchor: any GET whose URI
# starts with "/ca" and whose Host header equals the IP literal matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.200.164.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; 
classtype:trojan-activity; sid:91244738; rev:1;) alert tcp $HOME_NET any -> [206.237.16.117] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.msn-microsoft.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.msn-microsoft.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244735; rev:1;) alert tcp $HOME_NET any -> [198.44.174.232] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244734; rev:1;) alert tcp $HOME_NET any -> [179.15.14.181] 9091 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244733; rev:1;) alert tcp $HOME_NET any -> [178.238.112.11] 56555 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"i-wallet.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i-wallet.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244729; rev:1;) alert tcp $HOME_NET any -> [95.141.41.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"googlesupportacc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bg"; depth:3; nocase; http.host; content:"googlesupportacc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244725; rev:1;) alert tcp $HOME_NET any -> [45.90.97.172] 2211 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244722; rev:1;) alert tcp $HOME_NET any -> [81.71.140.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"14.116.174.122"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244720; rev:1;)
# Review notes (sids 91244720, 91244718, 91244717):
# - http.uri; content:"/"; depth:1 is satisfied by any URI that begins with "/", so
#   the URI condition adds no selectivity. These rules alert on any GET whose Host
#   header equals the listed IP literal.
# - The url rules carry no threshold keyword (the ip:port rules do), so alert volume
#   is likely to follow request volume; aggregate per source host when triaging.
# - The ip:port rules for the same addresses (sids 91244719, 91244715) match on
#   address and port only and can fire for the same host on a different path.
alert tcp $HOME_NET any -> [116.203.13.151] 9494 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.127.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.183.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244717; rev:1;)
alert tcp $HOME_NET any -> [88.99.127.167] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244715; rev:1;)
alert tcp $HOME_NET any -> 
[95.216.183.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244716; rev:1;) alert tcp $HOME_NET any -> [193.57.41.76] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244714; rev:1;) alert tcp $HOME_NET any -> [163.197.242.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244713; rev:1;) alert tcp $HOME_NET any -> [209.126.86.48] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244712; rev:1;) alert tcp $HOME_NET any -> [46.246.80.10] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244711; rev:1;) alert tcp $HOME_NET any -> [89.117.23.25] 46450 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244710/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244710; rev:1;)
# Review notes (ip:port rules, confidence_level 50):
# - Each rule matches on the header alone: any HOME_NET source to one address and
#   port. There is no flow:, flags: or content: condition, so nothing requires an
#   established session or inspects the payload.
# - threshold: type limit, track by_src, seconds 60, count 1 caps output at one alert
#   per source address per 60 seconds per rule; the alert count is not a measure of
#   how much traffic was seen.
# - With confidence_level 50 and ports such as 443, treat a hit as a lead to correlate
#   (DNS, proxy or endpoint data), not as a confirmed infection. first_seen is
#   2024_03_06; check the referenced ThreatFox entry for current status.
# - The msg text follows one template ("<family> botnet C2 traffic") for every family,
#   so it says little about the kind of traffic.
# - target:src_ip marks the HOME_NET side as the target in alert output.
alert tcp $HOME_NET any -> [70.31.125.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244709; rev:1;)
alert tcp $HOME_NET any -> [72.27.199.181] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244708; rev:1;)
alert tcp $HOME_NET any -> [45.150.198.28] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244707; rev:1;)
alert tcp $HOME_NET any -> [38.147.189.157] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244706; rev:1;)
# Destination port 445: an internal host opening SMB to an external address is
# generally worth investigating whatever the feed's confidence value says.
alert tcp $HOME_NET any -> [91.143.101.212] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244705; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.44] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244704; rev:1;) alert tcp $HOME_NET any -> [185.11.61.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244703; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244702; rev:1;) alert tcp $HOME_NET any -> [20.168.0.131] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244701; rev:1;) alert tcp $HOME_NET any -> [15.235.166.83] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244700; rev:1;) alert tcp $HOME_NET any -> [185.233.203.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244641; rev:1;) alert tcp $HOME_NET any -> [91.92.253.149] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244637; rev:1;) alert tcp $HOME_NET any -> [185.237.206.57] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244642; rev:1;) alert tcp $HOME_NET any -> [206.188.197.213] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244648; rev:1;) alert tcp $HOME_NET any -> [4.210.191.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244660; rev:1;) alert tcp $HOME_NET any -> [193.149.129.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244661; rev:1;) alert tcp $HOME_NET any -> [5.188.87.40] 36543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244669/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244669; rev:1;) alert tcp $HOME_NET any -> [45.140.146.2] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzuymgi3mtixowfk/"; depth:18; nocase; http.host; content:"83.97.73.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244688; rev:1;) alert tcp $HOME_NET any -> [192.3.216.140] 16519 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/base93/3multibasetest/3/trackauth/linuxtoasync6/longpoll/cpuserver2wp/tracklinux/phpasynccentral.php"; depth:101; nocase; http.host; content:"79.174.94.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244698; rev:1;) alert tcp $HOME_NET any -> [174.93.198.242] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244697; rev:1;) alert tcp $HOME_NET any -> [62.122.184.95] 8888 (msg:"ThreatFox StealthWorker Go botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244696; rev:1;) alert tcp $HOME_NET any -> [185.158.251.20] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244695; rev:1;) alert tcp $HOME_NET any -> [109.248.170.151] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244694; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244693; rev:1;) alert tcp $HOME_NET any -> [124.71.9.23] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244692; rev:1;) alert tcp $HOME_NET any -> [47.123.4.117] 8099 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244691; rev:1;) alert tcp $HOME_NET any -> [39.108.229.236] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244690/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244690; rev:1;) alert tcp $HOME_NET any -> [3.146.206.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244689; rev:1;) alert tcp $HOME_NET any -> [13.50.244.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244686; rev:1;) alert tcp $HOME_NET any -> [89.23.99.198] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244685; rev:1;) alert tcp $HOME_NET any -> [197.119.48.109] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244684/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_03_05; classtype:trojan-activity; sid:91244684; rev:1;) alert tcp $HOME_NET any -> [103.155.214.72] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244683; rev:1;) alert tcp $HOME_NET any -> [142.132.224.223] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244682; rev:1;) alert tcp $HOME_NET any -> [142.132.224.223] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244681; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244678; rev:1;) alert tcp $HOME_NET any -> [20.169.80.43] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244677; rev:1;) alert tcp $HOME_NET any -> [154.23.141.66] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244676; rev:1;) alert tcp $HOME_NET any -> [193.124.205.30] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244675; rev:1;) alert tcp $HOME_NET any -> [45.83.207.249] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244674; rev:1;) alert tcp $HOME_NET any -> [110.164.146.49] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244673; rev:1;) alert tcp $HOME_NET any -> [128.90.145.218] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244672; rev:1;) alert tcp $HOME_NET any -> [31.6.179.181] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244671; rev:1;) alert tcp $HOME_NET any -> [174.78.242.29] 9100 (msg:"ThreatFox Xtreme RAT 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244670; rev:1;) alert tcp $HOME_NET any -> [20.163.176.140] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244668; rev:1;) alert tcp $HOME_NET any -> [8.130.122.174] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244667; rev:1;) alert tcp $HOME_NET any -> [111.229.198.177] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244666; rev:1;) alert tcp $HOME_NET any -> [164.92.191.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244665; rev:1;) alert tcp $HOME_NET any -> [94.156.8.188] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244664/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_03_05; classtype:trojan-activity; sid:91244664; rev:1;) alert tcp $HOME_NET any -> [74.91.29.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244663; rev:1;) alert tcp $HOME_NET any -> [154.23.178.139] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244662; rev:1;) alert tcp $HOME_NET any -> [67.205.152.19] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244659; rev:1;) alert tcp $HOME_NET any -> [46.249.38.211] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244658; rev:1;) alert tcp $HOME_NET any -> [34.88.176.115] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244657; rev:1;) alert tcp $HOME_NET any -> [54.145.92.29] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244656; rev:1;) alert tcp $HOME_NET any -> [154.9.255.31] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244655; rev:1;) alert tcp $HOME_NET any -> [3.146.206.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244654; rev:1;) alert tcp $HOME_NET any -> [39.104.66.132] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244653; rev:1;) alert tcp $HOME_NET any -> [45.76.196.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244652; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244651; rev:1;) alert tcp $HOME_NET any -> [107.174.241.206] 7989 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244650; rev:1;) alert tcp $HOME_NET any -> [8.222.158.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244649; rev:1;) alert tcp $HOME_NET any -> [3.11.29.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244647; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244646; rev:1;) alert tcp $HOME_NET any -> [120.48.5.80] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244645; rev:1;) alert tcp $HOME_NET any -> [193.222.96.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244644/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244644; rev:1;) alert tcp $HOME_NET any -> [69.30.232.230] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244643; rev:1;) alert tcp $HOME_NET any -> [91.92.248.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244639; rev:1;) alert tcp $HOME_NET any -> [91.92.252.33] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244638; rev:1;) alert tcp $HOME_NET any -> [37.120.141.144] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_cache.js"; depth:12; nocase; http.host; content:"apicachebot.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244586; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apicachebot.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244585; rev:1;)
# NOTE(review): the rule ending above and the four "payload delivery" rules below match
# http.uri with content:"/"; depth:1, which only requires the URI to begin with "/".
# The effective selector is therefore the http.host test alone (content + depth +
# isdataat:!1,relative, i.e. the whole host buffer must equal the listed value): any GET
# from $HOME_NET to that host on an established flow raises the alert, whatever the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"commdistinc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.254.207.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marxrwo9090.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"194.147.140.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244617; rev:1;)
# Here the URI is a real path: http.uri must begin with "/img/marxrwo.txt" (prefix match,
# no end anchor on the URI) and http.host must equal "nzaria.org".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/marxrwo.txt"; depth:16; nocase; http.host; content:"nzaria.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244618; rev:1;)
# NOTE(review): sid 91244620 looks for the IP literal at the very start of http.uri and has
# no http.host condition, unlike the neighbouring url rules. A request URI normally begins
# with "/", so this rule is unlikely to fire on ordinary requests. Presumably the source
# IOC was recorded without a scheme or path; confirm against the referenced ThreatFox entry
# before relying on it. For this address, the only other coverage here is the ip:port rule
# sid 91244626 further down (port 7771).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.178.170.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1244620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244620; rev:1;)
# DNS rule: depth + isdataat:!1,relative pin the whole dns_query buffer, so only a query for
# exactly this name matches; a subdomain of it does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzp02itt0a.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244625; rev:1;)
# ip:port rules carry no flow or content keywords: any TCP packet from $HOME_NET to the
# listed address and port matches. threshold type limit / track by_src / count 1 / seconds 60
# caps the output at one alert per source address per minute.
alert tcp $HOME_NET any -> [193.178.170.30] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244626; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.146] 4002 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244632; rev:1;)
# NOTE(review): the next four rules share indicators. The same URI is matched once with
# host 194.165.16.55 (sid 91244635) and once with host security-socks.expert (sid 91244633),
# next to a DNS-query rule for that name (sid 91244634) and an ip:port rule for
# 194.165.16.55:80 (sid 91244636). The ip:port rule has no content keywords, so any TCP
# packet to that address on port 80 alerts, including requests the url rule also catches.
# One client session can raise several of these SIDs; correlate on src_ip during triage
# instead of counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"194.165.16.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244635; rev:1;)
alert tcp $HOME_NET any -> [194.165.16.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-socks.expert"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks.expert"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244633; rev:1;)
# NOTE(review): every url rule here requires the http.method buffer to contain "GET". A
# request to the same URL with another method (for example POST) does not match, so
# check-ins that use a different verb are not covered. Verify against observed traffic
# for the family before treating silence from these rules as a clean result.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmjs_pollauthapibasecdndownloads.php"; depth:45; nocase; http.host; content:"h172956.srv11.test-hf.su"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244630; rev:1;)
# NOTE(review): sid 91244629 and sid 91244628 have identical match conditions (same method,
# URI, host and anchors). They differ only in msg/metadata confidence_level (75 vs 100),
# the reference URL and the sid, so a single matching request produces two alerts.
# Suppress or de-duplicate one of them downstream and keep the higher-confidence entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/fre.php"; depth:18; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/fre.php"; depth:18; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244628; rev:1;)
alert tcp $HOME_NET any -> [95.217.250.22] 36043 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244627; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET to the listed
# address and port matches (a connection attempt is enough; the session need not be
# established). threshold type limit / track by_src / count 1 / seconds 60 emits at most
# one alert per source address per minute. target:src_ip marks the internal host as the
# alert target.
# NOTE(review): these entries carry first_seen 2024_03_05, while the file header reports a
# last update of 2024-07-26. An address-only indicator says nothing about current ownership
# of the address. The four Ghost RAT entries share port 14210 and look like public-cloud
# address space (TODO confirm ownership); such addresses can be reassigned or shared, so
# corroborate a hit with host or DNS evidence before blocking.
alert tcp $HOME_NET any -> [18.192.31.165] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244624; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244623; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244622; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244621; rev:1;)
alert tcp $HOME_NET any -> [181.131.218.39] 4041 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.107.70.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"161.35.186.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.5.66.186"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244608; rev:1;)
# Exact-host match: only cdn-014.epsonupdate.uk is covered; other labels under
# the same domain are not. The name resembles a vendor update host, so a hit is
# worth pivoting on the parent domain in DNS and proxy logs (TODO confirm
# ownership in the ThreatFox entry). The URI "/push" is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244607; rev:1;)
# confidence_level 50 ip:port indicators: the match is address and port only
# (no flow or payload keyword), one alert per source per 60 seconds. Use as a
# triage lead and correlate with host telemetry before acting.
alert tcp $HOME_NET any -> [84.46.240.42] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244606; rev:1;)
alert tcp $HOME_NET any -> [111.229.149.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244605; rev:1;)
alert tcp $HOME_NET any -> [20.19.32.59] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244604; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244603; rev:1;)
# ip:port rules at confidence_level 50 on ports 80 and 443: the rule sees only
# the destination address and port, so any other service reachable on the same
# address and port alerts as well. first_seen 2024_03_05 is the report date,
# not a statement that the address is still in use. Correlate with TLS SNI or
# HTTP host logs before escalating.
alert tcp $HOME_NET any -> [85.110.178.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244602; rev:1;)
alert tcp $HOME_NET any -> [37.56.108.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244601; rev:1;)
alert tcp $HOME_NET any -> [89.23.107.13] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244600; rev:1;)
alert tcp $HOME_NET any -> [81.95.8.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244599; rev:1;)
alert tcp $HOME_NET any -> [172.105.0.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244598; rev:1;)
alert tcp $HOME_NET any -> [124.223.215.119] 65413 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244597; rev:1;)
# confidence_level 50 ip:port rules: address-and-port match only, limited to
# one alert per source per 60 seconds. The family name in msg comes from the
# feed; nothing in the rule inspects the protocol spoken on the port, so the
# label is a hypothesis to verify, not a classification of the traffic.
alert tcp $HOME_NET any -> [37.1.214.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244596; rev:1;)
alert tcp $HOME_NET any -> [172.247.113.97] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244595; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.48] 5901 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244594; rev:1;)
alert tcp $HOME_NET any -> [23.227.202.28] 35676 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244593; rev:1;)
alert tcp $HOME_NET any -> [23.94.120.119] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244592; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.87] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244591; rev:1;)
# confidence_level 50 ip:port rules: address-and-port match only; use as a
# triage lead.
alert tcp $HOME_NET any -> [143.244.186.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244590; rev:1;)
alert tcp $HOME_NET any -> [69.176.89.82] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244589; rev:1;)
# The next two rules cover the same server twice: sid 91244584 alerts on any
# TCP packet to 179.60.150.34:80, sid 91244583 on a GET whose URI starts with
# "/preload" and whose Host is that address. A single cleartext request can
# raise both; the url rule is the more specific signal of the two.
alert tcp $HOME_NET any -> [179.60.150.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"179.60.150.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/q9dyqu9x6rjwvcdqhumrmy"; 
depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244582; rev:1;)
# 65.21.21.176 is listed twice on this line's rules, both labelled RisePro:
# port 8081 at confidence_level 50 and port 50500 at confidence_level 100.
# Both are address-and-port matches with no flow or payload keyword.
alert tcp $HOME_NET any -> [65.21.21.176] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244581; rev:1;)
alert tcp $HOME_NET any -> [193.203.203.211] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244580; rev:1;)
# dns rule: the dns_query content is anchored at both ends (depth equals the
# name length, isdataat:!1,relative rejects trailing bytes) and is
# case-insensitive, so only a query for exactly this name matches, not its
# subdomains. Lookups sent over DoH/DoT, or to a resolver the sensor does not
# see, are not covered. This rule has no threshold, so every query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afdhf198jfadafdkfad.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244579; rev:1;)
alert tcp $HOME_NET any -> [65.21.21.176] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpollsqldblinuxgenerator.php"; depth:36; nocase; http.host; content:"113304cm.n9shteam2.top"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244577; rev:1;)
# ip:port rule: address-and-port match only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [65.108.20.226] 37715 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244576; rev:1;)
# "payload delivery" url rules with URI "/" and depth:1: every GET to the
# listed Host matches, so these are effectively host-only rules for cleartext
# HTTP. The direction is $HOME_NET -> $EXTERNAL_NET, i.e. an internal client
# requesting from the host. An alert marks a fetch attempt; check the response
# (status, size, file type) to tell whether anything was actually delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"41.231.54.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"96.126.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"200.58.122.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244573; rev:1;)
# Three payload-delivery paths on briefscala.com (the rule ending on the line
# above is the first). The URI is prefix-matched and the host is an exact
# match, so subdomains of briefscala.com are not covered. A hit on any one path
# is a reason to search proxy and DNS logs for every request to the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244575; rev:1;)
# ip:port rules: two addresses share port 17647 under one family label. The
# match is address and port only; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [18.156.13.209] 17647 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244567; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 17647 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244568; rev:1;)
alert tcp $HOME_NET any -> 
[3.68.56.232] 10352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244569; rev:1;)
# Same server covered twice: sid 91244566 alerts on any TCP packet to
# 117.72.46.146:80, sid 91244565 on a GET with URI prefix "/ga.js" and Host
# 117.72.46.146. "/ga.js" is a common file name, so the specificity of the url
# rule comes from the Host match, not the path.
alert tcp $HOME_NET any -> [117.72.46.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.72.46.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244565; rev:1;)
# Payload-delivery rule at confidence_level 50. Direction is $HOME_NET ->
# $EXTERNAL_NET, so it flags an internal host requesting the file, not inbound
# attempts against internal devices. The host is a literal address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"60.246.28.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244564; rev:1;)
# ip:port rule on port 80: address-and-port match only, so any HTTP traffic to
# this address alerts regardless of the site requested.
alert tcp $HOME_NET any -> [104.237.252.14] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244541; rev:1;)
alert tcp $HOME_NET any -> [3.64.4.198] 19976 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244515; rev:1;)
# ip:port rule: address-and-port match only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [3.67.112.102] 19976 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244514; rev:1;)
# 145.239.202.110 is covered by an ip:port rule (port 8094) and a url rule
# ("/dark.vbs"). The http rule uses port "any", so it depends on Suricata's
# application-layer protocol detection rather than on the port number.
# NOTE(review): the path ends in .vbs, which looks like a script download
# rather than a check-in; on a hit, confirm on the endpoint whether the file
# was written or executed.
alert tcp $HOME_NET any -> [145.239.202.110] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dark.vbs"; depth:9; nocase; http.host; content:"145.239.202.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244546; rev:1;)
# "/ga.js" is a common file name; the specificity of this rule comes from the
# exact Host match. The URI is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.69.242.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244562; rev:1;)
# ip:port rule on 443: address-and-port match only; it cannot tell which TLS
# server name was requested. Correlate with TLS SNI logs.
alert tcp $HOME_NET any -> [159.203.67.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244561; rev:1;)
# azureedge.net is a shared CDN suffix. Both rules below match only the single
# name wizjqpi1.azureedge.net (exact match), so any block derived from them
# should be scoped to that name, never to the parent suffix. The dns rule fires
# on the lookup; the http rule fires only on cleartext HTTP, so HTTPS requests
# to the same name are visible to these two rules only through the DNS query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizjqpi1.azureedge.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filesystem.htm"; depth:15; nocase; http.host; content:"wizjqpi1.azureedge.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; 
sid:91244558; rev:1;)
# url rules with short URI prefixes ("/dot.gif", "/visit.js", "/gv", "/as"):
# the URI content has depth only, so "/gv" and "/as" match any path beginning
# with those three bytes. The exact Host match on a literal address is what
# keeps these rules specific; the method is fixed to GET and only cleartext
# HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.100.229.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv"; depth:3; nocase; http.host; content:"154.82.81.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as"; depth:3; nocase; http.host; content:"154.82.81.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trailcocompany.com"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244552; rev:1;)
# NOTE(review): sid 91244553 is "alert tcp" to port 53, so DNS carried over UDP
# to 137.220.55.94 does not match it. The dns rule for dns.trailcocompany.com
# (ending on the line above) matches only a query for exactly that name, not
# names beneath it. If UDP traffic to the address or subdomain queries should
# alert, that needs a separate local rule.
alert tcp $HOME_NET any -> [137.220.55.94] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244553; rev:1;)
# url rules: exact Host match on a literal address, URI prefix match, method
# fixed to GET, cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/2i00fa-t5zxohtu1hspr"; depth:25; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/4zt2say1wkoheml0x8bbfa"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244548; rev:1;)
# url rule: exact Host match on firmwarefusion.com (subdomains are not
# covered), URI prefix match, GET only, cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dam.html"; depth:9; nocase; http.host; content:"firmwarefusion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244547; rev:1;)
# 122.51.118.39 is covered by a url rule ("/vfo2", confidence_level 75) and an
# ip:port rule (port 23333, confidence_level 100). The http rule uses port
# "any" and relies on application-layer protocol detection; the ip:port rule
# matches any TCP packet to that address and port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vfo2"; depth:5; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244544; rev:1;)
alert tcp $HOME_NET any -> [122.51.118.39] 23333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244543; rev:1;)
alert tcp $HOME_NET any -> [103.151.123.225] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244542; rev:1;)
# NOTE(review): the generator pins http.method to GET. Gate scripts such as
# fre.php are often requested with POST; if that is the case here, these two
# rules miss the check-in. Verify against a capture or the ThreatFox entry, and
# search proxy logs for any request to sempersim.su regardless of method.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244539; rev:1;)
# URI "/" with depth:1 matches every GET to the listed Host, so these are
# effectively host-only rules for cleartext HTTP.
# sid 91244537 below and sid 91244534 later in this file are the same match
# (GET, URI "/", Host 95.216.180.93), so one request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.180.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/profiles/76561199649267298"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244535; rev:1;)
# The rule ending on the line above (steamcommunity.com) and the t.me rule
# below name hosts of legitimate public services; the indicator is the specific
# profile or channel path, not the host, so these must not be turned into host
# blocks. Both services are normally reached over HTTPS, so these http rules
# only see the request where TLS is decrypted ahead of the sensor or the client
# uses cleartext HTTP; without that, expect no alerts from them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uprizin"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244536; rev:1;)
# URI "/" with depth:1 matches every GET to the listed Host (host-only rules).
# sid 91244534 repeats the match of sid 91244537 earlier in this file (GET,
# URI "/", Host 95.216.180.93), so one request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.180.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244533; rev:1;)
alert tcp $HOME_NET any -> [5.75.214.7] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; 
sid:91244532; rev:1;)
# confidence_level 50 ip:port rules, three of them on port 80 and three
# labelled "Unknown malware": the match is destination address and port only,
# so any HTTP traffic to these addresses alerts regardless of the site
# requested. Use as a triage lead; correlate with HTTP host logs and endpoint
# telemetry before acting.
alert tcp $HOME_NET any -> [188.120.254.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244531; rev:1;)
alert tcp $HOME_NET any -> [157.245.16.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244530; rev:1;)
alert tcp $HOME_NET any -> [85.192.40.131] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244529; rev:1;)
alert tcp $HOME_NET any -> [59.174.225.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244528; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.2] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244527; rev:1;)
alert tcp $HOME_NET any -> [41.99.9.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244526; rev:1;)
# confidence_level 50 ip:port rules: address-and-port match only, one alert per
# source per 60 seconds.
alert tcp $HOME_NET any -> [201.124.218.102] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244525; rev:1;)
# Destination port 445 to an external address. Outbound SMB to the Internet is
# normally denied by egress policy; if the sensor sits inside that filter, an
# alert here shows an attempt only, and if it sits outside, the alert also
# means the egress rule is missing. Review the egress policy either way.
alert tcp $HOME_NET any -> [146.19.173.108] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244524; rev:1;)
# Port 443 ip:port rules: the rule cannot tell which TLS server name was
# requested; correlate with TLS SNI logs before escalating.
alert tcp $HOME_NET any -> [185.130.46.231] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244523; rev:1;)
alert tcp $HOME_NET any -> [185.94.164.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244522; rev:1;)
alert tcp $HOME_NET any -> [37.1.214.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244521; rev:1;)
alert tcp $HOME_NET any -> [175.197.65.135] 8082 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244520; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 445 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244519; rev:1;) alert tcp $HOME_NET any -> [172.174.105.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244518; rev:1;) alert tcp $HOME_NET any -> [179.8.14.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244517; rev:1;) alert tcp $HOME_NET any -> [103.214.173.80] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/line/updateflower4external/eternalpacketprocesslongpollprotectbasewindowstraffictemporary.php"; depth:94; nocase; http.host; 
content:"95.142.35.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244513; rev:1;)
# (The line above closes a rule that begins before this span.)
#
# ip:port indicators. These rules carry no payload or flow keywords, so they
# match on destination address and port alone; "threshold: type limit,
# track by_src, seconds 60, count 1" caps output at one alert per source host
# per 60 seconds. target:src_ip records the $HOME_NET side as the affected host.
# confidence_level in metadata repeats the percentage shown in msg.
# NOTE(review): an address-only match cannot tell C2 traffic from any other
# service on the same ip:port, and first_seen is the only age signal here -
# check the referenced ThreatFox entry before treating a hit as confirmed.
alert tcp $HOME_NET any -> [3.124.142.205] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244451; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244452; rev:1;)
# Domain indicator. depth equals the length of the content string and
# isdataat:!1,relative requires that no byte follows it, so the query name
# must equal the string exactly (case-insensitively, via nocase); a longer
# name that merely contains it does not match. There is no threshold on the
# dns rules, so every matching query raises an alert.
# NOTE(review): this name and the dns rule at the end of this span sit under
# the same parent, gl.at.ply.gg. If that parent is a shared tunnelling or
# hosting service, individual subdomains may be reassigned - TODO confirm.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electric-guest.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244455; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 35608 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244456; rev:1;)
# The rule below continues past the end of this span.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"points-detect.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artist-shared.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stories-boulevard.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244459; rev:1;) alert tcp $HOME_NET any -> [45.85.117.121] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244468/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244468; rev:1;) alert tcp $HOME_NET any -> [37.221.67.4] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244467/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244467; rev:1;) alert tcp $HOME_NET any -> [5.255.115.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244465/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244465; rev:1;) alert tcp $HOME_NET any -> [5.255.118.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244466/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244466; rev:1;) alert tcp $HOME_NET any -> [45.61.156.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244463/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244463; rev:1;) alert tcp $HOME_NET any -> [193.168.143.128] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244464/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244464; rev:1;) alert tcp $HOME_NET any -> [155.94.208.159] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244462/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244462; rev:1;) alert tcp $HOME_NET any -> [5.255.120.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244461/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244461; rev:1;) alert tcp $HOME_NET any -> [193.168.143.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244460/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244460; rev:1;) alert tcp $HOME_NET any -> [45.129.199.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244469/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244469; rev:1;) alert tcp $HOME_NET any -> [46.246.98.52] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244470/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244470; rev:1;) alert tcp $HOME_NET any -> [80.66.88.70] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244471/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244471; rev:1;) alert tcp $HOME_NET any -> [155.94.208.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244472/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244472; rev:1;) alert tcp $HOME_NET any -> [193.168.143.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244473/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244473; rev:1;) alert tcp $HOME_NET any -> [217.195.153.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244474; rev:1;) alert tcp $HOME_NET any -> [209.54.96.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244475; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244486; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244484; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244485; rev:1;) alert tcp $HOME_NET any -> [37.44.238.80] 8190 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244483/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244483; rev:1;) alert tcp $HOME_NET any -> [5.199.161.93] 6783 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244512/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244512; rev:1;) alert tcp $HOME_NET any -> [182.149.199.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244511; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244510; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244509; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244508; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244507/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244507; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244506; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244505; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244504/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244504; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244503; rev:1;) alert tcp $HOME_NET any -> [107.148.37.67] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244502; rev:1;) alert tcp $HOME_NET any -> [89.23.103.208] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244501; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244500; rev:1;) alert tcp $HOME_NET any -> [69.30.232.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244499; rev:1;) alert tcp $HOME_NET any -> [38.207.173.147] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244498; rev:1;) alert tcp $HOME_NET any -> [188.25.164.217] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244497; rev:1;) alert tcp $HOME_NET any -> [193.233.132.69] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244496; rev:1;) alert tcp $HOME_NET any -> [144.202.23.219] 80 
(msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244495; rev:1;) alert tcp $HOME_NET any -> [46.226.166.200] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244494; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244493; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244492; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244491; rev:1;) alert tcp $HOME_NET any -> [116.202.2.143] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244490/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_03_05; classtype:trojan-activity; sid:91244490; rev:1;) alert tcp $HOME_NET any -> [5.75.213.10] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244489; rev:1;) alert tcp $HOME_NET any -> [5.75.213.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244488; rev:1;) alert tcp $HOME_NET any -> [128.90.115.54] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244487; rev:1;) alert tcp $HOME_NET any -> [91.92.242.139] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244454; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 30641 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244453; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244450; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244448; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244449; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244447; rev:1;) alert tcp $HOME_NET any -> [195.54.170.36] 22033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/index.php"; depth:21; nocase; http.host; content:"91.92.242.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244445; rev:1;) alert tcp $HOME_NET any -> [157.230.110.136] 8899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244434; rev:1;) alert tcp $HOME_NET any -> [45.128.232.238] 999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244435; rev:1;) alert tcp $HOME_NET any -> [91.92.244.11] 6697 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244436; rev:1;) alert tcp $HOME_NET any -> [20.205.11.156] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244444; rev:1;) alert tcp $HOME_NET any -> [84.201.167.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244443; rev:1;) alert tcp $HOME_NET any -> [104.233.192.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244442; rev:1;) alert tcp $HOME_NET any -> [72.27.83.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244441; rev:1;) alert tcp $HOME_NET any -> [152.136.171.162] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244440; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244439; rev:1;) alert tcp $HOME_NET any -> [154.90.62.224] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244438; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 43029 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244437; rev:1;) alert tcp $HOME_NET any -> [43.154.25.56] 8888 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onedogsclub.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wipresolutions.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recentbeelive.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailcocompany.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailcosolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artstrailreviews.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244428; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16267 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244432; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16267 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244431; rev:1;) alert tcp $HOME_NET any -> [94.72.114.95] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244420; rev:1;) alert tcp $HOME_NET any -> [65.109.11.145] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244418; rev:1;) alert tcp $HOME_NET any -> [116.202.2.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244419/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244419; rev:1;)
# NOTE(review): in the "url" rules of this group (sid 91244416, 91244415, 91244414) the
# http.uri pattern is content:"/" with depth:1 and no isdataat:!1 after it, so it is a
# prefix match that virtually any request path satisfies. What selects traffic is the exact
# http.host match (depth plus isdataat:!1,relative): any cleartext HTTP GET from $HOME_NET
# carrying that Host value. These rules cannot inspect TLS sessions to the same addresses;
# those are covered only by the matching ip:port rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.2.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244416; rev:1;)
# The ip:port rule below has no flow or content keyword: any TCP packet from $HOME_NET to
# 49.12.103.42:5432 matches, including an unanswered SYN, and the threshold caps it at one
# alert per source address per 60 seconds. Treat a hit as a connection attempt and confirm
# with flow records before concluding that a C2 session was established.
alert tcp $HOME_NET any -> [49.12.103.42] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.11.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244414; rev:1;)
alert tcp $HOME_NET any -> [103.116.52.207] 23597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1244413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244413; rev:1;)
# dns_query with depth equal to the pattern length plus isdataat:!1,relative is an exact
# match on the whole query name, so the hongdrama.xyz rule does not cover
# 314.hongdrama.xyz or any other subdomain; each FQDN has its own rule, as here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"314.hongdrama.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hongdrama.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244412; rev:1;)
# NOTE(review): http.uri is Suricata's normalized URI buffer, in which percent-encoding is
# decoded, so "%20" would presumably be seen as a space and content:"/order%20list.vbs" may
# never match. Matching the encoded form needs http.uri.raw; matching the normalized form
# needs the literal space. Verify with a replayed sample before relying on sid 91244409.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order%20list.vbs"; depth:17; nocase; http.host; content:"37.49.228.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/purchase.vbs"; depth:13; nocase; http.host; content:"37.49.228.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/dark.vbs"; depth:9; nocase; http.host; content:"149.56.252.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244408; rev:1;) alert tcp $HOME_NET any -> [103.78.0.41] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.vani.ovh"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244240/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244240; rev:1;) alert tcp $HOME_NET any -> [194.127.178.5] 23597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.moneymakernation.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244250; rev:1;) alert tcp $HOME_NET any -> [45.155.249.96] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244251/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244251; rev:1;)
# NOTE(review): sid 91244253 and sid 91244252 (later in this group) have the same
# destination 107.175.3.10:7536 and the same msg; only the ThreatFox IOC id differs. Each
# sid keeps its own threshold state, so one host contacting that address raises two alerts
# per 60-second window. Deduplicate downstream or disable one sid locally.
# Both carry confidence_level 50, lower than the 75 and 100 on neighbouring rules; weigh
# that before using them for blocking rather than alerting.
alert tcp $HOME_NET any -> [107.175.3.10] 7536 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244253; rev:1;)
# The two mimico-cooperative.org rules are exact matches on the full query name (depth equal
# to the pattern length plus isdataat:!1,relative), so the aus.* rule does not also fire on
# the zofav.aus.* name and neither matches any other label under that domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zofav.aus.mimico-cooperative.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244255; rev:1;)
# 149.56.252.31 is also the http.host value in the "url" rules sid 91244408 and sid 91244407
# of this feed; alerts from those sids and from this one for the same source host likely
# describe the same incident and are worth correlating during triage.
alert tcp $HOME_NET any -> [149.56.252.31] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244404; rev:1;)
alert tcp $HOME_NET any -> [107.175.3.10] 7536 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aus.mimico-cooperative.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"149.56.252.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/web/path/gate.php"; depth:20; nocase; http.host; content:"myetherwallet.kl.com.ua"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/web/gate.php"; depth:15; nocase; http.host; content:"myetherwallet.kl.com.ua"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244405; rev:1;) alert tcp $HOME_NET any -> [139.59.16.171] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244402; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30092 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244403/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244403; rev:1;) alert tcp $HOME_NET any -> [165.232.101.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244401; rev:1;) alert tcp $HOME_NET any -> [74.207.231.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244400; rev:1;) alert tcp $HOME_NET any -> [54.148.146.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244399; rev:1;) alert tcp $HOME_NET any -> [47.99.186.100] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244398; rev:1;) alert tcp $HOME_NET any -> [18.192.93.230] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244397; rev:1;) alert tcp $HOME_NET any -> [93.119.13.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244396; rev:1;) alert tcp $HOME_NET any -> [121.37.222.182] 5001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244395; rev:1;) alert tcp $HOME_NET any -> [20.212.234.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244394; rev:1;) alert tcp $HOME_NET any -> [194.182.90.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244393; rev:1;) alert tcp $HOME_NET any -> [3.69.130.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244392; rev:1;) alert tcp $HOME_NET any -> [43.136.86.22] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244391; rev:1;) alert tcp $HOME_NET any -> [106.15.52.156] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244390; rev:1;) alert tcp $HOME_NET any -> [43.229.134.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244389; rev:1;) alert tcp $HOME_NET any -> [198.13.46.179] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244388; rev:1;) alert tcp $HOME_NET any -> [24.199.126.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244387; rev:1;) alert tcp $HOME_NET any -> [43.132.234.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244386; rev:1;) alert tcp $HOME_NET any -> [64.226.106.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244385; rev:1;) alert tcp $HOME_NET any -> [128.199.98.189] 43333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244384; rev:1;) alert tcp $HOME_NET any -> [54.89.6.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244383; rev:1;) alert tcp $HOME_NET any -> [3.21.161.218] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244382; rev:1;) alert tcp $HOME_NET any -> [91.134.226.170] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244381; rev:1;) alert tcp $HOME_NET any -> [159.89.212.121] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; 
sid:91244380; rev:1;) alert tcp $HOME_NET any -> [186.121.34.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244379; rev:1;) alert tcp $HOME_NET any -> [149.129.241.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244378; rev:1;) alert tcp $HOME_NET any -> [3.135.49.252] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244377; rev:1;) alert tcp $HOME_NET any -> [52.28.220.250] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244376; rev:1;) alert tcp $HOME_NET any -> [52.28.220.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244375; rev:1;) alert tcp $HOME_NET any -> [103.27.202.188] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1244374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244374; rev:1;) alert tcp $HOME_NET any -> [44.222.157.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accountcapabilities-pa.accguide.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip177.ip-51-210-73.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244371; rev:1;) alert tcp $HOME_NET any -> [154.223.21.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244370; rev:1;) alert tcp $HOME_NET any -> [91.92.242.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244369; rev:1;) alert tcp $HOME_NET any -> [117.72.10.229] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244368; rev:1;) alert tcp $HOME_NET any -> [8.140.55.145] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244367; rev:1;) alert tcp $HOME_NET any -> [34.172.89.75] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.niggas.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binplat.elementfx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"se-5.ironhide.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244364; rev:1;) alert tcp $HOME_NET any -> [134.255.254.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244362; rev:1;) alert tcp $HOME_NET any -> [81.230.10.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244361; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244360; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244359; rev:1;) alert tcp $HOME_NET any -> [194.127.178.5] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244358; rev:1;)
alert tcp $HOME_NET any -> [36.152.201.67] 65535 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244357; rev:1;)
alert tcp $HOME_NET any -> [183.249.20.106] 8090 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244356; rev:1;)
# NOTE(review): ip140.ip-51-195-83.eu and ec2-34-200-37-176.compute-1.amazonaws.com look
# like provider-assigned host names that encode an IP address rather than attacker-registered
# domains (the EC2 name matches 34.200.37.176 in sid 91244353). Such addresses can be
# reassigned to unrelated tenants, and these entries carry first_seen 2024_03_04, so check
# the IOC's current status at the reference URL before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip140.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244355; rev:1;)
alert tcp $HOME_NET any -> [34.200.37.176] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-200-37-176.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244354; rev:1;)
alert tcp $HOME_NET any -> [195.211.97.9] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244352; rev:1;) alert tcp $HOME_NET any -> [20.77.71.31] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244351; rev:1;) alert tcp $HOME_NET any -> [185.78.76.40] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244350; rev:1;) alert tcp $HOME_NET any -> [193.222.96.33] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244349; rev:1;) alert tcp $HOME_NET any -> [45.128.96.74] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244348; rev:1;) alert tcp $HOME_NET any -> [172.208.54.18] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244347; rev:1;) alert tcp 
$HOME_NET any -> [91.92.242.137] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kardiocentrumnitra-fingera.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fresocialcasinogames.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"126.124.141.34.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-169-174-23.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edgarmcneil.autos"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244341; rev:1;) alert tcp $HOME_NET any -> [81.69.242.185] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244340; rev:1;) alert tcp $HOME_NET any -> [81.69.242.185] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244339; rev:1;) alert tcp $HOME_NET any -> [191.82.223.234] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244338; rev:1;) alert tcp $HOME_NET any -> [14.225.210.222] 12345 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244337; rev:1;) alert tcp $HOME_NET any -> [181.162.168.165] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244336/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244336; rev:1;) alert tcp $HOME_NET any -> [185.221.198.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244335; rev:1;) alert tcp $HOME_NET any -> [45.145.42.229] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas5.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mesixcrypto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fi119-files.canceltap.online"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"s1.devsapi.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244331; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244329; rev:1;) alert tcp $HOME_NET any -> [185.174.101.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244328; rev:1;) alert tcp $HOME_NET any -> [147.124.217.110] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244327; rev:1;) alert tcp $HOME_NET any -> [94.156.69.174] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244326; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244324/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244324; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244325; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244323; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 1996 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244322; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244321; rev:1;) alert tcp $HOME_NET any -> [45.138.16.125] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244320; rev:1;) alert tcp $HOME_NET any -> [135.125.21.74] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244319; rev:1;)
# ip:port IOCs expressed as header-only TCP rules, one rule per address/port pair.
# The rule has no flow, flags or content keyword: the only conditions are
# source in $HOME_NET, the listed destination address and the listed port.
# It can therefore fire on any TCP packet to that endpoint, including a
# connection attempt that is never answered; an alert shows that a host tried
# to reach the endpoint, not that a session was established or that the
# traffic was C2.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per 60 seconds for each sid, so alert counts do not
# reflect connection counts. The same address on two ports is two sids and two
# independent limits.
alert tcp $HOME_NET any -> [139.162.63.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244318; rev:1;)
# NOTE(review): the Sliver entries below are published at confidence_level 90,
# and several are on port 443. A header-only rule cannot tell C2 from any other
# service answering on the same address and port - corroborate with host or
# TLS/flow evidence before escalating, and consider filtering on the
# confidence_level metadata if lower-confidence IOCs are too noisy locally.
alert tcp $HOME_NET any -> [15.235.166.83] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244317/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244317; rev:1;)
alert tcp $HOME_NET any -> [5.180.151.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244315/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244315; rev:1;)
alert tcp $HOME_NET any -> [91.149.253.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244316/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244316; rev:1;)
alert tcp $HOME_NET any -> [194.87.213.6] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244314/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244314; rev:1;)
alert tcp $HOME_NET any -> [68.183.236.120] 443
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244313/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244313; rev:1;) alert tcp $HOME_NET any -> [64.225.53.227] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244311/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244311; rev:1;) alert tcp $HOME_NET any -> [207.174.3.213] 38443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244312/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244312; rev:1;) alert tcp $HOME_NET any -> [105.102.177.34] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244309; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244307; rev:1;) alert tcp $HOME_NET any -> [121.199.40.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244308/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244308; rev:1;) alert tcp $HOME_NET any -> [121.5.69.117] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244306; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244305; rev:1;) alert tcp $HOME_NET any -> [124.70.158.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244304; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244303; rev:1;) alert tcp $HOME_NET any -> [1.32.228.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244301; rev:1;) alert tcp $HOME_NET any -> [209.141.44.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244302; rev:1;) alert tcp $HOME_NET any -> [120.46.94.192] 8785 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244300; rev:1;) alert tcp $HOME_NET any -> [8.130.105.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244299; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244297; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244298; rev:1;) alert tcp $HOME_NET any -> [95.169.24.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244296; 
rev:1;) alert tcp $HOME_NET any -> [47.236.248.52] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244295; rev:1;) alert tcp $HOME_NET any -> [47.236.248.52] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244294; rev:1;) alert tcp $HOME_NET any -> [193.42.61.102] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244293; rev:1;) alert tcp $HOME_NET any -> [61.160.207.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244291; rev:1;) alert tcp $HOME_NET any -> [101.34.243.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244292; rev:1;) alert tcp $HOME_NET any -> [123.57.204.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244290; rev:1;) alert tcp $HOME_NET any -> [8.130.119.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244289; rev:1;) alert tcp $HOME_NET any -> [94.156.66.44] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244287; rev:1;) alert tcp $HOME_NET any -> [8.130.119.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244288; rev:1;) alert tcp $HOME_NET any -> [146.190.160.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244286; rev:1;) alert tcp $HOME_NET any -> [45.159.210.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244285; rev:1;) alert tcp $HOME_NET any -> [60.204.133.143] 
9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244283; rev:1;) alert tcp $HOME_NET any -> [45.159.210.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244284; rev:1;) alert tcp $HOME_NET any -> [107.173.171.251] 65443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovial-ellis.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244281; rev:1;) alert tcp $HOME_NET any -> [49.4.115.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244280; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244278; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244279; rev:1;) alert tcp $HOME_NET any -> [43.241.16.222] 56158 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244277; rev:1;) alert tcp $HOME_NET any -> [49.235.169.136] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244276; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 8023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244275; rev:1;) alert tcp $HOME_NET any -> [43.156.27.199] 804 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244274; rev:1;) alert tcp $HOME_NET any -> [139.180.192.219] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244272; rev:1;)
# Mixed run of ip:port rules (header-only TCP match, limited to one alert per
# source per 60 seconds per sid) and domain rules (whole-name match on the
# dns_query buffer via depth + isdataat:!1,relative, case-insensitive).
alert tcp $HOME_NET any -> [123.254.107.57] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244273; rev:1;)
alert tcp $HOME_NET any -> [139.180.192.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244271; rev:1;)
# NOTE(review): the plesk.page names in this run all carry the same
# 104-168-102-175 label and differ only in the leading label(s). Each rule
# matches one exact name, so another name under that shared label is not
# covered. If the common factor is the host rather than the individual names,
# a single suffix match would be more durable - TODO confirm against the
# ThreatFox entries before changing coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angry-khorana.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucaresupport.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nice-torvalds.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244269; rev:1;)
# NOTE(review): this name and the hwclouds-dns.com name further down embed an
# IPv4 address in the host label and look provider-generated; presumably they
# track the address, not the tenant. Treat a hit as a lead and check whether
# the IOC is still listed as active before acting on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-71-186-178.ipv4.staticdns2.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244267; rev:1;)
alert tcp $HOME_NET any -> [42.192.4.189] 54333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244265; rev:1;)
alert tcp $HOME_NET any -> [38.6.223.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-110-41-134-233.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192.lan-vg2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244262/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jovial-ellis.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dirapushka.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.festive-euclid.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adoring-hellman.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244259/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244259; rev:1;)
# Domain rules: whole-name, case-insensitive match on the dns_query buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ucaresupport.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautiful-fermi.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244257; rev:1;)
# ip:port rule: header-only TCP match, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [123.60.159.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244248; rev:1;)
# URL IOCs expressed as HTTP rules. Each rule requires, on an established
# client-to-server flow (flow:established,from_client):
#   - http.method containing "GET";
#   - http.uri starting with the listed path (depth equals the path length and
#     there is no end anchor, so this is a case-insensitive prefix match and
#     longer URIs or query strings after the path still match);
#   - http.host equal to the listed value (depth plus isdataat:!1,relative
#     leaves no room for extra bytes).
# NOTE(review): several paths here are generic-looking (for example
# "/jquery-3.3.1.min.js", "/pixel.gif", "/match"), so the Host condition carries
# most of the specificity. Because the Host value is an IP literal, a request
# that reaches the same server under a hostname is not matched by these rules,
# and neither are non-GET requests. The rules inspect parsed HTTP only, so TLS
# traffic is covered only where it is decrypted ahead of the sensor. Pair with
# the ip:port rules or local flow data where that coverage matters.
# These rules carry no threshold keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.14.28.172"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.233.44.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"80.85.154.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"49.233.44.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity;
sid:91244242; rev:1;) alert tcp $HOME_NET any -> [103.67.163.213] 9462 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.199.180.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.4.154.20"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244235; rev:1;)
# ip:port rules: no flow or payload condition, so any TCP packet from $HOME_NET
# to the listed address and port matches. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source host per 60 seconds.
# NOTE(review): the two Cobalt Strike rules below are "alert tcp" with
# destination port 53, so they only see TCP sessions. DNS is commonly carried
# over UDP; if the reported channel is DNS (the adjacent domain rules suggest it
# may be - TODO confirm against the ThreatFox entries), UDP/53 traffic to the
# same addresses is not covered by these rules.
alert tcp $HOME_NET any -> [45.77.160.60] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244234; rev:1;)
# domain rules: depth equal to the pattern length plus isdataat:!1,relative makes
# this an exact, case-insensitive match on the whole queried name. Queries for
# names below it (subdomains) do not match.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer;
# the HTTP rules in this file already use the dotted form (http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.recentbeelive.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244233; rev:1;)
alert tcp $HOME_NET any -> [108.61.210.72] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.netiapp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.netiapp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04;
classtype:trojan-activity; sid:91244231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.4.154.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/require-jquery-v1.js"; depth:21; nocase; http.host; content:"47.104.28.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244225; rev:1;) alert tcp $HOME_NET any -> [206.238.199.68] 48458 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvs/inc/c874c1a5333207.php"; depth:27; nocase; http.host; content:"www.texlandbd.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244222; rev:1;) alert tcp $HOME_NET any -> [62.72.185.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244176; rev:1;) alert tcp $HOME_NET any -> [62.72.185.45] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244177; rev:1;) alert tcp $HOME_NET any -> [62.72.185.68] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244179; rev:1;) alert tcp $HOME_NET any -> [62.72.185.58] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244178; rev:1;) alert tcp $HOME_NET any -> [62.72.185.92] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244180; rev:1;) alert tcp $HOME_NET any -> [204.76.203.18] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244183; rev:1;) alert tcp $HOME_NET any -> [62.72.185.110] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244181; rev:1;) alert tcp $HOME_NET any -> [204.76.203.17] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244182; rev:1;) alert tcp $HOME_NET any -> [204.76.203.22] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244184; rev:1;) alert tcp $HOME_NET any -> [204.76.203.23] 
1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244185; rev:1;) alert tcp $HOME_NET any -> [204.76.203.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244186; rev:1;) alert tcp $HOME_NET any -> [204.76.203.25] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244187; rev:1;) alert tcp $HOME_NET any -> [204.76.203.26] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244188; rev:1;) alert tcp $HOME_NET any -> [204.76.203.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244189; rev:1;) alert tcp $HOME_NET any -> [204.76.203.28] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244190/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244190; rev:1;) alert tcp $HOME_NET any -> [204.76.203.29] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244191; rev:1;) alert tcp $HOME_NET any -> [204.76.203.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244192; rev:1;) alert tcp $HOME_NET any -> [204.76.203.31] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244193; rev:1;) alert tcp $HOME_NET any -> [204.76.203.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244194; rev:1;) alert tcp $HOME_NET any -> [204.76.203.242] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244195; rev:1;) alert tcp $HOME_NET any -> [204.76.203.244] 61616 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244196; rev:1;) alert tcp $HOME_NET any -> [5.181.80.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244199; rev:1;) alert tcp $HOME_NET any -> [204.76.203.248] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244197; rev:1;) alert tcp $HOME_NET any -> [5.181.80.49] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244198; rev:1;) alert tcp $HOME_NET any -> [5.181.80.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244200; rev:1;) alert tcp $HOME_NET any -> [5.181.80.56] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244201/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244201; rev:1;) alert tcp $HOME_NET any -> [5.181.80.82] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244202; rev:1;) alert tcp $HOME_NET any -> [5.181.80.83] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244203; rev:1;) alert tcp $HOME_NET any -> [5.181.80.102] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244205; rev:1;) alert tcp $HOME_NET any -> [5.181.80.123] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244206; rev:1;) alert tcp $HOME_NET any -> [5.181.80.156] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244207; rev:1;) alert tcp $HOME_NET any -> [5.181.80.100] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244204; rev:1;) alert tcp $HOME_NET any -> [5.181.80.173] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244208; rev:1;) alert tcp $HOME_NET any -> [5.181.80.174] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244209; rev:1;) alert tcp $HOME_NET any -> [5.181.80.175] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244210; rev:1;) alert tcp $HOME_NET any -> [5.181.80.176] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244211; rev:1;) alert tcp $HOME_NET any -> [5.181.80.178] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244212; rev:1;) alert tcp $HOME_NET any -> [5.181.80.192] 38421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244213; rev:1;) alert tcp $HOME_NET any -> [46.101.135.216] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244214; rev:1;) alert tcp $HOME_NET any -> [138.197.171.172] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244215; rev:1;) alert tcp $HOME_NET any -> [143.110.247.222] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244216; rev:1;) alert tcp $HOME_NET any -> [147.182.149.112] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244217; rev:1;) alert tcp $HOME_NET any -> [147.182.149.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244218; rev:1;) alert tcp $HOME_NET any -> [159.89.191.108] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244219; rev:1;) alert tcp $HOME_NET any -> [167.99.190.250] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244220; rev:1;) alert tcp $HOME_NET any -> [178.62.242.26] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244221; rev:1;) alert tcp $HOME_NET any -> [62.72.185.34] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244175; rev:1;) alert tcp $HOME_NET any -> [62.72.185.28] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244174; rev:1;)
# The ip:port rules below are published at confidence level 50 and match on
# destination address and port alone; most of them use port 80 or 443.
# NOTE(review): classtype is trojan-activity at every confidence level in this
# file, so alert priority does not reflect the feed's confidence. The
# "confidence_level" metadata key is the only field that separates these from
# the 100% rules; filter or down-rank on it where low-fidelity alerts are costly.
# NOTE(review): address indicators age. first_seen here is 2024_03_04 while the
# file header reports a later "Last updated" date; an address may have been
# reassigned since, so corroborate a hit with host telemetry before escalating.
alert tcp $HOME_NET any -> [142.171.8.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244173; rev:1;)
alert tcp $HOME_NET any -> [79.137.207.163] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244172; rev:1;)
alert tcp $HOME_NET any -> [78.129.165.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244171; rev:1;)
alert tcp $HOME_NET any -> [3.112.78.101] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244170; rev:1;)
alert tcp $HOME_NET any -> [45.32.91.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244169; rev:1;)
alert tcp $HOME_NET any -> [185.203.116.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count
1; reference:url, threatfox.abuse.ch/ioc/1244168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244168; rev:1;) alert tcp $HOME_NET any -> [109.248.150.210] 50270 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244167; rev:1;) alert tcp $HOME_NET any -> [34.31.226.230] 37558 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244164; rev:1;) alert tcp $HOME_NET any -> [103.186.117.243] 1947 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"originwealth.ydns.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sew/inc/10a5031d37bc79.php"; depth:27; nocase; http.host; content:"originwealth.ydns.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244163/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"ct46452.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c44a765f550f6a2f.php"; depth:21; nocase; http.host; content:"89.105.201.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244160; rev:1;) alert tcp $HOME_NET any -> [20.84.67.57] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244159; rev:1;) alert tcp $HOME_NET any -> [82.120.216.108] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244158; rev:1;) alert tcp $HOME_NET any -> [216.238.83.84] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244157/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244157; rev:1;) alert tcp $HOME_NET any -> [74.48.220.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244156; rev:1;) alert tcp $HOME_NET any -> [45.67.228.91] 3666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagevideopipetempdownloads.php"; depth:39; nocase; http.host; content:"82.146.60.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244154; rev:1;) alert tcp $HOME_NET any -> [136.244.118.172] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244149/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_03_03; classtype:trojan-activity; sid:91244149; rev:1;)
# ip:port rules at confidence level 75 for port 80. Each alerts at most once per
# source host per 60 seconds (threshold: type limit, track by_src).
alert tcp $HOME_NET any -> [143.198.136.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244150/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244150; rev:1;)
alert tcp $HOME_NET any -> [146.190.128.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244151; rev:1;)
alert tcp $HOME_NET any -> [159.223.67.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244152; rev:1;)
alert tcp $HOME_NET any -> [78.141.224.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244153/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244153; rev:1;)
# NOTE(review): the URI condition in the rule below is content:"/" with depth:1.
# An ordinary request path already begins with "/", so the condition adds little;
# in practice the rule fires on any GET whose http.host is exactly 78.141.224.44.
# NOTE(review): the same address is covered by the ip:port rule above
# (sid:91244153). A cleartext GET to it on port 80 can therefore raise two
# alerts at different confidence levels (75 and 100); correlate them on
# source host and destination during triage rather than counting them twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.141.224.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"146.190.128.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.223.67.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"143.198.136.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"136.244.118.172"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pe/build.php"; depth:13; nocase; http.host; 
content:"yarnglove.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pstbbk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/du.php"; depth:7; nocase; http.host; content:"glovefire.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dub.php"; depth:8; nocase; http.host; content:"glovefire.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gdfjkghndfjkghdfjkghdf.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244138; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pp.php"; depth:7; nocase; http.host; content:"chessfang.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244139; rev:1;) alert tcp $HOME_NET any -> [47.236.111.110] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244137; rev:1;) alert tcp $HOME_NET any -> [119.29.225.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244136/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244136; rev:1;) alert tcp $HOME_NET any -> [114.215.183.77] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244135/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244135; rev:1;) alert tcp $HOME_NET any -> [89.208.253.204] 4433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244134/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244134; rev:1;) alert tcp $HOME_NET any -> [38.6.164.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244133/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244133; rev:1;) alert tcp $HOME_NET any -> [193.233.132.113] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244132; rev:1;) alert tcp $HOME_NET any -> [193.233.132.194] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244131; rev:1;) alert tcp $HOME_NET any -> [87.241.217.87] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244130; rev:1;) alert tcp $HOME_NET any -> [65.0.98.39] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244129; rev:1;) alert tcp $HOME_NET any -> [185.62.57.11] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244128; rev:1;) alert tcp $HOME_NET any -> [184.144.200.107] 
10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244127; rev:1;) alert tcp $HOME_NET any -> [213.142.159.91] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244126; rev:1;) alert tcp $HOME_NET any -> [94.98.194.203] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244125; rev:1;) alert tcp $HOME_NET any -> [94.96.157.6] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244124; rev:1;) alert tcp $HOME_NET any -> [94.49.180.101] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244123; rev:1;) alert tcp $HOME_NET any -> [64.237.212.192] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244122/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_03_03; classtype:trojan-activity; sid:91244122; rev:1;) alert tcp $HOME_NET any -> [41.109.32.78] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244121; rev:1;) alert tcp $HOME_NET any -> [140.82.54.39] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244120; rev:1;) alert tcp $HOME_NET any -> [45.74.60.199] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244119; rev:1;) alert tcp $HOME_NET any -> [185.29.11.37] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244118; rev:1;) alert tcp $HOME_NET any -> [41.68.133.39] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244117; rev:1;) alert tcp $HOME_NET any -> [38.146.219.232] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244116; rev:1;) alert tcp $HOME_NET any -> [50.3.70.191] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244115; rev:1;) alert tcp $HOME_NET any -> [45.88.186.108] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244114; rev:1;) alert tcp $HOME_NET any -> [185.169.180.151] 82 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244113; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244112; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244111; rev:1;) alert tcp $HOME_NET any -> 
[187.135.85.245] 2154 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244110; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2081 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244109; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244108; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244107; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244106; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244105/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244105; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244104; rev:1;) alert tcp $HOME_NET any -> [198.50.138.20] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244103; rev:1;) alert tcp $HOME_NET any -> [198.27.120.255] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244102; rev:1;) alert tcp $HOME_NET any -> [80.253.246.36] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244101; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244100; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244099; rev:1;) alert tcp $HOME_NET any -> [31.156.119.149] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244098; rev:1;) alert tcp $HOME_NET any -> [88.243.82.116] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244097; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2002 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244096; rev:1;) alert tcp $HOME_NET any -> [185.219.177.105] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244095; rev:1;) alert tcp $HOME_NET any -> [83.229.84.160] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244094; rev:1;) alert tcp $HOME_NET any -> 
[193.222.96.115] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244093; rev:1;) alert tcp $HOME_NET any -> [87.120.84.188] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244092; rev:1;) alert tcp $HOME_NET any -> [213.14.155.98] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244091; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244090; rev:1;) alert tcp $HOME_NET any -> [154.197.98.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244089; rev:1;) alert tcp $HOME_NET any -> [87.121.87.101] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244088/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244088; rev:1;) alert tcp $HOME_NET any -> [159.65.150.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244087; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244086; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244085; rev:1;) alert tcp $HOME_NET any -> [42.193.16.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244084; rev:1;) alert tcp $HOME_NET any -> [47.97.110.109] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244083; rev:1;) alert tcp $HOME_NET any -> [81.70.0.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244082; rev:1;) alert tcp $HOME_NET any -> [117.50.182.87] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244081; rev:1;) alert tcp $HOME_NET any -> [39.105.101.138] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244080; rev:1;) alert tcp $HOME_NET any -> [8.222.165.110] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244079; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244078; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91244077; rev:1;) alert tcp $HOME_NET any -> [110.41.134.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244076; rev:1;) alert tcp $HOME_NET any -> [103.191.15.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244075; rev:1;) alert tcp $HOME_NET any -> [119.3.220.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244074; rev:1;) alert tcp $HOME_NET any -> [101.133.164.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244073; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244072/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244072; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244071; rev:1;) alert tcp $HOME_NET any -> [114.132.218.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244070; rev:1;) alert tcp $HOME_NET any -> [139.9.41.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244069; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244068; rev:1;) alert tcp $HOME_NET any -> [121.40.63.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244067; rev:1;) alert tcp $HOME_NET any -> [34.82.156.114] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244066; rev:1;) alert tcp 
$HOME_NET any -> [104.225.235.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244065; rev:1;) alert tcp $HOME_NET any -> [137.220.197.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244064; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244063; rev:1;) alert tcp $HOME_NET any -> [149.88.75.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244062; rev:1;) alert tcp $HOME_NET any -> [204.93.201.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244061; rev:1;) alert tcp $HOME_NET any -> [47.76.140.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244060; rev:1;)
# ---------------------------------------------------------------------------
# ip:port rules, one rule per line (the text above this comment is the tail of
# a rule that starts earlier in the file).
#
# What these rules match: destination IP and destination port only. There is
# no flow: or content: option, so the alert does not depend on payload or on
# the application protocol in use.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source host, per rule, per 60 seconds.
# target:src_ip records the $HOME_NET host as the target in the alert event.
#
# Triage: every rule in this span carries first_seen 2024_03_03, rev:1 and
# confidence_level 80. An address can change hands after first_seen, so check
# the reference URL and corroborate with host or proxy telemetry before
# treating a single hit as a confirmed compromise.
# ---------------------------------------------------------------------------

# Cobalt Strike
alert tcp $HOME_NET any -> [15.168.110.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244059; rev:1;)
alert tcp $HOME_NET any -> [107.172.196.196] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244058; rev:1;)
alert tcp $HOME_NET any -> [103.163.208.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244057; rev:1;)
alert tcp $HOME_NET any -> [45.86.162.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244056; rev:1;)
alert tcp $HOME_NET any -> [88.214.27.74] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244055; rev:1;)
alert tcp $HOME_NET any -> [64.23.179.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244054; rev:1;)
alert tcp $HOME_NET any -> [107.151.240.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244053; rev:1;)

# MintStealer
alert tcp $HOME_NET any -> [85.114.96.2] 80 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244051/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244051; rev:1;)

# Havoc (54.221.151.132 is listed twice, once per port)
alert tcp $HOME_NET any -> [54.221.151.132] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244049; rev:1;)
alert tcp $HOME_NET any -> [13.232.135.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244048; rev:1;)
alert tcp $HOME_NET any -> [54.221.151.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244047; rev:1;)

# Get2
alert tcp $HOME_NET any -> [103.86.130.103] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244046/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244046; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.78] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244045/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244045; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.147] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244044; rev:1;)
alert tcp $HOME_NET any -> [220.69.33.81] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244043/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244043; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.60] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244042; rev:1;)

# BianLian, DCRat, IcedID, BitRAT, AsyncRAT
alert tcp $HOME_NET any -> [13.37.127.130] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244041/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244041; rev:1;)
alert tcp $HOME_NET any -> [45.67.231.21] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244040/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244040; rev:1;)
alert tcp $HOME_NET any -> [18.232.250.39] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244039/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244039; rev:1;)
alert tcp $HOME_NET any -> [172.233.33.155] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244038/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244038; rev:1;)
alert tcp $HOME_NET any -> [52.87.175.64] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244037/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244037; rev:1;)
alert tcp $HOME_NET any -> [159.100.13.218] 8889 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244036/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244036; rev:1;)
alert tcp $HOME_NET any -> [89.117.49.133] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244035/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244035; rev:1;)

# Meterpreter: every entry below uses destination port 3790.
# NOTE(review): 3790 is also the default Metasploit Pro web UI port, so these
# entries presumably come from server fingerprinting. A hit shows contact with
# the listed host, not an observed Meterpreter session - confirm against the
# ThreatFox entry and endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [4.245.215.11] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244034/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244034; rev:1;)
alert tcp $HOME_NET any -> [13.232.153.222] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244033/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244033; rev:1;)
alert tcp $HOME_NET any -> [175.136.80.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244032/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244032; rev:1;)
alert tcp $HOME_NET any -> [38.87.196.103] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244031/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244031; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.10] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244030/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244030; rev:1;)
alert tcp $HOME_NET any -> [13.233.120.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244029; rev:1;)
alert tcp $HOME_NET any -> [109.123.247.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244028/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244028; rev:1;)
alert tcp $HOME_NET any -> [144.217.238.169] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244027; rev:1;)
alert tcp $HOME_NET any -> [159.223.86.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244026; rev:1;)
alert tcp $HOME_NET any -> [77.91.74.224] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244025; rev:1;)
alert tcp $HOME_NET any -> [46.4.162.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244024; rev:1;)
alert tcp $HOME_NET any -> [207.154.218.205] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244023; rev:1;)
alert tcp $HOME_NET any -> [43.204.111.25] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244022; rev:1;)
alert tcp $HOME_NET any -> [38.92.97.13] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244021/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244021; rev:1;)
alert tcp $HOME_NET any -> [145.239.230.233] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244020; rev:1;)
alert tcp $HOME_NET any -> [201.230.41.153] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244019; rev:1;)
alert tcp $HOME_NET any -> [128.46.157.249] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244018/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244018; rev:1;)
alert tcp $HOME_NET any -> [108.59.196.9] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244017/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244017; rev:1;)
alert tcp $HOME_NET any -> [38.87.198.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244016/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244016; rev:1;)
alert tcp $HOME_NET any -> [45.134.225.247] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244015; rev:1;)
alert tcp $HOME_NET any -> [206.188.196.251] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244014; rev:1;)
alert tcp $HOME_NET any -> [5.255.102.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244013/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244013; rev:1;)
alert tcp $HOME_NET any -> [198.52.128.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244012/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244012; rev:1;)
alert tcp $HOME_NET any -> [64.190.113.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244011/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244011; rev:1;)
alert tcp $HOME_NET any -> [54.193.250.83] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244010/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244010; rev:1;)
alert tcp $HOME_NET any -> [173.249.11.184] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244009/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244009; rev:1;)
alert tcp $HOME_NET any -> [217.160.39.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244008; rev:1;)
alert tcp $HOME_NET any -> [34.16.167.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244007/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244007; rev:1;)
alert tcp $HOME_NET any -> [123.16.208.62] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244006/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244006; rev:1;)
alert tcp $HOME_NET any -> [51.116.102.221] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244005/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244005; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.181] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244004; rev:1;)
alert tcp $HOME_NET any -> [193.32.162.64] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244003/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244003; rev:1;)
alert tcp $HOME_NET any -> [185.81.114.195] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244002/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244002; rev:1;)
alert tcp $HOME_NET any -> [78.38.80.242] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244001/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244001; rev:1;)
alert tcp $HOME_NET any -> [60.204.215.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244000; rev:1;)
alert tcp $HOME_NET any -> [176.123.3.245] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243999; rev:1;)
alert tcp $HOME_NET any -> [152.89.198.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243998/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243998; rev:1;)
alert tcp $HOME_NET any -> [41.216.189.203] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243997; rev:1;)
alert tcp $HOME_NET any -> [49.13.130.177] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243996; rev:1;)
alert tcp $HOME_NET any -> [194.0.206.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243995; rev:1;)
alert tcp $HOME_NET any -> [107.175.0.200] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243994; rev:1;)
alert tcp $HOME_NET any -> [213.109.202.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243993; rev:1;)
alert tcp $HOME_NET any -> [158.255.1.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243992/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243992; rev:1;)
alert tcp $HOME_NET any -> [175.136.87.155] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243991; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.34] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243990; rev:1;)
alert tcp $HOME_NET any -> [141.98.234.46] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243989; rev:1;)
alert tcp $HOME_NET any -> [108.30.148.85] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243988; rev:1;)
alert tcp $HOME_NET any -> [77.105.166.172] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243987/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243987; rev:1;)
alert tcp $HOME_NET any -> [83.41.137.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243986; rev:1;)
alert tcp $HOME_NET any -> [38.99.82.235] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243985; rev:1;)
# ---------------------------------------------------------------------------
# Rules in this span, one per line. Three shapes appear:
#   - ip:port (alert tcp ... -> [IP] PORT): matches destination IP and port
#     only, with no flow: or content: option, so the alert does not depend on
#     payload. threshold: type limit, track by_src, seconds 60, count 1 caps
#     output at one alert per source host, per rule, per 60 seconds.
#   - url (alert http): GET request, http.uri prefix plus exact http.host.
#   - domain (alert dns): exact query name.
# target:src_ip records the $HOME_NET host as the target in the alert event.
# All rules here carry first_seen 2024_03_03 and rev:1; check the reference
# URL before treating a single hit as a confirmed compromise.
# ---------------------------------------------------------------------------

# Meterpreter: every entry below uses destination port 3790.
# NOTE(review): 3790 is also the default Metasploit Pro web UI port, so these
# entries presumably come from server fingerprinting - confirm against the
# ThreatFox entry and endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [88.119.167.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243984; rev:1;)
alert tcp $HOME_NET any -> [37.27.5.78] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243983; rev:1;)
alert tcp $HOME_NET any -> [95.216.221.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243982; rev:1;)
alert tcp $HOME_NET any -> [45.227.254.4] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243981; rev:1;)
alert tcp $HOME_NET any -> [130.51.22.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243980; rev:1;)
alert tcp $HOME_NET any -> [47.250.145.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243979; rev:1;)
alert tcp $HOME_NET any -> [138.201.10.112] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243978; rev:1;)

# URL rule. http.uri: the content is anchored at the start by depth (equal to
# its length) and has no end anchor, so any URI beginning with this string
# matches, case-insensitively. http.host: depth plus isdataat:!1,relative
# makes the host an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecpusql.php"; depth:16; nocase; http.host; content:"058493cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243977; rev:1;)

# Sliver
alert tcp $HOME_NET any -> [35.197.194.79] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243976; rev:1;)
alert tcp $HOME_NET any -> [35.195.225.207] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243975; rev:1;)
alert tcp $HOME_NET any -> [220.158.216.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243974; rev:1;)
alert tcp $HOME_NET any -> [35.228.165.245] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243973; rev:1;)
alert tcp $HOME_NET any -> [34.88.169.69] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243972; rev:1;)
alert tcp $HOME_NET any -> [38.60.191.190] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243971; rev:1;)

# Brute Ratel C4
alert tcp $HOME_NET any -> [93.66.153.13] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243970; rev:1;)

# Cobalt Strike. 49.233.44.237 is listed on two ports (8000 and 443), and
# 111.231.140.197 (port 3333 here) is also the http.host of the "/push" URL
# rule further down (sid 91243951), so hits on the two can be correlated.
alert tcp $HOME_NET any -> [52.91.67.138] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243969; rev:1;)
alert tcp $HOME_NET any -> [49.232.250.192] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243968/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243968; rev:1;)
alert tcp $HOME_NET any -> [182.23.67.109] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243967; rev:1;)
alert tcp $HOME_NET any -> [47.103.218.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243966/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243966; rev:1;)
alert tcp $HOME_NET any -> [3.146.206.189] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243965/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243965; rev:1;)
alert tcp $HOME_NET any -> [121.43.58.124] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243964/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243964; rev:1;)
alert tcp $HOME_NET any -> [38.180.105.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243963; rev:1;)
alert tcp $HOME_NET any -> [111.231.140.197] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243962/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243962; rev:1;)
alert tcp $HOME_NET any -> [38.47.123.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243961; rev:1;)
alert tcp $HOME_NET any -> [101.43.191.108] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243960/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243960; rev:1;)
alert tcp $HOME_NET any -> [107.191.53.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243959; rev:1;)
alert tcp $HOME_NET any -> [47.96.174.24] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243958; rev:1;)
alert tcp $HOME_NET any -> [49.233.44.237] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243957/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243957; rev:1;)
alert tcp $HOME_NET any -> [80.85.154.37] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243956; rev:1;)
alert tcp $HOME_NET any -> [49.233.44.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243955; rev:1;)

# Mirai (confidence_level 75 on this entry)
alert tcp $HOME_NET any -> [94.156.64.143] 9821 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243954; rev:1;)

# URL rule with a 319-byte http.uri prefix and an IP literal as http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/topipe3process/javascripttemporarytrackcdn/universaldb1process/uploadslocalcpu/windows/externalvmproviderline/linux/10sql/1authvoiddb/updatetraffic/pipe/generatorflowersql/trafficgamevideo/tracklocal3http/authpublicupdatewindows/geocpudatalifejs/geo/poll_cpuvm/cpuprocessordefaultdblinuxgeneratordownloadstemporary.php"; depth:319; nocase; http.host; content:"80.78.243.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243953; rev:1;)

# Mirai, all on destination port 61616 (confidence_level 100)
alert tcp $HOME_NET any -> [46.23.108.249] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243946; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.102] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243949; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.250] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243947; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.251] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243948; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.100] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243950; rev:1;)

# URL rules with very short http.uri prefixes. "/ca" (depth:3) and "/push"
# (depth:5) match every GET whose URI begins with those characters on the
# listed host, not only the exact path; the exact http.host match is what
# keeps these specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243951; rev:1;)

# Payload delivery URL (msg says "payload delivery", not C2), at
# confidence_level 50 - the lowest in this span; weigh hits accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"112.252.202.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243945; rev:1;)

# Domain rule. depth:13 plus isdataat:!1,relative makes this an exact,
# case-insensitive match on the queried name; a query for a subdomain of it
# does not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jdkgradle.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243944; rev:1;)

# Mirai
alert tcp $HOME_NET any -> [84.54.51.142] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243943; rev:1;)

# Cobalt Strike (this rule continues on the following line of the file)
alert tcp $HOME_NET any -> [107.148.1.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.148.1.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"43.134.23.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243938; rev:1;) alert tcp $HOME_NET any -> 
[135.181.241.148] 49113 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243907; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12125 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243908; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12125 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check.php"; depth:10; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bebrik.php"; depth:11; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243912; rev:1;) alert tcp $HOME_NET any -> [5.42.65.20] 80 (msg:"ThreatFox Phonk botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzdinzu5njjkztnm/"; depth:18; nocase; http.host; content:"185.198.69.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243920; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243923; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243924; rev:1;) alert tcp $HOME_NET any -> [62.109.6.72] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243937; rev:1;) alert tcp $HOME_NET any -> [91.240.84.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243936; rev:1;) alert tcp $HOME_NET any -> [92.246.139.121] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243935; rev:1;) alert tcp $HOME_NET any -> [198.46.226.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243934; rev:1;) alert tcp $HOME_NET any -> [147.45.47.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243933; rev:1;) alert tcp $HOME_NET any -> [91.202.233.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243932/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_03; classtype:trojan-activity; sid:91243932; rev:1;) alert tcp $HOME_NET any -> [103.61.225.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243931; rev:1;) alert tcp $HOME_NET any -> [104.238.60.87] 5995 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243930; rev:1;) alert tcp $HOME_NET any -> [142.129.135.121] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243929; rev:1;) alert tcp $HOME_NET any -> [34.124.224.8] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"125.46.203.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 50%)"; dns_query; content:"pushkinorigin.ydns.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiz/inc/1d7c50187af637.php"; depth:27; nocase; http.host; content:"pushkinorigin.ydns.eu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243925; rev:1;) alert tcp $HOME_NET any -> [154.27.70.229] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9625229d.php"; depth:13; nocase; http.host; content:"a0925146.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab3a3bb6.php"; depth:13; nocase; http.host; content:"a0922245.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243919/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_02; classtype:trojan-activity; sid:91243919; rev:1;) alert tcp $HOME_NET any -> [170.130.55.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"realzoogroup.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realzoogroup.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243917; rev:1;) alert tcp $HOME_NET any -> [88.214.25.254] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243914/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243914; rev:1;) alert tcp $HOME_NET any -> [104.167.221.222] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243906/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243906; rev:1;) alert tcp $HOME_NET any -> [51.250.20.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243905; rev:1;) alert tcp $HOME_NET any -> [31.190.68.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243904; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 5432 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243903; rev:1;) alert tcp $HOME_NET any -> [45.55.128.82] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243902; rev:1;) alert tcp $HOME_NET any -> [218.28.172.4] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243901; rev:1;) alert tcp $HOME_NET any -> [91.92.253.185] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243900/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metis-info.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"who.juniorfoxy.ooo"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juniorfoxy.ooo"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ravec2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; 
classtype:trojan-activity; sid:91243896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"what.ravec2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heihuo8.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botce.heihuo8.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243893; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10202 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 49833 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243888/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243888; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42754 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
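threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243889; rev:1;)
# ip:port rules: alert on TCP traffic from $HOME_NET to one listed address and port,
# limited by the threshold to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [209.25.141.2] 43778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243890; rev:1;)
alert tcp $HOME_NET any -> [209.25.141.2] 41730 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243891; rev:1;)
alert tcp $HOME_NET any -> [209.25.141.2] 41735 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243892; rev:1;)
# NOTE(review): sids 91243881-91243883 were published with the hostname as http.uri
# content anchored at offset 0 (depth equal to the content length). A normalized
# request URI begins with "/", so in that form the rules would not be expected to fire.
# The hostname is matched in http.host instead, in the same shape the other url rules
# in this file use: depth plus isdataat:!1,relative for an exact match, and no nocase
# because the http.host buffer is already lowercased.
# rev is bumped to 2 to mark the local change; a feed refresh will restore the upstream
# text. The dns rules sid 91243884-91243886 cover the same three domains and also see
# lookups that precede TLS sessions, which these http rules cannot inspect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"remasterprodelherskjs.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243881; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cayennesxque.boo"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243882; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"porsherses.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243883; rev:2;)
# domain rules: depth equal to the content length plus isdataat:!1,relative makes each
# one match the exact query name only; a subdomain needs its own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remasterprodelherskjs.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cayennesxque.boo"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porsherses.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243886; rev:1;)
alert tcp $HOME_NET any -> [89.117.23.25] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243823; rev:1;)
alert tcp $HOME_NET any -> [198.46.176.140] 666 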
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243835; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovalasgo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243822; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243819; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243817; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1243818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243818; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 17526 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243815/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243815; rev:1;) alert tcp $HOME_NET any -> [198.27.120.241] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243607/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243607; rev:1;) alert tcp $HOME_NET any -> [144.172.73.36] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243610; rev:1;) alert tcp $HOME_NET any -> [91.92.252.32] 2112 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243609; rev:1;) alert tcp $HOME_NET any -> [198.46.203.232] 8723 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243836; rev:1;) alert tcp $HOME_NET any -> [91.92.254.23] 5656 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243837; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243844; rev:1;) alert tcp $HOME_NET any -> [91.92.253.177] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243838; rev:1;) alert tcp $HOME_NET any -> [91.92.242.8] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243839; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243845; rev:1;) alert tcp $HOME_NET any -> [94.156.8.80] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; 
sid:91243846; rev:1;)
# --- ip:port indicators labelled unidentified_001 (first_seen 2024_03_02) ---
# No flow or content keyword: these match on destination address and port only, and
# threshold limits them to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [136.243.156.120] 53252 (msg:"ThreatFox unidentified_001 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243855; rev:1;)
alert tcp $HOME_NET any -> [210.117.212.93] 4242 (msg:"ThreatFox unidentified_001 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243856; rev:1;)
# --- URL indicators ---
# Match logic shared by every "alert http" rule in this run:
#   - flow:established,from_client: evaluated on client-to-server data of an
#     established flow only.
#   - http.method must contain GET; a POST to the same URL is not covered.
#   - http.uri content has depth equal to its own length and no end anchor, so it is a
#     prefix match at the start of the URI (constructed example: "/push" also matches
#     "/pushdata").
#   - http.host content has depth equal to its length plus isdataat:!1,relative, so the
#     whole host buffer must equal the string.
# These rules only see requests the engine parses as clear-text HTTP; the same endpoint
# reached over TLS is not matched by them. There is no threshold keyword, so every
# matching request alerts. The msg names no malware family; use the reference URL for
# attribution.
# Several URI strings look like ordinary web resources (/jquery-3.3.1.min.js,
# /__utm.gif, /owa/); the exact Host match is what keeps these rules specific, so do
# not relax it when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tempdownloads.php"; depth:18; nocase; http.host; content:"007017cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.71.130.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"159.223.220.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243873; rev:1;)
# 18.116.36.101 appears twice: as an ip:port rule labelled Cobalt Strike on port 80
# (sid 91243872) and as the Host of the /g.pixel URL rule (sid 91243871). A single
# clear-text request can raise both, so correlate the pair instead of counting two
# detections. The URL rule is the more specific of the two.
alert tcp $HOME_NET any -> [18.116.36.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"18.116.36.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"111.231.146.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243870; rev:1;)
# --- domain indicator ---
# dns_query content with depth equal to its length plus isdataat:!1,relative matches
# the queried name exactly; subdomains of it are not matched. aerh.azureedge.net looks
# like a hostname under a shared CDN zone, so the exact anchoring matters: widening it
# to the parent zone would alert on unrelated tenants.
# NOTE(review): dns_query is the older spelling of dns.query - confirm the deployed
# Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerh.azureedge.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243868; rev:1;)
alert tcp $HOME_NET any -> [159.89.187.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243869; rev:1;)
# URL rule for the same hostname as the dns rule above (sid 91243868): the dns rule
# fires on the lookup, this one on a clear-text GET whose URI starts with /w3c.js.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"aerh.azureedge.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.92.146.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.11.61.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.11.61.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243863; rev:1;)
# 38.181.70.150 and, further down, 101.34.83.35 each have a URL rule plus an ip:port
# rule labelled Cobalt Strike on port 443. On 443 the URL rule only helps if the traffic
# is clear-text HTTP or the sensor sees decrypted traffic; otherwise the ip:port rule is
# the one that will fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.181.70.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243861; rev:1;)
alert tcp $HOME_NET any -> [38.181.70.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243862; rev:1;)
# "/cx" is a three-byte prefix: any URI starting with it matches, so this rule relies
# almost entirely on the exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.134.221.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243859; rev:1;)
alert tcp $HOME_NET any -> [101.34.83.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.34.83.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243857; rev:1;)
# --- ip:port indicators, "Unknown malware", confidence_level 50 ---
# Lowest confidence in this run and matched on address and port alone. Best used as
# hunting leads that need corroboration, not as blocking or paging criteria.
alert tcp $HOME_NET any -> [186.195.175.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243854; rev:1;)
alert tcp $HOME_NET any -> [47.96.143.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243853; 
rev:1;)
# --- mixed ip:port indicators (first_seen 2024_03_02) ---
# Every "alert tcp" rule in this run matches on destination address and port only (no
# flow or content keyword) and is limited by threshold to one alert per source address
# per 60 seconds. confidence_level 50 (QakBot and BianLian below) is the lowest rating
# here; corroborate those hits with other telemetry before acting on them.
alert tcp $HOME_NET any -> [124.168.78.165] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243852; rev:1;)
alert tcp $HOME_NET any -> [64.74.160.238] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243851; rev:1;)
# NOTE(review): the ip:port rule below is for 159.203.25.245 while the URL rule after it
# matches Host 159.203.25.237. They are published as separate indicators; do not assume
# one is a typo of the other - check both reference URLs.
alert tcp $HOME_NET any -> [159.203.25.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243850; rev:1;)
# URL rule: GET only, URI is a prefix match anchored at the start (depth equals the
# content length, no end anchor), Host must match exactly (depth plus
# isdataat:!1,relative). Only clear-text HTTP parsed by the engine is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dingo"; depth:6; nocase; http.host; content:"159.203.25.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243849; rev:1;)
# Domain rule and URL rule for the same hostname. The dns rule matches the queried name
# exactly (subdomains are not matched) and fires on the lookup; the URL rule fires on a
# clear-text GET whose URI starts with /visit.js. Expect both for one infected host.
# NOTE(review): dns_query is the older spelling of dns.query - confirm the deployed
# Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.shelter-paws.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.shelter-paws.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243847; rev:1;)
# NjRAT ip:port indicators; the first four share destination port 19080.
alert tcp $HOME_NET any -> [3.124.142.205] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243843; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243841; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243842; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243840; rev:1;)
alert tcp $HOME_NET any -> [45.144.166.168] 1234 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243834; rev:1;)
# Cobalt Strike ip:port indicators at confidence_level 80, on a mix of ports
# (13917, 10, 36541, 8443, 80). The port-80 entry will match any TCP traffic to that
# address on that port, so expect it to be the noisiest of the group.
alert tcp $HOME_NET any -> [45.77.72.150] 13917 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243833; rev:1;)
alert tcp $HOME_NET any -> [43.245.199.191] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243832; rev:1;)
alert tcp $HOME_NET any -> [138.2.37.89] 36541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243831; rev:1;)
alert tcp $HOME_NET any -> [81.161.238.67] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243830; rev:1;)
alert tcp $HOME_NET any -> [134.209.106.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243829; rev:1;)
# RisePro, solarmarker, RecordBreaker (confidence_level 80) and RedLine Stealer
# (confidence_level 100). Three of these are on port 80 with no content match.
alert tcp $HOME_NET any -> [193.233.132.67] 666 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243828; rev:1;)
alert tcp $HOME_NET any -> [82.146.45.177] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243827; rev:1;)
alert tcp $HOME_NET any -> [185.142.238.152] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243826; rev:1;)
alert tcp $HOME_NET any -> [94.131.106.24] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243825; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.243] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243824; rev:1;)
# URL rule with a long, distinctive URI prefix (23 bytes) and an exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calculate/in/s94apdy8m"; depth:23; nocase; http.host; content:"47.94.138.63"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243820; rev:1;)
# From here on the indicators carry first_seen 2024_03_01.
# URL rule: GET only; the URI is a prefix match anchored at the start (depth equals the
# content length, no end anchor); the Host must match exactly (depth plus
# isdataat:!1,relative). Only clear-text HTTP parsed by the engine is covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0922009.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243816; rev:1;)
# --- ip:port indicators labelled "Unknown malware", confidence_level 100 ---
# confidence_level is the rating carried in the rule metadata; the msg still names no
# family, so an alert from this group tells the analyst where a host connected, not
# what is running on it. Follow the reference URL for context before triage.
# The rules have no flow or content keyword: any TCP packet from $HOME_NET to the listed
# address and port matches. Entries on 80 and 443 are the ones most exposed to false
# positives if an address has since been reassigned - presumably worth ageing these out
# on a schedule; verify against the feed's current state.
# threshold keeps output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [52.57.248.145] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243814; rev:1;)
alert tcp $HOME_NET any -> [34.246.235.101] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243813; rev:1;)
alert tcp $HOME_NET any -> [185.84.162.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243812; rev:1;)
alert tcp $HOME_NET any -> [185.45.195.223] 44133 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243811; rev:1;)
# Many of the following entries share destination port 3333 and the same first_seen
# date. NOTE(review): this looks like one batch of related indicators - confirm via the
# reference URLs before grouping alerts on that assumption.
alert tcp $HOME_NET any -> [20.161.143.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243809; rev:1;)
alert tcp $HOME_NET any -> [20.53.122.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243810; rev:1;)
alert tcp $HOME_NET any -> [40.124.178.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243808; rev:1;)
alert tcp $HOME_NET any -> [3.230.227.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243807; rev:1;)
alert tcp $HOME_NET any -> [172.166.109.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243806; rev:1;)
alert tcp $HOME_NET any -> [20.246.36.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243804; rev:1;)
alert tcp $HOME_NET any -> [148.135.18.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243805; rev:1;)
alert tcp $HOME_NET any -> [88.92.248.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243803; rev:1;)
alert tcp $HOME_NET any -> [203.150.107.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243802; rev:1;)
alert tcp $HOME_NET any -> [20.96.214.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243801; rev:1;)
alert tcp $HOME_NET any -> [47.101.199.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243800; rev:1;)
alert tcp $HOME_NET any -> [23.102.177.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243799; rev:1;)
alert tcp $HOME_NET any -> [13.246.74.195] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243798; rev:1;)
alert tcp $HOME_NET any -> [159.65.154.173] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243797; rev:1;)
alert tcp $HOME_NET any -> [64.23.192.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243796; rev:1;)
alert tcp $HOME_NET any -> [52.21.238.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243795; rev:1;)
alert tcp $HOME_NET any -> [3.248.97.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1243793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243793; rev:1;)
# --- ip:port indicators labelled "Unknown malware" (first_seen 2024_03_01) ---
# Each rule matches on destination address and port alone: there is no flow or content
# keyword, so any TCP packet from $HOME_NET to the endpoint alerts. threshold limits
# output to one alert per source address per 60 seconds, and target:src_ip marks the
# internal host as the target side of the event.
# The msg names no family. Use the reference URL (the sid is the IOC id prefixed with 9)
# to pull context, and corroborate with flow or endpoint data before treating a hit as
# a compromise - most so for the entries on 80 and 443.
alert tcp $HOME_NET any -> [4.195.13.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243794; rev:1;)
alert tcp $HOME_NET any -> [209.126.11.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243792; rev:1;)
alert tcp $HOME_NET any -> [52.230.156.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243791; rev:1;)
alert tcp $HOME_NET any -> [141.95.103.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243790; rev:1;)
alert tcp $HOME_NET any -> [3.17.238.239] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243789; rev:1;)
alert tcp $HOME_NET any -> [172.105.90.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243788; rev:1;)
alert tcp $HOME_NET any -> [35.91.72.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243787; rev:1;)
alert tcp $HOME_NET any -> [164.90.225.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243786; rev:1;)
alert tcp $HOME_NET any -> [139.224.226.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243785; rev:1;)
alert tcp $HOME_NET any -> [46.101.67.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243784; rev:1;)
alert tcp $HOME_NET any -> [143.198.142.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243783; rev:1;)
alert tcp $HOME_NET any -> [185.67.144.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243782; rev:1;)
alert tcp $HOME_NET any -> [172.166.104.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243781; rev:1;)
alert tcp $HOME_NET any -> [79.136.1.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243780; rev:1;)
alert tcp $HOME_NET any -> [148.251.70.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243779; rev:1;)
alert tcp $HOME_NET any -> [34.16.179.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243778; rev:1;)
alert tcp $HOME_NET any -> [52.91.198.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243777; rev:1;)
alert tcp $HOME_NET any -> [20.197.1.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243776; rev:1;)
# --- domain indicators ---
# dns_query content with depth equal to its length plus isdataat:!1,relative matches
# the queried name exactly, case-insensitively (nocase). Subdomains and sibling names
# are not matched: for example the rule for webmail.afld.afld.email does not cover
# other names under afld.email. There is no threshold keyword, so every matching query
# alerts. If the sensor sits behind an internal resolver, the src_ip in the alert is
# presumably the resolver rather than the client - verify against sensor placement and
# pivot on resolver logs to find the querying host.
# NOTE(review): dns_query is the older spelling of dns.query - confirm the deployed
# Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"louiseanderson.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.afld.afld.email"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mehdi.fargan.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243773; rev:1;)
alert tcp $HOME_NET any -> [120.27.130.110] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243772; rev:1;) alert tcp $HOME_NET any -> [38.6.217.139] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243771; rev:1;) alert tcp $HOME_NET any -> [124.223.60.44] 59988 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243770; rev:1;) alert tcp $HOME_NET any -> [209.141.35.155] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.telefonemusk.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.55.253.216.95.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243767; rev:1;)
# 94.156.65.239 is listed on both 443 and 80. On these common web ports an
# address-and-port match cannot tell C2 from any other service reachable at
# the same address. NOTE(review): check for shared or reassigned hosting before
# acting on an alert.
alert tcp $HOME_NET any -> [94.156.65.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243766; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243765; rev:1;)
# MooBot entries, all on port 80. No flow or payload keyword is present, so the
# match is destination address and port only. target:src_ip marks the $HOME_NET
# source as the affected side in the alert record, i.e. the host to investigate.
# threshold: one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [144.172.73.36] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243764; rev:1;)
alert tcp $HOME_NET any -> [137.175.17.137] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243763; rev:1;)
alert tcp $HOME_NET any -> [194.116.216.83] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243761; rev:1;)
alert tcp $HOME_NET any -> [194.48.250.11] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243762; rev:1;)
# Domain indicators. depth equals the content length and isdataat:!1,relative
# requires that nothing follows, so only a query for exactly the listed name
# matches (nocase); subdomains and longer names do not. No threshold is set.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsdjkhfkjsdhfkjdhfgg.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dqspduqsfjksdfhgjks.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243759; rev:1;)
# ec2-54-234-189-192.compute-1.amazonaws.com (and 89-73-53-34.dynamic.chello.pl
# further down) embed an IPv4 address in the name, which looks like a
# provider-assigned hostname rather than an actor-registered domain (presumably;
# confirm). Such names follow the address, so a later holder of the same
# address would trigger the rule as well.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-234-189-192.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.onceuponatimeiwent.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89-73-53-34.dynamic.chello.pl"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243756/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243756; rev:1;)
# 89.73.53.34 is the address spelled out in the domain of the dns rule that
# closes just above (sid:91243756, 89-73-53-34.dynamic.chello.pl), so the same
# endpoint is covered once by name and once by address. The "dynamic" label
# suggests the address may be reassigned over time - TODO confirm before
# treating a late hit as Nimplant.
alert tcp $HOME_NET any -> [89.73.53.34] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243755; rev:1;)
alert tcp $HOME_NET any -> [158.255.74.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243754; rev:1;)
# ERMAC entries on ports 80 and 8080. The rules match on destination address
# and port only (no flow or payload keyword), and nothing requires an
# established session, so an alert records an attempt, not a completed exchange.
# 94.156.69.44 appears on two ports; each ip:port pair is its own sid with its
# own per-source threshold, so one host contacting both can raise two alerts
# inside the same 60-second window.
alert tcp $HOME_NET any -> [94.156.69.44] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243753; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.44] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243752; rev:1;)
alert tcp $HOME_NET any -> [20.0.153.70] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243751; rev:1;)
alert tcp $HOME_NET any -> [103.215.124.119] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243750; rev:1;)
alert tcp $HOME_NET any -> [111.90.145.26] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243748; rev:1;)
alert tcp $HOME_NET any -> [103.215.124.60] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243749; rev:1;)
alert tcp $HOME_NET any -> [188.119.112.64] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243747; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.224] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243746; rev:1;)
# Orcus RAT entry on 443. The sid is the IOC id prefixed with 9, so the
# reference URL identifies the ThreatFox record behind the alert.
alert tcp $HOME_NET any -> [103.155.214.134] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243745; rev:1;)
alert tcp $HOME_NET any -> 
[181.215.4.52] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243744; rev:1;)
# Domain indicators. depth equals the content length and isdataat:!1,relative
# requires that no byte follows, so a rule fires only on a query for exactly
# the listed name (nocase). kcrn.sk therefore matches the bare domain only, not
# www.kcrn.sk or any other host under it. These rules set no threshold.
# 211.20.97.83.ro.ovo.sc embeds a dotted quad and looks like a provider-assigned
# hostname (presumably; confirm) - such a name follows the address, not the tenant.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcrn.sk"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test-control.rnb-team.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"211.20.97.83.ro.ovo.sc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243742; rev:1;)
# Quasar RAT ip:port entries (4444, 8080, 443). The match is destination address
# and port only; no flow or payload keyword ties the alert to Quasar traffic
# itself, so the family name in msg comes from the feed, not from inspection.
# threshold: one alert per source address per 60 seconds for each sid.
alert tcp $HOME_NET any -> [195.214.254.161] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243740; rev:1;)
alert tcp $HOME_NET any -> [181.161.15.137] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243738; rev:1;)
alert tcp $HOME_NET any -> [51.178.185.143] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243739; rev:1;)
# The dns header is $HOME_NET -> $EXTERNAL_NET: where clients resolve through an
# internal resolver, the alert source is presumably the resolver rather than
# the querying host - pair these alerts with resolver logs (verify).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coinprime.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas3.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243736; rev:1;)
alert tcp $HOME_NET any -> [109.116.212.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243734; rev:1;)
# ip181.ip-51-81-90.us likewise encodes address octets in the name (presumably a
# provider-assigned hostname; confirm against the IOC record).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip181.ip-51-81-90.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; 
sid:91243733; rev:1;)
alert tcp $HOME_NET any -> [93.148.180.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243732; rev:1;)
# AsyncRAT ip:port entries. Each rule matches on destination address and port
# only: there is no flow or payload keyword, and nothing requires an
# established session, so an alert shows that a $HOME_NET host sent TCP traffic
# toward the listed endpoint, not that an AsyncRAT session took place.
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one
# alert per source address per 60 seconds for each sid; a host that beacons
# continuously still appears once a minute, so alert count is not a measure of
# traffic volume.
# Ports 6606, 7707 and 8808 recur across otherwise unrelated addresses in this
# list (commonly cited as AsyncRAT defaults - confirm). Several addresses are
# listed on more than one port (216.250.255.99, 51.89.109.154, 147.124.217.110,
# 89.117.49.133), each pair under its own sid.
alert tcp $HOME_NET any -> [51.195.231.121] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243731; rev:1;)
alert tcp $HOME_NET any -> [185.174.101.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243729; rev:1;)
alert tcp $HOME_NET any -> [172.111.148.11] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243730; rev:1;)
alert tcp $HOME_NET any -> [216.250.255.99] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243728; rev:1;)
alert tcp $HOME_NET any -> [216.250.255.99] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243727; rev:1;)
alert tcp $HOME_NET any -> [38.180.30.53] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243726; rev:1;)
alert tcp $HOME_NET any -> [51.89.109.154] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243724; rev:1;)
alert tcp $HOME_NET any -> [51.89.109.154] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243725; rev:1;)
alert tcp $HOME_NET any -> [147.124.217.110] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243723; rev:1;)
alert tcp $HOME_NET any -> [147.124.217.110] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243722; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.152] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243721; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.134] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243720; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.125] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243718; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.174] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243719; rev:1;)
alert tcp $HOME_NET any -> [89.117.49.133] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243717; rev:1;)
alert tcp $HOME_NET any -> [89.117.49.133] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243716; rev:1;)
alert tcp $HOME_NET any -> [69.64.95.233] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243715; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.251] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243714; rev:1;)
# 193.124.205.80 is listed on port 80, where an address-and-port match cannot
# separate C2 from other web traffic to the same address. NOTE(review): check
# the IOC record and any proxy logs before escalating.
alert tcp $HOME_NET any -> [193.124.205.80] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243712; rev:1;)
alert tcp $HOME_NET any -> [188.126.90.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243713; rev:1;)
alert tcp $HOME_NET any -> [128.90.122.163] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243711; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.54] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243710; rev:1;)
alert tcp $HOME_NET any -> [172.245.134.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243709; rev:1;)
# ShadowPad and Sliver entries carry confidence_level 90 (in msg and in
# metadata) instead of 100. The value is exposed as a metadata key, so rule
# management or alert triage can filter on it; the rules themselves behave the
# same at any confidence value.
# Matching is by destination address and port only (no flow or payload keyword).
# On 80 and 443 in particular, the alert says a $HOME_NET host sent TCP traffic
# to the address, nothing about what the traffic contained.
alert tcp $HOME_NET any -> [38.55.204.19] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243708/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243708; rev:1;)
# Sliver is also used in authorised adversary-emulation work; the msg text
# "botnet C2" is the feed's generic wording. NOTE(review): check an alert
# against any sanctioned test activity before escalating.
alert tcp $HOME_NET any -> [78.89.158.155] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243707/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243707; rev:1;)
alert tcp $HOME_NET any -> [78.129.165.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243705/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243705; rev:1;)
alert tcp $HOME_NET any -> [45.10.246.27] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243706/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243706; rev:1;)
alert tcp $HOME_NET any -> [121.43.52.194] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243704/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243704; rev:1;)
alert tcp $HOME_NET any -> [104.40.132.124] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243703/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243703; rev:1;)
alert tcp $HOME_NET any -> [137.184.114.2] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243702/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243702; rev:1;)
alert tcp $HOME_NET any -> [195.201.223.219] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243701/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243701; rev:1;)
# DarkComet entry, back at confidence_level 100. target:src_ip marks the
# $HOME_NET source as the affected side in the alert record.
alert tcp $HOME_NET any -> [105.100.30.87] 1001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243700; rev:1;)
alert tcp $HOME_NET any -> [149.28.155.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243699; rev:1;)
# Cobalt Strike ip:port entries. The rules match on destination address and
# port only: no flow or payload keyword is present and nothing requires an
# established session, so an alert records TCP traffic from a $HOME_NET host
# toward the endpoint, not an identified beacon exchange.
# threshold (type limit, track by_src, seconds 60, count 1) yields at most one
# alert per source address per 60 seconds for each sid.
# Every rule is first_seen 2024_03_01 while the feed header is dated 2024-07-26;
# address-only indicators age, so confirm the IOC record behind the reference
# URL (sid = 9 + IOC id) before treating a hit as live infrastructure.
# Cobalt Strike is also used in authorised red-team work. NOTE(review): rule out
# sanctioned testing when triaging.
alert tcp $HOME_NET any -> [176.32.38.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243698; rev:1;)
# 185.81.68.249 is listed on 443, 80 and 445, one sid per port. 445 is the SMB
# port; where the perimeter already denies outbound 445, a hit on sid:91243694
# presumably reflects an attempt seen by the sensor before the block (depends
# on sensor placement - verify).
alert tcp $HOME_NET any -> [185.81.68.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243696; rev:1;)
alert tcp $HOME_NET any -> [47.109.149.105] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243697; rev:1;)
alert tcp $HOME_NET any -> [185.81.68.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243695; rev:1;)
alert tcp $HOME_NET any -> [185.81.68.249] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243694; rev:1;)
alert tcp $HOME_NET any -> [101.36.111.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243692; rev:1;)
alert tcp $HOME_NET any -> [43.134.20.68] 9520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243693; rev:1;)
alert tcp $HOME_NET any -> [107.172.196.196] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243691; rev:1;)
alert tcp $HOME_NET any -> [47.98.232.222] 22311 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243690; rev:1;)
alert tcp $HOME_NET any -> [119.91.209.244] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243689; rev:1;)
alert tcp $HOME_NET any -> [47.109.106.162] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243687; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243688; rev:1;)
# 43.140.250.89 is listed on 4444 and 80; each pair has its own sid and its own
# per-source threshold.
alert tcp $HOME_NET any -> [43.140.250.89] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243686; rev:1;)
alert tcp $HOME_NET any -> [43.140.250.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243685; rev:1;)
alert tcp $HOME_NET any -> [182.149.199.249] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243684; rev:1;)
alert tcp $HOME_NET any -> [23.26.137.225] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243683; rev:1;)
alert tcp $HOME_NET any -> [114.116.18.42] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243681; rev:1;)
alert tcp $HOME_NET any -> [43.139.122.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243682; rev:1;)
alert tcp $HOME_NET any -> [123.57.186.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243680; rev:1;)
alert tcp $HOME_NET any -> [124.71.9.23] 8500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243679; rev:1;)
alert tcp $HOME_NET any -> [111.231.74.147] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243678; rev:1;)
alert tcp $HOME_NET any -> [121.36.77.90] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243677; rev:1;)
alert tcp $HOME_NET any -> [118.24.128.204] 8086 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243676; rev:1;) alert tcp $HOME_NET any -> [138.201.132.254] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243675; rev:1;) alert tcp $HOME_NET any -> [185.204.0.115] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243674; rev:1;) alert tcp $HOME_NET any -> [154.3.1.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243673; rev:1;) alert tcp $HOME_NET any -> [111.229.213.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243672; rev:1;) alert tcp $HOME_NET any -> [60.204.151.115] 3214 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243670/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243670; rev:1;) alert tcp $HOME_NET any -> [8.130.95.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243671; rev:1;) alert tcp $HOME_NET any -> [175.27.162.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243669; rev:1;) alert tcp $HOME_NET any -> [39.107.89.22] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243668; rev:1;) alert tcp $HOME_NET any -> [39.105.204.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebula-cdn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243666; rev:1;) alert tcp $HOME_NET any -> [123.56.251.159] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243665; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243663; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243664; rev:1;) alert tcp $HOME_NET any -> [39.109.127.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243662; rev:1;) alert tcp $HOME_NET any -> [159.75.104.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243661; rev:1;) alert tcp $HOME_NET any -> [47.98.120.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243659/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243659; rev:1;) alert tcp $HOME_NET any -> [117.72.46.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243660; rev:1;) alert tcp $HOME_NET any -> [47.245.122.5] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243658; rev:1;) alert tcp $HOME_NET any -> [119.91.214.99] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243657; rev:1;) alert tcp $HOME_NET any -> [8.134.221.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243655; rev:1;) alert tcp $HOME_NET any -> [119.91.214.99] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243656; rev:1;) alert tcp $HOME_NET any -> [172.105.37.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243654; rev:1;) alert tcp $HOME_NET any -> [103.243.212.108] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243653; rev:1;) alert tcp $HOME_NET any -> [8.217.186.171] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odoo.tendadaalma.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243652; rev:1;) alert tcp $HOME_NET any -> [141.98.81.98] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243650; rev:1;) alert tcp $HOME_NET any -> [74.235.140.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243649; rev:1;) alert tcp $HOME_NET any -> [118.89.124.242] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.distracted-cannon.104-168-102-175.plesk.page"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-cerf.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hungry-dijkstra.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.adoring-hellman.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243645; rev:1;) alert tcp $HOME_NET any -> [120.79.44.225] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-116-36-101.us-east-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.confident-bouman.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.friendly-dirac.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fra-col.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243638; rev:1;)
# DNS domain IOCs (ThreatFox, confidence_level 100, first_seen 2024_03_01).
# Each rule inspects the DNS query name. depth equals the length of the content
# string and isdataat:!1,relative requires that nothing follows it, so only the
# complete name matches (case-insensitively, via nocase). A different label on the
# same parent is not covered, which is why this file lists the www. and bare forms
# of a host (e.g. friendly-dirac) as separate rules.
# There is no threshold keyword on these rules, so every matching query alerts.
# The alert is raised on the lookup itself; target:src_ip marks the querying side
# as the target. NOTE(review): with $HOME_NET -> $EXTERNAL_NET, where clients use an
# internal recursive resolver the source seen by the sensor is presumably that
# resolver - map hits back to the endpoint through resolver query logs.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer; the
# http rules in this file already use the dotted names (http.uri, http.host).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"optimistic-rubin.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-torvalds.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243636; rev:1;)
# The next name is a cloud-provider hostname with an address embedded in it, not a
# separately registered domain. NOTE(review): such names presumably follow the
# instance's public address, which can be reassigned - check the referenced
# ThreatFox entry is still current before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-75-210-134.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vigilant-kare.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friendly-dirac.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243634/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_01; classtype:trojan-activity; sid:91243634; rev:1;)
# ip:port IOCs with confidence_level 50 (ThreatFox, first_seen 2024_03_01).
# These rules carry no flow, flags or content keywords: the header alone decides,
# so any TCP packet from $HOME_NET to the listed address and port matches, whether
# or not a session was established or any payload was exchanged.
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at one
# alert per source address per 60 seconds; it does not narrow what matches.
# The msg text and metadata both record the feed's 50% confidence, and the file
# header gives a last update of 2024-07-26, months after first_seen.
# NOTE(review): treat a hit as a lead, not a verdict - addresses get reassigned and
# ports such as 80 are shared by unrelated services. Corroborate with flow records
# (handshake completed, bytes transferred) and endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [5.35.99.203] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243633; rev:1;)
alert tcp $HOME_NET any -> [80.253.246.232] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243631; rev:1;)
alert tcp $HOME_NET any -> [217.197.107.145] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243630; rev:1;)
alert tcp $HOME_NET any -> [65.20.69.208] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243629; rev:1;)
alert tcp $HOME_NET any -> [180.140.129.152] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243628; rev:1;)
alert tcp $HOME_NET any -> [193.92.248.35] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243627; rev:1;) alert tcp $HOME_NET any -> [167.56.207.87] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243626; rev:1;) alert tcp $HOME_NET any -> [176.44.108.225] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243625; rev:1;) alert tcp $HOME_NET any -> [185.174.8.138] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243624; rev:1;) alert tcp $HOME_NET any -> [200.234.235.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243623; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 27311 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243622; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 40484 (msg:"ThreatFox 
BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243621; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 3306 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243620; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 49553 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243619; rev:1;) alert tcp $HOME_NET any -> [45.137.22.156] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243618; rev:1;) alert tcp $HOME_NET any -> [2.58.85.145] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243617; rev:1;) alert tcp $HOME_NET any -> [194.87.252.184] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243616/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_01; classtype:trojan-activity; sid:91243616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpserver0windows/wppublicjs/proton_vmpacket/generator8wpbase/external_/_wplow8/universalflower/3/line62/7publicpacket/geocpuupdatedefaultasyncpublicprivateuploadsdownloads.php"; depth:178; nocase; http.host; content:"176.124.192.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243615; rev:1;) alert tcp $HOME_NET any -> [185.161.208.123] 8763 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9cf11b76.php"; depth:13; nocase; http.host; content:"pipikaka-ggg.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243613; rev:1;) alert tcp $HOME_NET any -> [162.19.208.109] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243612; rev:1;) alert tcp $HOME_NET any -> [94.131.11.34] 10006 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243611; rev:1;) alert tcp $HOME_NET any -> [185.222.58.81] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243608; rev:1;) alert tcp $HOME_NET any -> [42.237.25.52] 7899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/errorpage/catzx.scr"; depth:20; nocase; http.host; content:"universalmovies.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollsql.php"; depth:12; nocase; http.host; content:"185.130.46.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0924648.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243603; rev:1;) alert tcp $HOME_NET any -> [91.92.244.104] 655 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243582; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"srophuchung.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243601; rev:1;) alert tcp $HOME_NET any -> [43.249.193.230] 8712 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; 
depth:25; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243598; rev:1;)
# Mixed url / domain / ip:port IOCs that overlap on the same infrastructure.
# In the url rules the http.uri content has depth equal to its length and no end
# anchor, so it matches any request whose URI begins with that path. http.host adds
# isdataat:!1,relative and must match the whole host. Short paths such as "/ptj"
# therefore get their specificity from the host match, not from the path.
# These rules need the sensor to see the request as parsed HTTP (flow:established,
# from_client plus the http.* buffers).
# Expect more than one alert per incident:
#   - sid:91243598 (url) and sid:91243599 (domain) both key on qq.qqweixinzhuce.top;
#   - sid:91243595 (url, host 111.229.198.177) and sid:91243596 (tcp to
#     [111.229.198.177] 80) can both fire on one connection to port 80;
#   - sid:91243597 has the same method, URI and host match as sid:91243594 elsewhere
#     in this file (ThreatFox IOC ids 1243597 and 1243594), so one request to
#     8.222.150.46/updates raises both.
# Correlate on destination when counting affected hosts or incidents.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.qqweixinzhuce.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"8.222.150.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.229.198.177"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243595; rev:1;)
alert tcp $HOME_NET any -> [111.229.198.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"8.222.150.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.27.131.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243592; rev:1;) alert tcp $HOME_NET any -> [107.151.246.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cs"; depth:3; nocase; http.host; content:"www.micshcnds.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243589/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_01; classtype:trojan-activity; sid:91243589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micshcnds.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243588; rev:1;) alert tcp $HOME_NET any -> [18.192.209.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/v3.33/1f7jw12fqr2v"; depth:30; nocase; http.host; content:"18.192.209.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; 
content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243584; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of the file.)
#
# ThreatFox IOC rules, first_seen 2024_03_01. Mostly "url" rules: a client GET on an established
# flow whose URI begins with the listed path (start-anchored by depth, nocase, no end anchor) and
# whose http.host buffer equals the listed host exactly. These rules depend on Suricata parsing the
# request as clear-text HTTP. Every rule sets target:src_ip, i.e. the $HOME_NET host is recorded as
# the target in the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.qqweixinzhuce.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243585; rev:1;)
# ip:port rule at confidence_level 75: no flow or content keyword, so any TCP packet to this
# address and port matches; threshold limits it to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [139.64.172.17] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243583; rev:1;)
# NOTE(review): several URIs below look like ordinary web assets ("/__utm.gif", "/visit.js",
# "/en_us/all.js", "/g.pixel"). The URI alone is not an indicator; only the URI together with the
# exact host is. Keep both conditions if these are ported to another tool.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"43.134.183.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243579; rev:1;)
# 118.89.124.242 appears in four rules in this stretch: url rules for "/visit.js", "/g.pixel" and
# "/dpixel", plus an ip:port rule for TCP port 80. One host talking to it over cleartext HTTP can
# raise several different sids; correlate on destination address before counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.199.180.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243573; rev:1;)
alert tcp $HOME_NET any -> [118.89.124.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243571; rev:1;)
# (The rule started below continues on the following line of the file.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/facvicon.jpg"; depth:19; nocase; http.host; content:"117.50.47.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243570; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of the file.)
#
# ThreatFox IOC rules, first_seen 2024_03_01, confidence_level 100. Three shapes appear here:
# ip:port (alert tcp, any packet to the address and port, one alert per source host per 60 s),
# domain (alert dns, exact case-insensitive query name) and url (alert http, GET with a
# start-anchored URI prefix and an exact http.host, cleartext HTTP only).
alert tcp $HOME_NET any -> [143.244.186.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243569; rev:1;)
# cdn043sc.azureedge.net is a name under a shared provider domain. Both rules match this one full
# name only (depth plus isdataat:!1,relative), so other names under azureedge.net do not alert.
# The url rule needs the Host value in a cleartext request; where such a name is only reached over
# TLS, the dns rule is the one that can fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn043sc.azureedge.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms-settings-proximity"; depth:22; nocase; http.host; content:"cdn043sc.azureedge.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nv"; depth:3; nocase; http.host; content:"45.148.120.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243566; rev:1;)
# 47.92.171.109: the ip:port rule watches TCP 443, the url rule needs a parsed cleartext GET with
# URI prefix "/push" and that address as host. They observe different traffic and do not imply
# each other.
alert tcp $HOME_NET any -> [47.92.171.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.92.171.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243564; rev:1;)
# NOTE(review): the next two url rules use URI content "/" with depth:1. That prefix is satisfied
# by any path beginning with "/", so in practice they are host-only rules: any cleartext GET with
# host 95.217.28.14 or 88.198.112.251 alerts. The two ip:port rules that follow cover the same
# addresses on TCP 443 and TCP 5432.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.112.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243562; rev:1;)
alert tcp $HOME_NET any -> [88.198.112.251] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243560; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.14] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243561; rev:1;)
# The msg category changes to "payload delivery" for the next three rules (all on host
# aljannatquranteach.com). classtype is still trojan-activity, so the distinction is visible only
# in the msg text; filter on msg if delivery and C2 alerts are handled differently.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243508; rev:1;)
# (The rule started below continues on the following line of the file.)
alert tcp $HOME_NET any -> [45.142.182.90] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243509/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243509; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of the file.)
#
# ThreatFox IOC rules, first_seen 2024_03_01. This stretch is almost entirely ip:port rules at
# confidence_level 50 or 75. An ip:port rule here has no flow or content keyword: any TCP packet
# from $HOME_NET to the listed address and port matches, including a connection attempt that is
# never answered, and nothing about the payload is checked. threshold (type limit, track by_src,
# seconds 60, count 1) keeps that to one alert per source host per minute.
# NOTE(review): at confidence_level 50 an address-only match is a lead rather than a finding. The
# rule carries first_seen but no last-seen or expiry, so check the indicator's current status at
# the reference URL and corroborate with host telemetry before acting on a single alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"varinspector.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243515; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 18909 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243525; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name; no other name under
# dynuddns.net is matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"888juantriana88.dynuddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243527/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243527; rev:1;)
alert tcp $HOME_NET any -> [147.124.205.158] 9561 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243540; rev:1;)
# 104.194.157.55 is listed on two ports (8082 and 80) under separate sids.
alert tcp $HOME_NET any -> [104.194.157.55] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243559; rev:1;)
alert tcp $HOME_NET any -> [104.194.157.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243558; rev:1;)
alert tcp $HOME_NET any -> [46.226.164.60] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243557; rev:1;)
alert tcp $HOME_NET any -> [65.20.73.169] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243556; rev:1;)
alert tcp $HOME_NET any -> [45.32.31.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243555; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.11] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243554; rev:1;)
alert tcp $HOME_NET any -> [90.52.128.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243553; rev:1;)
alert tcp $HOME_NET any -> [173.207.111.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243552; rev:1;)
alert tcp $HOME_NET any -> [41.97.68.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243551; rev:1;)
alert tcp $HOME_NET any -> [175.13.35.124] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243550; rev:1;)
alert tcp $HOME_NET any -> [72.27.146.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243549; rev:1;)
# This rule is "alert tcp" on port 53: it covers TCP only, so UDP traffic to the same address and
# port is outside what it matches.
alert tcp $HOME_NET any -> [106.75.66.128] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243548; rev:1;)
# (The rule started below continues on the following line of the file.)
alert tcp $HOME_NET any -> [130.193.40.155] 443 (msg:"ThreatFox Responder botnet C2 traffic
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243547; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of the file.)
#
# ThreatFox IOC rules. first_seen is 2024_03_01 up to sid 91243534 and 2024_02_29 from
# sid 91243533 onward. Most are ip:port rules: any TCP packet from $HOME_NET to the listed address
# and port matches (no flow or content keyword), limited to one alert per source host per 60 s.
# confidence_level ranges from 50 to 100 in this stretch and is repeated in both msg and metadata,
# so alerts can be prioritised on either field.
alert tcp $HOME_NET any -> [201.174.9.2] 3392 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243546; rev:1;)
alert tcp $HOME_NET any -> [92.39.211.142] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243545; rev:1;)
alert tcp $HOME_NET any -> [35.193.229.206] 60000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243544; rev:1;)
alert tcp $HOME_NET any -> [170.187.200.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243543; rev:1;)
alert tcp $HOME_NET any -> [37.1.208.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243542; rev:1;)
alert tcp $HOME_NET any -> [103.150.208.227] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243541; rev:1;)
# url rule at confidence_level 75: cleartext GET, URI prefix "/v5jh" (start-anchored, nocase),
# http.host exactly 103.191.15.10.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v5jh"; depth:5; nocase; http.host; content:"103.191.15.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243539; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.55] 5000 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243538/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243538; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.107] 5000 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243537/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243537; rev:1;)
alert tcp $HOME_NET any -> [171.80.216.99] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243536/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243536; rev:1;)
alert tcp $HOME_NET any -> [89.23.107.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243535/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243535; rev:1;)
alert tcp $HOME_NET any -> [193.178.147.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243534; rev:1;)
alert tcp $HOME_NET any -> [39.100.103.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243533; rev:1;)
# domain/url pair for 30ht.com.w.kunlunpi.com. NOTE(review): the URI "/jquery-3.3.1.min.js" is
# the file name of a widely used JavaScript library, so the URI alone carries no signal; the exact
# host match is what makes the url rule specific. Keep both conditions if the indicator is reused.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30ht.com.w.kunlunpi.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"30ht.com.w.kunlunpi.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243531; rev:1;)
# (The rule started below continues on the following line of the file.)
alert tcp $HOME_NET any -> [39.108.147.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243530/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243530; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of the file.)
#
# ThreatFox IOC rules, first_seen 2024_02_29. ip:port rules (alert tcp) match any TCP packet from
# $HOME_NET to the listed address and port, with no flow or content condition, and are limited to
# one alert per source host per 60 s. url rules (alert http) need a parsed cleartext GET whose URI
# begins with the listed path and whose http.host equals the listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"39.108.147.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243529; rev:1;)
alert tcp $HOME_NET any -> [39.100.103.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243528; rev:1;)
alert tcp $HOME_NET any -> [191.89.247.6] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243526; rev:1;)
# NOTE(review): the confidence_level 50 rules that follow match on address and port alone. Several
# use ports that also carry ordinary services (80, 443, 995, 143), so nothing in the rule
# distinguishes the listed activity from any other traffic to that address. Treat a hit as a lead
# and confirm against the reference URL and host telemetry.
alert tcp $HOME_NET any -> [46.250.238.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243524; rev:1;)
alert tcp $HOME_NET any -> [192.248.159.76] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243523; rev:1;)
alert tcp $HOME_NET any -> [23.95.44.73] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243522; rev:1;)
alert tcp $HOME_NET any -> [39.40.163.25] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243521; rev:1;)
alert tcp $HOME_NET any -> [86.225.209.225] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243520; rev:1;)
alert tcp $HOME_NET any -> [206.81.31.145] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243519; rev:1;)
alert tcp $HOME_NET any -> [198.13.47.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243518; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.11] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243517; rev:1;)
alert tcp $HOME_NET any -> [128.14.226.110] 143 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243516; rev:1;)
# url rule with a very long URI (depth:220): the whole path must appear at the start of the URI,
# compared case-insensitively, together with an exact host match on 193.233.255.228.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0/central3cputemp/6trafficeternalgeo/dump4requestmariadb/dbexternal/cpuprotonpoll4/longpollmariadb/dlejsauthrequest/cdn/1cpubasedle/36/external9traffic/7/update/lowlocalpython/videojs_updatedefaultgeneratorwordpress.php"; depth:220; nocase; http.host; content:"193.233.255.228"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243514; rev:1;)
# Two addresses on the same port (12607) under the same label, one sid each.
alert tcp $HOME_NET any -> [18.158.249.75] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243513; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243512; rev:1;)
# (The rule started below continues on the following line of the file.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/providerpythonhttplowupdateflowertrackwordpress.php"; depth:52; nocase; http.host; content:"147.45.197.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243511; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of the file.)
#
# ThreatFox IOC rules, first_seen 2024_02_29, confidence_level 100. ip:port rules match any TCP
# packet from $HOME_NET to the listed address and port (one alert per source host per 60 s);
# domain rules match the full query name exactly and case-insensitively; url rules need a parsed
# cleartext GET with a start-anchored URI prefix and an exact http.host.
alert tcp $HOME_NET any -> [198.44.174.170] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243510; rev:1;)
alert tcp $HOME_NET any -> [18.162.156.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243505; rev:1;)
# NOTE(review): several names in this stretch sit under shared provider domains (cloudfront.net,
# tencentapigw.com, cdngslb.com). Each rule matches one full name only, so other names under the
# same parent do not alert. The matching url rules depend on seeing the Host value in cleartext
# HTTP; where such a name is only reached over TLS, the dns rule is the one that can fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d9msk9dy9tbnk.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243503; rev:1;)
alert tcp $HOME_NET any -> [4.158.105.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243504; rev:1;)
# The "/jquery-*.min.js" URIs below look like ordinary library file names; the URI alone is not an
# indicator, only the URI together with the exact host is.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-2.8.4.min.js"; depth:20; nocase; http.host; content:"d9msk9dy9tbnk.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.170.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243499; rev:1;)
alert tcp $HOME_NET any -> [18.231.151.211] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-f8oy6qld-1322248009.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-f8oy6qld-1322248009.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intl.ccb.com.w.cdngslb.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"intl.ccb.com.w.cdngslb.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"all.mbblitz.net.w.cdngslb.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1243493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"all.mbblitz.net.w.cdngslb.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udptestsh6062.ialicdn.com.w.cdngslb.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"udptestsh6062.ialicdn.com.w.cdngslb.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243489; rev:1;) 
# ThreatFox indicator rules, first_seen 2024_02_29 (one rule per line).
# Three rule shapes appear in this run:
#   * url     - established client-to-server flow, GET method, request path anchored at the
#               start of http.uri (depth equals the path length, so longer URIs that begin
#               with the path also match) and an exact http.host value (depth equals the
#               host length and isdataat:!1,relative allows no trailing bytes).
#   * ip:port - no flow or payload keywords: any TCP packet from $HOME_NET to the listed
#               address and port matches; the threshold limits output to one alert per
#               source address per 60 seconds.
#   * domain  - dns_query compared against the whole query name (depth equals the name
#               length, isdataat:!1,relative, nocase); subdomains of a listed name are not
#               matched by the same rule.
# target:src_ip marks the $HOME_NET host as the affected side in alert output.
# metadata confidence_level repeats the feed's rating shown in msg; 75% entries below are
# rated lower by the feed than the 100% ones, so corroborate before acting on them alone.

# URL rules sharing the path /static/js/jquery-3.3.1.min.js; the path resembles an ordinary
# jQuery asset name, so the http.host condition is what makes each rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"36.150.211.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"117.34.18.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"61.170.88.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243485; rev:1;)
# Mixed ip:port, url and domain indicators (NjRAT, Remcos and unnamed families).
alert tcp $HOME_NET any -> [154.38.160.55] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternal3/0server/downloads/better/7linuxdle/traffic/processorto4default/external/wordpressimage/phpwp/lowuploads0/6processorsql/updateprocessortest/packetbigload.php"; depth:166; nocase; http.host; content:"188.120.229.213"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243483; rev:1;)
alert tcp $HOME_NET any -> [107.175.113.194] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243482; rev:1;)
alert tcp $HOME_NET any -> [162.19.25.207] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrado.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243480; rev:1;)
alert tcp $HOME_NET any -> [103.77.243.215] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243478; rev:1;)
# Domain rules: the msg text names no malware family for these entries; the reference URL
# on each rule is the place to look up the feed's context for the indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzfdmserv275.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzlkxadvert475.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopweb95.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"straightsboycott.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ventafones.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wprogs.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yan0212.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yan0212.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zl0yy.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243318; rev:1;)
# SystemBC ip:port rules. Several use ports shared with common services (443, 445, 8080);
# the rules inspect no payload, so a hit says only that a host contacted the address.
# NOTE(review): an address-only indicator can outlive the infrastructure it described;
# check the reference entry before treating an alert on an older first_seen as confirmed.
alert tcp $HOME_NET any -> [138.201.196.90] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243319; rev:1;)
alert tcp $HOME_NET any -> [153.92.222.162] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243320; rev:1;)
alert tcp $HOME_NET any -> [185.236.232.20] 445 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243321; rev:1;)
alert tcp $HOME_NET any -> [185.73.124.42] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243322; rev:1;)
alert tcp $HOME_NET any -> [192.53.123.202] 8080 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243323; rev:1;)
alert tcp $HOME_NET any -> [45.15.159.28] 8080 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243325; rev:1;)
alert tcp $HOME_NET any -> [45.63.66.10] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243326; rev:1;)
alert tcp $HOME_NET any -> [64.176.214.51] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243327; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.86] 4254 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243324; rev:1;)
alert tcp $HOME_NET any -> [69.10.60.115] 4018 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243328; rev:1;)
alert tcp $HOME_NET any -> [80.85.84.79] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243329; rev:1;)
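# ThreatFox indicator rules, first_seen 2024_02_29 (one rule per line).
# ip:port rules carry no flow or payload keywords: any TCP packet from $HOME_NET to the
# listed address and port matches, and the threshold limits output to one alert per source
# address per 60 seconds. target:src_ip marks the $HOME_NET host as the affected side.
alert tcp $HOME_NET any -> [89.187.184.206] 4299 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243330; rev:1;)
alert tcp $HOME_NET any -> [94.198.51.247] 4337 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243332; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.109] 4372 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243331; rev:1;)
alert tcp $HOME_NET any -> [94.198.55.181] 4337 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243333; rev:1;)
# Lower-rated entries (50% and 75%): the feed itself is less sure of these, and the rules
# see only address and port, so corroborate with host or proxy evidence before containment.
alert tcp $HOME_NET any -> [82.153.138.25] 13338 (msg:"ThreatFox xmrig payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243429; rev:1;)
alert tcp $HOME_NET any -> [15.204.223.194] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243443; rev:1;)
alert tcp $HOME_NET any -> [79.228.201.177] 666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243444; rev:1;)
# url rule: GET, request path anchored at the start of http.uri, exact http.host value
# (depth equals the host length and isdataat:!1,relative allows no trailing bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi4mgfhzji2mmm5/"; depth:18; nocase; http.host; content:"karmelinanoonethousandbaby.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243445; rev:1;)
alert tcp $HOME_NET any -> [147.45.197.186] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243475; rev:1;)
# Host-only url indicators (ioc 1243476 and 1243477). The feed text placed the host string
# in http.uri anchored at offset 0; a request URI in origin form begins with "/", so that
# form could not match ordinary client requests and the rules were effectively silent.
# The host is matched in http.host instead, with the same exact-match shape (depth plus
# isdataat:!1,relative) as the other url rules in this section; nocase is dropped because
# no other http.host match here uses it. Presumably the submitted indicator had no scheme
# or path - confirm against the reference entry.
# NOTE(review): sid and rev are left as published, so this is a local deviation from the
# upstream text; carry it as a local override or correct the generator, otherwise the next
# feed refresh restores the original form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"mainnetwork.sysromeu.eu.org"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.11.93.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243477; rev:1;)
# domain rules: dns_query is compared against the whole query name (depth equals the name
# length, isdataat:!1,relative, nocase). A subdomain is not covered by its parent's rule,
# which is why lkk.collection.aixpirts.com and collection.aixpirts.com are listed separately.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leadsoftware.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advertsp74.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gam0ver.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkk.collection.aixpirts.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collection.aixpirts.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243305; rev:1;)
alert dns $HOME_NET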
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"visitclouds.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243253; rev:1;) alert tcp $HOME_NET any -> [185.172.129.234] 34244 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243474; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923143.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243472; rev:1;) alert tcp $HOME_NET any -> [46.226.164.18] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243471; rev:1;) alert tcp $HOME_NET any -> [106.75.66.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243470; rev:1;) alert tcp $HOME_NET any -> [139.9.65.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243469; rev:1;) alert tcp $HOME_NET any -> [50.35.137.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243468; rev:1;) alert tcp $HOME_NET any -> [24.177.42.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0922949.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243466; rev:1;) alert tcp $HOME_NET any -> [173.249.27.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243465/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243465; rev:1;) alert tcp $HOME_NET any -> [43.138.70.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243464; rev:1;) alert tcp $HOME_NET any -> [94.156.67.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243463; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243462; rev:1;) alert tcp $HOME_NET any -> [70.31.125.177] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243461; rev:1;) alert tcp $HOME_NET any -> [41.96.34.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243460; rev:1;) alert tcp $HOME_NET any -> [43.139.235.226] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243459; rev:1;) alert tcp $HOME_NET any -> [139.196.191.50] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243458/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243458; rev:1;) alert tcp $HOME_NET any -> [8.218.157.182] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243457/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243457; rev:1;) alert tcp $HOME_NET any -> [193.233.132.48] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243456/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243456; rev:1;) alert tcp $HOME_NET any -> [193.233.132.10] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243455; rev:1;) alert tcp $HOME_NET any -> [41.216.183.184] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243454; rev:1;) alert 
tcp $HOME_NET any -> [5.75.211.82] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243453; rev:1;)
# ip:port rules: each one matches TCP traffic from $HOME_NET to a single
# destination IP and port and uses no flow or payload keywords. The threshold
# (type limit, track by_src, seconds 60, count 1) caps every rule at one alert
# per source address per 60 seconds.
# NOTE(review): with no flow keyword a connection attempt alone appears to be
# enough to alert, so a hit does not by itself show that the server answered.
alert tcp $HOME_NET any -> [65.109.240.92] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243452; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.158] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243451; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.251] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243450; rev:1;)
alert tcp $HOME_NET any -> [5.75.209.178] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243449; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.211] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243448; rev:1;)
alert tcp $HOME_NET any -> [110.41.44.130] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243447; rev:1;)
alert tcp $HOME_NET any -> [103.74.172.161] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243446; rev:1;)
# sid:91243442 and sid:91243441 point at the same host, 175.197.65.135: the
# first by ip:port on 443, the second by HTTP request (GET, URI, Host).
# The http rule reads parsed HTTP buffers only. NOTE(review): if the port-443
# traffic is TLS, only the ip:port rule can fire unless the sensor is given
# decrypted traffic.
# http.uri is anchored at the start only (depth equals the content length and
# there is no isdataat), so longer URIs with this prefix also match; http.host
# must equal the listed value exactly (depth plus isdataat:!1,relative).
alert tcp $HOME_NET any -> [175.197.65.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/rtrovpivygzklxemdw38"; depth:25; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243441; rev:1;)
alert tcp $HOME_NET any -> [15.228.170.102] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243440; rev:1;)
alert tcp $HOME_NET any -> [186.170.114.55] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243439; rev:1;)
alert tcp $HOME_NET any -> [83.213.157.103] 1515 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243438; rev:1;)
# The next entries carry confidence_level 50 and sit on ports 80 and 443.
# NOTE(review): treat a hit on these as a lead to corroborate with host
# telemetry or other sids before calling the source host compromised.
alert tcp $HOME_NET any -> [147.45.68.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243437; rev:1;)
alert tcp $HOME_NET any -> [187.213.196.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243436; rev:1;)
alert tcp $HOME_NET any -> [105.102.19.215] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243435; rev:1;)
# Destination port 445 (SMB). NOTE(review): outbound SMB to the Internet is
# normally blocked at the perimeter; on a hit, verify the egress policy as
# well as the source host.
alert tcp $HOME_NET any -> [45.120.106.149] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243434/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243434; rev:1;)
# ip:port rules match on destination IP and port only and are limited to one
# alert per source address per 60 seconds by their threshold keyword.
alert tcp $HOME_NET any -> [5.161.64.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243433; rev:1;)
alert tcp $HOME_NET any -> [45.61.138.43] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243432; rev:1;)
# url rules: a GET request whose http.uri begins with the listed path (depth
# equals the content length, nocase, no end anchor) and whose http.host equals
# the listed host exactly (depth plus isdataat:!1,relative).
# Short paths such as "/ca" and "/cx" are therefore prefix matches: a
# constructed example like "/cart" on the same host would also alert.
# The msg of url rules names no malware family. 122.51.118.39 is also listed
# as Cobalt Strike on port 81 under sid:91243346. NOTE(review): the paths
# /ca, /cx, /__utm.gif, /visit.js and /ie9compatviewlist.xml resemble default
# Cobalt Strike beacon URIs; confirm the family through each reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243431; rev:1;)
alert tcp $HOME_NET any -> [74.81.46.139] 44085 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243428; rev:1;)
# 118.89.124.242 is covered by two url rules (sid:91243427 and sid:91243424)
# with different paths; a single client can raise both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.110.253.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243424; rev:1;)
alert tcp $HOME_NET any -> [45.32.7.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level:
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243423; rev:1;)
# ip:port rules labelled "Unknown malware": the msg gives no family, so the
# reference URL is the only pointer to what the indicator was seen doing.
# Each rule matches destination IP and port only and is limited to one alert
# per source address per 60 seconds.
# first_seen here is 2024_02_28 while the file header is stamped 2024-07-26.
# NOTE(review): ip:port indicators of this age may have been reassigned;
# confirm the IOC is still current through its reference URL before acting.
alert tcp $HOME_NET any -> [143.110.247.233] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243422; rev:1;)
alert tcp $HOME_NET any -> [123.206.115.56] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243421; rev:1;)
alert tcp $HOME_NET any -> [185.43.222.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243420; rev:1;)
alert tcp $HOME_NET any -> [185.43.221.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243419; rev:1;)
alert tcp $HOME_NET any -> [3.65.151.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243418; rev:1;)
alert tcp $HOME_NET any -> [172.201.219.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243417; rev:1;)
alert tcp $HOME_NET any -> [213.171.15.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243416; rev:1;)
alert tcp $HOME_NET any -> [124.71.205.116] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243415; rev:1;)
alert tcp $HOME_NET any -> [159.138.58.51] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243414; rev:1;)
alert tcp $HOME_NET any -> [170.64.213.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243413; rev:1;)
alert tcp $HOME_NET any -> [123.60.185.117] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243412; rev:1;)
alert tcp $HOME_NET any -> [37.251.160.104] 54043 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243411; rev:1;)
alert tcp $HOME_NET any -> [124.220.97.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243410; rev:1;)
alert tcp $HOME_NET any -> [135.181.16.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243409; rev:1;)
alert tcp $HOME_NET any -> [34.101.73.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243408; rev:1;)
# domain rules: the dns_query content carries depth equal to its length plus
# isdataat:!1,relative, so only a query for exactly this name matches
# (case-insensitively, via nocase); subdomains of it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243407; rev:1;)
alert tcp $HOME_NET any -> [1.117.229.230] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243406; rev:1;)
alert tcp $HOME_NET any -> [49.51.68.151] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243405; rev:1;)
alert tcp $HOME_NET any -> [154.201.66.219] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243404; rev:1;)
# 150.158.137.47 appears here on port 443 as "Unknown malware" and again on
# port 4433 as Cobalt Strike under sid:91243349.
alert tcp $HOME_NET any -> [150.158.137.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustabletechsupport.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)";
dns_query; content:"gfdjlgkdjfgkdfjgkml.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243401; rev:1;)
# domain rules: the dns_query content carries depth equal to its length plus
# isdataat:!1,relative, so only a query for exactly this name matches
# (case-insensitively, via nocase); subdomains and parent domains do not.
# Names such as ec2-34-230-177-18.compute-1.amazonaws.com embed an IP address.
# NOTE(review): these look like provider-assigned hostnames whose address can
# pass to another tenant, so check first_seen and the reference URL before
# treating a lookup as confirmed C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-230-177-18.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243400; rev:1;)
# Two subdomains of inspirestudiosteam.com are matched as separate exact
# names; no rule in this part of the file matches the parent domain itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.inspirestudiosteam.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mg.inspirestudiosteam.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243398; rev:1;)
# ip:port rules match on destination IP and port only and are limited to one
# alert per source address per 60 seconds by their threshold keyword.
alert tcp $HOME_NET any -> [154.8.204.75] 58082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243397; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.238] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243396; rev:1;)
alert tcp $HOME_NET any -> [20.65.178.69] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243395; rev:1;)
alert tcp $HOME_NET any -> [20.82.182.10] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243394; rev:1;)
alert tcp $HOME_NET any -> [20.251.169.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243393; rev:1;)
alert tcp $HOME_NET any -> [188.27.189.235] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemon.haryadi.my.id"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cardiochallenge.at"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bignas.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-227-193-214.static.hvvc.us"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-84-126-255.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243388; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.116] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243386; rev:1;)
alert tcp $HOME_NET any -> [5.144.177.67] 6090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243385; rev:1;)
# ip:port rules: each one matches TCP traffic from $HOME_NET to a single
# destination IP and port and uses no flow or payload keywords. The threshold
# (type limit, track by_src, seconds 60, count 1) caps every rule at one alert
# per source address per 60 seconds.
alert tcp $HOME_NET any -> [194.33.191.159] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243384; rev:1;)
alert tcp $HOME_NET any -> [213.183.63.187] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243383; rev:1;)
alert tcp $HOME_NET any -> [107.155.112.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243382; rev:1;)
# domain rules match the exact query name only (depth equals the content
# length, isdataat:!1,relative, nocase); subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptobetix.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212-70-149-199.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243380; rev:1;)
alert tcp $HOME_NET any -> [151.81.14.228] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243378; rev:1;)
alert tcp $HOME_NET any -> [216.250.255.99] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243377; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.165] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243376; rev:1;)
alert tcp $HOME_NET any -> [191.88.250.63] 4210 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243374; rev:1;)
alert tcp $HOME_NET any -> [172.111.148.61] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243375; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.56] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243373; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.17] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243372; rev:1;)
alert tcp $HOME_NET any -> [206.123.132.164] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243371; rev:1;)
alert tcp $HOME_NET any -> [23.227.194.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243370/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_28; classtype:trojan-activity; sid:91243370; rev:1;)
# 187.135.83.7 is listed on four ports (2086, 2083, 1962, 2053) under four
# sids. Each rule thresholds on its own, so one client can raise up to four
# alerts per 60 seconds for this host; group by destination IP when triaging.
alert tcp $HOME_NET any -> [187.135.83.7] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243369; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.7] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243368; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.7] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243366; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.7] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243367; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243365; rev:1;)
alert tcp $HOME_NET any -> [105.102.242.10] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243364; rev:1;)
alert tcp $HOME_NET any -> [124.156.162.162] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243363; rev:1;)
alert tcp $HOME_NET any -> [1.14.69.16] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28;
classtype:trojan-activity; sid:91243361; rev:1;)
# ip:port rules labelled Cobalt Strike: each matches destination IP and port
# only and is limited to one alert per source address per 60 seconds.
# Each sid is the digit 9 followed by the ThreatFox IOC id in the reference
# URL (sid:91243362 <-> /ioc/1243362/), which lets an alert be traced back to
# its feed entry.
# Several hosts are listed on more than one port under separate sids:
# 1.14.69.16 (8880 and 2096 here, 8080 under sid:91243361) and 185.11.61.168
# (443 and 80). Group alerts by destination IP when triaging.
alert tcp $HOME_NET any -> [1.14.69.16] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243362; rev:1;)
alert tcp $HOME_NET any -> [1.14.69.16] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243360; rev:1;)
alert tcp $HOME_NET any -> [23.224.176.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243359; rev:1;)
alert tcp $HOME_NET any -> [120.27.131.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243357; rev:1;)
alert tcp $HOME_NET any -> [218.93.206.191] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243358; rev:1;)
alert tcp $HOME_NET any -> [124.222.51.98] 60081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243355; rev:1;)
alert tcp $HOME_NET any -> [62.234.32.192] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243356; rev:1;)
alert tcp $HOME_NET any -> [47.98.168.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243354; rev:1;)
alert tcp $HOME_NET any -> [106.52.244.189] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243353; rev:1;)
alert tcp $HOME_NET any -> [185.11.61.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243351; rev:1;)
alert tcp $HOME_NET any -> [143.110.176.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243352; rev:1;)
alert tcp $HOME_NET any -> [185.11.61.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243350; rev:1;)
# 150.158.137.47 (port 4433 here) is also listed on port 443 as "Unknown
# malware" under sid:91243403, and 122.51.118.39 (port 81 here) is also the
# Host matched by the url rule sid:91243431.
alert tcp $HOME_NET any -> [150.158.137.47] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243349; rev:1;)
alert tcp $HOME_NET any -> [1.14.64.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243348; rev:1;)
alert tcp $HOME_NET any -> [3.75.210.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243347; rev:1;)
alert tcp $HOME_NET any -> [122.51.118.39] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243346; rev:1;)
alert tcp $HOME_NET any -> [91.245.253.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243345/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rns.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distracted-cannon.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243344; rev:1;) alert tcp $HOME_NET any -> [114.116.224.74] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.practical-black.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-71-186-178.ipv4.staticdns3.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243340/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243340; rev:1;) alert tcp $HOME_NET any -> [52.190.15.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fairyfoxgames.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dirapushka.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-black.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243335; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-91-59-255.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243334; rev:1;) alert tcp $HOME_NET any -> [46.183.223.64] 22364 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.samfund.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243302; rev:1;) alert tcp $HOME_NET any -> [159.223.86.140] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243303; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243301; rev:1;) alert tcp $HOME_NET any -> [78.141.217.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trailcosolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.76.196.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.74.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.24.128.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243294; rev:1;) alert tcp $HOME_NET any -> [89.185.85.207] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243293; rev:1;) alert tcp $HOME_NET any -> [172.174.236.21] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243292; rev:1;) alert tcp $HOME_NET any -> [39.40.128.22] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243291; rev:1;) alert tcp $HOME_NET any -> [2.88.198.236] 443 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243290; rev:1;) alert tcp $HOME_NET any -> [108.181.0.232] 58049 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243289; rev:1;) alert tcp $HOME_NET any -> [178.250.156.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243288; rev:1;) alert tcp $HOME_NET any -> [62.109.15.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243287; rev:1;) alert tcp $HOME_NET any -> [87.120.84.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243286; rev:1;) alert tcp $HOME_NET any -> [62.217.179.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; 
classtype:trojan-activity; sid:91243285; rev:1;) alert tcp $HOME_NET any -> [84.201.143.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux/lineupdateprocessordefaultdleprivate.php"; depth:47; nocase; http.host; content:"89.23.98.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243283; rev:1;) alert tcp $HOME_NET any -> [124.223.215.119] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1243269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.142.184.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"175.24.130.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243265; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"159.223.220.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssjcw.com.w.kunlunpi.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ssjcw.com.w.kunlunpi.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243261; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243260/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlvc"; depth:5; nocase; http.host; content:"118.31.75.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.178"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243256; rev:1;) alert tcp $HOME_NET any -> [65.109.242.251] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243254; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243255; rev:1;) alert tcp $HOME_NET any -> [185.217.197.52] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243252; rev:1;) alert tcp $HOME_NET any -> [166.1.173.27] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nl7l"; depth:5; nocase; http.host; content:"118.31.75.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243250; rev:1;) alert tcp $HOME_NET any -> [118.31.75.32] 1145 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243248/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyndinero.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243227; rev:1;) alert tcp $HOME_NET any -> [46.246.14.67] 7771 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243226; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 8651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntbizmm4zdq2mwy2/"; depth:18; nocase; http.host; content:"185.198.69.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi5odzlngfhyznh/"; depth:18; nocase; http.host; content:"213.109.202.210"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243220; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 8008 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243214/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ronymahmoud.casacam.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243213; rev:1;) alert tcp $HOME_NET any -> [45.95.169.102] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brainyworkslogos.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243211; rev:1;) alert tcp $HOME_NET any -> [103.173.254.239] 42516 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243207; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"212.129.36.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"31.207.37.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243243; rev:1;) alert tcp $HOME_NET any -> [83.69.236.128] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncfunctionapi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243245/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_28; classtype:trojan-activity; sid:91243245; rev:1;)
# --- ThreatFox-generated rules, restored to one rule per line -----------------------
# Rule shapes in this section:
#   url     - HTTP GET sent by a $HOME_NET client (flow:established,from_client) whose
#             http.uri begins with the listed path (depth = path length, nocase; the
#             end of the URI is not pinned) and whose http.host equals the listed host
#             (depth = host length plus isdataat:!1,relative, so no bytes may follow).
#             The request has to be visible to the HTTP parser to match.
#   ip:port - any TCP packet from $HOME_NET to the listed address and port; there is no
#             flow or payload keyword. "threshold: type limit, track by_src, seconds 60,
#             count 1" caps output at one alert per source address per 60 seconds.
# target:src_ip marks the internal ($HOME_NET) side as the target in the alert record.
# metadata confidence_level repeats the percentage shown in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/layout/fd6pr1n8lq5h"; depth:24; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243244; rev:1;)
# confidence_level 50 entries: destination-only indicators; corroborate a hit with
# proxy, DNS or endpoint telemetry before treating it as a confirmed infection.
alert tcp $HOME_NET any -> [185.161.248.199] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243241; rev:1;)
alert tcp $HOME_NET any -> [147.135.85.114] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243240; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243239; rev:1;)
alert tcp $HOME_NET any -> [37.211.19.15] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243238; rev:1;)
alert tcp $HOME_NET any -> [75.164.85.121] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243237; rev:1;)
alert tcp $HOME_NET any -> [70.27.138.200] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243236; rev:1;)
alert tcp $HOME_NET any -> [73.155.10.152] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243235; rev:1;)
# NOTE(review): msg reads "botnet C2 traffic" for every family, including the Responder,
# Havoc, Meterpreter and Cobalt Strike entries below. Those tools are also used in
# authorised testing, so check whether a hit lines up with a sanctioned engagement.
alert tcp $HOME_NET any -> [94.237.63.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243234; rev:1;)
alert tcp $HOME_NET any -> [172.181.54.61] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243233; rev:1;)
alert tcp $HOME_NET any -> [15.228.57.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243232; rev:1;)
alert tcp $HOME_NET any -> [23.227.194.232] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243231; rev:1;)
# Destination port 53 is matched here as plain TCP (alert tcp), not via the DNS parser.
alert tcp $HOME_NET any -> [213.226.100.35] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243230; rev:1;)
alert tcp $HOME_NET any -> [147.124.208.234] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923769.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243228; rev:1;)
alert tcp $HOME_NET any -> [103.198.26.210] 1902 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243225; rev:1;)
alert tcp $HOME_NET any -> [155.94.211.9] 42119 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243224; rev:1;)
alert tcp $HOME_NET any -> [122.52.26.100] 1818 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243223; rev:1;)
# From here on first_seen is 2024_02_27.
# NOTE(review): the /wp-content/ paths suggest a WordPress site, possibly a compromised
# legitimate host (confidence 75) - verify before blocking the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"pickilish.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/chunky/"; depth:19; nocase; http.host; content:"pickilish.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243218; rev:1;)
# 49.234.185.12 is covered twice: by the url rule (GET /match..., any port) and by the
# ip:port rule on 443 that follows it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243216; rev:1;)
alert tcp $HOME_NET any -> [49.234.185.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243217; rev:1;)
alert tcp $HOME_NET any -> [191.88.250.63] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243215; rev:1;)
alert tcp $HOME_NET any -> [65.21.101.232] 6392 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243210; rev:1;)
alert tcp $HOME_NET any -> [154.246.13.166] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243209; rev:1;)
alert tcp $HOME_NET any -> [103.179.188.223] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243206; rev:1;)
alert tcp $HOME_NET any -> [2.57.149.235] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds
60, count 1; reference:url, threatfox.abuse.ch/ioc/1243205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243205; rev:1;)
# --- ThreatFox ip:port rules, restored to one rule per line --------------------------
# Each rule matches any TCP packet from $HOME_NET to one listed address and port; there
# is no flow or payload keyword. "threshold: type limit, track by_src, seconds 60,
# count 1" caps output at one alert per source address per 60 seconds, and
# target:src_ip marks the internal ($HOME_NET) side as the target in the alert record.
# All entries below carry first_seen 2024_02_27, while the file header reports a last
# update of 2024-07-26: address indicators of that age may have been reassigned, so
# check the referenced ThreatFox entry before acting on a hit.
#
# Mirai / MooBot entries (confidence 100).
alert tcp $HOME_NET any -> [91.92.240.190] 5525 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243131; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.84] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243132; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.29] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243133; rev:1;)
alert tcp $HOME_NET any -> [37.221.92.112] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243134; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.220] 2821 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243135; rev:1;)
alert tcp $HOME_NET any -> [45.86.86.176] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243136; rev:1;)
alert tcp $HOME_NET any -> [94.103.188.45] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243137; rev:1;)
alert tcp $HOME_NET any -> [176.123.2.50] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243138; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.179] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243204; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.46] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243130; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.59] 13 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243129; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.229] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243128; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.164] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243127; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.43] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243125; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.231] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243126; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.28] 51231 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243123; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.14] 23213 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243124; rev:1;)
# The next two entries are labelled "payload delivery" rather than "botnet C2 traffic";
# the rule shape is the same. At confidence 50 on port 443 they are destination-only
# matches, so corroborate with proxy or endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [185.155.186.25] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243120; rev:1;)
alert tcp $HOME_NET any -> [185.155.184.55] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243119; rev:1;)
alert tcp $HOME_NET any -> [193.203.238.147] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243203; rev:1;)
# "Unknown malware": the feed attributes no family, so the alert text alone does not say
# what to look for on the host; start from the reference URL in each rule.
alert tcp $HOME_NET any -> [79.174.2.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243202; rev:1;)
alert tcp $HOME_NET any -> [3.131.21.160] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243201; rev:1;)
alert tcp $HOME_NET any -> [91.221.22.159] 80
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243200; rev:1;)
# --- ThreatFox ip:port rules, restored to one rule per line --------------------------
# Each rule matches any TCP packet from $HOME_NET to one listed address and port (no
# flow or payload keyword). "threshold: type limit, track by_src, seconds 60, count 1"
# caps output at one alert per source address per 60 seconds; target:src_ip marks the
# internal ($HOME_NET) side as the target in the alert record.
# "Unknown malware" means the feed attributes no family, so the alert text alone does
# not say what to look for on the host; start from the reference URL in each rule.
alert tcp $HOME_NET any -> [93.185.167.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243197; rev:1;)
alert tcp $HOME_NET any -> [8.222.199.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243198; rev:1;)
alert tcp $HOME_NET any -> [20.56.21.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243196; rev:1;)
alert tcp $HOME_NET any -> [64.23.182.218] 3443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243195; rev:1;)
alert tcp $HOME_NET any -> [128.199.108.110] 2087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243194; rev:1;)
alert tcp $HOME_NET any -> [20.96.212.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243193; rev:1;)
alert tcp $HOME_NET any -> [64.23.179.200] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243192; rev:1;)
alert tcp $HOME_NET any -> [124.222.124.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243191; rev:1;)
alert tcp $HOME_NET any -> [154.201.80.138] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243190; rev:1;)
alert tcp $HOME_NET any -> [123.254.104.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243189; rev:1;)
# The following entries target ports 80 and 443, so each is a destination-address match
# on a port that also carries ordinary web traffic; the address is the whole indicator.
alert tcp $HOME_NET any -> [91.92.251.210] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243188; rev:1;)
alert tcp $HOME_NET any -> [91.208.92.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243187; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.60] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243186; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.46] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243185; rev:1;)
alert tcp $HOME_NET any -> [18.204.80.51] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243184; rev:1;)
# domain rule: the DNS query name must equal the listed domain (depth = name length plus
# isdataat:!1,relative, nocase), so subdomains are not matched. It carries no threshold,
# and it only sees queries that reach Suricata's DNS parser.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asqrecruitment.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243183/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_02_27; classtype:trojan-activity; sid:91243183; rev:1;)
# --- ThreatFox-generated rules, restored to one rule per line ------------------------
# Rule shapes in this section:
#   ip:port - any TCP packet from $HOME_NET to the listed address and port (no flow or
#             payload keyword). "threshold: type limit, track by_src, seconds 60,
#             count 1" caps output at one alert per source address per 60 seconds.
#   domain  - DNS query name equal to the listed domain (depth = name length plus
#             isdataat:!1,relative, nocase); subdomains are not matched and there is
#             no threshold. dns_query is the legacy spelling of dns.query.
# target:src_ip marks the internal ($HOME_NET) side as the target in the alert record.
#
# NOTE(review): ERMAC (here) and Hook (further down) are reported as Android banking
# malware, so a hit is more likely to come from a phone on Wi-Fi than from a
# workstation - confirm against the ThreatFox entry when triaging.
alert tcp $HOME_NET any -> [5.199.162.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243182; rev:1;)
alert tcp $HOME_NET any -> [45.15.159.44] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243180; rev:1;)
alert tcp $HOME_NET any -> [20.0.153.70] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243181; rev:1;)
alert tcp $HOME_NET any -> [124.156.162.114] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243179; rev:1;)
alert tcp $HOME_NET any -> [185.16.39.117] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243178; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.52] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243177; rev:1;)
alert tcp $HOME_NET any -> [181.162.154.20] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243176; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.58] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243175; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.32] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cenixcrypto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243173; rev:1;)
alert tcp $HOME_NET any -> [91.142.74.218] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243172; rev:1;)
# AsyncRAT entries: each rule pins one address AND one port, so the same address on a
# different port is not covered unless it has its own entry.
alert tcp $HOME_NET any -> [23.26.201.73] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243170; rev:1;)
alert tcp $HOME_NET any -> [51.89.109.154] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243171; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.162] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243169; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.165] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243168; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.11] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243167; rev:1;)
alert tcp $HOME_NET any -> [191.88.250.63] 4208 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243166; rev:1;)
alert tcp $HOME_NET any -> [128.90.113.242] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243165; rev:1;)
alert tcp $HOME_NET any -> [85.99.80.60] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243164; rev:1;)
alert tcp $HOME_NET any -> [2.58.85.145] 6004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243163; rev:1;)
# confidence_level 90 entries. On port 443 the rule fires on the destination address
# alone, since no TLS or payload keyword is present.
alert tcp $HOME_NET any -> [195.123.217.139] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243162/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243162; rev:1;)
alert tcp $HOME_NET any -> [185.142.184.93] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243161/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243161; rev:1;)
alert tcp $HOME_NET any -> [192.210.140.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243160/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243160; rev:1;)
# --- ThreatFox-generated rules, restored to one rule per line ------------------------
# Rule shapes in this section:
#   ip:port - any TCP packet from $HOME_NET to the listed address and port (no flow or
#             payload keyword). "threshold: type limit, track by_src, seconds 60,
#             count 1" caps output at one alert per source address per 60 seconds.
#   domain  - DNS query name equal to the listed domain (depth = name length plus
#             isdataat:!1,relative, nocase); subdomains are not matched and there is
#             no threshold. Only queries that reach Suricata's DNS parser can match.
#   url     - HTTP GET from a $HOME_NET client whose http.uri begins with the listed
#             path and whose http.host equals the listed host.
# target:src_ip marks the internal ($HOME_NET) side as the target in the alert record.
#
# NOTE(review): 31337 is, as far as I know, Sliver's default multiplayer (operator)
# listener port, so these entries may stem from server fingerprinting; implant traffic
# to the same host could use another port - confirm against the ThreatFox entry.
alert tcp $HOME_NET any -> [69.46.36.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243159/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243159; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243158/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243158; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243157/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243157; rev:1;)
alert tcp $HOME_NET any -> [1.92.90.232] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243156; rev:1;)
# Cobalt Strike entries (confidence 100). Sliver above and Cobalt Strike here are also
# used in authorised testing, so check a hit against any sanctioned engagement. The
# list is per address: neighbours such as 103.142.146.5/.6/.7 and 23.94.240.215/.216
# each have their own rule, and an unlisted neighbour would not alert.
alert tcp $HOME_NET any -> [103.108.41.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243155; rev:1;)
alert tcp $HOME_NET any -> [103.142.146.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243154; rev:1;)
alert tcp $HOME_NET any -> [4.210.191.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243153; rev:1;)
alert tcp $HOME_NET any -> [8.222.150.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243152; rev:1;)
alert tcp $HOME_NET any -> [213.252.246.7] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243151; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243150; rev:1;)
alert tcp $HOME_NET any -> [23.94.240.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243149; rev:1;)
alert tcp $HOME_NET any -> [43.138.101.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243148; rev:1;)
alert tcp $HOME_NET any -> [136.144.240.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243146; rev:1;)
alert tcp $HOME_NET any -> [149.104.27.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243147; rev:1;)
alert tcp $HOME_NET any -> [23.94.240.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243145; rev:1;)
alert tcp $HOME_NET any -> [120.48.5.80] 6009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243144; rev:1;)
alert tcp $HOME_NET any -> [121.196.221.250] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243142; rev:1;)
alert tcp $HOME_NET any -> [103.142.146.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243143; rev:1;)
alert tcp $HOME_NET any -> [103.142.146.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243141; rev:1;)
# domain rules: exact query-name matches (see the shape notes at the top of this section).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bh8bwt.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"was.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243139; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.5] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243117/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243117; rev:1;)
# Matches only this exact duckdns.org host name; other names under duckdns.org, a
# dynamic-DNS zone, are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clarosecurity-com.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243118/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243118; rev:1;)
# url rule: the path match is a case-insensitive prefix (depth:13, nocase) and is not
# end-anchored, so any URI that starts with it also matches; the host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/665cf811.php"; depth:13; nocase; http.host; content:"f0924067.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243116; rev:1;)
alert tcp $HOME_NET any -> [185.244.150.230] 443 (msg:"ThreatFox Dridex botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243095; rev:1;)
# "payload delivery" domains at confidence 50: a lookup is a weak signal on its own, so
# pair a hit with proxy or endpoint evidence of an actual download.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"goalmikeas.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"wedshotrag.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27;
classtype:trojan-activity; sid:91243108; rev:1;)
# NjRAT ip:port indicators (sids 91243115, 91243114, 91243113, 91243112, 91243111).
# Each rule matches on destination address and port alone: there is no flow,
# content or app-layer keyword, so a hit means "a $HOME_NET host sent TCP traffic
# to an address ThreatFox listed", not "NjRAT protocol was observed".
# threshold: type limit, track by_src, seconds 60, count 1 caps this at one alert
# per source address per 60 seconds for each sid.
# NOTE(review): all five addresses use the same uncommon port (12780). That
# pattern looks like one endpoint published behind several addresses of a shared
# hosting or tunnelling service - confirm against the referenced ThreatFox
# entries. If the addresses are shared, they may be reassigned to unrelated
# tenants; first_seen is 2024_02_27, so corroborate a hit with host telemetry
# before declaring a compromise.
alert tcp $HOME_NET any -> [3.125.223.134] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243115; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243114; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243113; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243112; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/updates.rss"; depth:12; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"141.98.81.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243109; rev:1;) alert tcp $HOME_NET any -> [70.27.138.200] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243106; rev:1;) alert tcp $HOME_NET any -> [194.26.192.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243103; rev:1;)
# URL indicators. How the match is built in every "url" rule in this file:
#   http.uri;  content:"<path>"; depth:<len>; nocase;
#       anchors the path at the start of the URI but does not bound its end, so
#       longer URIs that begin with the same bytes (query strings, longer file
#       names) also match.
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative;
#       depth plus "no data after the match" makes this an exact host match.
# The paths here are short and generic; the host value is what makes these
# rules specific. alert http inspects HTTP the sensor can parse, so traffic
# wrapped in TLS is only covered where it is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243102; rev:1;)
# sids 91243101 and 91243100 have identical match conditions (GET, URI prefix
# /visit.js, host 20.107.244.135); only the reference and sid differ. One
# matching request therefore raises two alerts. Account for this when counting
# hits per host.
# NOTE(review): the header's "Last updated" stamp suggests the file is
# regenerated, so deduplicate downstream or suppress one sid in local policy
# rather than hand-editing the rule - confirm how the feed is deployed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1243099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.142.90.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243094; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ku.css"; depth:7; nocase; http.host; content:"185.11.61.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/layout/fd6pr1n8lq5h"; depth:24; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243091; rev:1;)
# The next two rules cover the same indicator twice: once as a URL (sid 91243089)
# and once as a DNS query (sid 91243090). The host name has the form of an AWS
# API Gateway execute-api endpoint in us-east-2.
# NOTE(review): such endpoints are normally reached over HTTPS. If that holds
# here, the alert http rule only matches where TLS is decrypted before the
# sensor, and the dns rule is the one to expect on an uninspected network.
# Neither rule inspects the TLS SNI, and DNS resolved over an encrypted resolver
# would bypass the dns rule - confirm coverage for your environment.
# The name belongs to a shared cloud service: only this exact label is the
# indicator, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1/get"; depth:7; nocase; http.host; content:"3gjanc04hk.execute-api.us-east-2.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243089; rev:1;)
# dns_query with depth:46 (the length of the name) and isdataat:!1,relative is an
# exact, case-insensitive match on the queried name; a query for any longer name
# ending in this one does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3gjanc04hk.execute-api.us-east-2.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1243088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243088; rev:1;) alert tcp $HOME_NET any -> [47.76.78.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2.57.149.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243021/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"3istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"4istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"5istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"6istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"8istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243027; rev:1;) alert tcp $HOME_NET any -> [67.203.7.148] 2909 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243030; rev:1;) alert tcp $HOME_NET any -> [34.174.78.212] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blesblochem.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243040; rev:1;) alert tcp $HOME_NET any -> [20.218.68.91] 7690 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.bin"; depth:11; nocase; http.host; content:"43.129.239.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243084; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 8004 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243079/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243079; rev:1;)
# Pikabot payload-delivery indicators on destination port 445 (sids 91243085,
# 91243086). Like the other ip:port rules they match on address and port only.
# NOTE(review): 445 is the SMB port. Where egress policy blocks outbound SMB,
# whether these rules can fire depends on the sensor sitting before or after the
# filtering point - confirm placement. A hit from inside the filter still shows
# that a host attempted the connection.
alert tcp $HOME_NET any -> [155.94.208.137] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243085; rev:1;)
alert tcp $HOME_NET any -> [85.239.33.149] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243086; rev:1;)
# In sids 91243083 and 91243082 the URI pattern is the single byte "/" at offset
# 0, so the URI adds no selectivity: the rules alert on any parsed GET whose
# Host is exactly the listed address. These http rules have no threshold
# keyword, so each matching request alerts.
# The same two addresses also appear in the Vidar ip:port rules on port 443
# (sids 91243080 and 91243081), so one host can trigger both kinds of rule.
# NOTE(review): if the traffic to these addresses is TLS on 443, the http rules
# match only where it is decrypted before inspection - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.82"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243082; rev:1;)
alert tcp $HOME_NET any -> [65.109.240.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; 
classtype:trojan-activity; sid:91243080; rev:1;) alert tcp $HOME_NET any -> [5.75.211.82] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243081; rev:1;) alert tcp $HOME_NET any -> [195.16.74.230] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hotzhuan.com.w.kunlunpi.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243076; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.hotzhuan.com.w.kunlunpi.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243075; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sfzd.tianxuesong.com.w.kunlunpi.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfzd.tianxuesong.com.w.kunlunpi.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ss.wfpay.xyz.w.kunlunpi.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ss.wfpay.xyz.w.kunlunpi.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cdnyychanlun.com.w.kunlunpi.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1243070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.cdnyychanlun.com.w.kunlunpi.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"767163cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243068; rev:1;) alert tcp $HOME_NET any -> [43.136.20.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243067; rev:1;) alert tcp $HOME_NET any -> [123.253.108.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243066; rev:1;) alert tcp $HOME_NET any -> [38.54.108.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243065; rev:1;) alert tcp $HOME_NET any -> [20.197.231.238] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243064; rev:1;) alert tcp $HOME_NET any -> [201.124.231.216] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243063; rev:1;) alert tcp $HOME_NET any -> [185.17.105.152] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243062; rev:1;) alert tcp $HOME_NET any -> [161.35.79.43] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243061; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243060; rev:1;) alert tcp $HOME_NET any -> [164.92.243.255] 42691 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243058; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243057; rev:1;) alert tcp $HOME_NET any -> [131.186.22.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243056; rev:1;) alert tcp $HOME_NET any -> [124.70.208.179] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243054; rev:1;) alert tcp $HOME_NET any -> [120.46.69.230] 65500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243053; rev:1;) alert tcp $HOME_NET any -> [107.172.5.67] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243052/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_02_27; classtype:trojan-activity; sid:91243052; rev:1;) alert tcp $HOME_NET any -> [124.223.200.131] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243051/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243051; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243050/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243050; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243049; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243048; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243047; rev:1;) alert tcp $HOME_NET any -> [187.135.142.198] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243046/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243046; rev:1;) alert tcp $HOME_NET any -> [187.135.142.198] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243045/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243045; rev:1;) alert tcp $HOME_NET any -> [66.225.254.138] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243043; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243044; rev:1;) alert tcp $HOME_NET any -> [103.108.41.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243042; rev:1;) alert tcp $HOME_NET any -> [185.133.40.68] 7108 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243041; rev:1;) alert tcp $HOME_NET 
any -> [182.18.90.146] 34444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243038; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cce379fc.php"; depth:13; nocase; http.host; content:"cs52256.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/checkin"; depth:8; nocase; http.host; content:"84.32.188.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243034/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_26; classtype:trojan-activity; sid:91243034; rev:1;)
# NOTE(review): 47.92.99.156 appears twice below - as an ip:port rule on 443 (sid 91243033) and as
# the http.host of a url rule (sid 91243032). The url rule relies on the http.method, http.uri and
# http.host buffers, which are populated only for HTTP the sensor can parse; if the traffic on 443
# is TLS and is not decrypted ahead of the sensor, only the ip:port rule can fire.
# In the url rules, http.uri "depth:N" pins the path to the start of the URI with no end anchor
# (longer URIs with the same prefix also match), while http.host adds "isdataat:!1,relative" and
# is therefore an exact match. Only the client request is inspected; nothing checks the response.
alert tcp $HOME_NET any -> [47.92.99.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243031; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 43389 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"825947295cm.whiteproducts.ru"; depth:28;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243028; rev:1;) alert tcp $HOME_NET any -> [149.102.235.115] 3000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonwindows.php"; depth:18; nocase; http.host; content:"597359lm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"185.195.24.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243018; rev:1;) alert tcp $HOME_NET any -> [191.88.249.121] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243017; rev:1;) alert tcp $HOME_NET any -> [2.88.117.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1243016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243016; rev:1;) alert tcp $HOME_NET any -> [94.49.209.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243015; rev:1;) alert tcp $HOME_NET any -> [78.166.15.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243014; rev:1;) alert tcp $HOME_NET any -> [31.117.7.53] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243013; rev:1;) alert tcp $HOME_NET any -> [154.247.5.62] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243012; rev:1;) alert tcp $HOME_NET any -> [143.110.250.237] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243011; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 3306 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243009; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243007; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91243005; rev:1;) alert tcp $HOME_NET any -> [204.44.127.146] 20188 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243006; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243003; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243004; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243002; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"gulfcoastcoffeeroasters.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242677/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"inc.sshadowso.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mail.garciaprints.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mail.inspirestudiosteam.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242681; rev:1;) 
# NOTE(review): the url rules on this line share the URI prefix "/auth/login" and differ only in
# http.host. "/auth/login" with "depth:11" and no end anchor is a path that ordinary web
# applications also serve, so the detection value rests on the exact http.host match
# ("depth:N; isdataat:!1,relative"). Hostname indicators age: compare first_seen (2024_02_26 here)
# with the feed's update time before treating a hit as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"panel.swain.ir"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"pars.northpm.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"skinsmonkey.complete.homsiknet.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"sw.sono.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"fleekbusiness.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"garciaprints.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"eloquent-germain.45-138-16-132.plesk.page"; depth:41; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"ebookza.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpcontacts.inspirestudiosteam.com"; 
depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpanel.inspirestudiosteam.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpanel.garciaprints.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"buygamingnfts.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"blazebit.bet"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242668/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_26; classtype:trojan-activity; sid:91242668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"autodiscover.inspirestudiosteam.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242667; rev:1;)
# NOTE(review): the *.sslip.io hosts below each embed a dotted IPv4 address in the name; sslip.io
# is a public wildcard-DNS service that answers such names with the embedded address. These rules
# compare the Host value as a string, so they cover the listed hostname only. When triaging a hit,
# search flow and proxy logs for the embedded address as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.177.sslip.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.150.sslip.io"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.74.228.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.42.25.sslip.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.83.sslip.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"vpnu.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"webdisk.inspirestudiosteam.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; 
depth:11; nocase; http.host; content:"webmail.inspirestudiosteam.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.ebookza.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.fleekbusiness.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.garciaprints.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.gulfcoastcoffeeroasters.com"; depth:31; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.inspirestudiosteam.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.mg.inspirestudiosteam.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.mzile.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"yes.homeshopdigital.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"yes1.homeshopdigital.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 16653 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45.138.74.228.sslip.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5.42.73.150.sslip.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.208.103.177.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242700; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.inspirestudiosteam.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242701; rev:1;)
# NOTE(review): each domain rule pairs "depth:N" (N = length of the listed name) with
# "isdataat:!1,relative", so dns_query must equal the name exactly (case-insensitively, via
# nocase); other labels under the same domain match only where the feed lists them separately.
# The header is $HOME_NET -> $EXTERNAL_NET: where clients use a resolver inside $HOME_NET, the
# query seen leaving the network comes from that resolver, and "target:src_ip" then points at the
# resolver rather than the querying host - correlate with resolver logs. Lookups made over
# encrypted DNS are generally not visible to these rules unless decrypted ahead of the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.garciaprints.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.inspirestudiosteam.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inc.sshadowso.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain
- confidence level: 100%)"; dns_query; content:"gulfcoastcoffeeroasters.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleekbusiness.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garciaprints.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eloquent-germain.45-138-16-132.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebookza.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.inspirestudiosteam.com"; 
depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.inspirestudiosteam.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.garciaprints.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blazebit.bet"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buygamingnfts.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.swain.ir"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242716/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pars.northpm.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skinsmonkey.complete.homsiknet.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpnu.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.inspirestudiosteam.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.inspirestudiosteam.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ebookza.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fleekbusiness.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.garciaprints.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gulfcoastcoffeeroasters.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.inspirestudiosteam.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mg.inspirestudiosteam.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mzile.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yes.homeshopdigital.site"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yes1.homeshopdigital.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.74.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242736; rev:1;)

# URL IOCs (including the rule that ends on the line above): GET /auth/login on literal-IP
# hosts, matched on established client-to-server HTTP flows.
#   - http.uri: content:"/auth/login" with depth:11 and no end anchor, i.e. a prefix match
#     on the request path (case-insensitive via nocase).
#   - http.host: depth equals the content length and isdataat:!1,relative follows, so the
#     Host header must be exactly the listed address.
#   - sid is "9" followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): /auth/login is a common path; only the host match makes these specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.42.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.16.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.150"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"92.246.136.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242739; rev:1;)

# NOTE(review): 104.21.x.x and 172.67.x.x look like shared CDN front-end addresses -- TODO
# confirm. If so, a client normally sends a domain name in Host rather than the literal
# IP, so the next four rules would rarely fire, and the addresses themselves are shared
# with unrelated sites (do not promote them to an IP block list without checking).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"104.21.12.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"104.21.44.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"172.67.152.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"172.67.192.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"175.110.115.65"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"198.44.171.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242745; rev:1;)

# ip:port IOCs attributed to Serpent Stealer in msg.
# These tcp rules carry no payload or flow keyword: they match on the addresses and the
# destination port alone. threshold (type limit, track by_src, seconds 60, count 1) caps
# output at one alert per source address per minute. A hit therefore shows that a host
# sent traffic towards the address, not that a C2 session was established.
# NOTE(review): these are port 80 on what look like public-cloud addresses -- presumably
# reassignable; correlate with host telemetry before acting on an old entry.
alert tcp $HOME_NET any -> [54.234.189.192] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242981; rev:1;)
alert tcp $HOME_NET any -> [54.237.138.159] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242971; rev:1;)
alert tcp $HOME_NET any -> [52.23.117.205] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242969; rev:1;)
alert tcp $HOME_NET any -> [52.22.239.204] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242968; rev:1;)
alert tcp $HOME_NET any -> [44.196.101.127] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1242966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242966; rev:1;)

# ip:port IOCs (Serpent Stealer, then one AsyncRAT entry at confidence 80).
# ip:port rules have no payload or flow keyword: they match on the addresses and the
# destination port alone, and threshold (type limit, track by_src, seconds 60, count 1)
# limits them to one alert per source per minute. The confidence value appears both in
# msg and in metadata (confidence_level), so it can drive filtering or alert priority.
alert tcp $HOME_NET any -> [52.205.60.154] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242964; rev:1;)
alert tcp $HOME_NET any -> [34.197.122.235] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242965; rev:1;)
alert tcp $HOME_NET any -> [5.161.113.150] 25658 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242963; rev:1;)

# Payload-delivery URL IOCs. The same three PHP paths (/data.php, /cdn-vs/cache.php,
# /help/zewmrgqnw.php) are listed for bbsupplyandsalon.com here and for bigcuda.com
# further down. http.uri is a prefix match (depth equals the path length, no end anchor);
# http.host must equal the listed name exactly (depth equals length, isdataat:!1,relative).
# msg labels these "payload delivery" rather than C2: a hit means the client requested
# the listed URL, so follow up on what was downloaded. classtype is still trojan-activity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242792; rev:1;)

# MooBot ip:port IOCs (address and port only, rate-limited per source as above).
alert tcp $HOME_NET any -> [192.151.243.135] 55650 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242650; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.216] 5555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242651; rev:1;)

# Payload-delivery URL IOCs for bigcuda.com: the same three paths as the
# bbsupplyandsalon.com rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242619; rev:1;)

# Domain IOCs at confidence 100. Each rule matches the DNS query name exactly: depth
# equals the content length and isdataat:!1,relative forbids trailing bytes, so
# subdomains of these names are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4stvghabsy3dg893uhszgtyerecs44axutq5unuvsa7u8833eb.nl"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refinedruffles.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q65fpfr2wpjugu7y3ldvjjdgz8uzqak2.nl"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pve.pezow.ovh"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242601; rev:1;)

# Confidence-75 entries: one Mirai ip:port IOC and four exact-match domain IOCs.
# NOTE(review): multi-bidding.gl.at.ply.gg looks like a hostname under a shared
# tunnelling-service domain -- TODO confirm; the rule matches only this exact name.
alert tcp $HOME_NET any -> [185.196.9.97] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242603/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnmn.espontaneo.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242604/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"route.qyhgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242605/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"multi-bidding.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wwv.bmjz.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242618; rev:1;)

# URL IOCs on a shared platform (t.me) and on bare IP hosts.
#   - t.me rules: the host is a legitimate shared service, so the path (/voolkisms,
#     /neoschats) is the actual indicator; the path is a prefix match.
#   - http.uri content:"/" with depth:1 is satisfied by any path that starts with "/",
#     so sid:91242999 and sid:91242998 are effectively host-only matches on the literal IP.
# NOTE(review): the same two addresses appear in the Vidar ip:port rules
# (sid:91242995 and sid:91242994).
# NOTE(review): t.me is normally reached over HTTPS; an `alert http` rule sees it only
# where traffic is cleartext or is decrypted ahead of the sensor -- TODO confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voolkisms"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.112.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neoschats"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199644883218"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242996; rev:1;) alert tcp $HOME_NET any -> [88.198.112.251] 10050 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242994; rev:1;) alert tcp $HOME_NET any -> [95.217.240.158] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nxsisgod.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242993; rev:1;) alert tcp $HOME_NET any -> [104.129.20.167] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242989; rev:1;) alert tcp $HOME_NET any -> [103.124.104.22] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242990; rev:1;) alert tcp $HOME_NET any -> [204.44.125.68] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242991; rev:1;) alert tcp $HOME_NET any -> [66.63.188.19] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242992; rev:1;) alert tcp $HOME_NET any -> [146.19.213.36] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242982; rev:1;) alert tcp $HOME_NET any -> [89.117.2.33] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242983; rev:1;) alert tcp $HOME_NET any -> [176.123.2.146] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242984; rev:1;) alert tcp $HOME_NET any -> [89.117.1.161] 445 
(msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242985; rev:1;) alert tcp $HOME_NET any -> [89.117.2.34] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242986; rev:1;) alert tcp $HOME_NET any -> [89.117.1.160] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242987; rev:1;) alert tcp $HOME_NET any -> [103.124.104.76] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242988; rev:1;) alert tcp $HOME_NET any -> [128.199.23.68] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242962; rev:1;) alert tcp $HOME_NET any -> [20.161.150.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242961/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_26; classtype:trojan-activity; sid:91242961; rev:1;)
# ip:port IOCs labelled "Unknown malware". The threshold (type limit, track
# by_src, seconds 60, count 1) caps output at one alert per source host per 60
# seconds per rule, so alert counts do not reflect connection counts; use flow
# records to size the activity of a host that triggers one of these.
alert tcp $HOME_NET any -> [3.28.252.232] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242960; rev:1;)
alert tcp $HOME_NET any -> [167.71.231.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242958; rev:1;)
alert tcp $HOME_NET any -> [139.196.100.176] 60080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242959; rev:1;)
alert tcp $HOME_NET any -> [128.199.141.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242957; rev:1;)
alert tcp $HOME_NET any -> [165.22.73.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242955; rev:1;)
alert tcp $HOME_NET any -> [80.249.164.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242956; rev:1;)
# Several destinations here are on 443/tcp. The rules carry no TLS or payload
# keyword, so any connection from $HOME_NET to the address on that port
# matches; corroborate a hit with TLS logs (SNI, certificate) before treating
# it as confirmed C2.
alert tcp $HOME_NET any -> [34.125.92.141] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242954; rev:1;)
alert tcp $HOME_NET any -> [43.136.182.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242953; rev:1;)
alert tcp $HOME_NET any -> [157.230.24.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242952; rev:1;)
alert tcp $HOME_NET any -> [20.88.9.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242951; rev:1;)
alert tcp $HOME_NET any -> [54.194.190.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26;
classtype:trojan-activity; sid:91242950; rev:1;)
# target:src_ip marks the $HOME_NET sender as the target in the alert record,
# i.e. the internal host is the one to investigate. The metadata keys
# confidence_level and first_seen are available for filtering and for ageing
# out old entries downstream.
alert tcp $HOME_NET any -> [18.156.23.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242949; rev:1;)
alert tcp $HOME_NET any -> [3.231.20.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242948; rev:1;)
alert tcp $HOME_NET any -> [89.26.253.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242947; rev:1;)
alert tcp $HOME_NET any -> [206.221.176.188] 10718 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242946; rev:1;)
alert tcp $HOME_NET any -> [196.50.10.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242945; rev:1;)
alert tcp $HOME_NET any -> [107.174.250.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242944; rev:1;)
# The entries on these lines carry first_seen 2024_02_26, five months before
# the file's "Last updated" stamp of 2024-07-26. An address-only IOC keeps
# matching after the host changes hands, so weigh a hit against the age of the
# entry. NOTE(review): no expiry field is visible here; confirm how the feed
# retires IOCs.
alert tcp $HOME_NET any -> [34.250.158.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242942; rev:1;)
alert tcp $HOME_NET any -> [185.43.222.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242943; rev:1;)
alert tcp $HOME_NET any -> [178.154.201.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242941; rev:1;)
alert tcp $HOME_NET any -> [64.227.66.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242940; rev:1;)
alert tcp $HOME_NET any -> [178.128.212.97] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity;
sid:91242939; rev:1;)
# DNS IOCs: four names under deenpel.com. dns_query with depth:<name length>
# and isdataat:!1,relative pins the content to the whole query name (nocase),
# so each rule matches only the exact name listed; other labels under the same
# domain are not covered. dns_query is the legacy spelling of the dns.query
# sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accounts.deenpel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"port.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogs.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www3.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242935; rev:1;)
# ip:port IOCs on 60000/tcp; address and port are the only match criteria.
alert tcp $HOME_NET any -> [103.118.41.143] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242934; rev:1;)
alert tcp $HOME_NET any -> [47.109.142.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242933; rev:1;)
# Cluster of "Unknown malware" ip:port IOCs on 60000/tcp. Each bracketed
# destination is a single host address (no prefix length is given), including
# [152.42.162.0], which is therefore one host and not a network range.
alert tcp $HOME_NET any -> [118.89.91.229] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242932; rev:1;)
alert tcp $HOME_NET any -> [123.60.16.239] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242931; rev:1;)
alert tcp $HOME_NET any -> [103.118.41.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242930; rev:1;)
alert tcp $HOME_NET any -> [152.42.162.0] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242928; rev:1;)
alert tcp $HOME_NET any -> [117.84.36.29] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242929/; target:src_ip; metadata: confidence_level 100, first_seen
2024_02_26; classtype:trojan-activity; sid:91242929; rev:1;)
# Mixed ip:port and DNS IOCs. The first DNS name below is a provider-assigned
# EC2 public hostname (it embeds the address as 16-62-149-189). Such a name
# follows the instance's address rather than an operator-chosen domain, so it
# can go stale once the address is released; check first_seen before acting
# on a hit.
alert tcp $HOME_NET any -> [18.183.219.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-16-62-149-189.eu-central-2.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nic-ns3-153548.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242925; rev:1;)
alert tcp $HOME_NET any -> [91.208.92.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telligenc.rest"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242924; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.142] 80
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242922; rev:1;)
# 51.195.83.140 is listed on three ports (443, 8888, 80) under separate SIDs.
# Group alerts by destination address during triage so one remote host is not
# counted as three findings.
alert tcp $HOME_NET any -> [51.195.83.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242920; rev:1;)
alert tcp $HOME_NET any -> [51.195.83.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242921; rev:1;)
alert tcp $HOME_NET any -> [51.195.83.140] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242919; rev:1;)
# DNS IOCs: exact-name, case-insensitive match on the query name. They alert on
# the lookup itself, whether or not a connection to the resolved address follows.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhjkfgdfkhjghdfjkgjdfoigjpi.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilonyouknow.party"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1242918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242918; rev:1;)
# EC2 public hostnames embed an IP address. Two of the addresses named here,
# 34.197.122.235 and 52.22.239.204, also have ip:port rules in this file
# (sid 91242911 and 91242909, Serpent Stealer, 443/tcp), so one infected host
# can raise both a DNS alert and a TCP alert for the same endpoint. Cloud
# addresses are reassigned over time; weigh hits against first_seen.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.attuneiot.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-23-117-205.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-197-122-235.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-22-239-204.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maps.attuneiot.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242913/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242913; rev:1;)
# Serpent Stealer ip:port IOCs on 443/tcp. 34.197.122.235 and 52.22.239.204
# also appear in this file as EC2 hostnames in dns rules (sid 91242914 and
# 91242912). The rules carry no TLS keyword, so they match any connection to
# the address on 443, not a specific service on it.
alert tcp $HOME_NET any -> [52.205.60.154] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242910; rev:1;)
alert tcp $HOME_NET any -> [34.197.122.235] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242911; rev:1;)
alert tcp $HOME_NET any -> [52.22.239.204] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242909; rev:1;)
# ERMAC ip:port IOCs on 80/tcp.
alert tcp $HOME_NET any -> [110.173.54.196] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242907; rev:1;)
alert tcp $HOME_NET any -> [20.166.248.109] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242908; rev:1;)
alert tcp $HOME_NET any -> [110.173.54.197] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port -
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242906; rev:1;)
# ERMAC ip:port IOCs, all on 80/tcp. No http.* keyword is present, so the
# rules cannot tell C2 requests from any other HTTP traffic to the same
# address; pair a hit with HTTP logs (Host header, URI) for confirmation.
alert tcp $HOME_NET any -> [104.43.89.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242904; rev:1;)
alert tcp $HOME_NET any -> [5.199.169.206] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242905; rev:1;)
alert tcp $HOME_NET any -> [110.173.54.198] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242903; rev:1;)
alert tcp $HOME_NET any -> [213.166.68.24] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242901; rev:1;)
alert tcp $HOME_NET any -> [40.119.24.133] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242902; rev:1;)
alert
tcp $HOME_NET any -> [20.121.42.245] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242900; rev:1;)
# 110.173.54.194 joins three other ERMAC entries in this file that share the
# 110.173.54. prefix (.196, .197, .198). Each is a separate single-host rule;
# neighbouring addresses are not covered, so flow logs for the rest of that
# range are worth a look when one of these fires.
alert tcp $HOME_NET any -> [110.173.54.194] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242899; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.119] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242898; rev:1;)
alert tcp $HOME_NET any -> [43.204.230.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242896; rev:1;)
alert tcp $HOME_NET any -> [78.141.216.219] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.3-84-126-255.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1242895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242895; rev:1;)
# gbdvs.shop is listed three times (apex, www., accept.) because each rule is
# an exact-name match: depth equals the name length, which anchors the content
# at the start of the query, and isdataat:!1,relative rejects anything longer.
# A query for any other label under the domain raises no alert; suffix
# coverage would need a separate local rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev2.stocktok.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gbdvs.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accept.gbdvs.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gbdvs.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"time.vmupdate.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity;
sid:91242890; rev:1;)
# One DNS IOC followed by Quasar RAT ip:port IOCs. Every rule shown here uses
# classtype:trojan-activity, so the classification alone does not rank them;
# use the family name in msg or metadata confidence_level to prioritise alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtracking.web_hassinezarrat.swp23.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242889; rev:1;)
alert tcp $HOME_NET any -> [191.82.221.165] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242887; rev:1;)
alert tcp $HOME_NET any -> [35.137.73.119] 22222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242888; rev:1;)
alert tcp $HOME_NET any -> [181.161.4.80] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242886; rev:1;)
alert tcp $HOME_NET any -> [91.134.187.25] 3336 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242885; rev:1;)
alert tcp $HOME_NET any -> [191.82.215.55] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242884; rev:1;)
# RisePro, Hook and "Unknown malware" ip:port IOCs. In the rules shown, the sid
# is the digit 9 followed by the IOC id from the reference URL (sid:91242883
# pairs with ioc/1242883), which gives a direct lookup from an alert to the
# ThreatFox IOC page.
alert tcp $HOME_NET any -> [103.253.17.111] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242883; rev:1;)
alert tcp $HOME_NET any -> [94.250.252.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242882; rev:1;)
alert tcp $HOME_NET any -> [20.199.42.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242881; rev:1;)
alert tcp $HOME_NET any -> [86.110.194.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242880; rev:1;)
alert tcp $HOME_NET any -> [209.38.188.72] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242879; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21] 63
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242878; rev:1;)
# AsyncRAT ip:port IOCs. Each rule is bound to the one listed port, so the same
# address on any other port raises no alert; 154.16.67.94 is listed twice
# (4444 and 4242) for that reason. When one of these fires, check flow logs
# for other ports on the same destination.
alert tcp $HOME_NET any -> [154.16.67.94] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242877; rev:1;)
alert tcp $HOME_NET any -> [213.195.119.244] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242875; rev:1;)
alert tcp $HOME_NET any -> [154.16.67.94] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242876; rev:1;)
alert tcp $HOME_NET any -> [51.77.68.50] 1231 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242874; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.162] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242873/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_02_26; classtype:trojan-activity; sid:91242873; rev:1;)
# AsyncRAT ip:port IOCs. Only traffic sourced from $HOME_NET is inspected by
# these rules, so HOME_NET in the sensor configuration has to cover every
# internal range (VPN and guest networks included); hosts outside it stay
# invisible to this ruleset.
alert tcp $HOME_NET any -> [51.161.107.68] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242872; rev:1;)
alert tcp $HOME_NET any -> [193.32.162.198] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242870; rev:1;)
alert tcp $HOME_NET any -> [23.26.201.73] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242871; rev:1;)
alert tcp $HOME_NET any -> [66.94.120.244] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242869; rev:1;)
alert tcp $HOME_NET any -> [45.240.136.144] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242868; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.228] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242866; rev:1;) alert tcp $HOME_NET any -> [142.113.120.107] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242867; rev:1;) alert tcp $HOME_NET any -> [185.117.250.169] 3393 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242865; rev:1;) alert tcp $HOME_NET any -> [203.30.9.90] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242863; rev:1;) alert tcp $HOME_NET any -> [184.147.209.221] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242864; rev:1;) alert tcp $HOME_NET any -> [187.24.4.94] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242862; rev:1;) alert tcp $HOME_NET any -> 
[23.251.37.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242861; rev:1;)
# ThreatFox ip:port indicators: "Unknown malware" (confidence_level 100), Sliver (90),
# Ghost RAT (75) and Cobalt Strike (100). One rule per line; the line above is the tail of a
# rule that starts on the previous line.
#
# The confidence level appears both in msg and in metadata, so alerts can be triaged on it.
# The rules match destination address and port only (no flow: or content keyword) and are
# rate-limited to one alert per source per 60 seconds by the threshold option.
#
# Sliver: eight of the addresses fall in 69.46.36.208-220, most of them on port 31337.
# NOTE(review): 31337 is, to my knowledge, Sliver's default operator (multiplayer) port rather
# than an implant callback port - confirm against the ThreatFox entries. If so, a compromised
# host is more likely to appear on the 443/8443/53 entries than on the 31337 ones.
#
# The two port-53 rules are "alert tcp": only TCP/53 towards 69.46.36.211 and 69.46.36.220 is
# covered. UDP DNS to those addresses does not match these rules.
alert tcp $HOME_NET any -> [137.220.197.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242860; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242859/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242859; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242857/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242857; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.211] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242858/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242858; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.220] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242856/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242856; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.215] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242854/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242854; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242855/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242855; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242853/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242853; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242852/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242852; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242850/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242850; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242851/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242851; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242849/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242849; rev:1;)
alert tcp $HOME_NET any -> [199.248.230.106] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242847/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242847; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242848/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242848; rev:1;)
alert tcp $HOME_NET any -> [151.106.125.157] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242846/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242846; rev:1;)
alert tcp $HOME_NET any -> [130.193.34.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242845/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242845; rev:1;)
alert tcp $HOME_NET any -> [44.221.44.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242844/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242844; rev:1;)
alert tcp $HOME_NET any -> [198.13.57.34] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242843/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242843; rev:1;)
alert tcp $HOME_NET any -> [109.107.161.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242842/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242842; rev:1;)
alert tcp $HOME_NET any -> [8.130.11.62] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242841; rev:1;)
alert tcp $HOME_NET any -> [154.211.15.205] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242840; rev:1;)
alert tcp $HOME_NET any -> [209.141.46.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26;
classtype:trojan-activity; sid:91242838; rev:1;)
# ThreatFox Cobalt Strike ip:port indicators (confidence_level 100) plus one domain indicator.
# One rule per line; the line above is the tail of a rule that starts on the previous line.
#
# ip:port rules: the match is on destination address and port alone. For the entries on
# 80 and 443 this means any TCP traffic to that address alerts, whatever the HTTP Host header
# or TLS server name is, so a hit on an address that also serves other sites needs the
# hostname from HTTP/TLS logs before it is treated as confirmed C2.
# threshold: type limit ... count 1 emits at most one alert per source address per 60 seconds.
#
# Domain rule (alert dns): depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so the queried name must equal
# www.kind-villani.104-168-102-175.plesk.page exactly (case-insensitive through nocase).
# Other names under plesk.page are not indicators and do not match.
alert tcp $HOME_NET any -> [185.196.10.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242839; rev:1;)
alert tcp $HOME_NET any -> [38.55.197.151] 2077 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242836; rev:1;)
alert tcp $HOME_NET any -> [47.236.86.239] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242837; rev:1;)
alert tcp $HOME_NET any -> [120.24.38.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242835; rev:1;)
alert tcp $HOME_NET any -> [8.130.79.120] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242834; rev:1;)
alert tcp $HOME_NET any -> [121.41.75.23] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242833; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.199] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242831; rev:1;)
alert tcp $HOME_NET any -> [116.62.130.96] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242832; rev:1;)
alert tcp $HOME_NET any -> [58.87.94.238] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242830; rev:1;)
alert tcp $HOME_NET any -> [101.133.164.210] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242829; rev:1;)
alert tcp $HOME_NET any -> [8.217.132.202] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242827; rev:1;)
alert tcp $HOME_NET any -> [124.70.180.22] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242828; rev:1;)
alert tcp $HOME_NET any -> [47.108.153.69] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242826; rev:1;)
alert tcp $HOME_NET any -> [111.231.74.147] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kind-villani.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242824; rev:1;)
alert tcp $HOME_NET any -> [165.227.172.31] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242823; rev:1;)
alert tcp $HOME_NET any -> [182.149.199.245] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242822; rev:1;)
alert tcp $HOME_NET any -> [20.106.175.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242820; rev:1;)
alert tcp $HOME_NET any -> [20.106.175.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242821; rev:1;)
alert tcp $HOME_NET any -> [8.219.189.106] 5060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242819; rev:1;)
alert tcp $HOME_NET any -> [103.191.15.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242818; rev:1;)
alert tcp $HOME_NET any -> [38.6.177.108] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242816; rev:1;)
alert tcp $HOME_NET any
-> [47.120.1.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242817; rev:1;)
# ThreatFox indicators: Cobalt Strike ip:port (confidence_level 100), four domain rules
# (100), Meterpreter and Havoc ip:port (80). One rule per line; the line above is the tail of
# a rule that starts on the previous line.
#
# ip:port rules match destination address and port only and are limited to one alert per
# source address per 60 seconds. Several addresses are listed once per port (175.178.124.71
# on 2087/8000/2083, 82.157.177.73 on 8081/2086/2095); each port has its own sid, so one
# host talking to several ports of the same server raises several distinct alerts.
#
# Domain rules (alert dns): depth equals the content length and isdataat:!1,relative forbids
# trailing data, so only the exact query name matches, case-insensitively. Three names under
# hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz are listed separately; the bare zone and any other label
# under it are not covered by these rules.
# NOTE(review): the label 104-168-102-175 in the plesk.page name presumably encodes the
# hosting address - verify before pivoting on it.
# NOTE(review): 3790 is commonly the Metasploit Pro web interface port - confirm what the
# Meterpreter entry actually fingerprints.
alert tcp $HOME_NET any -> [175.178.124.71] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242815; rev:1;)
alert tcp $HOME_NET any -> [175.178.124.71] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242813; rev:1;)
alert tcp $HOME_NET any -> [175.178.124.71] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242814; rev:1;)
alert tcp $HOME_NET any -> [118.25.173.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"104-168-102-175.plesk.page"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242811; rev:1;)
alert tcp $HOME_NET any -> [1.12.231.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242810; rev:1;)
alert tcp $HOME_NET any -> [206.237.21.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242809; rev:1;)
alert tcp $HOME_NET any -> [193.112.79.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242808; rev:1;)
alert tcp $HOME_NET any -> [82.157.177.73] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242806; rev:1;)
alert tcp $HOME_NET any -> [82.157.177.73] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242807; rev:1;)
alert tcp $HOME_NET any -> [82.157.177.73] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242805; rev:1;)
alert tcp $HOME_NET any -> [101.42.35.218] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242804; rev:1;)
alert tcp $HOME_NET any -> [134.122.20.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242803; rev:1;)
alert tcp $HOME_NET any -> [118.194.233.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242802; rev:1;)
alert tcp $HOME_NET any -> [43.142.90.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visitor-service-eu-central-1.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242801; rev:1;)
alert tcp $HOME_NET any -> [120.48.5.80] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"region1.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242797; rev:1;)
alert tcp $HOME_NET any -> [185.44.71.197] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242796/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242796; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242795/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242795;
rev:1;)
# ThreatFox ip:port indicators at confidence_level 80: Havoc, QakBot, Cobalt Strike, Sliver
# and DarkComet. One rule per line; the line above is the tail of a rule that starts on the
# previous line.
#
# All of these match destination address and port only (no flow: or content keyword) and are
# limited to one alert per source address per 60 seconds. At confidence 80, and with
# first_seen 2024_02_26 against a feed header dated 2024-07-26, treat a hit as a lead to
# verify (flow records, TLS/HTTP metadata, the referenced ThreatFox entry), not as proof.
#
# NOTE(review): five of the Cobalt Strike entries are on port 50050, which is the default
# team server (operator-facing) port; presumably they come from fingerprinting team servers -
# confirm. Beacon traffic from an infected host would normally go to a listener port on the
# same address, so silence from these rules does not clear a host.
#
# 187.135.84.81 appears once per port for DarkComet; each port carries its own sid.
alert tcp $HOME_NET any -> [91.92.253.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242794; rev:1;)
alert tcp $HOME_NET any -> [95.116.67.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242790/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242790; rev:1;)
alert tcp $HOME_NET any -> [168.149.16.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242789/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242789; rev:1;)
alert tcp $HOME_NET any -> [39.40.183.67] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242788/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242788; rev:1;)
alert tcp $HOME_NET any -> [213.252.246.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242787/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242787; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.183] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242786/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242786; rev:1;)
alert tcp $HOME_NET any -> [27.102.66.59] 35201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242785/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242785; rev:1;)
alert tcp $HOME_NET any -> [192.144.219.118] 44343 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242784/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242784; rev:1;)
alert tcp $HOME_NET any -> [47.100.101.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242783/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242783; rev:1;)
alert tcp $HOME_NET any -> [45.9.188.11] 47134 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242782/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242782; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242781; rev:1;)
alert tcp $HOME_NET any -> [111.231.146.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242780; rev:1;)
alert tcp $HOME_NET any -> [43.156.27.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242779/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242779; rev:1;)
alert tcp $HOME_NET any -> [207.174.3.213] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242778; rev:1;)
alert tcp $HOME_NET any -> [87.98.233.247] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242777; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242776; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity;
sid:91242775; rev:1;)
# ThreatFox ip:port indicators at confidence_level 80: DarkComet, Hook, Cobalt Strike,
# RisePro and Orcus RAT. One rule per line; the line above is the tail of a rule that starts
# on the previous line.
#
# The match is on destination address and port only, limited to one alert per source address
# per 60 seconds. Nothing in the rules requires an established session, so a connection
# attempt alone may alert; confirm with flow records before escalating.
#
# 187.135.84.81 is listed once per port for DarkComet; each port has its own sid, so a host
# trying several of them raises several distinct alerts.
# NOTE(review): 3.127.138.57 and 18.156.13.209 (both port 15443) appear to sit in
# public-cloud address space - confirm ownership. Such endpoints are shared and reassigned,
# so expect false positives this long after first_seen and avoid blocking on them blindly.
#
# The port-80 entries (Hook, Cobalt Strike, Orcus RAT) alert on any TCP/80 traffic to the
# address regardless of the HTTP Host header; pair a hit with HTTP logs to see what was
# actually requested.
alert tcp $HOME_NET any -> [187.135.84.81] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242774; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242773; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242772; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242771; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242770; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242769; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242768; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242767; rev:1;)
alert tcp $HOME_NET any -> [89.23.98.34] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242766; rev:1;)
alert tcp $HOME_NET any -> [159.100.14.197] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242765; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242764; rev:1;)
alert tcp $HOME_NET any -> [39.108.229.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242763; rev:1;)
alert tcp $HOME_NET any -> [114.132.41.186] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242762; rev:1;)
alert tcp $HOME_NET any -> [193.181.23.156] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242761; rev:1;)
alert tcp $HOME_NET any -> [197.119.73.234] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242760/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242760; rev:1;)
alert tcp $HOME_NET any -> [154.245.141.251] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242759; rev:1;)
alert tcp $HOME_NET any -> [42.117.36.184] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242758/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity;
sid:91242758; rev:1;)
# ThreatFox indicators with first_seen 2024_02_26, one rule per line: ip:port, url and domain.
#
# ip:port rules (`alert tcp $HOME_NET any -> [IP] PORT`) have no flow or content keyword, so
# any TCP packet from $HOME_NET to that address and port triggers them; the threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per source host
# per 60 seconds for each sid. They show contact with an endpoint, not a family's protocol.
alert tcp $HOME_NET any -> [195.2.81.45] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242757; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.97] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242756; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.44] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242755; rev:1;)
alert tcp $HOME_NET any -> [65.109.172.49] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242754/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242754; rev:1;)
alert tcp $HOME_NET any -> [37.27.36.6] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242753/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242753; rev:1;)
alert tcp $HOME_NET any -> [83.242.63.186] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242752/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242752; rev:1;)
alert tcp $HOME_NET any -> [136.0.3.250] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242751; rev:1;)
alert tcp $HOME_NET any -> [104.209.128.50] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242750; rev:1;)
# url rules (`alert http`): `http.uri; content:"<path>"; depth:N` anchors the path at the
# start of the URI but does not bound its end, so a longer URI that begins with the same
# bytes also matches; the `nocase` that follows applies to that path. The http.host buffer
# must equal the content exactly (`depth` equals the content length and
# `isdataat:!1,relative` requires that nothing follows). These rules have no threshold, so
# each matching request alerts. The msg names no family; look it up via the reference URL.
# They inspect parsed HTTP requests, so a TLS-wrapped session cannot match unless it is
# decrypted before the sensor.
#
# 49.234.185.12 has both a url rule (sid 91242660) and an ip:port rule on 80 (sid 91242661);
# one plain-HTTP request to it can raise both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242660; rev:1;)
alert tcp $HOME_NET any -> [49.234.185.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242659; rev:1;)
# Short paths such as /cm, /ptj and /fwlink are prefix matches (see above): the host match
# is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.133.164.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242657; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.110] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242652; rev:1;)
# domain rules (`alert dns`): `dns_query; content:"<name>"; depth:N; isdataat:!1,relative;
# nocase` is an exact, case-insensitive match on the query name, so subdomains of the name
# do not match. The alert is raised on the lookup itself. o.cirt.pro is covered by both a
# url rule (sid 91242648) and a domain rule (sid 91242649).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"o.cirt.pro"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.cirt.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242649; rev:1;)
# 154.90.62.138: the ip:port rule is on 443 while the url rule needs a parsed HTTP request;
# if the traffic on 443 is TLS, only the ip:port rule can fire.
alert tcp $HOME_NET any -> [154.90.62.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/study/constants/7rmolfy0b"; depth:26; nocase; http.host; content:"154.90.62.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242646; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242645; rev:1;)
# firmwarefusion.com is covered by a url rule (sid 91242643) and by the domain rule that
# starts on the last line below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/244e7da752dca7a602d55ea79cb79681.html"; depth:38; nocase; http.host; content:"firmwarefusion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firmwarefusion.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242644; rev:1;)
# ThreatFox indicators, one rule per line; first_seen is 2024_02_26 down to sid 91242629 and
# 2024_02_25 after it. The run mixes confidence_level 100 and confidence_level 50 entries:
# the value is in both the msg text and the metadata keyword, so it can drive alert
# filtering or severity downstream.
#
# ip:port rules (`alert tcp $HOME_NET any -> [IP] PORT`) have no flow or content keyword, so
# any TCP packet from $HOME_NET to that address and port triggers them; the threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per source host
# per 60 seconds for each sid. They show contact with an endpoint, not a family's protocol.
alert tcp $HOME_NET any -> [185.117.250.169] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242642; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.219] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242641; rev:1;)
# url rule: the "/ca" path is a three-byte prefix match (depth:3 anchors the start of the
# URI only), so any GET to this host whose path begins with /ca matches; the exact http.host
# match is what keeps the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242640; rev:1;)
# confidence_level 50 entries start here. They use the same destination-only match as the
# rules above, so treat their alerts as leads to corroborate rather than confirmed C2.
alert tcp $HOME_NET any -> [198.44.171.3] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242639; rev:1;)
# Three "Unknown malware" entries on port 8888: the msg carries no family name, so the
# reference URL is the only context for what was observed at these addresses.
alert tcp $HOME_NET any -> [137.220.197.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242638; rev:1;)
alert tcp $HOME_NET any -> [45.152.65.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242637; rev:1;)
alert tcp $HOME_NET any -> [149.104.27.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242636; rev:1;)
# QakBot entries on 2222, 443 and 993. The rules on 443 and 993 inspect no payload, so any
# session to those addresses on those ports alerts.
alert tcp $HOME_NET any -> [69.159.0.252] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242635; rev:1;)
alert tcp $HOME_NET any -> [41.230.86.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242634; rev:1;)
alert tcp $HOME_NET any -> [154.247.237.145] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242633; rev:1;)
alert tcp $HOME_NET any -> [82.67.60.21] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242632; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.244] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242631; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.214] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242630; rev:1;)
# url rules for two hosts under xsph.ru. The http.host match is exact (depth equals the
# content length, isdataat:!1,relative forbids trailing bytes), so other names under
# xsph.ru are not covered. These rules have no threshold: each matching request alerts.
# NOTE(review): the a09xxxxx labels look like hosting-account names - confirm before
# widening any block to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8a45dff2.php"; depth:13; nocase; http.host; content:"a0914958.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923400.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242628; rev:1;)
alert tcp $HOME_NET any -> [159.223.220.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242627; rev:1;)
# ThreatFox indicators with first_seen 2024_02_25, one rule per line: ip:port and url.
#
# ip:port rules (`alert tcp $HOME_NET any -> [IP] PORT`) have no flow or content keyword, so
# any TCP packet from $HOME_NET to that address and port triggers them; the threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per source host
# per 60 seconds for each sid. url rules (`alert http`) anchor the path at the start of the
# URI only (`depth` with no end bound), match http.host exactly, carry no threshold, and
# need a parsed cleartext HTTP request.
#
# 88.214.25.235 has an ip:port rule on 80 (sid 91242625) and a url rule (sid 91242624); one
# plain-HTTP request to it can raise both.
alert tcp $HOME_NET any -> [88.214.25.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpipetosecureasynctrackuploads.php"; depth:42; nocase; http.host; content:"80.85.246.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242626; rev:1;)
# The same path, /enable/v9/wdoblgwr0s, is listed for three hosts: 88.214.25.235,
# igo0gle.com and microsoftsyst3m.com. Both domain names are misspellings of well-known
# brand names. No `alert dns` rule for either domain appears in this run, so a lookup
# alone does not alert here; only a cleartext HTTP request does.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"88.214.25.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242622; rev:1;)
# confidence_level 50 entries: same destination-only match, so treat their alerts as leads
# to corroborate with host or flow data rather than as confirmed C2.
alert tcp $HOME_NET any -> [79.137.202.68] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242616; rev:1;)
alert tcp $HOME_NET any -> [41.96.125.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242615; rev:1;)
alert tcp $HOME_NET any -> [105.108.32.227] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242614; rev:1;)
alert tcp $HOME_NET any -> [79.107.151.150] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242613; rev:1;)
alert tcp $HOME_NET any -> [154.247.237.145] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242612; rev:1;)
alert tcp $HOME_NET any -> [2.91.177.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242611; rev:1;)
# Outbound TCP/445 from $HOME_NET to an external address.
# NOTE(review): if this rule fires, also check whether egress filtering for 445 is in place;
# the rule only reports the connection attempt.
alert tcp $HOME_NET any -> [20.80.88.247] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242610; rev:1;)
alert tcp $HOME_NET any -> [136.0.3.71] 5671 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242609; rev:1;)
alert tcp $HOME_NET any -> [47.98.126.140] 10000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242608; rev:1;)
alert tcp $HOME_NET any -> [185.250.151.246] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242607; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 55430 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.43.58.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242602; rev:1;)
alert tcp $HOME_NET any -> [87.88.94.223] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242600; rev:1;)
# url rules whose path is just "/" with depth:1: the one-byte prefix matches any URI that
# begins with "/", so these behave as host-only rules - every GET to the listed host
# alerts, once per request because there is no threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.172.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.224.223"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242596; rev:1;)
# ThreatFox indicators with first_seen 2024_02_25 and confidence_level 100, one rule per
# line: url, ip:port and domain.
#
# url rules (`alert http`) anchor the path at the start of the URI only (`depth` with no end
# bound), match http.host exactly (`depth` equals the content length, `isdataat:!1,relative`
# forbids trailing bytes), carry no threshold, and need a parsed cleartext HTTP request.
# ip:port rules (`alert tcp $HOME_NET any -> [IP] PORT`) have no flow or content keyword, so
# any TCP packet to that address and port triggers them, capped by the threshold at one
# alert per source host per 60 seconds for each sid. domain rules (`alert dns`) are an
# exact, case-insensitive match on the query name; subdomains of the name do not match.
#
# Path "/" with depth:1 matches any URI beginning with "/", so this is effectively a
# host-only rule for 5.75.215.159; the same address also has an ip:port rule on 9001.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242597; rev:1;)
alert tcp $HOME_NET any -> [5.75.215.159] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242593; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.44] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242594; rev:1;)
alert tcp $HOME_NET any -> [65.109.172.49] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242595; rev:1;)
alert tcp $HOME_NET any -> [34.86.252.187] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242592; rev:1;)
# The path /jquery-3.3.1.min.js is listed for three hosts: 106.54.228.198,
# www.baidu12366.xyz and www.sonystore.xyz. The path is the file name of a widely used
# JavaScript library, so on its own it identifies nothing; the exact http.host match is
# what makes these rules specific. 106.54.228.198 also has an ip:port rule on 8080, and
# both domains have a matching `alert dns` rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"106.54.228.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.43.58.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.baidu12366.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242584; rev:1;)
alert tcp $HOME_NET any -> [106.54.228.198] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.baidu12366.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sonystore.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242581; rev:1;)
alert tcp $HOME_NET any -> [39.98.192.104] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.sonystore.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"154.197.98.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242578; rev:1;)
# This rule is `alert tcp` on port 53, so it covers TCP only; UDP/53 traffic to the same
# address is not matched by it.
alert tcp $HOME_NET any -> [88.214.25.36] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.pain.capetown"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/eternalrequestlowtestdle.php"; depth:31; nocase; http.host; content:"5.182.87.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242575/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242575; rev:1;) alert tcp $HOME_NET any -> [42.237.24.42] 7899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-orange-unit-abfb.gwadarportt.workers.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailpsab-modgovpk.hopto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailsco-govpk.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailsco-govpk.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; 
sid:91242547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meter-ntdccompk.myvnc.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meter-ntdccompk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mof-govnp.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navy-govbd.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmail-armymilbd.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news-ptvcompk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.ntc-telecomcorporation.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntc-telecomcorporation.workers.dev"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offer-ptclnetpk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveblog.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveirc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pak-gov-pk.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pakistan-gov-pk.workers.dev"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pertest-ntdccompk.ddnsking.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"piac-compk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-ptclnetpk.servehttp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewards-ptclnetpk.viewdns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdmx-financegovpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharepakistan-mofa.viewdns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support-ntc.servehttp.com"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail-gda-gov-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-crimson-bread-052d.crypton0019.workers.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ecp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-gwadarport-gov-pk.ntc-telecomcorporation.workers.dev"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hit-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.servehttp.com"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-invest-gov-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mod-gov-pk.pakistan-gov-pk.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.government-pak.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.pak-gov-pk.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.gotdns.ch"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.myddns.me"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofapk.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-nespak-com-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ntcgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-paf-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pc-gov-pk-login.ethanhunthero125.workers.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pofgovpk.3utilities.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pofgovpk.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.crypton0019.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242543/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailhit-govpk.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diagov.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discounts-ptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elccorp-net.ntc-telecomcorporation.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eservice-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242497/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_25; classtype:trojan-activity; sid:91242497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ethanhunthero125.workers.dev"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govnp.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveblog.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"govaruba.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242502; rev:1;) 
# Domain indicators, one rule per line. dns_query content with depth equal to the name's length
# plus isdataat:!1,relative is an exact match on the queried name, and nocase makes it
# case-insensitive. A subdomain of a listed name does not match unless it has its own rule.
# The sid is the digit 9 followed by the ThreatFox IOC id from the reference URL.
# target:src_ip marks the querying side as the target. That source may be an internal resolver
# rather than the endpoint that asked, depending on sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"government-pak.workers.dev"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarport-gov-pk.gwadarportt.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrmis-financegovpk.serveftp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideas2024-pakistan.myvnc.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideaspakistan-govpk.myvnc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iportal-ntdcgovpk.myvnc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-armylk.myvnc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-armylk.servehalflife.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.servequake.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depo-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.myvnc.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdpgovpk.servehalflife.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"203-124351878443.hopto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory-cabinetgpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehalflife.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofagovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofapk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"circular-financegov.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypton0019.workers.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242493; rev:1;)
# From here the msg text reads "payload delivery" instead of "botnet C2 traffic". The classtype
# is still trojan-activity, so separating the two in triage has to key on msg, not on classtype.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme89.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz78543.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7963.xyz"; depth:41; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242467; rev:1;)
# (The line above completes a rule that begins on the previous line.)
#
# ThreatFox "payload delivery" domain indicators, first_seen 2024_02_25,
# confidence_level 100. The names are numbered variants of a few base strings
# under .xyz and .site.
# Match logic: dns_query (legacy spelling of the dns.query sticky buffer) + content
# with depth equal to the name's length + isdataat:!1,relative means the whole
# query name must equal the listed domain (nocase). Each rule covers exactly one
# name: a subdomain of it, or a numbered variant not listed here, will not alert.
# Triage: a hit is a DNS lookup seen from $HOME_NET (target:src_ip marks the
# querying address as the affected side), not proof that anything was downloaded.
# If clients resolve through an internal resolver, the source may be the resolver
# rather than the endpoint - correlate with resolver logs (depends on sensor placement).
# No threshold option is set on these rules, so every matching query alerts.
# sid is 9 followed by the ThreatFox IOC id from the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz8456.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz87636.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz8798.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz9856.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz986.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz9872.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayersistemleri15547.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayersistemleri23547.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme12.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme34.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme39.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme437.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme46.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme53.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme5427.xyz"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme547.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme82.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz543.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz54453.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz54748.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5516.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5646.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5736.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz576.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz657.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz676.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz6766.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz677.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz685.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7554.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz76342.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz766.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7693.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7786.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3256.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242430/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242430; rev:1;)
# (The line above completes a rule that begins on the previous line.)
#
# ThreatFox "payload delivery" domain indicators, first_seen 2024_02_25,
# confidence_level 100. The names are numbered variants of a few base strings
# under .xyz and .site.
# Match logic: dns_query (legacy spelling of the dns.query sticky buffer) + content
# with depth equal to the name's length + isdataat:!1,relative means the whole
# query name must equal the listed domain (nocase). Each rule covers exactly one
# name: a subdomain of it, or a numbered variant not listed here, will not alert.
# Triage: a hit is a DNS lookup seen from $HOME_NET (target:src_ip marks the
# querying address as the affected side), not proof that anything was downloaded.
# If clients resolve through an internal resolver, the source may be the resolver
# rather than the endpoint - correlate with resolver logs (depends on sensor placement).
# No threshold option is set on these rules, so every matching query alerts.
# sid is 9 followed by the ThreatFox IOC id from the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz345.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz34616.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3466.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz36357.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3786.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz43.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz436.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4367.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4378.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4432.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz453.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4533.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45436.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4567.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45676.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45678.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz525.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz532.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz138.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2145vvv.xyz"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz23.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz234.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2346.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz235.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2355.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2356.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz241.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2452.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz25.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2612.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3215.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz325.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz325336.xyz"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri689.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri775.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri8358.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri89.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri893.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri94.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri965.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite14325.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite2432.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite345436.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242398; rev:1;)
alert dns $HOME_NET
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite4352.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite5436.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite64378.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite6473.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite7865.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"videofullizlesite8368.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme11.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme22.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme39.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme46.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1235.xyz"; 
depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz124.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1323.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri247.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri258.xyz"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri26.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri27.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri342.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri393.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri427.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri4537.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri456.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri457.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri4579.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri458.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242382/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri554.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri609.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri632.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri67.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri675.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri6799.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi7635.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi771.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi8750.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi883.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242349; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizlemesistemi956735.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi124526.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi125.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi2334.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi235.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi2356.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi326471.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi345.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi345738.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi347583.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"hdvideoizleresmi43435546.website"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi456754.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi5236.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi6395456.website"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi6458.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi77458.website"; depth:29; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri009.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri123.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri15.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri234.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri2342.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi354.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi441.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi456.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi46.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi467.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242336/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi541.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi5567.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6076.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6539.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi656.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi658.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6583.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi675.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi679.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu4568.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242314; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu479.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu482.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu556.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu568.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu5698.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu571.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242320; rev:1;)
# Review note (DNS payload-delivery domains): every rule in this run is an exact,
# case-insensitive match on the queried name. depth equals the length of the content
# string and isdataat:!1,relative requires the dns_query buffer to end right there,
# so a lookup for a subdomain of a listed name (for example a "www." prefix) does
# not fire. Add a separate suffix match locally if subdomain coverage is wanted.
# The names fall into a few families that differ only in a numeric suffix; the rules
# are per indicator, so a new suffix is not covered until the feed lists it.
# dns_query is the legacy spelling of the dns.query sticky buffer; confirm the
# deployed Suricata version still accepts it before loading the file.
# Only DNS the sensor can decode is inspected; lookups sent over DoH or DoT never
# reach this buffer.
# target:src_ip flags the querying $HOME_NET address as the affected side of the
# alert. If the sensor only sees resolver-to-internet traffic, that address is the
# internal resolver, and the originating client has to come from resolver logs.
# An alert here shows that a name was queried, not that a payload was fetched or
# run; first_seen 2024_02_25 is the only age information the rule carries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu69.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu78.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu783.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu8570.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi050.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi076.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi1245.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi156.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi235.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi243.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi2467.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi482.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi546754.site"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi5684.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi6263.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi66376.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi86598.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi882.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi9034.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu05.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu093.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu1214.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu124146.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu188.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu22.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu243667.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu335.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu34521.xyz"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu345235.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu3467.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu364.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu436.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle394.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle42853.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle4326.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle4567.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle56765.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle6789.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle789.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle8324.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle9344.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi01234.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi0513.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi11234.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi12143.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi2213.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi2324.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi23562.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi3215.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi4321.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi43464.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi6170.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi78123.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi993150.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi0474.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi124.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi2246.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi2548.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi289.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi34776.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi3969.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi437.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi445444.site"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi4583.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi46793.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle015919.site"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle12321.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle1252.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle2324.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle23453.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle2357.site"; depth:30; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242256; rev:1;)
# Review note: the three DNS rules that follow match the queried name exactly
# (depth equals the content length and isdataat:!1,relative closes the match), so
# a lookup for a subdomain of a listed name does not fire them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle324.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle3456.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle348.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242259; rev:1;)
# Review note (HTTP C2 URLs): each url rule needs a client-to-server request on an
# established flow, a method buffer containing GET, a URI that starts with the
# listed path, and a Host value equal to the listed string.
# http.uri carries depth but no isdataat:!1,relative, so short paths such as "/cx"
# or "/api/x" also match any longer URI with that prefix; the nocase after it makes
# the path comparison case-insensitive. http.host is anchored at both ends.
# The Host value is supplied by the client. Where the content is an IP literal the
# rule fires on requests whose Host header is that literal; the rule itself does
# not constrain the destination address.
# Only HTTP the sensor can decode is covered; the same request inside TLS does not
# populate these buffers unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242249; rev:1;)
# NOTE(review): the name in the next two rules sits under tencentapigw.com.cn,
# which looks like a shared cloud API-gateway domain (unconfirmed). The exact match
# keeps both rules on this one label; such a label can presumably be released and
# reused, so re-check the ThreatFox reference before treating a hit as confirmed C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2kd9w0iu-1302672236.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2kd9w0iu-1302672236.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"129.226.83.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242240; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the rules below (first_seen 2024_02_24 / 2024_02_25)
#
# Every rule alerts on traffic leaving $HOME_NET; target:src_ip marks that
# internal source as the affected host in alert output. On each rule the sid
# is the ThreatFox IOC id from the reference URL with a leading 9.
#
# Three rule shapes appear here:
#  * alert http: requires method GET, a URI that *starts with* the listed
#    path (content + depth, nocase; nothing bounds the end of the URI, so
#    longer URIs sharing the prefix also match) and an http.host buffer equal
#    to the listed value (depth + isdataat:!1,relative). Short paths such as
#    "/cx" or "/api/x" depend entirely on the host match for specificity.
#  * alert dns: the query name must equal the listed domain exactly (depth
#    equals the content length, isdataat:!1,relative, nocase). Subdomains of
#    a listed name do not match unless they have a rule of their own.
#  * alert tcp ... -> [ip] port: no flow or payload keywords, so any TCP
#    packet to that ip:port matches, including an unanswered SYN; the
#    threshold caps output at one alert per source per 60 seconds. An alert
#    shows a connection attempt, not necessarily an established C2 session.
#
# Triage: confidence_level (50/75/100) is carried in both msg and metadata.
# The confidence-50 ip:port rules, several on common service ports such as
# 80, 443 and 995, match on address alone; corroborate with flow, TLS or
# endpoint data before treating the source host as compromised.
# NOTE(review): first_seen is February 2024 while the file header reports a
# July 2024 update; addresses may have changed hands since - confirm the IOC
# is still listed at its reference URL.
# NOTE(review): conference-cal.gl.at.ply.gg (confidence 75) looks like a name
# under a shared tunnelling-service domain - verify before acting on the
# parent domain.
# NOTE(review): in this copy some rules are split across physical lines.
# Suricata reads one rule per line unless the line ends with a backslash, so
# re-join them before loading.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz13602.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microcoft-gettask.html"; depth:23; nocase; http.host; content:"20.106.175.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fewjfhwefhwegfgwey344.cfd"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhfhreeruu334345432.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1242232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gftfttdrtdrrttgfderrt654.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htyfdsdghfr65443.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iefijweijfiwefiue9877.cfd"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woolyboolydoolykooly.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthbot.icu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242230/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242230; rev:1;) alert tcp $HOME_NET any -> [15.235.131.20] 44647 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242227; rev:1;) alert tcp $HOME_NET any -> [93.123.85.142] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.loadbalance.click"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conference-cal.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzzhmgjjztjkogi3/"; depth:18; nocase; http.host; content:"83.97.73.195"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; 
sid:91242210; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 80 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242211; rev:1;) alert tcp $HOME_NET any -> [20.218.68.91] 23100 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242216; rev:1;) alert tcp $HOME_NET any -> [77.105.147.157] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242226; rev:1;) alert tcp $HOME_NET any -> [71.88.241.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242225; rev:1;) alert tcp $HOME_NET any -> [167.56.121.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242224; rev:1;) alert tcp $HOME_NET any -> [78.40.117.84] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242223; rev:1;) alert tcp $HOME_NET any -> [35.193.229.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242222; rev:1;) alert tcp $HOME_NET any -> [185.198.57.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externallinephpjavascriptsecureauthprotectlinuxuniversal.php"; depth:61; nocase; http.host; content:"82.115.223.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242220; rev:1;) alert tcp $HOME_NET any -> [156.236.72.163] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image_securecpugamelongpollmulticentral.php"; depth:44; nocase; http.host; 
content:"gp104995g2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmcpuprocessgenerator.php"; depth:26; nocase; http.host; content:"785319cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242217; rev:1;) alert tcp $HOME_NET any -> [45.92.179.244] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242215; rev:1;) alert tcp $HOME_NET any -> [91.92.244.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242214; rev:1;) alert tcp $HOME_NET any -> [91.92.244.67] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; 
http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242209; rev:1;) alert tcp $HOME_NET any -> [88.214.25.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"88.214.25.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242205; rev:1;) 
alert tcp $HOME_NET any -> [87.98.177.182] 3131 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242204; rev:1;) alert tcp $HOME_NET any -> [45.95.147.236] 43782 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv.tamatri.co"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tamatri.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dw.c4kdeliver.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242200; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 43519 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1242198/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"male-stephen.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242199/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbi.su1001-2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbi.su1001-2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dw.bpdeliver.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jira.letmaker.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242191/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_24; classtype:trojan-activity; sid:91242191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"work.onlypirate.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.oracleservice.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.oracleservice.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwn.oracleservice.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4k-ircd.pwndns.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"teplokub.com.ua"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"kamsmad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"souzhensil.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242187; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 20543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242185; rev:1;) alert tcp $HOME_NET any -> [84.212.127.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; 
classtype:trojan-activity; sid:91242184; rev:1;) alert tcp $HOME_NET any -> [105.108.32.227] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242183; rev:1;) alert tcp $HOME_NET any -> [188.40.19.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242182; rev:1;) alert tcp $HOME_NET any -> [64.227.179.34] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242181; rev:1;) alert tcp $HOME_NET any -> [216.146.26.94] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242180; rev:1;) alert tcp $HOME_NET any -> [216.146.26.94] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242179; rev:1;) alert tcp $HOME_NET any -> [172.104.53.129] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242178; rev:1;) alert tcp $HOME_NET any -> [42.2.112.129] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242177; rev:1;) alert tcp $HOME_NET any -> [173.44.141.149] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242176; rev:1;) alert tcp $HOME_NET any -> [185.222.58.83] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242175; rev:1;) alert tcp $HOME_NET any -> [93.123.85.197] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242174; rev:1;) alert tcp $HOME_NET any -> [95.86.227.200] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"kisel228.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242173; rev:1;) alert tcp $HOME_NET any -> [192.236.162.239] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"o3c31x4fqdw2.lt"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"0n75w55jyk66.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"oylg4z486xv4.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242162/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_02_24; classtype:trojan-activity; sid:91242162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"13sf6uu6cvlm.la"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"papricasfla.bio"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"643y3mrh4m3d.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"xivadoivxa.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"6dtav5rvnh1q.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242167/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"decilaxcvz.life"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242168/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"9w28pp996g59.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242169/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242169; rev:1;) alert tcp $HOME_NET any -> [185.158.251.240] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stake.libertariancounterpoint.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242158/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_24; classtype:trojan-activity; sid:91242158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo"; depth:7; nocase; http.host; content:"moon.playstoreapi.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242154; rev:1;) alert tcp $HOME_NET any -> [77.246.158.53] 13551 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manta.brasilia.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloudieapp.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voilet"; depth:7; nocase; http.host; content:"sni1.androidmetricsasia.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242153/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"instantchatapp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"funcallback.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"appserv.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242159; rev:1;) alert tcp $HOME_NET any -> [43.229.148.210] 5556 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242151; rev:1;) alert tcp $HOME_NET any -> [5.42.73.150] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"5.34.198.105"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242148; rev:1;)
# URL rules (protocol "http"): each one requires a GET request, a URI that
# BEGINS with the listed path (depth equals the string length and there is no
# end anchor, so "/cm" also covers longer URIs with that prefix), and a Host
# buffer that equals the listed value exactly (depth plus isdataat:!1,relative).
# The rule header is "$HOME_NET any -> $EXTERNAL_NET any": the IP literals below
# are compared against the Host header, not the destination address, so a
# request to the same server under another Host value is not matched here.
# Other methods (e.g. POST) to the same URL are outside these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.74.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"185.196.8.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242146; rev:1;)
# Domain rule: the DNS query name must equal "cdncloud.info" in full
# (case-insensitive); subdomains of it are not matched by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdncloud.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"cdncloud.info"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"ipadd.show"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipadd.show"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242138; rev:1;)
# ip:port rules: no flow or content condition, so any TCP packet from
# $HOME_NET to the listed address and port matches. "threshold: type limit,
# track by_src, seconds 60, count 1" caps output at one alert per source per
# minute per rule, so the alert count does not reflect connection volume;
# use flow records for that. target:src_ip marks the internal host as the
# affected side of the event.
# This rule covers TCP to port 53 only; UDP traffic to the same address is not
# matched by it.
alert tcp $HOME_NET any -> [148.72.132.181] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242137; rev:1;)
alert tcp $HOME_NET any -> [142.132.224.223] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242136/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242136; rev:1;)
# NOTE(review): the NjRAT entries below share destination port 17155 across
# different addresses. That pattern can come from one campaign or from a shared
# relay/tunnelling front end; check the reference URL before treating the
# address itself as attacker-owned.
alert tcp $HOME_NET any -> [18.197.239.109] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241988; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241989; rev:1;)
alert tcp $HOME_NET any -> [3.69.157.220] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241990/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241990; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242004; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242012; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242013; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242014; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"than-electoral.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242107/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242107; rev:1;)
# Domain rules here match the complete query name (depth equals the string
# length, isdataat:!1,relative forbids trailing bytes, nocase ignores case).
# Two of the names on this line sit under the same parent, gl.at.ply.gg; only
# the exact hostnames listed are covered, not the parent or sibling names.
# NOTE(review): 147.185.221.18 is listed in this feed on several ports (also
# sid:91242118 and sid:91242105). An address reused across many ports often
# belongs to a shared relay or tunnelling service, so confirm that before
# blocking the whole IP; the per-port rules are the narrower signal.
alert tcp $HOME_NET any -> [147.185.221.18] 3639 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pcpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242123; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 15217 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nature-dawn.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242109/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwi0ywmyymflodbl/"; depth:18; nocase; http.host; content:"194.26.135.99"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242115; rev:1;) alert tcp $HOME_NET any -> [93.123.85.8] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242128; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 1177 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242135; rev:1;) alert tcp $HOME_NET any -> [45.138.74.228] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242134; rev:1;) alert tcp $HOME_NET any -> [13.231.247.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242133; rev:1;) alert tcp $HOME_NET any -> [95.179.200.130] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242132; rev:1;) alert tcp $HOME_NET any -> [77.49.56.209] 
995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242131; rev:1;)
# Confidence is carried only in the msg text and in "metadata:
# confidence_level"; every rule uses the same classtype (trojan-activity)
# regardless of confidence. Deployments that want to route or suppress the
# 50% entries need to filter on the metadata field rather than on classtype.
# The ip:port rules match on destination address and port alone (no flow or
# content condition), with one alert per source per 60 seconds.
# Destination port 445 to an external address: an alert here also shows that
# outbound SMB is leaving the network, which is worth reviewing at the egress
# filter independently of this indicator.
alert tcp $HOME_NET any -> [143.198.112.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242130; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.224] 10443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242129; rev:1;)
alert tcp $HOME_NET any -> [92.246.136.169] 16668 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242125; rev:1;)
# URL rule: GET only, URI must begin with the listed path (prefix match), and
# the Host buffer must equal the listed name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck07725.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242124; rev:1;)
alert tcp $HOME_NET any -> [121.37.66.33] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242122; rev:1;) alert tcp $HOME_NET any -> [105.100.10.190] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242121; rev:1;) alert tcp $HOME_NET any -> [94.154.172.74] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242120; rev:1;) alert tcp $HOME_NET any -> [49.13.32.37] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242119; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 32544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242118; rev:1;) alert tcp $HOME_NET any -> [37.120.237.196] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242117; rev:1;) alert tcp $HOME_NET any -> [45.80.158.25] 5055 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageprotect.php"; depth:17; nocase; http.host; content:"176.123.169.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242112; rev:1;) alert tcp $HOME_NET any -> [85.159.228.138] 41572 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91242111; rev:1;) alert tcp $HOME_NET any -> [213.152.162.89] 9702 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242110; rev:1;) alert tcp $HOME_NET any -> [65.0.50.125] 22158 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242106; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 36364 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242105; rev:1;) alert tcp $HOME_NET any -> [51.81.42.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242104; rev:1;) alert tcp $HOME_NET any -> [20.115.87.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242103; rev:1;) alert tcp $HOME_NET any -> [34.250.248.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1242102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242102; rev:1;)
# These entries are labelled "Unknown malware" while carrying confidence_level
# 100: the alert text names no family, so triage depends on the ThreatFox
# reference URL in each rule for context on what was observed.
# Each rule matches on destination address and port only; there is no flow,
# payload or TLS condition, and the threshold emits one alert per source per
# 60 seconds.
alert tcp $HOME_NET any -> [124.223.177.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242101; rev:1;)
alert tcp $HOME_NET any -> [138.68.180.208] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242100; rev:1;)
alert tcp $HOME_NET any -> [52.231.117.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242099; rev:1;)
alert tcp $HOME_NET any -> [52.87.249.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242098; rev:1;)
# NOTE(review): port 443 with no further condition means any TCP connection to
# this address on 443 alerts. If the address turns out to front more than one
# service, expect unrelated traffic to trigger it; correlate with TLS/flow
# logs before escalating.
alert tcp $HOME_NET any -> [3.65.151.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242097; rev:1;)
alert tcp 
$HOME_NET any -> [34.134.123.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242096; rev:1;) alert tcp $HOME_NET any -> [4.147.26.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242095; rev:1;) alert tcp $HOME_NET any -> [172.104.219.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242094; rev:1;) alert tcp $HOME_NET any -> [142.93.75.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242093; rev:1;) alert tcp $HOME_NET any -> [167.71.229.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242092; rev:1;) alert tcp $HOME_NET any -> [84.76.152.132] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242091; rev:1;) alert tcp $HOME_NET any -> [34.66.42.107] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242090; rev:1;) alert tcp $HOME_NET any -> [34.88.129.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242089; rev:1;) alert tcp $HOME_NET any -> [138.197.168.34] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242088; rev:1;) alert tcp $HOME_NET any -> [47.245.122.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242087; rev:1;) alert tcp $HOME_NET any -> [124.220.110.22] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242086; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242085; rev:1;) alert tcp $HOME_NET any -> [84.27.0.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242084; rev:1;) alert tcp $HOME_NET any -> [93.123.85.206] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilon7331.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242082; rev:1;) alert tcp $HOME_NET any -> [5.42.67.10] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242079; rev:1;) alert tcp $HOME_NET any -> [5.42.67.89] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242077/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242077; rev:1;)
# ip:port rules on port 80: the match is on destination address and port, not
# on any HTTP field, so every TCP connection to the address on that port
# alerts (one alert per source per 60 seconds). Pair the alert with HTTP logs
# to see which Host and URI were actually requested.
alert tcp $HOME_NET any -> [110.173.54.195] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242078; rev:1;)
alert tcp $HOME_NET any -> [37.140.242.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242076; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242075; rev:1;)
alert tcp $HOME_NET any -> [154.244.6.141] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242074; rev:1;)
# Exact-name match: the query must be "www.edgarmcneil.autos" in full (depth 21
# plus isdataat:!1,relative). Lookups for the bare domain or for any other
# host label under it are not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.edgarmcneil.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dbdfbd.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liceback.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242071; rev:1;) alert tcp $HOME_NET any -> [220.78.13.217] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242070; rev:1;) alert tcp $HOME_NET any -> [181.162.129.236] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242069; rev:1;) alert tcp $HOME_NET any -> [89.23.102.221] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242068; rev:1;) alert tcp $HOME_NET any -> [193.233.254.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91242066; rev:1;)
# The Hook entries match on destination address and TCP port 80 only; no HTTP
# field is inspected, and the threshold emits one alert per source per 60
# seconds.
alert tcp $HOME_NET any -> [212.70.149.199] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242067; rev:1;)
alert tcp $HOME_NET any -> [86.110.194.13] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242064; rev:1;)
# NOTE(review): this name has the provider-generated form that embeds an
# address (ec2-<a-b-c-d>.<region>.compute.amazonaws.com). Such names presumably
# follow whichever tenant currently holds the address, so the indicator can
# outlive the activity it was reported for. Compare first_seen (2024_02_23)
# with the deployment date and re-check the reference URL before acting on a
# hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-214-93-225.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242065; rev:1;)
alert tcp $HOME_NET any -> [185.217.197.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242063; rev:1;)
# Exact-name match on the full query string (depth 13 plus
# isdataat:!1,relative, case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ovh.rfc.pp.ua"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ec2-54-152-184-1.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242061; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242060; rev:1;) alert tcp $HOME_NET any -> [46.4.37.212] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242058; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242059; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242057; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242055/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_23; classtype:trojan-activity; sid:91242055; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242056; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242054; rev:1;) alert tcp $HOME_NET any -> [82.165.208.218] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242053; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242052; rev:1;) alert tcp $HOME_NET any -> [185.87.150.199] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242051; rev:1;) alert tcp $HOME_NET any -> [82.97.244.235] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242050/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242050; rev:1;) alert tcp $HOME_NET any -> [35.93.24.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242049/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242049; rev:1;) alert tcp $HOME_NET any -> [114.115.129.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242048/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242048; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242047; rev:1;) alert tcp $HOME_NET any -> [65.20.80.197] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242045; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242046; rev:1;) alert tcp $HOME_NET any -> 
[65.20.80.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242044; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242043; rev:1;) alert tcp $HOME_NET any -> [34.168.39.155] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242041; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242042; rev:1;) alert tcp $HOME_NET any -> [176.32.38.186] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242040; rev:1;) alert tcp $HOME_NET any -> [182.92.207.142] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242039/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242039; rev:1;) alert tcp $HOME_NET any -> [91.92.241.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242038; rev:1;) alert tcp $HOME_NET any -> [45.159.209.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242036; rev:1;) alert tcp $HOME_NET any -> [117.72.42.129] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242037; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242034; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242035; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242033; rev:1;) alert tcp $HOME_NET any -> [91.149.237.252] 52299 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242032; rev:1;) alert tcp $HOME_NET any -> [101.200.164.66] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242030; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242031; rev:1;) alert tcp $HOME_NET any -> [154.221.17.44] 2991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242029; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242027/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_23; classtype:trojan-activity; sid:91242027; rev:1;) alert tcp $HOME_NET any -> [167.71.186.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242028; rev:1;) alert tcp $HOME_NET any -> [139.180.146.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242026; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242024; rev:1;) alert tcp $HOME_NET any -> [154.197.98.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242025; rev:1;) alert tcp $HOME_NET any -> [175.24.133.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242023; rev:1;) alert tcp $HOME_NET any -> [152.42.164.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242022; rev:1;) alert tcp $HOME_NET any -> [221.234.36.116] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242020; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242021; rev:1;) alert tcp $HOME_NET any -> [47.254.149.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242019; rev:1;) alert tcp $HOME_NET any -> [20.108.32.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242018; rev:1;) alert tcp $HOME_NET any -> [52.190.15.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242017; rev:1;) 
# ThreatFox IOC rules, first_seen 2024_02_23, laid out one rule per line: Suricata reads a rule
# from a single line unless it is continued with a backslash. In every rule here the sid is 9
# followed by the ThreatFox IOC id from the reference URL. confidence_level is carried both in
# msg and in metadata, so it can be used for triage or filtering.
#
# ip:port rules carry no flow or payload condition: any TCP packet from $HOME_NET to the listed
# address and port matches, including an unanswered connection attempt. The threshold keyword
# caps each rule at one alert per source address per 60 seconds. The only date carried is
# first_seen, so check the reference URL for the indicator's current status before acting.
alert tcp $HOME_NET any -> [58.137.140.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242016; rev:1;)
# url rules: three conditions on a client request over an established flow. The method must
# contain GET; http.uri must begin with the listed path (depth equals the path length, nocase);
# http.host must equal the listed name exactly (depth plus isdataat:!1,relative). The URI
# condition is a prefix match, so "/api" also matches "/api/..." or "/apix", and the host
# condition is what makes these rules specific. There is no nocase on http.host; Suricata
# normalizes that buffer to lowercase and every host pattern here is lowercase. These rules
# inspect parsed HTTP only, so the same host reached over TLS is not seen by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"controlopposedcallyo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"technologyenterdo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lighterepisodeheighte.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"problemregardybuiwo.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"detectordiscusser.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"edurestunningcrackyow.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pooreveningfuseor.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242005; rev:1;)
# From here through sid:91241993 the feed rates the ip:port entries at confidence_level 50.
# Several use ports that also carry ordinary services (22, 80, 443, 445, 995), and the rule
# matches on address and port alone, so treat a hit as a lead to corroborate with other
# telemetry rather than as a confirmed detection.
alert tcp $HOME_NET any -> [192.210.136.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242003; rev:1;)
alert tcp $HOME_NET any -> [86.98.212.14] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242002; rev:1;)
alert tcp $HOME_NET any -> [105.155.177.133] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242001; rev:1;)
alert tcp $HOME_NET any -> [176.233.252.31] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242000; rev:1;)
alert tcp $HOME_NET any -> [195.78.220.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241999; rev:1;)
alert tcp $HOME_NET any -> [89.116.227.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241998; rev:1;)
alert tcp $HOME_NET any -> [37.1.210.109] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241997; rev:1;)
alert tcp $HOME_NET any -> [20.189.118.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241996; rev:1;)
alert tcp $HOME_NET any -> [138.124.180.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241995; rev:1;)
alert tcp $HOME_NET any -> [122.114.11.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241994; rev:1;)
alert tcp $HOME_NET any -> [130.193.34.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241993; rev:1;)
alert tcp $HOME_NET any -> [46.101.147.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241992; rev:1;)
# The URI below is shaped like a retail-site search path; without the exact http.host match it
# would be far too broad, so keep both conditions together if this rule is adapted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"software.ftoffice.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241991; rev:1;)
alert tcp $HOME_NET any -> [103.178.234.224] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241987; rev:1;)
# NOTE(review): the NjRAT entries reuse a small set of addresses across two ports (3.125.102.39
# and 3.125.209.94 each appear with 12044 and 12607), and the ply.gg name further down looks
# like a tunnelling-service hostname -- TODO confirm in the ThreatFox entries. If these are
# shared relay endpoints, other users of the same service sit behind the same addresses and
# only the port narrows the match, which would fit the feed's confidence_level of 75.
alert tcp $HOME_NET any -> [18.158.249.75] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241982; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241983; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241984/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241984; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241985; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241986; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241977; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.16] 38277 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241978; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241979; rev:1;)
# dns rules: content is matched against the dns_query buffer (the older spelling of dns.query)
# with depth equal to the name's length plus isdataat:!1,relative, so only a query for exactly
# that name matches (case-insensitively); a query for a name beneath it does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cut-britney.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241980/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241980; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241981; rev:1;)
alert tcp $HOME_NET any -> [23.106.121.133] 1177 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jnchina.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eu.webmailservice.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241973; rev:1;)
# Coverage gap to be aware of: the Cobalt Strike ip:port rules on port 53 below are "alert tcp",
# so DNS carried over UDP to the same addresses does not match them. The dns rules interleaved
# with them are exact-name matches, so queries for names beneath those domains do not match
# either. If DNS-based C2 is the concern, these rules need to be complemented by resolver logs
# or a rule that covers the whole zone.
alert tcp $HOME_NET any -> [20.170.19.248] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241974; rev:1;)
alert tcp $HOME_NET any -> [18.219.198.202] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.byresolved.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241971; rev:1;)
alert tcp $HOME_NET any -> [46.101.147.204] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.ftoffice.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241969; rev:1;)
# content:"/"; depth:1 is satisfied by any URI that starts with "/", so the rule below is in
# effect a match on GET requests whose Host is exactly 178.20.43.58.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.20.43.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241968; rev:1;)
alert tcp $HOME_NET any -> [45.76.123.14] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rd.0x3f34.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rd.0x115c.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241966; rev:1;)
# The next two rules are labelled "payload delivery" in msg rather than "botnet C2 traffic"; the
# classtype is the same trojan-activity, so msg is the field that tells the two apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241964; rev:1;)
# NOTE(review): the next five rules each pin one PHP file under a stock WordPress theme
# directory on a different site -- presumably compromised sites rather than attacker-owned
# hosts; verify in the ThreatFox entries. Requests to those sites whose URI does not begin with
# the listed path do not match, so ordinary browsing of the same site stays quiet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalsecuredlecentral.php"; depth:29; nocase; http.host; content:"113754cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241957; rev:1;)
# /dot.gif and /jquery-3.3.1.min.js are paths that also occur in ordinary web traffic; the exact
# http.host match on a literal IP address is what keeps the next two rules narrow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.106.26.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.92.146.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241955; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.195] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241954; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.89] 8081 (msg:"ThreatFox RisePro botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sluitionsbad.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"sluitionsbad.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241951; rev:1;) alert tcp $HOME_NET any -> [185.209.162.106] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mezla.site"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241950; rev:1;) alert tcp $HOME_NET any -> [45.11.93.150] 8964 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1241936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241936; rev:1;) alert tcp $HOME_NET any -> [193.23.55.21] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241948; rev:1;) alert tcp $HOME_NET any -> [193.233.132.89] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241946; rev:1;) alert tcp $HOME_NET any -> [38.180.71.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.180.71.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"78.40.116.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241943; rev:1;) alert tcp $HOME_NET any -> [159.65.130.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"159.65.130.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241941; rev:1;) alert tcp $HOME_NET any -> [20.91.244.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyprusvillahomes.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/scripts/a0aba203-e3f4-4a26-81f8/get/jquery-ui-1.12.1"; depth:60; nocase; http.host; content:"cyprusvillahomes.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241938; rev:1;) alert tcp $HOME_NET any -> [49.13.32.37] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241934; rev:1;) alert tcp $HOME_NET any -> [192.227.231.5] 23 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241931; rev:1;) alert tcp $HOME_NET any -> [203.25.119.136] 48748 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241932; rev:1;) alert tcp $HOME_NET any -> [178.79.150.75] 4444 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241929; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241930; rev:1;) alert tcp $HOME_NET any -> [141.98.7.15] 1915 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241926; rev:1;) alert tcp $HOME_NET any -> [146.59.12.246] 20002 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91241927; rev:1;) alert tcp $HOME_NET any -> [146.190.53.148] 81 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241928; rev:1;) alert tcp $HOME_NET any -> [134.209.111.71] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241924; rev:1;) alert tcp $HOME_NET any -> [141.95.81.119] 2300 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241925; rev:1;) alert tcp $HOME_NET any -> [114.67.217.170] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241923; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 32015 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241921; rev:1;) alert tcp $HOME_NET any -> [93.123.85.181] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241922; rev:1;) alert tcp $HOME_NET any -> [78.31.67.78] 2300 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241919; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 32015 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241920; rev:1;) alert tcp $HOME_NET any -> [47.105.86.47] 21997 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241917; rev:1;) alert tcp $HOME_NET any -> [62.173.140.174] 17900 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241918; rev:1;) alert tcp $HOME_NET any -> [45.154.1.68] 1420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241915; rev:1;) alert tcp $HOME_NET any -> [46.19.140.242] 32465 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241916; rev:1;) alert tcp $HOME_NET any -> [31.222.202.156] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/nvycjtpinaaq4eamnkgwj2"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hlaqy0v7-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241912; rev:1;) alert tcp $HOME_NET any -> [106.54.228.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-hlaqy0v7-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241911; rev:1;) alert tcp $HOME_NET any -> [185.196.10.134] 6117 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241910; rev:1;) alert tcp $HOME_NET any -> [154.222.236.61] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241909; rev:1;) alert tcp $HOME_NET any -> [94.103.188.173] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241908; rev:1;) alert tcp $HOME_NET any -> [142.171.33.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241907; rev:1;) alert tcp $HOME_NET any -> [89.190.156.176] 8872 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241882/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241882; rev:1;) alert tcp $HOME_NET any -> [185.226.106.107] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241894; rev:1;) alert tcp $HOME_NET any -> [194.147.140.242] 2202 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241906; rev:1;) alert tcp $HOME_NET any -> [154.247.12.253] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241905; rev:1;) alert tcp $HOME_NET any -> [209.151.153.136] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241904; rev:1;) alert tcp $HOME_NET any -> [103.27.132.105] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241903; rev:1;) alert tcp $HOME_NET any -> [37.1.210.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241902; rev:1;) alert tcp $HOME_NET any -> [34.116.205.0] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241901; rev:1;) alert tcp $HOME_NET any -> [165.227.122.136] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241900; rev:1;) alert tcp $HOME_NET any -> [58.65.172.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241899; rev:1;) alert tcp $HOME_NET any -> [23.227.193.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lastaflirtely.me"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241897; rev:1;) alert tcp $HOME_NET any -> 
[209.9.200.69] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241896; rev:1;) alert tcp $HOME_NET any -> [51.250.74.43] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm65198.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241893; rev:1;) alert tcp $HOME_NET any -> [91.202.233.133] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241892; rev:1;) alert tcp $HOME_NET any -> [212.192.12.222] 5008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241891; rev:1;) alert tcp $HOME_NET any -> [91.92.252.227] 1000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241890; rev:1;) alert tcp $HOME_NET any -> [83.217.9.199] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241889; rev:1;) alert tcp $HOME_NET any -> [106.53.186.12] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241888; rev:1;) alert tcp $HOME_NET any -> [166.88.61.138] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241887; rev:1;) alert tcp $HOME_NET any -> [18.153.179.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241886; rev:1;) alert tcp $HOME_NET any -> [35.178.199.73] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241885; rev:1;) alert tcp $HOME_NET any -> [3.253.247.39] 443 (msg:"ThreatFox Havoc 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mscs.v1.vscll.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/generatorexternal9windows/local74/3processor/js/updatebigloadprocess/httptest/uploads9universaltest/trackflower6/pipe0wp/trafficlinegameprovider/publiclocal80/6better9/processorphp/6defaultserver/0javascript/multi8external/5betterrequestlinux/uploadswindowslow/tobigloadmultiflowerasyncwptempdownloads.php"; depth:306; nocase; http.host; content:"79.137.207.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241844; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241848; rev:1;) 
# --- IP:port indicators (alert tcp) ---
# These rules carry no payload, flow or application-layer keyword: any TCP packet from $HOME_NET to the
# listed address and port matches, whatever the connection contains or whether it completes.
# threshold (type limit, track by_src, count 1, seconds 60) caps output at one alert per source per minute.
# The malware family appears only in msg; metadata carries the ThreatFox confidence_level and first_seen.
# NOTE(review): first_seen here is 2024_02_22 while the file header reports a 2024-07-26 update; address-only
#   indicators can outlive the server they described, so check the ThreatFox reference before acting on a hit.
alert tcp $HOME_NET any -> [45.95.169.14] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241849; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 37064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241850/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241850; rev:1;)
# --- Domain indicators (alert dns) ---
# dns_query with depth, nocase and isdataat:!1,relative: the queried name must equal the pattern
# (case-insensitive); a longer name that merely contains it, such as a subdomain, does not match.
# NOTE(review): ply.gg looks like a tunnelling-service hostname, i.e. presumably shared infrastructure - verify.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"training-invasion.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241851/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241851; rev:1;)
# 185.196.9.97 is listed twice below with different ports and different confidence levels (100 and 75).
alert tcp $HOME_NET any -> [185.196.9.97] 48795 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241874; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.127] 51321 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241872; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.97] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"79-9-691.581-alps.qyhgroup.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241876; rev:1;)
# Port 443 destination: the rule sees only the address and port, so any TLS session to this address matches.
alert tcp $HOME_NET any -> [38.147.172.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241880; rev:1;)
# --- URL indicators (alert http) ---
# http.uri is anchored to the leading bytes by depth, case-insensitive, with no end-of-buffer check;
# http.host must end where its pattern ends (isdataat:!1,relative).
# Same match options as sid:91241883 elsewhere in this file, so one request would raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mscs.v1.vscll.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241879; rev:1;)
alert tcp $HOME_NET any -> [159.223.220.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241878; rev:1;)
# The URI pattern is a generic resource name; the rule is specific only through the Host condition, which is
# an IP literal. The same address also has an ip:port rule on 443 (sid:91241784) elsewhere in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalhttp2db/longpollvoiddb2server/longpollsecure3bigload/196downloads/32proton/061/imagevmproton/1pipe/dlebigloadcentral/game/50uploadscentral/phpbigload9/externalimageapigeneratoruniversalwordpresslocalcdn.php"; depth:214; nocase; http.host; content:"77.91.124.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241873; rev:1;)
# QakBot entries carry confidence_level 50 and use ports that also serve ordinary protocols (443, 995).
# NOTE(review): with no payload condition, a hit here is a lead to corroborate with host evidence, not a verdict.
alert tcp $HOME_NET any -> [79.131.125.79] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241871; rev:1;)
alert tcp $HOME_NET any -> [154.246.82.173] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241870; rev:1;)
alert tcp $HOME_NET any -> [75.90.82.104] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241869; rev:1;)
alert tcp $HOME_NET any -> [154.247.12.253] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241868; rev:1;)
alert tcp $HOME_NET any -> [24.90.18.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241867; rev:1;)
# "payload delivery" rules flag a download request from an internal client rather than C2 check-in;
# both entries below share the URI /mozi.m and carry confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"190.182.251.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.76.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.131.132.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241863; rev:1;)
# --- URL indicators (alert http) ---
# Each rule requires an established client-to-server flow, GET, a URI pattern and a Host pattern.
# http.uri is anchored to the leading bytes by depth, case-insensitive, with no end-of-buffer check, so a URI
# that continues after the pattern still matches; http.host must end where its pattern ends.
# The next three URI patterns are very short (/cm, /ga.js, /push): the rules are specific only because the
# Host condition must also hold, and that condition is an IP literal in each case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1.94.67.222"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241860; rev:1;)
# The Host here is a shared content-delivery name; the URI pins one attachment path, so other content on the
# same host is not matched by this rule.
# NOTE(review): this host is normally reached over HTTPS, so an `alert http` rule presumably fires only on
#   cleartext or decrypted traffic - confirm sensor visibility before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1130829539006750833/1210266320600301709/4_npp.8.6.3.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241859; rev:1;)
# Two payload-delivery paths on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onmicrosoft"; depth:12; nocase; http.host; content:"workstatpasing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nationwide_services"; depth:20; nocase; http.host; content:"workstatpasing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241857; rev:1;)
# The five rules below repeat the match options of rules with other sids elsewhere in this file
# (91241856/91241847, 91241855/91241846, 91241854/91241845, 91241853/91241844, 91241852/91241848),
# so one request would raise two alerts.
# NOTE(review): the /wp-content/themes/ layout suggests scripts placed on WordPress sites, presumably otherwise
#   legitimate hosts - verify against the ThreatFox reference before blocking the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241852; rev:1;)
# Only GET is matched (http.method content:"GET"); requests to the same path with another method do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w2p/panel/gate.php"; depth:19; nocase; http.host; content:"yourstudyway.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241843; rev:1;)
# Two payload-delivery paths on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zzrgqnaww.php"; depth:19; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241760; rev:1;)
# --- IP:port indicators (alert tcp) ---
# No payload, flow or application-layer keyword: any TCP packet from $HOME_NET to the listed address and port
# matches. threshold (type limit, track by_src, count 1, seconds 60) caps output at one alert per source per minute.
alert tcp $HOME_NET any -> [103.35.189.93] 10443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241842; rev:1;)
alert tcp $HOME_NET any -> [147.189.175.79] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241841; rev:1;)
alert tcp $HOME_NET any -> [34.72.103.8] 3333 (msg:"ThreatFox Unknown
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241839; rev:1;)
# --- IP:port indicators (alert tcp) ---
# No payload, flow or application-layer keyword: any TCP packet from $HOME_NET to the listed address and port
# matches. threshold (type limit, track by_src, count 1, seconds 60) caps output at one alert per source per minute.
# msg says "Unknown malware" for most entries here, so the alert text does not name a family; the
# reference URL is the only pointer to context.
# NOTE(review): confidence_level is 100 even though the family is unknown; entries on port 443 match any TLS
#   session to that address - corroborate with host or proxy evidence before treating a hit as confirmed.
alert tcp $HOME_NET any -> [34.118.85.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241840; rev:1;)
alert tcp $HOME_NET any -> [54.206.231.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241838; rev:1;)
alert tcp $HOME_NET any -> [3.110.14.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241837; rev:1;)
alert tcp $HOME_NET any -> [172.187.145.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241836; rev:1;)
alert tcp $HOME_NET any -> [138.197.13.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241835; rev:1;)
alert tcp $HOME_NET any -> [34.16.51.172] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241834; rev:1;)
alert tcp $HOME_NET any -> [96.231.143.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241833; rev:1;)
alert tcp $HOME_NET any -> [137.184.150.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241832; rev:1;)
alert tcp $HOME_NET any -> [164.177.30.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241831; rev:1;)
# --- Domain indicators (alert dns) ---
# dns_query with depth, nocase and isdataat:!1,relative: the queried name must equal the pattern
# (case-insensitive); a longer name that merely contains it does not match.
# NOTE(review): this name follows a hosting provider's numbered-server scheme, presumably a default hostname
#   for a rented machine - the indicator is only meaningful while the same tenant holds it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1126965.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241830; rev:1;)
# Four consecutive entries on port 60000.
alert tcp $HOME_NET any -> [39.107.109.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241829; rev:1;)
alert tcp $HOME_NET any -> [38.54.119.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241828; rev:1;)
alert tcp $HOME_NET any -> [45.207.58.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241827; rev:1;)
alert tcp $HOME_NET any -> [219.147.89.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241826; rev:1;)
alert tcp $HOME_NET any -> [51.11.25.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkerfunyfile.store"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241824; rev:1;)
# Port 80 destination: any TCP packet to this address on the web port matches, including ordinary HTTP
# to another site if the address is shared.
alert tcp $HOME_NET any -> [95.216.253.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"striperouter.supelle.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241823; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.135] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241821; rev:1;)
alert tcp $HOME_NET any -> [108.174.198.206] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241820; rev:1;)
alert tcp $HOME_NET any -> [209.141.35.151] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 100%)"; dns_query; content:"ec2-54-88-105-125.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241818; rev:1;)
# --- Domain indicators (alert dns) ---
# dns_query with depth, nocase and isdataat:!1,relative: the queried name must equal the pattern
# (case-insensitive); a longer name that merely contains it does not match.
# Several names in this group embed an IP address inside a hosting provider's domain (plesk.page,
# your-server.de, googleusercontent.com, amazonaws.com).
# NOTE(review): such names are presumably provider-assigned defaults, so the indicator is only valid while the
#   same tenant holds the address; weigh first_seen (2024_02_22) against the current date before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241817; rev:1;)
# --- IP:port indicators (alert tcp) ---
# No payload, flow or application-layer keyword: any TCP packet from $HOME_NET to the listed address and port
# matches. threshold (type limit, track by_src, count 1, seconds 60) caps output at one alert per source per minute.
alert tcp $HOME_NET any -> [34.118.33.152] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241816; rev:1;)
alert tcp $HOME_NET any -> [91.151.88.209] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241815; rev:1;)
# NOTE(review): the next two names are subdomains of what look like ordinary registered domains; the rule
#   matches the exact subdomain only, so the parent domain itself is not flagged.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recruitis.josefbenjac.cz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"digital20.agriprotechx.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.77.129.13.49.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241812; rev:1;)
# Havoc entries: msg names the family, but the rule itself checks only destination address and port.
alert tcp $HOME_NET any -> [20.56.35.166] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241810; rev:1;)
alert tcp $HOME_NET any -> [107.173.118.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241811; rev:1;)
alert tcp $HOME_NET any -> [52.184.85.209] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the.networkguru.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241807; rev:1;)
# Quasar RAT entries on assorted ports, one of them port 80.
alert tcp $HOME_NET any -> [166.88.132.139] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241808; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.145] 7539 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241806; rev:1;)
alert tcp $HOME_NET any -> [3.99.102.8] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241805; rev:1;)
alert tcp $HOME_NET any -> [162.222.206.193] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241804; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.246] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241803; rev:1;)
# Hook entries use web ports (443, 80), so any session to these addresses on those ports matches.
alert tcp $HOME_NET any -> [47.128.64.139] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"49.183.246.35.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241801; rev:1;)
alert tcp $HOME_NET any -> [185.146.157.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas4.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241799; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.168] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241798; rev:1;)
alert tcp $HOME_NET any -> [172.188.29.138] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241797; rev:1;)
alert
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.iexcom.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241796; rev:1;)
# --- IP:port indicators (alert tcp) ---
# No payload, flow or application-layer keyword: any TCP packet from $HOME_NET to the listed address and port
# matches, whatever the connection contains or whether it completes.
# threshold (type limit, track by_src, count 1, seconds 60) caps output at one alert per source per minute.
# target:src_ip marks the internal client as the affected side of the event.
# NOTE(review): first_seen here is 2024_02_22 while the file header reports a 2024-07-26 update; address-only
#   indicators can outlive the server they described, so check the ThreatFox reference before acting on a hit.
alert tcp $HOME_NET any -> [91.92.253.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241794; rev:1;)
alert tcp $HOME_NET any -> [78.129.165.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241795; rev:1;)
# AsyncRAT entries. Some ports here are commonly used by other services (5900, 8080).
# NOTE(review): on those ports, legitimate traffic to the same address would match as well - check the payload.
alert tcp $HOME_NET any -> [45.88.186.65] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241793; rev:1;)
alert tcp $HOME_NET any -> [136.243.111.71] 5900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241792; rev:1;)
alert tcp $HOME_NET any -> [113.174.1.186] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241790; rev:1;)
alert tcp $HOME_NET any -> [181.131.216.198] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241791; rev:1;)
alert tcp $HOME_NET any -> [172.111.148.12] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241789; rev:1;)
# Sliver entries carry confidence_level 90 rather than 100.
alert tcp $HOME_NET any -> [78.40.116.82] 5005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241788/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241788; rev:1;)
alert tcp $HOME_NET any -> [216.245.181.105] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241787/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241787; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241786/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241786; rev:1;)
# Cobalt Strike entries. 39.104.73.42 also appears as the Host in a URL rule (sid:91241877) elsewhere in this
# file, and 23.26.137.225 is listed on two ports (80 and 8181) under separate sids.
alert tcp $HOME_NET any -> [42.193.178.194] 55443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241785; rev:1;)
alert tcp $HOME_NET any -> [39.104.73.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241784; rev:1;)
alert tcp $HOME_NET any -> [5.34.198.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241783; rev:1;)
alert tcp $HOME_NET any -> [23.26.137.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241781; rev:1;)
alert tcp $HOME_NET any -> [23.26.137.225] 8181 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241782; rev:1;)
alert tcp $HOME_NET any -> [104.168.54.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241780/; target:src_ip; metadata: confidence_level 100, first_seen
2024_02_22; classtype:trojan-activity; sid:91241780; rev:1;) alert tcp $HOME_NET any -> [47.113.195.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241778; rev:1;) alert tcp $HOME_NET any -> [101.42.47.72] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241779; rev:1;) alert tcp $HOME_NET any -> [38.60.253.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241777; rev:1;) alert tcp $HOME_NET any -> [118.31.75.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241776; rev:1;) alert tcp $HOME_NET any -> [74.235.199.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241774; rev:1;) alert tcp $HOME_NET any -> [124.223.97.173] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241775; rev:1;) alert tcp $HOME_NET any -> [74.235.199.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241773; rev:1;) alert tcp $HOME_NET any -> [103.191.15.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241772; rev:1;) alert tcp $HOME_NET any -> [111.92.243.96] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241770; rev:1;) alert tcp $HOME_NET any -> [94.156.69.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241771; rev:1;) alert tcp $HOME_NET any -> [175.178.48.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241769; rev:1;) alert 
tcp $HOME_NET any -> [47.98.214.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241768; rev:1;) alert tcp $HOME_NET any -> [47.101.160.122] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241767; rev:1;) alert tcp $HOME_NET any -> [124.222.114.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hr-helpdesk.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241765; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241764; rev:1;) alert tcp $HOME_NET any -> [39.105.194.11] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241763; rev:1;)
# dns rules: depth equals the length of the content and isdataat:!1,relative
# forbids trailing bytes, so the query name must equal the listed name exactly
# (case-insensitively, via nocase); a query for a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software.ftoffice.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241762; rev:1;)
# NOTE(review): this name appears to be a provider-assigned hostname that encodes
# the address 139.162.155.161; such addresses can be reassigned to another
# tenant, so weigh first_seen (2024_02_22) before treating a hit as current C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-162-155-161.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grebiunti.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241758; rev:1;)
# url rules: the http.uri content with depth is a prefix match on the request
# URI, http.host is matched exactly (depth + isdataat:!1,relative), and the
# method buffer must contain GET, so other request methods are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"grebiunti.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241757; rev:1;)
alert tcp $HOME_NET any -> [31.10.67.116] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241755; rev:1;)
alert tcp $HOME_NET any -> [95.216.104.115] 4328 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241756; rev:1;)
alert tcp $HOME_NET any -> [37.221.65.78] 63645 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241754; rev:1;)
# NOTE(review): the next four url rules (sid 91241746-91241749) put a bare host
# value in http.uri and anchor it to the start of that buffer with depth; they
# have no http.host condition. The other url rules nearby match the host in
# http.host and a path beginning with "/" in http.uri, so these four presumably
# come from IOCs recorded without a scheme or path. A normal request URI starts
# with "/", so they are unlikely to fire as written - confirm against the
# referenced IOC records. Until that is resolved, do not count these sids as
# coverage: 37.221.65.78 is otherwise matched only by the ip:port rule
# sid 91241754 (port 63645), and no dns rule for chernobyl.fun or the
# tesla-alert.com hosts is visible in this part of the file. A locally
# maintained rule that matches these values in http.host (or a dns rule) would
# close the gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.221.65.78"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1241746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"chernobyl.fun"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1241747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"auth.tesla-alert.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1241748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"app.tesla-alert.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1241749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafiakorea.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241750; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.141] 1344 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241753; rev:1;)
alert tcp $HOME_NET any -> [129.153.86.0] 8778 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"356873cm.nyashtyan.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241745; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.131.132.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ecuaecua.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241741; rev:1;) alert tcp $HOME_NET any -> [46.246.12.6] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241740/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"94.156.69.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etc.clientlibs/base.min.acshash29ccd0207f7ce847c.js"; depth:52; nocase; http.host; content:"119.3.12.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.222.64.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.191.15.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; 
http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241731; rev:1;) alert tcp $HOME_NET any -> [212.102.39.208] 58095 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241723; rev:1;) alert tcp $HOME_NET any -> [124.71.108.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241729; rev:1;) alert tcp $HOME_NET any -> [193.29.56.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; 
content:"193.29.56.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241727; rev:1;) alert tcp $HOME_NET any -> [173.44.141.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realusatruck.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"realusatruck.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241724; rev:1;) alert tcp $HOME_NET any -> [45.142.107.117] 3549 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241717; rev:1;) alert tcp $HOME_NET any -> [185.196.10.139] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241721; rev:1;) alert tcp $HOME_NET any -> [91.92.240.13] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241718; rev:1;) alert tcp $HOME_NET any -> [185.196.10.164] 59312 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241719; rev:1;) alert tcp $HOME_NET any -> [185.196.10.60] 55655 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241720; rev:1;) alert tcp $HOME_NET any -> [185.196.9.223] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241722; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241716; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 3778 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241712; rev:1;) alert tcp $HOME_NET any -> [37.221.94.43] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241713; rev:1;) alert tcp $HOME_NET any -> [146.19.191.200] 69 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241714; rev:1;) alert tcp $HOME_NET any -> [45.138.174.72] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241715; rev:1;) alert tcp $HOME_NET any -> [185.91.127.216] 55555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241710; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; 
sid:91241711; rev:1;) alert tcp $HOME_NET any -> [5.181.80.126] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241709; rev:1;) alert tcp $HOME_NET any -> [5.181.80.27] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241705; rev:1;) alert tcp $HOME_NET any -> [5.181.80.153] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241706; rev:1;) alert tcp $HOME_NET any -> [5.181.80.116] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241707; rev:1;) alert tcp $HOME_NET any -> [5.181.80.177] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241708; rev:1;) alert tcp $HOME_NET any -> [64.176.178.205] 2017 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241704; rev:1;) alert tcp $HOME_NET any -> [103.233.11.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241703; rev:1;) alert tcp $HOME_NET any -> [103.233.11.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241702; rev:1;) alert tcp $HOME_NET any -> [165.232.41.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241701; rev:1;) alert tcp $HOME_NET any -> [5.42.92.25] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241700; rev:1;) alert tcp $HOME_NET any -> [41.96.190.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241699; rev:1;) alert tcp $HOME_NET any -> [41.97.43.5] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241698; rev:1;)
# ip:port rules at confidence_level 50. They match destination address and port
# only, and are rate-limited to one alert per source per 60 seconds.
# Two addresses are listed on more than one port: 103.35.189.93 (8443 and 443) and
# 159.89.204.198 (31337 and 8888). Alerts from one host against both ports of the
# same address corroborate each other more than a single hit does.
alert tcp $HOME_NET any -> [154.246.82.173] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241697; rev:1;)
alert tcp $HOME_NET any -> [193.239.86.189] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241696; rev:1;)
alert tcp $HOME_NET any -> [103.35.189.93] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241695; rev:1;)
alert tcp $HOME_NET any -> [103.35.189.93] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241694; rev:1;)
alert tcp $HOME_NET any -> [159.89.204.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241693; rev:1;)
alert tcp $HOME_NET any -> [159.89.204.198] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241692; rev:1;)
alert tcp $HOME_NET any -> [147.182.190.27] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241691; rev:1;)
# Domain rule. depth:14 equals the length of the name and isdataat:!1,relative
# forbids trailing bytes, so only a query for exactly this name matches (nocase);
# a query for a subdomain of it does not. The rule has no threshold of its own, so
# every matching query raises an alert. The alert's source address may be an
# internal resolver rather than the host that originated the lookup.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amma.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241658; rev:1;)
# URL rule. Client-to-server GET on an established flow; the URI must begin with
# the listed path (depth anchors the start, nothing anchors the end) and the Host
# header must be exactly the literal IP. Only cleartext HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrmzmu3odrmy2q4/"; depth:18; nocase; http.host; content:"45.93.20.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241659; rev:1;)
alert tcp $HOME_NET any -> [5.75.162.217] 43724 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241660; rev:1;)
alert tcp $HOME_NET any -> [185.133.40.202] 80 (msg:"ThreatFox RedLine Stealer 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241689; rev:1;)
# ip:port rules: destination address and port are the whole signature, limited to
# one alert per source address per 60 seconds. first_seen is 2024_02_22 throughout;
# an address can change hands after that date, so check the referenced ThreatFox
# entry before acting on a hit.
alert tcp $HOME_NET any -> [222.186.174.9] 43268 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241690; rev:1;)
alert tcp $HOME_NET any -> [103.28.33.96] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241688; rev:1;)
# Cobalt Strike entries at confidence_level 80, three of them on port 50050.
# NOTE(review): 50050 is commonly the team-server management port rather than a
# beacon listener, so a $HOME_NET hit may be something other than beacon traffic.
# Confirm against the ThreatFox entry and the source host before escalating.
alert tcp $HOME_NET any -> [139.159.197.241] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241687; rev:1;)
alert tcp $HOME_NET any -> [161.35.203.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241686; rev:1;)
alert tcp $HOME_NET any -> [5.188.87.36] 36543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241685; rev:1;)
alert tcp $HOME_NET any -> [43.137.5.20] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241684; rev:1;)
alert tcp $HOME_NET any -> [103.151.217.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241683; rev:1;)
alert tcp $HOME_NET any -> [43.139.74.167] 50034 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241682; rev:1;)
alert tcp $HOME_NET any -> [164.90.169.184] 31228 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241681; rev:1;)
# Port 80 with no HTTP keywords: any TCP traffic to this address on port 80
# matches, whatever is requested.
alert tcp $HOME_NET any -> [104.129.182.25] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241680; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.128] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1241679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241679; rev:1;)
# ip:port rules at confidence_level 80. No payload or flow keyword is present, so
# the alert records contact with the address and port and nothing about content.
# Several are on port 80, where the rule fires for any request to that address.
alert tcp $HOME_NET any -> [20.106.172.90] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241678; rev:1;)
alert tcp $HOME_NET any -> [4.233.217.146] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241677; rev:1;)
# Four addresses in 193.233.132.x appear below under two family labels:
# RisePro (.235 and .18, port 8081) and RecordBreaker (.75 and .21, port 80).
alert tcp $HOME_NET any -> [20.215.188.233] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241676; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.235] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241675; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.18] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241674; rev:1;)
alert tcp $HOME_NET any -> [92.223.106.203] 12134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241673; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.75] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241672; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.21] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241671; rev:1;)
alert tcp $HOME_NET any -> [116.203.3.120] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241670; rev:1;)
alert tcp $HOME_NET any -> [95.217.29.171] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241669; rev:1;)
alert tcp $HOME_NET any -> [49.13.32.193] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; 
classtype:trojan-activity; sid:91241668; rev:1;)
# ip:port rules at confidence_level 80, one alert per source per 60 seconds.
# 65.109.242.25 is listed on ports 5432 and 80, and 159.69.103.8 on 443 and 80.
alert tcp $HOME_NET any -> [95.217.31.198] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241667; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.25] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241666; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.25] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241665; rev:1;)
alert tcp $HOME_NET any -> [159.69.103.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241664; rev:1;)
alert tcp $HOME_NET any -> [159.69.103.8] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241663; rev:1;)
alert tcp $HOME_NET any -> [45.148.4.19] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241662; rev:1;)
# URL rules. Client-to-server GET on an established flow. The URI is a prefix
# match (depth anchors the start only, nocase). The Host header is an exact match:
# depth equals the value's length and isdataat:!1,relative forbids trailing bytes.
# The host values are literal IPs, so a request that reaches the same server under
# a domain name does not match. http.host is compared in lowercase form, which is
# why no nocase follows it. These rules carry no threshold of their own and inspect
# cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241661; rev:1;)
# The URI below is the file name of a stock jQuery release and is unremarkable by
# itself. The exact Host match is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.138.212.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241657; rev:1;)
alert tcp $HOME_NET any -> [121.43.55.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"218.94.206.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.17.123.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241654; rev:1;)
# URL rules: GET, URI prefix match, exact Host match on a literal IP. The msg text
# names no malware family, so the reference URL is the only pointer to attribution.
# The rule above and the next five share the URI "/jquery-3.3.1.min.js" and differ
# only in host. The URI matches from its start with no end anchor, so a request
# with a query string appended still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"116.211.153.240"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"223.68.136.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.159.80.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"112.28.231.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.39.197.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"139.162.155.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241648; rev:1;)
# 193.168.173.45 is covered twice: by address and port 443 here, and by the URL
# rule that follows. The URL rule sees cleartext HTTP only, so for TLS traffic to
# port 443 the ip:port rule is the only coverage.
alert tcp $HOME_NET any -> [193.168.173.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"193.168.173.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241646; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241645; rev:1;)
# The URI in the rule above is a three-byte prefix ("/ca"), so any GET to that
# host whose path begins with those bytes matches. The exact Host match carries
# the specificity.
alert tcp $HOME_NET any -> [102.47.184.255] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241644; rev:1;)
# URL rule keyed on a domain name: exact Host match (depth:22 equals the name's
# length and no trailing bytes are allowed) plus a URI prefix. GET only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geogeneratorwp.php"; depth:19; nocase; http.host; content:"102822cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241643; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 19437 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241642; rev:1;)
# From here on, confidence_level 50 ip:port rules, most of them on port 443.
# Address and port are the whole signature, so the rule cannot tell this IOC's
# traffic from any other TLS session to the same address. Corroborate on the
# source host before treating a hit as an infection.
alert tcp $HOME_NET any -> [54.84.110.180] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241641; rev:1;)
alert tcp $HOME_NET any -> [95.219.218.28] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241640; rev:1;)
alert tcp $HOME_NET any -> [5.15.83.50] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241639; rev:1;)
alert tcp $HOME_NET any -> [142.154.28.33] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241638; rev:1;)
alert tcp $HOME_NET any -> [41.227.173.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241637; rev:1;)
alert tcp $HOME_NET any -> [141.164.48.82] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241636; rev:1;)
# Destination port 445: this fires on outbound SMB from $HOME_NET to an external
# address. The msg uses the feed's generic "botnet C2 traffic" wording. A hit also
# shows that egress filtering let TCP/445 leave the network, which is worth
# checking independently of this IOC.
alert tcp $HOME_NET any -> [51.159.178.12] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241635; rev:1;)
# ip:port rules at confidence_level 50: destination address and port only, one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.102.49.161] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241634; rev:1;)
alert tcp $HOME_NET any -> [145.239.230.233] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241633; rev:1;)
alert tcp $HOME_NET any -> [38.132.122.178] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241632; rev:1;)
# Payload-delivery URL at confidence_level 50. A hit means a $HOME_NET host issued
# a GET for this path to this host. Whether a payload was actually returned has to
# be read from the HTTP response, which the rule does not inspect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"116.72.22.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241631; rev:1;)
# Destination port 53 over TCP only. UDP traffic to the same address is not
# covered by this rule.
# NOTE(review): the domain rule that follows has the adjacent IOC id. Whether the
# two IOCs belong to the same infrastructure is not stated here, so check the
# ThreatFox entries.
alert tcp $HOME_NET any -> [45.77.72.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241630; rev:1;)
# Exact-name DNS match: depth:24 equals the name's length and
# isdataat:!1,relative forbids trailing bytes. A query for a name under this
# domain (extra labels in front) does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.artstrailreviews.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241629; rev:1;)
# In the URL rules below the URI content is "/" with depth:1. Every request URI
# begins with "/", so these are in effect host-only rules: any cleartext GET
# whose Host header is exactly the listed IP raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.193"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241627; rev:1;)
# This rule and the one after it (ThreatFox IOC 1241625) use the same method, URI
# and host conditions, so one request to 116.203.12.183 raises two alerts under
# different sids. De-duplicate downstream, or disable one of the two locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241625/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241625; rev:1;)
# URI content "/" with depth:1 matches every request path, so the rule below
# fires on any cleartext GET whose Host header is exactly 159.69.103.8.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.103.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241624; rev:1;)
# Vidar ip:port rules at confidence_level 100. 159.69.103.8 appears here on port
# 9001 in addition to the URL rule above, and 116.203.12.183 is listed on both 443
# and 9000. Each rule is rate-limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [49.13.32.193] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241622; rev:1;)
alert tcp $HOME_NET any -> [95.217.29.171] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241623; rev:1;)
alert tcp $HOME_NET any -> [159.69.103.8] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241619; rev:1;)
alert tcp $HOME_NET any -> [116.203.12.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241620; rev:1;)
alert tcp $HOME_NET any -> [116.203.12.183] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241621; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.180] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241618; rev:1;)
alert tcp $HOME_NET any -> [195.201.121.240] 40819 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241617; rev:1;)
# Payload-delivery URLs on one domain. Host is an exact match. The URI is a prefix
# match, so the same path with a query string appended also matches. The rules see
# the request only, and only over cleartext HTTP. Check the response and the
# requesting host to learn whether anything was downloaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ads-quantum.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"ads-quantum.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"turkeyunlikelyofw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241613; rev:1;)
# The rule above and the next two pair URI prefix "/api" with an exact .shop host.
# All three are pinned to http.method GET, so a request to the same host and path
# with any other method does not match. If the referenced ThreatFox entry shows a
# different method, these rules give no coverage for it. Being http rules, they
# also miss the same request when it is made over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"resergvearyinitiani.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"associationokeo.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241614; rev:1;)
# URL rules with literal-IP hosts: exact Host match and URI prefix match. Short
# prefixes such as "/ptj" or "/pixel" also match longer paths that begin with the
# same bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241607; rev:1;)
# Payload-delivery domain. Only a query for exactly this name matches: depth:11
# equals its length and no trailing bytes are allowed. The rule has no threshold
# of its own, so repeated lookups raise repeated alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aitcaid.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeatgoodx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"81.94.150.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.css"; depth:7; nocase; http.host; content:"www.nbcnews.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nbcnews.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241600; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241599; rev:1;) alert tcp $HOME_NET any -> [46.246.14.2] 1998 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241596; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241593/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241593; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 13326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241594/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241594; rev:1;) alert tcp $HOME_NET any -> [152.89.198.197] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241592; rev:1;) alert tcp $HOME_NET any -> [172.160.250.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241591; rev:1;)
# ip:port rules whose msg gives the family as "Unknown malware". Each matches any TCP
# packet from $HOME_NET to one address and port (no flow or content keywords) and is
# limited by threshold to one alert per source host per 60 seconds. Several use ports 80
# and 443.
# NOTE(review): these rules key on address and port only, so a hit shows that a host
# contacted the endpoint, not what was exchanged; check the reference entry and the
# first_seen date before escalating.
alert tcp $HOME_NET any -> [178.73.210.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241590; rev:1;)
alert tcp $HOME_NET any -> [104.238.214.185] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241589; rev:1;)
alert tcp $HOME_NET any -> [34.170.222.164] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241588; rev:1;)
alert tcp $HOME_NET any -> [20.75.254.123] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241587; rev:1;)
alert tcp $HOME_NET any -> [3.84.189.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241586; rev:1;)
alert tcp $HOME_NET any -> [18.218.56.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241585; rev:1;)
alert tcp $HOME_NET any -> [51.210.242.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241584; rev:1;)
alert tcp $HOME_NET any -> [43.139.47.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241583; rev:1;)
alert tcp $HOME_NET any -> [103.140.187.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241582; rev:1;)
# Same address on two ports: one rule, and one sid, per ip:port pair.
alert tcp $HOME_NET any -> [106.54.200.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241581; rev:1;)
alert tcp $HOME_NET any -> [106.54.200.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241580; rev:1;)
# domain rules (alert dns): dns_query content with depth equal to its length,
# isdataat:!1,relative and nocase is a case-insensitive exact match on the queried name;
# a subdomain of the name does not match.
# NOTE(review): dns_query is the older spelling of the dns.query sticky buffer, while the
# url rules in this file use the dotted form (http.uri, http.host) — confirm the target
# Suricata version accepts both.
# NOTE(review): the name below has the form of a provider-generated hostname that encodes
# an IP address (52-20-229-84); presumably it follows the address rather than the tenant,
# so the indicator can go stale when the address is reassigned.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-20-229-84.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241579; rev:1;)
alert tcp $HOME_NET any -> [52.23.117.205] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.huboftest.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241577; rev:1;)
# NOTE(review): sslip.io names resolve to the IP address embedded in the name (here
# 109.107.181.83). This rule covers lookups of the name only; a direct connection to
# that address produces no DNS query for it to match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"109.107.181.83.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241576; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.132] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241575; rev:1;)
alert tcp $HOME_NET any -> [203.161.60.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241573; rev:1;)
alert tcp $HOME_NET any -> [203.161.60.175] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241574; rev:1;)
alert tcp $HOME_NET any -> [89.163.145.141] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241572; rev:1;)
# confidence_level 90 on the next rule; the other rules in this run are 100.
alert tcp $HOME_NET any -> [38.242.144.29] 7049 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241571/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241571; rev:1;)
alert tcp $HOME_NET any -> [35.177.215.200] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.maribelgould.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241569; rev:1;)
# Mixed run of domain and ip:port rules, all with first_seen 2024_02_21.
# domain rules (alert dns): depth equal to the name's length plus isdataat:!1,relative
# and nocase make a case-insensitive exact match on the queried name. The match is on the
# full name as written: the rule for www.kendraesparza.autos does not fire on
# kendraesparza.autos, and the rule for irenecameron.autos does not fire on
# www.irenecameron.autos.
# ip:port rules (alert tcp): no flow or content keywords, so any TCP packet from
# $HOME_NET to the address and port matches; threshold caps each rule at one alert per
# source host per 60 seconds.
# NOTE(review): the .autos domain rules sit between Havoc ip:port rules with adjacent
# IOC ids, but their msg names no family; check the reference entries before attributing
# a DNS hit.
alert tcp $HOME_NET any -> [3.84.126.255] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kendraesparza.autos"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irenecameron.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241566; rev:1;)
alert tcp $HOME_NET any -> [49.13.129.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241565; rev:1;)
alert tcp $HOME_NET any -> [167.172.87.109] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241563; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.93] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241564; rev:1;)
alert tcp $HOME_NET any -> [177.103.63.67] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241562; rev:1;)
alert tcp $HOME_NET any -> [20.42.80.234] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241561; rev:1;)
alert tcp $HOME_NET any -> [181.161.23.232] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241560; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.86] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241558; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.234] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hg88654.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.system111.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bistoxcrypto.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241556; rev:1;)
# NOTE(review): the name below has the form of a provider-generated hostname that embeds
# an IP address; presumably it follows the address rather than the tenant, so the
# indicator can go stale when the address is reassigned.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"157.32.125.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241554; rev:1;)
alert tcp $HOME_NET any -> [64.23.186.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241553; rev:1;)
alert tcp $HOME_NET any -> [139.162.249.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241552; rev:1;)
# AsyncRAT entries. 89.117.21.203 is listed on two ports (6606 and 7707), each with its
# own IOC id and sid.
alert tcp $HOME_NET any -> [109.199.104.52] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241551; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.248] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241550; rev:1;)
alert tcp $HOME_NET any -> [89.117.21.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241548; rev:1;)
alert tcp $HOME_NET any -> [89.117.21.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241549; rev:1;)
alert tcp $HOME_NET any -> [172.111.148.20] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241547; rev:1;)
alert tcp $HOME_NET any -> [104.210.36.227] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241546; rev:1;)
alert tcp $HOME_NET any -> [194.67.204.7] 88 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241545; rev:1;)
alert tcp $HOME_NET any -> [147.189.172.103] 6969 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241544; rev:1;)
alert tcp $HOME_NET any -> [106.54.207.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241543; rev:1;)
alert tcp $HOME_NET any -> [15.206.179.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241542; rev:1;)
alert tcp $HOME_NET any -> 
[167.71.51.239] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241541/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241541; rev:1;)
# ip:port rules (alert tcp), mostly tagged Cobalt Strike in msg. None has a flow or
# content keyword, so any TCP packet from $HOME_NET to the listed address and port
# matches; threshold (type limit, track by_src, count 1, seconds 60) caps each rule at
# one alert per source host per 60 seconds, and target:src_ip records the internal
# source host as the attack target in the event.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9.
# NOTE(review): many entries use ports 80 and 443; the family in msg comes from the feed,
# not from anything the rule inspects, so confirm with host or payload evidence.
alert tcp $HOME_NET any -> [187.135.83.6] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241540; rev:1;)
alert tcp $HOME_NET any -> [206.188.196.107] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241538; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.195] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241539; rev:1;)
alert tcp $HOME_NET any -> [1.14.69.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241537; rev:1;)
# The address in the next rule is also the http.host value of a url rule in this file
# (sid:91241605), so the two alerts can be correlated on it.
alert tcp $HOME_NET any -> [182.23.67.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241535; rev:1;)
alert tcp $HOME_NET any -> [101.42.47.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241536; rev:1;)
alert tcp $HOME_NET any -> [47.120.50.234] 57777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241534; rev:1;)
alert tcp $HOME_NET any -> [139.162.155.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241533; rev:1;)
alert tcp $HOME_NET any -> [139.9.52.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241531; rev:1;)
alert tcp $HOME_NET any -> [120.55.183.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241532; rev:1;)
alert tcp $HOME_NET any -> [146.70.44.156] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241530; rev:1;)
alert tcp $HOME_NET any -> [38.55.197.151] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241529; rev:1;)
alert tcp $HOME_NET any -> [82.157.164.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241528; rev:1;)
alert tcp $HOME_NET any -> [123.57.181.89] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241526; rev:1;)
alert tcp $HOME_NET any -> [1.14.255.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241527; rev:1;)
alert tcp $HOME_NET any -> [124.71.108.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241524; rev:1;)
alert tcp $HOME_NET any -> [121.43.58.124] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241525; rev:1;)
alert tcp $HOME_NET any -> [103.108.107.231] 1024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241523; rev:1;)
alert tcp $HOME_NET any -> [45.152.66.209] 7121 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241522; rev:1;)
# domain rule: dns_query content with depth equal to its length, isdataat:!1,relative and
# nocase is a case-insensitive exact match on the queried name.
# NOTE(review): the name has the form of a provider-generated hostname that embeds an IP
# address (93-33-203-219); presumably it follows the address rather than the subscriber,
# so the indicator can go stale when the address is reassigned.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"93-33-203-219.ip46.fastwebnet.it"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241520; rev:1;)
alert tcp $HOME_NET any -> [95.215.108.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241521; rev:1;)
alert tcp $HOME_NET any -> [43.136.40.231] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241519; rev:1;)
alert tcp $HOME_NET any -> [149.88.78.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241517; rev:1;)
alert tcp $HOME_NET any -> [116.204.37.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241518; rev:1;)
# confidence_level 75 on the Remcos rule below.
alert tcp $HOME_NET any -> [185.222.58.252] 1992 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241516; rev:1;)
# The NjRAT rules below share port 19599 but list different addresses; the match is on
# the address and port pair, so each address has its own rule.
alert tcp $HOME_NET any -> [3.125.223.134] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241515; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241514; rev:1;)
# ip:port IOC rules: any TCP packet from $HOME_NET to the listed address and
# port raises the alert (no payload or flow-state keyword), limited to one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [18.158.249.75] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241513; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241512; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241511; rev:1;)
# URL IOC rules. They match a client GET on an established flow whose URI
# starts with the listed path (depth pins the pattern to offset 0, nocase) and
# whose Host value equals the listed string exactly (depth plus
# isdataat:!1,relative). Nothing anchors the end of the URI, so longer paths
# and query strings that share the prefix also match.
# NOTE(review): alert http inspects parsed HTTP only; the same indicator
# carried over TLS is not visible to these rules without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241510; rev:1;)
alert tcp $HOME_NET any -> [18.158.58.205] 13326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241509; rev:1;)
# In the URL rules from here on the Host value is an address literal, so only
# requests addressed by IP match; a request that reaches the same server under
# a domain name does not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/static/plugins/jquery/jquery.cookie.js"; depth:41; nocase; http.host; content:"47.122.24.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241498; rev:1;)
# msg labels this address as payload delivery rather than C2; the match itself
# is the same address-and-port test as the other ip:port rules.
alert tcp $HOME_NET any -> [83.69.236.143] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241499; rev:1;)
alert tcp $HOME_NET any -> [34.168.39.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241508; rev:1;)
# Same address as the Cobalt Strike ip:port rule directly above (sid 91241508).
# The url-type msg carries no family name, so correlate the two sids, or follow
# the reference URL, to attribute a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"34.168.39.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"116.62.130.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"1.117.60.33"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241505; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"94.156.69.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241503; rev:1;)
# "/pixel" with depth:6 is a prefix test: a request for /pixel.gif or any other
# path beginning with /pixel on the listed host matches as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host;
content:"124.70.180.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241501; rev:1;)
# URL IOC rules: GET on an established client flow, URI beginning with the
# listed path (depth pins offset 0, nocase; the end of the URI is not
# anchored), Host equal to the listed value exactly.
# NOTE(review): these inspect parsed HTTP only; the same indicator over TLS is
# not visible without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.130.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241500; rev:1;)
# ip:port IOC rules: any TCP packet from $HOME_NET to the listed address and
# port raises the alert (no payload or flow-state keyword), limited to one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [170.75.170.7] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241483; rev:1;)
# Domain IOC rules: dns_query must equal the listed name exactly (depth equals
# the pattern length, isdataat:!1,relative rejects trailing bytes, nocase).
# Subdomains and sibling names are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"event.coachgreb.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241484; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.103] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241494; rev:1;)
alert tcp $HOME_NET any -> [87.121.58.103] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241495; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.166] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"91.92.246.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241497; rev:1;)
alert tcp $HOME_NET any -> [193.92.234.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241493; rev:1;)
# Paired indicators for one name: the dns rule catches the lookup, the url rule
# the cleartext request to the same host.
# NOTE(review): the name sits under what appears to be a shared CDN domain;
# the exact-match anchoring confines both rules to this one endpoint name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hathat.azureedge.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"hathat.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241491; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.76] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241490; rev:1;)
# The Host value here is an address literal, so only requests addressed by IP
# match; a request that reaches the same address under a domain name does not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"104.21.80.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241489; rev:1;)
# Another lookup/request pair; the URI pattern is identical to the rule above
# and only the Host value differs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nkbiky.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.nkbiky.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level:
100%)"; dns_query; content:"www.ynpuning.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241486; rev:1;)
# URL IOC rule: GET on an established client flow, URI beginning with the
# listed path (depth pins offset 0, nocase; the end of the URI is not
# anchored), Host equal to the listed name exactly. Same host name as the dns
# rule that ends on the line above (sid 91241486).
# NOTE(review): inspects parsed HTTP only; the same indicator over TLS is not
# visible without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.ynpuning.cn"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241485; rev:1;)
# ip:port IOC rules: any TCP packet from $HOME_NET to the listed address and
# port raises the alert (no payload or flow-state keyword), limited to one
# alert per source address per 60 seconds.
# Several Mirai destinations below fall inside 93.123.85.0/24, but each
# address and port is its own rule and sid; nothing here matches the range as
# a whole.
# NOTE(review): address-only indicators go stale when hosting is reassigned;
# check first_seen against the feed before treating a hit as confirmed.
alert tcp $HOME_NET any -> [93.123.85.113] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241470; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.127] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241471; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.109] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241472; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.136] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241473; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.208] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241474; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.104] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241475; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.89] 7788 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241476; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.38] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241477; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.49] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241469; rev:1;)
# Domain IOC rules: dns_query must equal the listed name exactly (depth equals
# the pattern length, isdataat:!1,relative rejects trailing bytes, nocase), so
# a lookup for a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"germanclics.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241467; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.244] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241468; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.31] 38245 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241478; rev:1;)
alert tcp $HOME_NET any -> [85.239.34.84] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241479; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.80] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealit.onrender.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241481/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241481; rev:1;)
# ip:port IOC rules: any TCP packet from $HOME_NET to the listed address and
# port raises the alert (no payload or flow-state keyword), limited to one
# alert per source address per 60 seconds.
# The msg below reads "Unknown malware": the rule carries no family label, so
# use the reference URL for context when triaging a hit.
alert tcp $HOME_NET any -> [20.127.165.86] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241482; rev:1;)
# URL IOC rules: GET on an established client flow, URI beginning with the
# listed path (depth pins offset 0, nocase; the end of the URI is not
# anchored), Host equal to the listed value exactly.
# NOTE(review): these inspect parsed HTTP only; the same indicator over TLS is
# not visible without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8a8b9ed.php"; depth:13; nocase; http.host; content:"f0914549.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241465; rev:1;)
# Same destination address on two ports, each with its own sid; both are
# confidence_level 75.
alert tcp $HOME_NET any -> [157.230.180.251] 43624 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241462; rev:1;)
alert tcp $HOME_NET any -> [157.230.180.251] 49838 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0918974.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241464; rev:1;)
alert tcp $HOME_NET any -> [91.223.3.151] 4508 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241461; rev:1;)
# Domain IOC rules: dns_query must equal the listed name exactly (depth equals
# the pattern length, isdataat:!1,relative rejects trailing bytes, nocase).
# Subdomains and sibling names are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ronreznick.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalservertrackwordpresspublicprivate.php"; depth:46; nocase; http.host; content:"969727cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241458; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.3] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241405; rev:1;)
# NOTE(review): the two dns names below look like dynamic-DNS hostnames
# (presumably operator-registered labels under a provider domain); the exact
# match keeps each rule to that one label, and the address behind it can
# change without the rule noticing.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"db2017417b23.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241406; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.233] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmoha66808.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241457; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.51] 5211 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21;
classtype:trojan-activity; sid:91241456; rev:1;)
# ip:port IOC rules: any TCP packet from $HOME_NET to the listed address and
# port raises the alert (no payload or flow-state keyword), limited to one
# alert per source address per 60 seconds.
# Confidence varies in this group (50, 75, 90, 100) and appears both in the
# msg text and in metadata: confidence_level, so severity can be assigned per
# rule from either field.
alert tcp $HOME_NET any -> [45.67.34.69] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241455; rev:1;)
# Domain IOC rules: dns_query must equal the listed name exactly (depth equals
# the pattern length, isdataat:!1,relative rejects trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rourtmanjsdadhfakja.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241454; rev:1;)
alert tcp $HOME_NET any -> [178.33.57.148] 7634 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241453; rev:1;)
# confidence_level 50 with no family name in the msg ("Unknown malware"):
# NOTE(review): an address-and-port match at this confidence is weak evidence
# on its own; enrich from the reference URL or corroborate with host telemetry
# before escalating.
alert tcp $HOME_NET any -> [185.16.38.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241452; rev:1;)
alert tcp $HOME_NET any -> [154.7.14.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241451; rev:1;)
alert tcp $HOME_NET any -> [5.163.163.158] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241450; rev:1;)
# URL IOC rules, here labelled payload delivery: GET on an established client
# flow, URI beginning with the listed path (depth pins offset 0, nocase; the
# end of the URI is not anchored), Host equal to the listed name exactly.
# Short prefixes such as "/cookies" or "/traffic" therefore also match longer
# paths on the same host.
# NOTE(review): these inspect parsed HTTP only; the same indicator over TLS is
# not visible without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get_file"; depth:9; nocase; http.host; content:"posiit.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanocore73.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shared-services/j.js"; depth:21; nocase; http.host; content:"peeriosity.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cookies"; depth:8; nocase; http.host; content:"posiit.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic"; depth:8; nocase; http.host; content:"soundsend.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/intl/en/chrome/next-steps.html"; depth:31; nocase; http.host; content:"chrome.freegeneratorai.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241422; rev:1;)
# Port 443 with no TLS or payload keyword: the rule sees only the address and
# port, so it cannot tell C2 traffic from any other connection to that
# endpoint.
alert tcp $HOME_NET any -> [41.96.168.36] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241449; rev:1;)
alert tcp $HOME_NET any -> [77.72.85.124] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241402/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi4mgfhzji2mmm5/"; depth:18; nocase; http.host; content:"83.97.73.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241408/; target:src_ip; metadata: confidence_level 100, first_seen
2024_02_21; classtype:trojan-activity; sid:91241408; rev:1;) alert tcp $HOME_NET any -> [88.165.236.23] 64278 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241409; rev:1;) alert tcp $HOME_NET any -> [3.134.39.220] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241421; rev:1;) alert tcp $HOME_NET any -> [88.165.236.23] 54985 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241423; rev:1;) alert tcp $HOME_NET any -> [95.20.241.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_file_drop"; depth:18; nocase; http.host; content:"phpsearch.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/set_v_2_new_uuid"; depth:21; nocase; http.host; content:"student-voice.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241425; rev:1;)
# The next three rules use http.uri content "/" with depth:1. Every request path
# begins with "/", so these are in effect host-only matches: any GET whose Host is
# exactly the listed name alerts, whatever the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soundsend.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241426; rev:1;)
# Host match is exact: mozila. and opera.freegeneratorai.com are separate rules, and
# no rule here covers the parent domain or any other subdomain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mozila.freegeneratorai.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"opera.freegeneratorai.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01u1w1.php"; depth:11;
nocase; http.host; content:"nrf2station.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241431; rev:1;)
# nocase follows the http.uri content only, so the path matches in any letter case.
# The http.host content has no nocase; Suricata normalizes that buffer to lowercase,
# so the lowercase host string is sufficient.
# The URI prefix keeps each rule narrow: other paths on the same host do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w8rcye.php"; depth:11; nocase; http.host; content:"fumicenter.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241432; rev:1;)
alert tcp $HOME_NET any -> [189.253.236.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241447; rev:1;)
# first_seen on these entries is 2024_02_21, about five months before the file's
# "Last updated" stamp. NOTE(review): confirm the indicator is still live before
# using a hit for blocking rather than alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui610y.php"; depth:11; nocase; http.host; content:"terravilla.fr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jz0tno.php"; depth:11; nocase; http.host; content:"u3faktory.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241434; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o2pmcb.php"; depth:11; nocase; http.host; content:"traidinnovation.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241435; rev:1;)
# "alert http" rules fire only on traffic Suricata parses as HTTP. A request for the
# same URL carried inside TLS is not visible to them unless it is decrypted
# upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sk5w8b.php"; depth:11; nocase; http.host; content:"401cssabatino.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wdswbw.php"; depth:11; nocase; http.host; content:"ourzanzibar-portal.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241437; rev:1;)
# The host is matched with its "www." label. Because the match is exact, a request
# whose Host is the bare domain without "www." does not raise sid 91241438.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1btpl.php"; depth:11; nocase; http.host; content:"www.alroaaacademy.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241438; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.4] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60,
count 1; reference:url, threatfox.abuse.ch/ioc/1241440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241440; rev:1;)
# QakBot ip:port entries at confidence_level 50. The rules check address and port
# only (443, 995), not what is spoken on the connection.
alert tcp $HOME_NET any -> [95.20.240.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241446; rev:1;)
alert tcp $HOME_NET any -> [91.35.211.80] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241445; rev:1;)
alert tcp $HOME_NET any -> [20.218.68.91] 13817 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241390; rev:1;)
# Domain rule: dns_query content with depth equal to its length plus
# isdataat:!1,relative matches only a query for exactly this name, case-insensitive;
# longer names that contain it do not match. It has no threshold, so every
# matching query alerts. duckdns.org is a dynamic-DNS zone, so the address behind
# the name can change while this rule keeps following the name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elianisgalidon3020.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241399; rev:1;)
alert tcp $HOME_NET any -> [5.181.202.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241400/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241400; rev:1;)
alert tcp $HOME_NET any
-> [213.139.205.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241401/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241401; rev:1;)
# Each sid is the ThreatFox IOC id with a leading 9 (ioc/1241403 -> sid:91241403), so
# the reference URL for an alert can be derived from its sid.
alert tcp $HOME_NET any -> [193.168.141.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241403/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241403; rev:1;)
# confidence_level 50 entries below: same match logic as the higher-confidence
# rules, so severity has to be applied downstream from the metadata field.
alert tcp $HOME_NET any -> [5.255.117.32] 4971 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241444; rev:1;)
alert tcp $HOME_NET any -> [158.160.97.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241443; rev:1;)
alert tcp $HOME_NET any -> [193.149.180.213] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241442; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.40] 1978 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241439/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241439; rev:1;)
alert tcp $HOME_NET any -> [167.235.36.34] 8056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241430; rev:1;)
# 147.45.47.35 appears twice: an ip:port rule for port 80 (Amadey, confidence 50) and
# a URL rule whose http.host is the same address literal (confidence 100). A
# cleartext GET for /bdjkb2xsd/index.php sent to port 80 can raise both sids; the
# URL hit is the more specific of the two.
alert tcp $HOME_NET any -> [147.45.47.35] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdjkb2xsd/index.php"; depth:20; nocase; http.host; content:"147.45.47.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241416; rev:1;)
# target:src_ip marks the $HOME_NET side of the match as the target in alert output,
# i.e. the internal host is reported as the affected endpoint.
alert tcp $HOME_NET any -> [3.14.182.203] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241415; rev:1;)
alert tcp $HOME_NET any -> [3.13.191.225] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241414;
rev:1;)
# Nanocore RAT entries on port 18237 at different addresses; each address is its
# own sid with its own per-source threshold.
alert tcp $HOME_NET any -> [3.17.7.232] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241413; rev:1;)
alert tcp $HOME_NET any -> [3.134.125.175] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241412; rev:1;)
alert tcp $HOME_NET any -> [3.22.30.40] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241411; rev:1;)
# The URI prefix ends in "/" and has no end anchor, so any GET beneath that
# directory on horseridinghotel.com matches. confidence_level is 75 and first_seen
# is 2024_02_20 for this entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"horseridinghotel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.51.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity;
sid:91241404; rev:1;)
# http.host content is an IP literal in these four rules: they match only when the
# Host header is exactly that address. With http.uri "/" and depth:1 the path is
# unconstrained, so any GET to that Host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.252.118.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.182.86.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.203.164.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241396; rev:1;)
# 116.203.3.120 is also listed as an ip:port indicator on 443 (sid 91241391).
# NOTE(review): if that service speaks TLS, this http rule will not see the request
# and only the ip:port rule can fire - confirm against captured traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241395; rev:1;)
alert tcp $HOME_NET any -> [116.203.3.120] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1241391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241391; rev:1;)
# These three Vidar addresses on port 80 also have URL rules in this file (sids
# 91241396, 91241397, 91241398) keyed on the same address as Host. A cleartext GET
# to one of them can therefore raise both the ip:port sid and the URL sid.
alert tcp $HOME_NET any -> [193.203.164.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241392; rev:1;)
alert tcp $HOME_NET any -> [5.252.118.12] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241393; rev:1;)
alert tcp $HOME_NET any -> [5.182.86.94] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241394; rev:1;)
alert tcp $HOME_NET any -> [5.75.210.22] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241389; rev:1;)
# Domain rule: exact, case-insensitive match on the queried name. It fires on the
# lookup itself, so a hit shows a host resolved the name, not that it connected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrome-online.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241388; rev:1;)
alert tcp $HOME_NET any -> [40.127.104.147] 443
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241387; rev:1;)
# fast_pattern designates the dns_query content as the string handed to the
# multi-pattern prefilter; depth plus isdataat:!1,relative then pin the match to
# the whole queried name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sudarshanadisk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241386; rev:1;)
# Pikabot and QakBot ip:port entries at confidence_level 50: address-and-port match
# only, one alert per source per 60 seconds; corroborate before acting on a hit.
alert tcp $HOME_NET any -> [45.77.55.133] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241385; rev:1;)
alert tcp $HOME_NET any -> [45.32.204.175] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241384; rev:1;)
alert tcp $HOME_NET any -> [72.27.83.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241383; rev:1;)
alert tcp $HOME_NET any -> [41.250.184.191] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241382/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241382; rev:1;)
# QakBot ip:port entries, all confidence_level 50, on ports 995, 443 and 2222. The
# rules look the same as 100% entries to the engine; filter or down-rank on the
# metadata value if alert volume from low-confidence indicators is a concern.
alert tcp $HOME_NET any -> [39.40.162.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241381; rev:1;)
alert tcp $HOME_NET any -> [41.227.100.131] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241380; rev:1;)
alert tcp $HOME_NET any -> [2.6.198.137] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241379; rev:1;)
alert tcp $HOME_NET any -> [103.92.113.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241378; rev:1;)
# The family name in msg ("Responder") is the feed's label; the rule itself verifies
# nothing beyond destination address and port 443.
alert tcp $HOME_NET any -> [104.248.1.234] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241377; rev:1;)
alert tcp $HOME_NET any -> [159.223.178.234] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241376; rev:1;)
alert tcp $HOME_NET any -> [159.100.6.118] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241375; rev:1;)
alert tcp $HOME_NET any -> [147.182.158.99] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241374; rev:1;)
# NOTE(review): Sliver is a C2 framework that is also used in sanctioned security
# testing; check a hit against any active engagement before escalating.
alert tcp $HOME_NET any -> [38.132.122.178] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241373; rev:1;)
# NOTE(review): the label refers to remote-administration software; the rule keys
# on this one address and port 443, not on the software's traffic in general, so it
# does not detect other deployments of the same tool.
alert tcp $HOME_NET any -> [89.248.225.196] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241371/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_02_20; classtype:trojan-activity; sid:91241371; rev:1;)
# URL rule with an IP-literal Host. The URI is a prefix match, so the same path
# followed by a query string or extra path segments also alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5dce321003e6a6b5.php"; depth:21; nocase; http.host; content:"94.156.8.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241370; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.81] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241369; rev:1;)
# BianLian ip:port entries at confidence_level 100. The threshold is tracked by
# source, so several internal hosts contacting the same address each produce
# their own alert.
alert tcp $HOME_NET any -> [94.198.50.195] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241368; rev:1;)
alert tcp $HOME_NET any -> [51.159.183.32] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241367; rev:1;)
alert tcp $HOME_NET any -> [34.122.164.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241366; rev:1;)
alert tcp $HOME_NET any -> [212.81.188.105]
3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241365; rev:1;)
# Entries below are labelled "Unknown malware" at confidence_level 100: the feed
# asserts the endpoint is C2 but names no family, so the alert message gives no
# hint for host-side triage. Follow the reference URL for the IOC's context.
alert tcp $HOME_NET any -> [34.163.246.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241364; rev:1;)
alert tcp $HOME_NET any -> [185.119.57.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241363; rev:1;)
alert tcp $HOME_NET any -> [116.202.176.116] 1403 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241362; rev:1;)
alert tcp $HOME_NET any -> [54.173.139.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241361; rev:1;)
alert tcp $HOME_NET any -> [139.59.80.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241360/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241360; rev:1;)
# Three "Unknown malware" entries share destination port 60000 on different
# addresses; the rules remain independent, one sid and one threshold each.
alert tcp $HOME_NET any -> [107.151.244.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241359; rev:1;)
alert tcp $HOME_NET any -> [165.154.55.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241357; rev:1;)
alert tcp $HOME_NET any -> [103.139.93.20] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241358; rev:1;)
# Exact-name DNS match: a query for webpanel.space alerts, a query for a name
# under it (anything.webpanel.space) does not, because depth:14 anchors the content
# at the start of the query and isdataat:!1,relative at its end.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webpanel.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241356; rev:1;)
# 38.6.167.222 is listed on 443 here and on 80 in the next rule, as separate sids.
alert tcp $HOME_NET any -> [38.6.167.222] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241355; rev:1;)
alert tcp $HOME_NET any -> [38.6.167.222] 80 (msg:"ThreatFox
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241354; rev:1;)
alert tcp $HOME_NET any -> [49.13.170.9] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241352; rev:1;)
# ERMAC: the same address is listed on 8080 and 80. Source is constrained to
# $HOME_NET, so affected clients are only seen if their addresses fall inside it.
alert tcp $HOME_NET any -> [77.105.132.58] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241351; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.58] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241350; rev:1;)
# NOTE(review): PoshC2 is a C2 framework also used in sanctioned security testing;
# check a hit against any active engagement before escalating.
alert tcp $HOME_NET any -> [164.90.183.39] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241349; rev:1;)
alert tcp $HOME_NET any -> [82.115.223.46] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241348/; target:src_ip; metadata: confidence_level 100, first_seen
2024_02_20; classtype:trojan-activity; sid:91241348; rev:1;)
# Domain rule: exact, case-insensitive match on the queried name; no threshold, so
# every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kendraesparza.autos"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241347; rev:1;)
# NOTE(review): Havoc is a C2 framework also used in sanctioned security testing;
# check a hit against any active engagement before escalating.
alert tcp $HOME_NET any -> [212.47.244.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241346; rev:1;)
# Quasar RAT: 102.117.113.205 is listed once per port, each port under its own sid
# and threshold. A host that touches several of these ports raises one alert per
# port, so group by destination address when triaging.
alert tcp $HOME_NET any -> [102.117.113.205] 63696 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241345; rev:1;)
alert tcp $HOME_NET any -> [102.117.113.205] 9142 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241343; rev:1;)
alert tcp $HOME_NET any -> [102.117.113.205] 36945 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241344; rev:1;)
alert tcp $HOME_NET any -> [102.117.113.205] 2004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241342; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 465 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241340; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 631 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241341; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 57609 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241339; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 48087 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241338; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 17393 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; 
sid:91241336; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 27646 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241337; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241335; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 41489 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241333; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241334; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241332; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 51005 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241330; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2053 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241331; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2380 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241329; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 27049 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241328; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 9653 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241326; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 26238 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241327; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 
2455 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241324; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 56832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241325; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 53311 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241323; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241321; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 18084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241322; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 21 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241320/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241320; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 50995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241318; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241319; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 25516 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241317; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 13946 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241316; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4572 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241314; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 7077 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241315; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 36249 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241313; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8418 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241311; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 29975 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241312; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241310; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4433 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241308; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 5060 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241309; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1883 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241307; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241306; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40240 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241304; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 65245 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241305; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 26641 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241303; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 56597 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241301; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 18080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241302; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40961 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241300; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40022 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241298; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 39109 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241299; rev:1;) alert tcp 
$HOME_NET any -> [102.117.113.205] 4125 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241297; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 13999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241295; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 49502 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241296; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241294; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 636 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241292; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4721 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241293; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 47800 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241291; rev:1;) alert tcp $HOME_NET any -> [193.181.41.109] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241289; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1492 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.liceback.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241288; rev:1;) alert tcp $HOME_NET any -> [94.156.66.50] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241286; rev:1;) alert tcp $HOME_NET any -> [45.84.198.9] 30120 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241287; rev:1;) alert tcp $HOME_NET any -> [191.82.250.214] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241285; rev:1;) alert tcp $HOME_NET any -> [45.94.31.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.system-samsung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241283; rev:1;) alert tcp $HOME_NET any -> [92.63.98.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin1.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1241281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241281; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241279; rev:1;) alert tcp $HOME_NET any -> [85.239.237.148] 2006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241280; rev:1;) alert tcp $HOME_NET any -> [45.88.186.65] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241278; rev:1;) alert tcp $HOME_NET any -> [85.215.197.98] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241277; rev:1;) alert tcp $HOME_NET any -> [91.92.243.63] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241276; rev:1;) alert tcp $HOME_NET any -> [103.146.179.82] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241275; rev:1;) alert tcp $HOME_NET any -> [69.172.74.108] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241274/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_20; classtype:trojan-activity; sid:91241274; rev:1;) alert tcp $HOME_NET any -> [31.156.119.149] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241273; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241272; rev:1;) alert tcp $HOME_NET any -> [123.57.235.196] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241271; rev:1;) alert tcp $HOME_NET any -> [112.74.72.133] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241270/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_20; classtype:trojan-activity; sid:91241270; rev:1;) alert tcp $HOME_NET any -> [154.9.255.31] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241269; rev:1;) alert tcp $HOME_NET any -> [40.113.7.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241268; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241267; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241265; rev:1;) alert tcp $HOME_NET any -> [101.201.100.74] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241266; rev:1;) alert tcp $HOME_NET any -> [8.210.229.211] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241264; rev:1;) alert tcp $HOME_NET any -> [149.104.23.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241263; rev:1;) alert tcp $HOME_NET any -> [128.199.252.34] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241261; rev:1;) alert tcp $HOME_NET any -> [1.14.255.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241262; rev:1;) alert tcp $HOME_NET any -> [39.100.90.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241260; rev:1;) alert tcp $HOME_NET any -> [13.72.106.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241259; rev:1;) 
# NOTE(review): ip:port rules (this run: Cobalt Strike, then Socks5 Systemz).
# Each rule matches only on destination address and port. There is no flow or
# content keyword, so a single packet from $HOME_NET to the endpoint is enough
# to alert. An alert therefore shows a connection attempt, not a completed C2
# session; confirm with flow records or endpoint data before treating the
# source host as compromised.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source host per 60 seconds for each rule, so alert counts do not
# reflect traffic volume.
# "target:src_ip" marks the internal source host as the target in the event.
# metadata first_seen is 2024_02_20 on these entries. Addresses may have been
# reassigned since then, so check the referenced ThreatFox entry before acting.
# This matters most for the 80/443 endpoints, which may be cloud or
# shared-hosting addresses (verify).
# The Socks5 Systemz rules use TCP port 53. They are plain tcp rules, not dns
# rules, and an egress policy that allows TCP/53 for DNS would let this traffic out.
alert tcp $HOME_NET any -> [154.92.18.140] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241258; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241257; rev:1;) alert tcp $HOME_NET any -> [154.3.8.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241255; rev:1;) alert tcp $HOME_NET any -> [42.192.37.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241256; rev:1;) alert tcp $HOME_NET any -> [114.132.41.186] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241254; rev:1;) alert tcp $HOME_NET any -> [217.23.9.168] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241250; rev:1;)
# The rules below come in three generated shapes. In each, the sid is the ThreatFox IOC id
# with a leading 9, and the reference URL carries the same id.
#
#   alert tcp  -> [IP] PORT   Header-only match on one destination address and port. There is no
#                             flow or content keyword, so a hit shows that a packet was sent to
#                             that address, not that a session was established or what it
#                             carried. threshold gives one alert per source per 60 seconds.
#   alert http                GET request whose URI begins with the listed path (depth anchors
#                             the start only, so longer URIs with that prefix also match) and
#                             whose Host equals the listed value (depth + isdataat:!1,relative).
#                             These are HTTP app-layer rules: they only see requests the engine
#                             can parse as cleartext HTTP.
#   alert dns                 Query name equal to the listed domain, case-insensitive
#                             (depth + isdataat:!1,relative); subdomains of it do not match.
#
# target:src_ip labels the $HOME_NET sender as the affected host in the alert record.
# confidence_level (50/75/80/100 on this page) is repeated in msg and metadata and is the field
# to filter or prioritise on. first_seen here is 2024_02_19/20 while the feed header is dated
# 2024-07-26, so check the referenced IOC page for current status before acting on a hit;
# ip:port indicators in particular lose value when an address is reassigned.

# Destination port 53 is matched here as plain TCP by address; the DNS parser and the query
# content play no part in these three rules.
alert tcp $HOME_NET any -> [91.211.247.248] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241251; rev:1;)
alert tcp $HOME_NET any -> [152.89.198.214] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241252; rev:1;)
alert tcp $HOME_NET any -> [81.31.197.38] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241253; rev:1;)
alert tcp $HOME_NET any -> [77.83.242.244] 1664 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241249; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.81] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241248; rev:1;)

# URL indicators. Paths such as /match, /pixel.gif, /ga.js and /ie9compatviewlist.xml are generic
# resource names; the exact Host match is what ties each rule to its indicator. The msg of the
# url rules names no malware family, so attribution has to come from the referenced IOC page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241245; rev:1;)
# Host is a per-service name under tencentapigw.com (looks like a shared API-gateway domain -
# TODO confirm). The rule matches the full service label, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241241; rev:1;)
alert tcp $HOME_NET any -> [80.66.89.64] 32557 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241240; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.11] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mangaforme.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5441a82c9941418d.php"; depth:21; nocase; http.host; content:"91.108.240.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241238; rev:1;)
# The same hostname is covered twice: sid 91241235 on the HTTP request and sid 91241236 on the
# DNS lookup. The DNS rule still fires when the later connection is not cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/user"; depth:9; nocase; http.host; content:"service-qzxfb4ay-1318428097.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qzxfb4ay-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"42.193.178.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241234; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.96] 52048 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241233/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"106.54.202.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241230; rev:1;)
# HTTP/DNS pair for one hostname again (sids 91241228 and 91241229).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-mlanbdgq-1301500665.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mlanbdgq-1301500665.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cs52010.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241223; rev:1;)
alert tcp $HOME_NET any -> [83.137.157.54] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241222; rev:1;)
# 81.19.138.57 appears in four rules below (sids 91241221, 91241220, 91241216, 91241215). One
# HTTP request to it on port 80 can raise the ip:port alert and a url alert together, so
# de-duplicate by source and destination when counting affected hosts.
alert tcp $HOME_NET any -> [81.19.138.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241220; rev:1;)
# DNS rule (sid 91241218) and URL rule (sid 91241217) for the same hostname sit either side of
# an unrelated ip:port rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3rca94g4-1319979259.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241218; rev:1;)
alert tcp $HOME_NET any -> [45.152.66.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-3rca94g4-1319979259.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241217; rev:1;)
alert tcp $HOME_NET any -> [81.19.138.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241214; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.176] 51480 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241213; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.77] 1761 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241212; rev:1;)
# Three paths on one host, labelled "payload delivery" rather than C2 in msg.
# NOTE(review): the rules do not say whether the site itself is attacker-owned; check the IOC
# page before choosing between URL-level and domain-level blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241211; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.238] 1941 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241208; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.97] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241207; rev:1;)
# The URI content in the next two rules is just "/" (depth:1), which any origin-form request
# path satisfies, so they are effectively Host-only matches on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.36.6"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241205; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.233] 3609 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241204; rev:1;)
# Confidence 50 with no family named ("Unknown malware"): the lowest-fidelity entries on this
# page. A hit is a lead for enrichment against other telemetry, not a confirmed infection.
alert tcp $HOME_NET any -> [43.229.115.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241203; rev:1;)
alert tcp $HOME_NET any -> [43.229.115.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241202; rev:1;)
alert tcp $HOME_NET any -> [43.229.115.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241201; rev:1;)
# Confidence-50 entries, mostly on 443 and 995. With a header-only match nothing in the rule
# separates C2 from any other service reachable on the same address and port.
alert tcp $HOME_NET any -> [95.20.241.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241200; rev:1;)
alert tcp $HOME_NET any -> [216.137.233.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241199/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241199; rev:1;)
alert tcp $HOME_NET any -> [201.137.233.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241198; rev:1;)
alert tcp $HOME_NET any -> [175.10.223.19] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241197; rev:1;)
alert tcp $HOME_NET any -> [89.137.186.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241196; rev:1;)
alert tcp $HOME_NET any -> [2.50.137.96] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241195; rev:1;)
alert tcp $HOME_NET any -> [45.150.67.45] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241194; rev:1;)
alert tcp $HOME_NET any -> [23.88.118.173] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241193; rev:1;)
alert tcp $HOME_NET any -> [94.130.169.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241192; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.240] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241191; rev:1;)
alert tcp $HOME_NET any -> [52.162.200.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241190; rev:1;)
alert tcp $HOME_NET any -> [146.71.78.14] 151 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bonet.networkbn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241188; rev:1;)
alert tcp $HOME_NET any -> [103.172.79.74] 2807 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241187; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.27] 5034 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241186; rev:1;)
# The path is all lower case in the rule; nocase on the http.uri content keeps it matching
# whatever case the client actually sends.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywiymjlizgqwy2fk/"; depth:18; nocase; http.host; content:"176.113.115.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241165; rev:1;)
alert tcp $HOME_NET any -> [156.96.155.234] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241158; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.174] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241159; rev:1;)
alert tcp $HOME_NET any -> [141.98.168.167] 9222 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241185; rev:1;)
alert tcp $HOME_NET any -> [171.233.98.70] 18274 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241184; rev:1;)
# Confidence-80 Cobalt Strike entries, several on port 50050.
# NOTE(review): 50050 is commonly the team-server management port rather than a beacon
# listener, so these presumably describe the server's location and not the port an implant
# would call - confirm on the IOC page before using them as the only detection for this family.
alert tcp $HOME_NET any -> [159.89.209.22] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241183; rev:1;)
alert tcp $HOME_NET any -> [123.57.193.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241182; rev:1;)
alert tcp $HOME_NET any -> [110.42.209.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241181; rev:1;)
alert tcp $HOME_NET any -> [47.99.93.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241180; rev:1;)
alert tcp $HOME_NET any -> [3.136.160.122] 20755 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241179; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.53] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241178/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241178; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.37] 10003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241177/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241177; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.6] 1895 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241176; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.6] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241175/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241175; rev:1;)
alert tcp $HOME_NET any -> [74.248.32.95] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241174/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241174; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.216] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241173/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241173; rev:1;)
# 37.27.36.6 is also the Host in url rule sid 91241205, so a cleartext GET to it on port 80
# can raise sid 91241171 and sid 91241205 for the same connection.
alert tcp $HOME_NET any -> [37.27.36.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241172/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241172; rev:1;)
alert tcp $HOME_NET any -> [37.27.36.6] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241171/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241171; rev:1;)
alert tcp $HOME_NET any -> [185.147.34.93] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241170; rev:1;)
# Same domain at two confidence levels: the bare DNS lookup is rated 50, the full URL 100.
# The URL hit (sid 91241168) is the stronger signal of the two.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdn-analytic.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdjkb2xsd/index.php"; depth:20; nocase; http.host; content:"cdn-analytic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"94.156.65.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"miwekahb.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241166; rev:1;)
# From here on first_seen is 2024_02_19.
alert tcp $HOME_NET any -> [172.86.69.21] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241164; rev:1;)
alert tcp $HOME_NET any -> [103.77.243.159] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"91.238.181.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241161; rev:1;)
alert tcp $HOME_NET any -> [158.101.28.51] 8778 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241160; rev:1;)
# Domain-only payload-delivery indicator: any lookup of this exact name alerts, whatever is
# fetched afterwards.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"followcache.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241156; rev:1;)
alert tcp $HOME_NET any -> [43.229.115.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241155; rev:1;)
alert tcp $HOME_NET any -> [94.49.14.17] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241154/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241154; rev:1;)
alert tcp $HOME_NET any -> [154.246.249.128] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241153; rev:1;)
alert tcp $HOME_NET any -> [78.101.24.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241152; rev:1;)
# Destination port 445 (SMB) on an external address. Outbound SMB can expose NTLM
# authentication material, so a hit here also means egress filtering on 445 let the packet
# out; treat that as a finding in its own right even at confidence 50.
alert tcp $HOME_NET any -> [24.88.87.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241151; rev:1;)
alert tcp $HOME_NET any -> [5.226.137.157] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241150; rev:1;) alert tcp $HOME_NET any -> [46.246.80.3] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"02maill.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syn.02maill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241148; rev:1;) alert tcp $HOME_NET any -> [198.98.56.144] 6001 (msg:"ThreatFox MrBlack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syn.xsvi.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91241145; rev:1;) alert tcp $HOME_NET any -> [205.234.200.26] 44188 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241144; rev:1;) alert tcp $HOME_NET any -> [3.142.167.54] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241141/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241141; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241142; rev:1;) alert tcp $HOME_NET any -> [3.19.130.43] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241143/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241143; rev:1;) alert tcp $HOME_NET any -> [57.128.165.176] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241132; rev:1;) alert tcp $HOME_NET any -> [141.95.106.106] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241133; rev:1;) alert tcp $HOME_NET any -> [154.12.248.41] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241134; rev:1;) alert tcp $HOME_NET any -> [145.239.135.24] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241135; rev:1;) alert tcp $HOME_NET any -> [89.117.23.186] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241136; rev:1;) alert tcp $HOME_NET any -> [148.113.141.220] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241137; rev:1;) alert tcp $HOME_NET any -> [154.38.175.241] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241138; rev:1;) alert tcp $HOME_NET any -> [109.199.99.131] 13721 (msg:"ThreatFox Pikabot botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241139; rev:1;) alert tcp $HOME_NET any -> [154.12.233.66] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241140; rev:1;) alert tcp $HOME_NET any -> [89.117.23.34] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241130; rev:1;) alert tcp $HOME_NET any -> [89.117.23.185] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241131; rev:1;) alert tcp $HOME_NET any -> [78.168.81.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241129; rev:1;) alert tcp $HOME_NET any -> [210.16.120.210] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91241128; rev:1;) alert tcp $HOME_NET any -> [185.161.248.231] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241127; rev:1;) alert tcp $HOME_NET any -> [3.120.71.192] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241126; rev:1;) alert tcp $HOME_NET any -> [54.83.238.42] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241125; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4024 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241124; rev:1;) alert tcp $HOME_NET any -> [1.12.64.19] 53333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241123; rev:1;) alert tcp $HOME_NET any -> [24.212.223.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241122; rev:1;) alert tcp $HOME_NET any -> [139.59.57.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241121; rev:1;) alert tcp $HOME_NET any -> [176.98.250.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241119; rev:1;) alert tcp $HOME_NET any -> [35.157.195.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241120; rev:1;) alert tcp $HOME_NET any -> [52.18.172.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241118; rev:1;) alert tcp $HOME_NET any -> [52.29.64.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241117; rev:1;) alert tcp 
$HOME_NET any -> [52.29.64.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241116; rev:1;) alert tcp $HOME_NET any -> [172.174.252.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241115; rev:1;) alert tcp $HOME_NET any -> [43.139.192.157] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241113; rev:1;) alert tcp $HOME_NET any -> [3.110.143.241] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241114; rev:1;) alert tcp $HOME_NET any -> [51.81.237.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241112; rev:1;) alert tcp $HOME_NET any -> [172.234.228.130] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241111; rev:1;) alert tcp $HOME_NET any -> [34.247.215.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241110; rev:1;) alert tcp $HOME_NET any -> [167.99.92.251] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241109; rev:1;) alert tcp $HOME_NET any -> [35.91.153.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241108; rev:1;) alert tcp $HOME_NET any -> [172.166.231.240] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241107; rev:1;) alert tcp $HOME_NET any -> [193.106.196.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241106; rev:1;) alert tcp $HOME_NET any -> [212.44.236.195] 
443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241105; rev:1;) alert tcp $HOME_NET any -> [44.217.121.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241104; rev:1;) alert tcp $HOME_NET any -> [143.110.153.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241103; rev:1;) alert tcp $HOME_NET any -> [115.159.198.207] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241102; rev:1;) alert tcp $HOME_NET any -> [13.245.182.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241101; rev:1;) alert tcp $HOME_NET any -> [34.206.107.177] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241100/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241100; rev:1;) alert tcp $HOME_NET any -> [18.208.197.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241099; rev:1;) alert tcp $HOME_NET any -> [101.52.133.2] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241098; rev:1;) alert tcp $HOME_NET any -> [137.184.239.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241097; rev:1;) alert tcp $HOME_NET any -> [82.67.20.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241096; rev:1;) alert tcp $HOME_NET any -> [20.47.112.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241094; rev:1;) alert tcp $HOME_NET any -> [139.199.168.248] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analytics.deenpel.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-fonts.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-223-204-229.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charming-wright.142-11-199-59.plesk.page"; depth:40; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241090; rev:1;) alert tcp $HOME_NET any -> [39.106.145.100] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241088; rev:1;) alert tcp $HOME_NET any -> [43.136.242.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241087; rev:1;) alert tcp $HOME_NET any -> [172.245.131.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241086; rev:1;) alert tcp $HOME_NET any -> [106.14.24.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241084; rev:1;) alert tcp $HOME_NET any -> [154.92.18.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91241085; rev:1;) alert tcp $HOME_NET any -> [180.113.169.93] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241083; rev:1;) alert tcp $HOME_NET any -> [58.59.222.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241081; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241082; rev:1;) alert tcp $HOME_NET any -> [91.92.241.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241079; rev:1;) alert tcp $HOME_NET any -> [91.92.241.253] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241080; rev:1;) alert tcp $HOME_NET any -> [92.246.137.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241078; rev:1;) alert tcp $HOME_NET any -> [94.156.8.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sanctamsolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241075; rev:1;) alert tcp $HOME_NET any -> [94.156.8.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241076; rev:1;) alert tcp $HOME_NET any -> [93.0.93.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241074; rev:1;) alert tcp $HOME_NET any -> [103.180.149.224] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241073; rev:1;) alert 
tcp $HOME_NET any -> [51.250.71.111] 443 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241072; rev:1;) alert tcp $HOME_NET any -> [39.134.69.79] 17080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241071; rev:1;) alert tcp $HOME_NET any -> [54.234.189.192] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-206-73-190.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"147.45.42.25.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241068; rev:1;) alert tcp $HOME_NET any -> [109.107.161.51] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241067; rev:1;) alert tcp $HOME_NET any -> [34.118.125.155] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241066; rev:1;) alert tcp $HOME_NET any -> [45.136.6.149] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241065; rev:1;) alert tcp $HOME_NET any -> [34.16.134.132] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241063; rev:1;) alert tcp $HOME_NET any -> [77.105.132.32] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241064; rev:1;) alert tcp $HOME_NET any -> [197.82.164.175] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-43-204-230-44.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241061; rev:1;) alert tcp $HOME_NET any -> [45.148.4.18] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241060; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241059; rev:1;) alert tcp $HOME_NET any -> [192.71.172.113] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241058; rev:1;) alert tcp $HOME_NET any -> [178.168.70.101] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linki.one"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1241055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241055; rev:1;)
# Domain IOCs. Each dns rule matches the queried name exactly: depth equals the
# length of the content string, which anchors the match at the start of the
# dns_query buffer, and isdataat:!1,relative requires that no byte follows it.
# A subdomain of a listed name is therefore not matched by that name's rule;
# nocase makes the comparison case-insensitive.
# The msg of these rules names no malware family, so the reference URL (the
# ThreatFox IOC id, which also forms the sid after the 9 prefix) is the only
# pointer back to the source record during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.reneesellers.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtracking.suparamining.swp23.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241054; rev:1;)
# NOTE(review): the next two names look like provider-generated hostnames that
# embed an IP address. Presumably they follow whoever currently holds that
# address, so compare first_seen (2024_02_19) with the feed's "Last updated"
# date before treating a hit as confirmed C2 - verify against the ThreatFox record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24-199-107-91.ipv4.staticdns3.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"109.179.76.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maribelgould.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241052/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap859144-11.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reneesellers.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241050; rev:1;) alert tcp $HOME_NET any -> [185.236.234.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241047; rev:1;) alert tcp $HOME_NET any -> [139.84.137.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1030125-1.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciscointernship.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-233-144-170.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241045; rev:1;) alert tcp $HOME_NET any -> [45.63.120.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241043; rev:1;) alert tcp $HOME_NET any -> [146.70.79.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.laboratoriodiagnosticoescobar.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241041; rev:1;) alert tcp $HOME_NET any -> [141.94.221.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241040; rev:1;) alert tcp $HOME_NET any -> [213.176.29.29] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241039; rev:1;) alert tcp $HOME_NET any -> [146.190.103.72] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1502970.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1528797.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241037; rev:1;) alert tcp $HOME_NET any -> [94.156.69.145] 7000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91241034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-99-102-8.ca-central-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241035; rev:1;) alert tcp $HOME_NET any -> [50.34.48.26] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241033; rev:1;) alert tcp $HOME_NET any -> [51.103.213.60] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241032; rev:1;) alert tcp $HOME_NET any -> [192.121.102.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241031; rev:1;) alert tcp $HOME_NET any -> [190.9.208.167] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241030; rev:1;) alert tcp $HOME_NET any -> [193.233.132.190] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241029; rev:1;) alert tcp $HOME_NET any -> [193.233.132.223] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv567.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241027; rev:1;) alert tcp $HOME_NET any -> [94.156.67.40] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin3.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kozak.timur.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241024/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_19; classtype:trojan-activity; sid:91241024; rev:1;) alert tcp $HOME_NET any -> [46.149.77.191] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241022; rev:1;) alert tcp $HOME_NET any -> [37.46.132.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241021; rev:1;) alert tcp $HOME_NET any -> [91.92.240.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241020; rev:1;) alert tcp $HOME_NET any -> [178.62.237.92] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trainlog.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241018; rev:1;) alert tcp $HOME_NET any -> [38.60.216.65] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitrknis.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241016; rev:1;) alert tcp $HOME_NET any -> [38.60.249.75] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241015; rev:1;) alert tcp $HOME_NET any -> [46.246.4.7] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241014; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241013; rev:1;) alert tcp $HOME_NET any -> [91.92.242.57] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241012; rev:1;) alert tcp 
$HOME_NET any -> [206.123.135.63] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241010; rev:1;)
# ip:port IOCs. These rules carry no flow, flags or content keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches, including a
# connection attempt that is never answered. An alert shows that a host tried
# to reach the endpoint, not that a C2 session was established; confirm with
# flow records or endpoint telemetry.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per 60 seconds for each sid, so alert counts
# understate how often the destination was contacted.
# target:src_ip marks the internal source as the affected host in the alert.
alert tcp $HOME_NET any -> [192.250.225.3] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241011; rev:1;)
# The same destination address can appear under several ports, one sid each
# (147.135.97.94 and 147.124.213.188 below); group hits by destination IP
# rather than by sid when scoping an affected host.
alert tcp $HOME_NET any -> [147.135.97.94] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241009; rev:1;)
alert tcp $HOME_NET any -> [147.135.97.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241008; rev:1;)
alert tcp $HOME_NET any -> [147.124.213.188] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241007; rev:1;)
alert tcp $HOME_NET any -> [147.124.213.188] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241006/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241006; rev:1;) alert tcp $HOME_NET any -> [207.231.111.88] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241004; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241005; rev:1;) alert tcp $HOME_NET any -> [207.231.111.88] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241003; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241002; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241001; rev:1;) alert tcp $HOME_NET any -> [186.170.98.239] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240999; rev:1;) alert tcp $HOME_NET any -> [186.170.98.239] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241000; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240998; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240996; rev:1;) alert tcp $HOME_NET any -> [34.176.21.185] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240997; rev:1;) alert tcp $HOME_NET any -> [186.112.207.226] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91240995; rev:1;) alert tcp $HOME_NET any -> [186.112.207.226] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240994; rev:1;) alert tcp $HOME_NET any -> [207.32.217.170] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240993; rev:1;) alert tcp $HOME_NET any -> [172.94.111.213] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240992; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240990; rev:1;) alert tcp $HOME_NET any -> [88.214.59.174] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240991; rev:1;) alert tcp $HOME_NET any -> [204.12.229.169] 5600 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240989; rev:1;) alert tcp $HOME_NET any -> [123.249.35.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240988; rev:1;) alert tcp $HOME_NET any -> [43.229.115.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240987; rev:1;) alert tcp $HOME_NET any -> [50.78.185.152] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240986/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240986; rev:1;) alert tcp $HOME_NET any -> [143.198.214.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240985/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240985; rev:1;) alert tcp $HOME_NET any -> [34.162.114.31] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240984/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240984; rev:1;) alert tcp $HOME_NET any -> [20.115.68.15] 443 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240983/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240983; rev:1;) alert tcp $HOME_NET any -> [98.71.17.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240982/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240982; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240981; rev:1;) alert tcp $HOME_NET any -> [8.219.54.123] 5060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240980; rev:1;) alert tcp $HOME_NET any -> [8.219.54.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240979; rev:1;) alert tcp $HOME_NET any -> [47.101.181.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91240978; rev:1;) alert tcp $HOME_NET any -> [101.201.81.175] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240977; rev:1;) alert tcp $HOME_NET any -> [43.143.169.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240976; rev:1;) alert tcp $HOME_NET any -> [47.115.206.4] 53080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240975; rev:1;) alert tcp $HOME_NET any -> [150.107.201.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240974; rev:1;) alert tcp $HOME_NET any -> [150.107.201.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240973; rev:1;) alert tcp $HOME_NET any -> [152.136.55.237] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240972; rev:1;) alert tcp $HOME_NET any -> [154.12.29.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240971; rev:1;) alert tcp $HOME_NET any -> [206.237.7.51] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240970; rev:1;) alert tcp $HOME_NET any -> [47.108.145.250] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240969; rev:1;) alert tcp $HOME_NET any -> [47.92.80.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240968; rev:1;) alert tcp $HOME_NET any -> [34.168.39.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240967; rev:1;) alert tcp 
$HOME_NET any -> [45.95.174.47] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240966; rev:1;) alert tcp $HOME_NET any -> [123.60.60.29] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240965; rev:1;) alert tcp $HOME_NET any -> [42.193.16.213] 9981 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240964; rev:1;) alert tcp $HOME_NET any -> [5.78.103.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240963; rev:1;) alert tcp $HOME_NET any -> [103.146.179.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240962; rev:1;) alert tcp $HOME_NET any -> [93.177.75.125] 12121 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240960; rev:1;) alert tcp $HOME_NET any -> [8.130.130.59] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240961; rev:1;) alert tcp $HOME_NET any -> [124.221.133.199] 33891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240959; rev:1;) alert tcp $HOME_NET any -> [109.205.61.95] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240958; rev:1;) alert tcp $HOME_NET any -> [115.159.195.80] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240956; rev:1;) alert tcp $HOME_NET any -> [152.42.134.17] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240957; rev:1;) alert tcp $HOME_NET any -> [43.135.34.148] 17843 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240955; rev:1;)
# Domain rules: depth equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so each rule matches only the exact query name
# (case-insensitively, via nocase). Subdomains of a listed name do not match.
# NOTE(review): the next four names look like provider-assigned hostnames that
# embed an IP address (155.39.168.34 reversed is 34.168.39.155, the address in
# sid 91240967). Presumably such a name follows the address rather than the
# tenant - check first_seen before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blissful-jackson.216-238-76-219.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"155.39.168.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.86.70.78.5.clients.your-server.de"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-123-60-57-13.compute.hwclouds-dns.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninhobaby.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240950; rev:1;)
# ip:port rule: there is no flow or content keyword, so the match is on
# destination address and port alone. The threshold caps output at one alert
# per source address per 60 seconds. A hit shows traffic sent toward the IOC,
# not that a session was established or what it carried.
alert tcp $HOME_NET any -> [95.179.137.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240949; rev:1;)
# URL rules: http.uri is anchored at the start only (depth, no isdataat), so
# content:"/" with depth:1 accepts every GET whose Host header equals the
# listed address. 95.217.31.198 and 5.75.209.12 also have Vidar ip:port rules
# below (sid 91240944, 91240943), so the same host can be reported under more
# than one sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.12"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240947; rev:1;)
# The next two rules name shared platforms (steamcommunity.com, t.me). Only
# the URI prefix ties the alert to the reported profile or channel, and the
# prefix is not end-anchored, so longer paths that start with it also match.
# NOTE(review): these rules parse cleartext HTTP; if the sites are reached
# over TLS the request is visible only where traffic is decrypted - confirm
# sensor placement before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199642171824"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hypergog"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240945; rev:1;)
alert tcp $HOME_NET any -> [5.75.209.12] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240943; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.198] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240944; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jimissupercool.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240940; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"jimissupercool.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"myclubpicks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel"; depth:6; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"vamknigi.mcdir.me"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240936; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240934; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240933; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240932; rev:1;) alert tcp $HOME_NET any -> [185.196.8.191] 1290 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkasjdfhsdag.servebeer.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.88.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240927; rev:1;) alert tcp $HOME_NET any -> [106.54.202.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"106.54.202.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240925; rev:1;) alert tcp $HOME_NET any -> [185.222.58.40] 1990 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240924; rev:1;) alert tcp $HOME_NET any -> [93.123.85.73] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240922; rev:1;) alert tcp $HOME_NET any -> [93.123.85.141] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240923; rev:1;) alert tcp $HOME_NET any -> [45.128.96.16] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240921/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240920; rev:1;)
# sid 91240918 and 91240917 share the URI prefix /www/handle/doc and differ
# only in Host. http.host is read from the request, not from the destination
# address, so a match on cn.bing.com does not show where the packet went.
# NOTE(review): presumably the client sends a Host header that differs from
# the real endpoint - triage on the alert's destination IP, not on the Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"cn.bing.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"abillioncoin.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240917; rev:1;)
alert tcp $HOME_NET any -> [159.223.196.192] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.layer4.bf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240915; rev:1;)
# content:"/" with depth:1 on http.uri accepts any request path, so the rules
# below fire on every GET whose Host header equals the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240914; rev:1;)
# sid 91240913 and 91240912 have identical match conditions (host
# 95.217.31.190), as do sid 91240911 and 91240910 (host 65.109.241.164); each
# pair differs only in ThreatFox reference and sid. One request raises both
# alerts of a pair - deduplicate on host when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.237.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.117.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240908; rev:1;)
# ip:port rules: no flow or content keyword, so the match is on destination
# address and port alone, limited to one alert per source per 60 seconds.
# 95.217.31.190 is also the Host in sid 91240913/91240912 above, so the same
# host can be reported under several sids.
alert tcp $HOME_NET any -> [95.217.31.190] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240905; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.190] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19;
classtype:trojan-activity; sid:91240906; rev:1;) alert tcp $HOME_NET any -> [95.217.243.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240907; rev:1;) alert tcp $HOME_NET any -> [23.88.117.132] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240901; rev:1;) alert tcp $HOME_NET any -> [95.217.237.91] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240902; rev:1;) alert tcp $HOME_NET any -> [65.109.241.164] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240903; rev:1;) alert tcp $HOME_NET any -> [65.109.241.164] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240904; rev:1;) alert tcp $HOME_NET any -> [109.107.181.83] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1240900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240900; rev:1;) alert tcp $HOME_NET any -> [104.233.187.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240899; rev:1;) alert tcp $HOME_NET any -> [104.233.187.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240898; rev:1;) alert tcp $HOME_NET any -> [104.233.244.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240897; rev:1;) alert tcp $HOME_NET any -> [20.26.126.28] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240896; rev:1;) alert tcp $HOME_NET any -> [20.117.169.244] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240895; rev:1;) alert tcp $HOME_NET any -> [167.56.71.240] 995 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240894; rev:1;)
# The QakBot rules carry confidence_level 50 but the same classtype as the
# 100% rules, so rank alerts on the metadata field rather than on classtype.
# They match on destination address and port alone (no flow or content
# keyword); a hit on port 443 or 995 says nothing about the payload.
alert tcp $HOME_NET any -> [79.131.125.30] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240893; rev:1;)
alert tcp $HOME_NET any -> [189.177.0.136] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240892; rev:1;)
alert tcp $HOME_NET any -> [72.27.101.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elccorp-net.ntc-telecomcorporation.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240879; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.100] 24854 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240870; rev:1;)
# workers.dev rules: depth equals the pattern length and isdataat:!1,relative
# forbids trailing bytes, so each rule matches one exact query name. The
# parent gwadarportt.workers.dev (sid 91240877) does not cover its subdomain,
# which is why sid 91240878 exists; any other name under gwadarportt or
# ntc-telecomcorporation that is not listed here will not alert.
# NOTE(review): the labels embed "gov-pk", presumably lookalike naming -
# confirm the campaign context on the ThreatFox entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarportt.workers.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarport-gov-pk.gwadarportt.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ecp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-gwadarport-gov-pk.ntc-telecomcorporation.workers.dev"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240882/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240882; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 13627 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240847; rev:1;) alert tcp $HOME_NET any -> [207.246.120.23] 8140 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240861; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240868; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240869; rev:1;) alert tcp $HOME_NET any -> [185.172.128.33] 8970 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240848; rev:1;) alert tcp $HOME_NET any -> [87.3.215.35] 65199 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihateciroparisi.serveminecraft.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foodmattkent.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"day.50adayplan.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"winvipbonus.life"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.ntc-telecomcorporation.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240883; rev:1;)
# The next five ip:port rules all carry confidence_level 50 and use widely used service ports
# (3306, 465, 443, 7443, 80). They share classtype:trojan-activity with the confidence-100 rules,
# so alert priority does not separate them; the confidence_level metadata key is the only field
# in the rule that does. Route or filter on it before treating a hit as confirmed C2.
# None of these rules has a flow or content keyword: any TCP packet from $HOME_NET to the listed
# address and port matches, and the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.103.87.88] 3306 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240890; rev:1;)
alert tcp $HOME_NET any -> [94.103.87.88] 465 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240889; rev:1;)
alert tcp $HOME_NET any -> [43.198.89.50] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240888; rev:1;)
alert tcp $HOME_NET any -> [74.48.56.81] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240887; rev:1;)
alert tcp $HOME_NET any -> [13.113.86.16] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240886; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.132] 9231 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mc341/index.php"; depth:16; nocase; http.host; content:"mhlc.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240884; rev:1;) alert tcp $HOME_NET any -> [172.94.111.9] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240876; rev:1;) alert tcp $HOME_NET any -> [144.76.184.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240875; rev:1;) alert tcp $HOME_NET any -> [144.76.184.11] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240874; rev:1;) alert tcp $HOME_NET any -> [196.112.147.229] 5577 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240873; rev:1;)
# The rule ending on the line above and the next two rules share one destination address,
# 196.112.147.229, and differ only in port and malware label (5577 NjRAT, 5588 Loda,
# 5566 AsyncRAT). Each has its own sid, so a host that contacts several of these ports
# raises one alert per rule; group by destination address when triaging.
# These ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to the
# listed address and port matches, including a connection attempt that is never answered.
# The threshold (type limit, track by_src, seconds 60, count 1) caps each rule at one alert
# per source address per minute.
alert tcp $HOME_NET any -> [196.112.147.229] 5588 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240872; rev:1;)
alert tcp $HOME_NET any -> [196.112.147.229] 5566 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240871; rev:1;)
# URL rule: needs a GET on an established client-to-server flow. The http.uri pattern is
# anchored at the start only (depth equals the pattern length, no isdataat:!1,relative), so any
# URI beginning with it matches; the http.host pattern must equal the whole host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916796.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240867; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240866; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91240865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9bc7b45d.php"; depth:13; nocase; http.host; content:"a0919334.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240864; rev:1;) alert tcp $HOME_NET any -> [116.203.63.87] 9216 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240863; rev:1;) alert tcp $HOME_NET any -> [46.183.220.203] 35966 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916462.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240854/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240854; rev:1;)
# URL rules with a literal IPv4 address as the Host value. Each needs a GET on an established
# client-to-server flow, a URI that starts with the listed path, and a host value equal to the
# listed address.
#  - The http.uri pattern has depth equal to its length but no isdataat:!1,relative, so it is a
#    prefix match: "/ca" also matches longer URIs that begin with "/ca". The short paths add
#    little on their own; the exact http.host match is what scopes each rule.
#  - http.host is matched exactly (depth plus isdataat:!1,relative), so a request reaching the
#    same server under a hostname is not covered by these rules.
#  - The msg names no malware family; the referenced ThreatFox entry is needed for attribution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"110.41.134.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0913701.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240846; rev:1;) alert tcp $HOME_NET any -> [65.21.212.74] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240843/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240843; rev:1;) alert tcp $HOME_NET any -> [91.92.251.16] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquabotnet.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bulldognet.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240841; rev:1;) alert tcp $HOME_NET any -> [104.233.244.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240838; rev:1;) alert tcp $HOME_NET any -> [102.113.143.173] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240837; rev:1;) alert tcp $HOME_NET any -> [77.49.51.87] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240836; rev:1;) alert tcp $HOME_NET any -> [142.247.95.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240835; rev:1;) alert tcp $HOME_NET any -> [45.245.101.32] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240834; rev:1;) alert tcp $HOME_NET any -> [66.187.7.174] 3074 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240833; rev:1;) alert tcp $HOME_NET any -> [20.212.217.245] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; 
classtype:trojan-activity; sid:91240832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discounts-ptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewards-ptclnetpk.viewdns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240829; rev:1;) alert tcp $HOME_NET any -> [51.159.167.215] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visualstudiomacupdate.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nanoudu30-31620.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240826; rev:1;)
# NOTE(review): port 31620 below also appears in the hostname of the DNS rule ending on the line
# above (nanoudu30-31620.portmap.host); both rules are confidence 75 with adjacent ThreatFox IOC
# ids. Presumably the two describe the same C2 endpoint; confirm against the referenced entries.
# The DNS rule names no family, so correlating the two alerts is what attaches the NjRAT label.
alert tcp $HOME_NET any -> [193.161.193.99] 31620 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240825/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240825; rev:1;)
# ip:port rules: no flow or content keyword, so any TCP packet from $HOME_NET to the listed
# address and port matches; the threshold allows one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [129.159.55.240] 56636 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240816; rev:1;)
alert tcp $HOME_NET any -> [149.50.209.216] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240818; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.72] 56537 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"plus-subcommittee.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240824; rev:1;) alert tcp $HOME_NET any -> [141.98.11.208] 16837 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240817; rev:1;) alert tcp $HOME_NET any -> [1.162.151.116] 39167 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240813; rev:1;) alert tcp $HOME_NET any -> [103.106.228.99] 11259 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240814; rev:1;) alert tcp $HOME_NET any -> [111.243.109.76] 41465 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weilaibot.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"zunbot.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirailovers.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nw.awuam.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwerty.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bots.awuam.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feckoffbr0.sbs"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1240807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240807; rev:1;)
# Domain rules: the pattern is matched against the dns_query buffer (the older spelling of
# dns.query) with depth equal to the pattern length plus isdataat:!1,relative, i.e. the queried
# name must equal the pattern exactly, case-insensitively. A subdomain of a listed name does
# not match unless it has its own rule.
# The header is $HOME_NET -> $EXTERNAL_NET: where clients resolve through a resolver inside
# $HOME_NET, the matching query is the resolver's, and target:src_ip then marks the resolver
# rather than the querying host. Correlate with resolver query logs to find the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddns.awuam.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.sdxpay.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ackcm.awuam.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240801; rev:1;)
# Apex rule: depth:9 with isdataat:!1,relative matches only a query for "awuam.com" itself.
# The awuam.com subdomains in this file (ddns., ackcm., botnet., ...) are covered one by one by
# their own rules; a subdomain that is not listed raises no alert from this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awuam.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; 
classtype:trojan-activity; sid:91240803; rev:1;) alert tcp $HOME_NET any -> [185.196.9.72] 62452 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240820; rev:1;) alert tcp $HOME_NET any -> [199.195.249.78] 13145 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240821; rev:1;) alert tcp $HOME_NET any -> [46.3.113.170] 8778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240822; rev:1;) alert tcp $HOME_NET any -> [93.123.85.174] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"714745cm.nyashland.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"finance-govnp.servehalflife.com"; 
depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail-ntcgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail-scogovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mof-govnp.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240799; rev:1;) alert tcp $HOME_NET any -> [18.134.234.207] 3306 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240792/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240792; rev:1;)
# Domain rules (one rule per line below; the first and last lines of this stretch are
# pieces of rules that continue on the neighbouring lines).
# Each rule inspects the dns_query buffer. `depth` equals the length of the domain and
# `isdataat:!1,relative` rejects any byte after the match, so only a query for exactly
# this name fires; `nocase` makes the comparison case-insensitive. A subdomain or the
# parent zone does not match and needs its own rule.
# NOTE(review): the parent zones here (serveblog.net, servehttp.com, servegame.com) look
# like shared dynamic-DNS zones - confirm before widening any of these patterns.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.serveblog.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240793; rev:1;)
# NOTE(review): net-killer.servehttp.com is listed twice in this stretch, as sid 91240794
# (confidence_level 100) and as sid 91240790 (confidence_level 75). The match conditions
# are identical, so one lookup raises both alerts; de-duplicate on the queried name at triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mostnet.servegame.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240791; rev:1;)
# Same domain and same match as sid 91240794 above; only the confidence level, the
# ThreatFox reference and the sid differ.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240789/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"213.109.202.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.155.127.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azure/api/v2/userinfo/get"; depth:26; nocase; http.host; content:"106.12.124.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.9.255.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240785; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 3912 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240784/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240784; rev:1;)
# ip:port rules (one rule per line below; the first and last lines of this stretch are
# pieces of rules that continue on the neighbouring lines).
# These rules carry no `flow` keyword and no payload match: any TCP packet from $HOME_NET
# to the listed address and port fires. `threshold: type limit, track by_src, seconds 60,
# count 1` caps the output at one alert per source address per 60 seconds.
# `target:src_ip` marks the $HOME_NET side as the target in the event output, i.e. the
# internal host to investigate.
# A hit shows that a connection was attempted, nothing about what was exchanged.
alert tcp $HOME_NET any -> [91.92.240.138] 2023 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240779; rev:1;)
# 154.82.81.136 is covered twice: by address and port here (sid 91240783) and by Host
# header plus URI prefix in the http rule that follows (sid 91240782).
alert tcp $HOME_NET any -> [154.82.81.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240783; rev:1;)
# NOTE(review): this rule only fires when the sensor sees the request as HTTP; if the
# traffic to this host is TLS on port 443 and is not decrypted, expect only the tcp rule
# above to alert - confirm against captured traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv"; depth:3; nocase; http.host; content:"154.82.81.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240782; rev:1;)
alert tcp $HOME_NET any -> [5.78.70.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; 
content:"5.78.103.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240780; rev:1;) alert tcp $HOME_NET any -> [91.92.240.138] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.networkbotbet.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkbotbet.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"antyparkov.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; 
http.host; content:"saicetyapy.space"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saicetyapy.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antyparkov.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240773; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 35017 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"content-royal.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240731; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10540 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240732/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_02_18; classtype:trojan-activity; sid:91240732; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10540 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mary-cottage.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240747; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gemcreedarticulateod.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"secretionsuitcasenioise.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240753/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240753; rev:1;)
# url rules (one rule per line below; the first and last lines of this stretch are pieces
# of rules that continue on the neighbouring lines).
# `flow:established,from_client` limits the match to client requests on an established
# flow, and `http.method; content:"GET"` requires GET in the method buffer.
# The `http.uri` pattern is anchored at the start by `depth:4` but has no end anchor, so
# any URI that begins with /api matches (case-insensitively, because of `nocase`).
# The `http.host` pattern is anchored at both ends (`depth` equal to its length plus
# `isdataat:!1,relative`), so the Host value must be exactly the listed name. It carries
# no `nocase`; the patterns are written in lower case, which is how Suricata presents
# this buffer.
# NOTE(review): a request with another method (for example POST) to the same host does
# not match these rules; the dns rules further down for the same .shop names still fire
# on the lookup, so keep both rule types enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimconcessionrebe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilityarrangemenyit.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240755; rev:1;)
# Domain rules for the same hosts as the url rules: exact match on the queried name.
# A host that resolves the name and then sends the GET request produces a dns alert and
# an http alert for one infection; correlate the two on source address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gemcreedarticulateod.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"claimconcessionrebe.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liabilityarrangemenyit.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240771; rev:1;) alert tcp $HOME_NET any -> [14.202.148.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240770; rev:1;) alert tcp $HOME_NET any -> [41.98.29.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240769; rev:1;) alert tcp $HOME_NET any -> [175.10.222.136] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240768; rev:1;) alert tcp $HOME_NET any -> [94.237.54.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; 
sid:91240767; rev:1;)
# ip:port rules (one rule per line below; the first and last lines of this stretch are
# pieces of rules that continue on the neighbouring lines).
# Every complete rule in this stretch carries confidence_level 50 and first_seen
# 2024_02_18. Both values are repeated in `metadata`, so alerts can be filtered or
# down-ranked on them downstream.
# The match is address and port only, with one alert per source per 60 seconds
# (`threshold: type limit, track by_src`); the family name in `msg` comes from the feed,
# not from anything observed in the traffic.
# NOTE(review): addresses are reassigned over time - compare first_seen with the date of
# the alert and look for corroborating evidence on the source host before treating a hit
# as confirmed C2.
alert tcp $HOME_NET any -> [24.199.107.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240766; rev:1;)
alert tcp $HOME_NET any -> [191.96.53.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240765; rev:1;)
alert tcp $HOME_NET any -> [185.83.113.126] 32004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240764; rev:1;)
alert tcp $HOME_NET any -> [37.120.239.146] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240763; rev:1;)
alert tcp $HOME_NET any -> [43.198.108.245] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240762; rev:1;)
alert tcp $HOME_NET any -> [2.34.147.152] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240761; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 29182 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240760; rev:1;) alert tcp $HOME_NET any -> [49.13.194.252] 10919 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240759; rev:1;) alert tcp $HOME_NET any -> [193.233.21.140] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requesthttpupdategamebigloadasyncuploads.php"; depth:45; nocase; http.host; content:"chromestartup.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"parals.ac.ug"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f95721327cee196f.php"; depth:21; nocase; http.host; content:"193.163.7.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240746; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 10652 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240745; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 17383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240744; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 17383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240743; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240742/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240742; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240741; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240740; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240739; rev:1;) alert tcp $HOME_NET any -> [113.141.94.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240738; rev:1;) alert tcp $HOME_NET any -> [79.130.49.211] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240737; rev:1;) alert tcp $HOME_NET any -> [51.210.244.254] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.252.165.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240735; rev:1;) alert tcp $HOME_NET any -> [193.178.172.180] 16346 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240734; rev:1;) alert tcp $HOME_NET any -> [147.45.40.62] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software.dth.wtf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240728; rev:1;) alert tcp $HOME_NET any -> [82.117.230.122] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240729/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240729; rev:1;) alert tcp $HOME_NET any -> [91.92.244.21] 40096 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cholin777.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgigante.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgrande.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gomelo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240715; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hebreo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jerusalen.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesbiano.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruby.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240719; rev:1;) alert tcp $HOME_NET any -> [194.110.247.222] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fucktheccp.top"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; 
classtype:trojan-activity; sid:91240720; rev:1;) alert tcp $HOME_NET any -> [43.139.177.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240709; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abundancia777.con-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caramelo.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240682; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazaltov.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krater1.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graciasdiosito.con-ip.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deusdsfduhfdjisjdfasaxc.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sssssssdhhdiodhuhdisdisgi.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"gamin.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redentor.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salud77.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahweh.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anguila.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jireh.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farsante9.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matusalen77.con-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anhelo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bendecidos.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsfkdsvnlsnvklvdsnvodv.con-ip.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240698/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edden.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enticonfio.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ergdsbsicshdfsijfsiudhf.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galaxia.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memorias.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240703; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevocomienzo777.con-ip.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ostentar.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"persistencia.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salomon77.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sion.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ns1.usaglobalnews.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waltontechnical.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.waltontechnical.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myinternationalsolutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.myinternationalsolutions.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.topglobaltv.com"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.southernlandmortgage.cloud"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processtestpublic.php"; depth:22; nocase; http.host; content:"514885cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"2.57.149.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240575; rev:1;) alert tcp $HOME_NET any -> [81.94.150.21] 443 (msg:"ThreatFox FAKEUPDATES payload delivery 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240572; rev:1;) alert tcp $HOME_NET any -> [103.47.195.200] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240574; rev:1;) alert tcp $HOME_NET any -> [172.232.190.57] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240672; rev:1;) alert tcp $HOME_NET any -> [88.153.94.39] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240671; rev:1;) alert tcp $HOME_NET any -> [160.176.70.45] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240670; rev:1;) alert tcp $HOME_NET any -> [72.27.104.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240669; 
rev:1;) alert tcp $HOME_NET any -> [141.164.161.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240668; rev:1;) alert tcp $HOME_NET any -> [146.190.165.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240667; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32023 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240665; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240666; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32012 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240664; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32005 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240663/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240663; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32031 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240662; rev:1;) alert tcp $HOME_NET any -> [45.61.138.43] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/17303af8450cc290.php"; depth:21; nocase; http.host; content:"37.28.157.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240659; rev:1;) alert tcp $HOME_NET any -> [162.244.80.14] 17124 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240658/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240658; rev:1;) alert tcp $HOME_NET any -> [43.156.108.42] 32323 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240657; rev:1;) alert tcp $HOME_NET any -> [157.245.78.225] 42718 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240656; rev:1;) alert tcp $HOME_NET any -> [154.92.14.41] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240655; rev:1;) alert tcp $HOME_NET any -> [36.111.166.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240654; rev:1;) alert tcp $HOME_NET any -> [114.115.159.80] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240653; rev:1;) alert tcp $HOME_NET any -> [124.121.18.177] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240652; rev:1;) alert tcp $HOME_NET any -> [34.125.32.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240651; rev:1;) alert tcp $HOME_NET any -> [40.113.117.114] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240650; rev:1;) alert tcp $HOME_NET any -> [46.151.31.26] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240649; rev:1;) alert tcp $HOME_NET any -> [116.203.165.197] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240648; rev:1;) alert tcp $HOME_NET any -> [45.148.4.76] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240647; rev:1;) 
# ip:port rules: each one matches TCP traffic from $HOME_NET to a single listed address and port.
# No flow, flags or content keyword is present, so the match is on the address/port pair alone and
# says nothing about the payload or the protocol actually spoken on that port.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one alert per source host per 60 seconds.
# target:src_ip marks the $HOME_NET host as the target side of the event.
# metadata carries the ThreatFox confidence_level and first_seen date; the reference URL is the IOC record.
# NOTE(review): an address/port indicator can outlive the malware's use of it (reassigned or shared
# hosting) - check first_seen and the referenced IOC record before treating a hit as a confirmed infection.
alert tcp $HOME_NET any -> [5.252.176.25] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240645; rev:1;) alert tcp $HOME_NET any -> [109.200.24.62] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240644; rev:1;) alert tcp $HOME_NET any -> [171.41.251.198] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240643; rev:1;) alert tcp $HOME_NET any -> [171.41.197.221] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240642/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240642; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240641; rev:1;) alert tcp $HOME_NET any -> [45.59.118.25] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240640/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240640; rev:1;) alert tcp $HOME_NET any -> [35.178.199.78] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240639/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240639; rev:1;) alert tcp $HOME_NET any -> [104.243.46.129] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240638; rev:1;) alert tcp $HOME_NET any -> [60.50.255.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240637; rev:1;) alert tcp $HOME_NET any -> [197.83.246.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240636; rev:1;) alert tcp $HOME_NET any -> [168.119.96.5] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240635; rev:1;) alert tcp $HOME_NET any -> [174.138.6.9] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmto.php"; depth:17; nocase; http.host; content:"gafisezs.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240633; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32017 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240632; rev:1;) alert tcp $HOME_NET any -> [167.71.231.122] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240631; rev:1;) alert tcp $HOME_NET any -> [35.157.195.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240629; rev:1;) alert tcp $HOME_NET any -> [3.85.194.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240630; rev:1;) alert tcp $HOME_NET any -> [20.117.112.154] 52525 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240628; rev:1;) alert tcp $HOME_NET any -> [18.202.134.235] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240626; rev:1;) alert tcp $HOME_NET any -> [35.208.245.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240627; rev:1;) alert tcp $HOME_NET any -> [3.120.71.192] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240625; rev:1;) alert tcp $HOME_NET any -> [34.101.86.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240624; rev:1;) alert tcp $HOME_NET any -> [34.123.222.44] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240623; rev:1;) alert tcp $HOME_NET any -> [13.127.226.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240622; rev:1;) alert tcp $HOME_NET any -> [135.181.20.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240621; rev:1;) alert tcp $HOME_NET any -> [146.190.9.102] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240620; rev:1;) alert tcp $HOME_NET any -> [3.250.162.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240619; rev:1;) alert tcp $HOME_NET any -> [44.218.45.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240618/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240618; rev:1;) alert tcp $HOME_NET any -> [18.118.138.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240617; rev:1;) alert tcp $HOME_NET any -> [14.225.19.116] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240616; rev:1;) alert tcp $HOME_NET any -> [47.242.21.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240615; rev:1;) alert tcp $HOME_NET any -> [103.47.195.200] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip136.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilon1337.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240612; rev:1;) alert tcp $HOME_NET any -> [185.249.227.27] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240611; rev:1;) alert tcp $HOME_NET any -> [94.156.66.77] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240610; rev:1;) alert tcp $HOME_NET any -> [159.223.52.78] 9782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240609; rev:1;) alert tcp $HOME_NET any -> [5.189.175.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240608; rev:1;) alert tcp $HOME_NET any -> [181.162.178.142] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240606/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240606; rev:1;) alert tcp $HOME_NET any -> [107.148.237.29] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240607; rev:1;) alert tcp $HOME_NET any -> [209.126.7.24] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240605; rev:1;) alert tcp $HOME_NET any -> [185.146.156.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240604; rev:1;) alert tcp $HOME_NET any -> [45.83.31.204] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240603; rev:1;) alert tcp $HOME_NET any -> [51.81.90.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240602; rev:1;) alert tcp $HOME_NET any -> [23.101.226.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240601; rev:1;) alert tcp $HOME_NET any -> [13.237.100.49] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240600; rev:1;) alert tcp $HOME_NET any -> [193.26.115.221] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240599; rev:1;) alert tcp $HOME_NET any -> [186.112.206.181] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240598; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240597; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240596; rev:1;) alert tcp $HOME_NET any -> 
[216.245.181.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240595/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240595; rev:1;) alert tcp $HOME_NET any -> [5.250.189.135] 40750 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240594/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240594; rev:1;) alert tcp $HOME_NET any -> [4.145.90.29] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240593/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240593; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2271 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240592; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240590; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240591/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240591; rev:1;)
# ip:port rules: the rule header is the whole match condition - TCP from $HOME_NET
# to the listed address and destination port. There is no flow or payload keyword,
# so an alert shows that an internal host sent traffic to that endpoint; it does
# not show that a session was established or that the bytes were the named
# family's protocol. Corroborate with flow or endpoint data before escalating.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one
# alert per source address per 60 seconds, so alert counts understate connection
# counts. target:src_ip marks the internal source as the affected side.
# The DarkComet rules here share the destination 187.135.86.23 and differ only in
# destination port, sid and reference, so hits on any of them concern one remote host.
alert tcp $HOME_NET any -> [187.135.86.23] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240589; rev:1;)
alert tcp $HOME_NET any -> [187.135.86.23] 1899 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240588; rev:1;)
alert tcp $HOME_NET any -> [187.135.86.23] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240587; rev:1;)
alert tcp $HOME_NET any -> [187.135.86.23] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240585; rev:1;)
alert tcp $HOME_NET any -> [187.135.86.23] 1656 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240586; rev:1;)
alert tcp $HOME_NET any -> [45.131.132.55] 5520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240584; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 9995 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240583; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 3026 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240582; rev:1;) alert tcp $HOME_NET any -> [167.99.112.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240581; rev:1;) alert tcp $HOME_NET any -> [120.27.132.223] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240580; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 52120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240579; rev:1;) alert tcp $HOME_NET any -> [60.204.249.34] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240578; rev:1;) alert tcp $HOME_NET any -> [185.193.126.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240577; rev:1;) alert tcp $HOME_NET any -> [8.222.184.154] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vre"; depth:4; nocase; http.host; content:"newyear7250.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gka/index.php"; depth:14; nocase; http.host; content:"185.79.156.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/austino/index.php"; depth:18; nocase; http.host; content:"45.95.147.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"i42325.hostru2.fornex.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"bruxara.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sm.jrworcester.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"absolutecache.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240565; rev:1;)
# NOTE(review): confidence_level is 25 on the next rule, against 90-100 on the
# neighbouring rules, and it matches on address and port only. Treat a hit as a
# weak signal and corroborate it before acting; consumers that block on this feed
# may want to filter on the confidence_level metadata.
alert tcp $HOME_NET any -> [179.43.175.207] 809 (msg:"ThreatFox Cobalt Strike payload delivery (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240394/; target:src_ip; metadata: confidence_level 25, first_seen 2024_02_16; classtype:trojan-activity; sid:91240394; rev:1;)
# NOTE(review): the next three rules (sid 91240562, 91240563, 91240564) match a
# hostname inside the http.uri buffer, pinned to offset 0 by depth, and carry no
# http.host match. The other url rules in this file match a "/"-prefixed path in
# http.uri and the hostname in http.host with isdataat:!1,relative. A request URI
# that begins with "/" cannot satisfy these contents, so these rules may give no
# coverage for ordinary requests to these hosts - presumably the source IOC had
# no path component; confirm against the referenced ThreatFox entries and do not
# count these sids as working detections until tested against sample traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"poseidon99.duckdns.org"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1240562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"trabajovalle2019.duckdns.org"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1240563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"harold.jetos.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1240564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokuti41.top"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240556; rev:1;)
# domain rules: in each rule depth equals the length of the domain string and
# isdataat:!1,relative requires that no byte follows the match, so the rule fires
# only when the DNS query name is exactly the listed domain (case-insensitive via
# nocase). A query for a subdomain of a listed domain does not match; if subdomain
# coverage is wanted it has to come from another rule or from DNS log matching.
# These rules alert on the lookup itself, which shows resolution was attempted by
# the source host (or by an internal resolver on its behalf), not that a
# connection to the resolved address followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiwpj11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasbrq34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xokecn54.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewamcd41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekyil22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240561/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_16; classtype:trojan-activity; sid:91240561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saas01.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewabpl55.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasrzh25.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knudqw18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewafal62.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"ewawtm26.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyxlx33.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moraku02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morhas01.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haijwd23.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaunl38.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaosm65.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morfiw05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasctx32.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewadgz11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raspdh35.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240554; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hairdx22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befrgv71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuawt52.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befixc63.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moryei03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"knurxh28.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewavmp35.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beflku61.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiezf32.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcgu03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewafxq25.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240530/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240530; rev:1;)
# ThreatFox domain IOCs, all first_seen 2024_02_16 with confidence_level 100. The feed
# header is stamped months later, so check the referenced ThreatFox record before
# treating a hit as live C2.
# Each rule inspects the DNS query name: depth equals the length of the content string
# and isdataat:!1,relative forbids any byte after it, so only a query for the exact
# name matches (nocase makes the comparison case-insensitive). A query for a subdomain
# of a listed name does not fire.
# target:src_ip marks the querying host as the alert target. Where clients resolve
# through an internal resolver, that source is presumably the resolver, not the
# endpoint. Confirm against sensor placement and pair hits with resolver query logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacter42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewauhc58.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortiq04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaumk24.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokacv34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaymo21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortbo03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befuwa51.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewayky18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcyr03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasqdc22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaisb31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyswug41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smajug75.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smainz71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befuak48.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befkap57.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewadmw53.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokfgl36.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morsyr05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smadyi56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morsuq02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morwiv04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewasic56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morekt05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaqfe45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morqoi02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morhaq06.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuytee11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lysayu42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marjkc03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiolr12.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240498; 
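rev:1;)
# ThreatFox IOCs, all first_seen 2024_02_16 with confidence_level 100. The feed header
# is stamped months later, so check the referenced ThreatFox record before treating a
# hit as live C2.
# Domain rules: depth equals the pattern length and isdataat:!1,relative forbids any
# trailing byte, so only a query for the exact name matches (nocase makes it
# case-insensitive). Subdomains of a listed name do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befzco47.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morbyn04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morups07.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haizul15.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240502; rev:1;)
# URL IOC with a bare host. As published, this rule searched for the host at the start
# of http.uri, which holds the request path and normally begins with "/", so it would
# not be expected to fire. It now matches the Host header via http.host as an exact
# match, the form this feed uses for its URL rules that carry a path. nocase is dropped
# because http.host is already lowercased and the pattern is lowercase. sid and rev are
# left as published; check the ThreatFox record for a path or port in the original URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cdn-uk.widgetsfordeploy.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovuterry.best"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jazzcity.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merknegrok.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warrioruno.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loadkanoe.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"puppybloder.pw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bloadypupper.best"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warriordos.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240490; rev:1;)
# ip:port IOC: there is no flow or content condition, so any TCP packet from $HOME_NET
# to this address on port 80 alerts. The threshold limits that to one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [91.241.19.100] 80 (msg:"ThreatFox Ficker Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adverting-cdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"441autoparts.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240482; rev:1;)
# NOTE(review): several names below sit under what look like shared tunnelling or
# dynamic-DNS parent domains (luyouxia.net, idcfengye.com, openfrp.top, ddns.net). The
# per-tenant subdomains are specific, but free.idcfengye.com reads like a service-wide
# endpoint, so unrelated users of that service may also trigger it. Confirm before
# escalating hits on that rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiaoyuwudi.e3.luyouxia.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.996m2m2.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"54412.e3.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad2916985983.e2.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free.idcfengye.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gx121.e1.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xc091221.e2.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxyhwww.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-he-plc-2.openfrp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"66ddjkr.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kx5555.e3.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.f2pool.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfs666.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"latiao.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asjidoaiosdjo.e3.luyouxia.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdsfhkjf.e3.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240473/; target:src_ip; 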
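metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240473; rev:1;)
# ThreatFox URL IOCs (first_seen 2024_02_16, confidence_level 100) whose indicator is a
# bare host name or IP address. The feed header is stamped months later, so check the
# referenced ThreatFox record before treating a hit as live C2.
# As published, these rules searched for the host string at the start of http.uri
# (content:"<host>"; depth:<len>). That buffer holds the request path and query, which
# normally begins with "/", so the rules would not be expected to fire. The host is
# matched here in http.host instead, with depth plus isdataat:!1,relative for an exact
# match, the form this feed uses for its URL rules that carry a path.
# nocase is dropped: http.host is already lowercased and every pattern is lowercase.
# sid and rev are left as published. The referenced ThreatFox record shows whether the
# original URL also had a path or port worth adding as a further condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bubbebottle.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.66.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.244.48.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"176.124.198.17"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.17.40.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"ffud666.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.242.229.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.163.7.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.89.239.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"95.216.72.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.105.132.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.64.41"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.91.123.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"92.246.138.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"104.245.33.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"194.120.116.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"138.201.196.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"florianhabeler.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.75.177.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"phoenixexec.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.66.57"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.87.153.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.91.76.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"109.107.181.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"82.115.223.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.66.85.128"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.66.58"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"janmorath.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"82.115.223.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"149.255.35.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"dskflherlkhopihsf.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"116.203.180.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.65.54"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"ettoregiardina.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"109.107.182.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.105.132.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"finnmanninger.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"raphaelbischoff.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"giveapp.pro"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 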
http.uri; content:"185.172.128.79"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check/safe"; depth:11; nocase; http.host; content:"app.alie3ksgaa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carvewomanflavourwop.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"negliganceassumeruew.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crisisestimatehealtwh.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayleafletcamerakwov.site"; 
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brickabsorptiondullyi.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assaultseekwoodywod.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retainfactorypunishjkw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"communicationinchoicer.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"braidfadefriendklypk.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240422; rev:1;)
# ThreatFox "domain" indicators: DNS queries from $HOME_NET for a listed C2 name.
# depth equals the content length and isdataat:!1,relative requires that nothing follows
# the match, so each rule fires only when the queried name is exactly the listed domain
# (nocase makes the comparison case-insensitive). A query for a subdomain of the same
# name is not covered by these rules.
# NOTE(review): dns_query is the older spelling of the dns.query buffer; confirm the
# deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleetconsciousnessjuiw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oluaskaz.pw"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contextsuffreintymore.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joystickempiricalhirpw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makeexpectentrypon.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240399/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_16; classtype:trojan-activity; sid:91240399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attachmentartikidw.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"willpoweragreebokkskiew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"racerecessionrestrai.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vesselspeedcrosswakew.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goddirtybrilliancece.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240404; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consciouosoepewmausj.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beaturifuelministyuowwas.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conferenctdressingshrw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cooperatecliqueobstac.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvoikcloud.pw"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"gearboomchocolateowfs.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"radicalleafletmissfoxw.pw"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evokenumberpottruckere.fun"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doonwload.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationinchoicer.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"retainfactorypunishjkw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"assaultseekwoodywod.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickabsorptiondullyi.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sayleafletcamerakwov.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"crisisestimatehealtwh.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240388; rev:1;)
# ThreatFox "url" indicators with both a path and a host condition.
# A rule fires on an established client-to-server HTTP flow when the method buffer
# contains GET, http.uri starts with "/api" (case-insensitive prefix, so longer paths
# beginning with /api also match) and http.host is exactly the listed domain
# (depth equals the content length, isdataat:!1,relative forbids trailing bytes).
# These rules rely on the HTTP parser, so they see cleartext HTTP only. The same domains
# also have dns_query rules in this file (for example sid 91240414 for
# carvewomanflavourwop.site), which is the coverage that remains when the session is TLS.
# NOTE(review): requests using a method other than GET are not matched. Confirm that is
# what the indicator intends.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carvewomanflavourwop.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doonwload.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"radicalleafletmissfoxw.pw"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gearboomchocolateowfs.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240384/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tvoikcloud.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cooperatecliqueobstac.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"beaturifuelministyuowwas.site"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"consciouosoepewmausj.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vesselspeedcrosswakew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pavementpreferencewjiao.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"racerecessionrestrai.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"willpoweragreebokkskiew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"joystickempiricalhirpw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"contextsuffreintymore.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fleetconsciousnessjuiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"141.98.81.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240371/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"52.91.67.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240370; rev:1;) alert tcp $HOME_NET any -> [185.179.217.216] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240368; rev:1;) alert tcp $HOME_NET any -> [172.232.174.6] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1240366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240366; rev:1;)
# ThreatFox "ip:port" indicators: the tcp rules carry no flow or payload conditions, so any
# TCP packet from $HOME_NET to the listed address and port matches. The threshold
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per source
# address per 60 seconds.
# An ip:port hit records a connection attempt to the address, not the protocol spoken on it.
# Where the feed also ships url rules for the same address, correlate the two: 52.91.67.138
# appears in the Cobalt Strike ip:port rule (sid 91240362) and in the url rules for /pixel
# and /g.pixel (sids 91240370 and 91240361).
alert tcp $HOME_NET any -> [103.178.235.32] 19990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240365; rev:1;)
# Domain indicator: exact-name match on the DNS query (depth equals the content length, no trailing bytes allowed).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiefuwuqi.20242525.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240364; rev:1;)
alert tcp $HOME_NET any -> [175.24.197.196] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240363; rev:1;)
alert tcp $HOME_NET any -> [52.91.67.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"52.91.67.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240361; rev:1;) alert tcp $HOME_NET any -> [130.185.249.90] 6667 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.234.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.24.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240357; rev:1;) alert tcp $HOME_NET any -> [95.217.24.13] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240354/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240354; rev:1;) alert tcp $HOME_NET any -> [78.46.234.146] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240355; rev:1;) alert tcp $HOME_NET any -> [95.216.182.244] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240356; rev:1;) alert tcp $HOME_NET any -> [1.14.206.144] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240353; rev:1;) alert tcp $HOME_NET any -> [193.233.255.127] 36579 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240352; rev:1;) alert tcp $HOME_NET any -> [143.198.95.76] 42061 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240351; rev:1;) alert tcp $HOME_NET any -> [147.45.42.25] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240350; rev:1;) alert tcp $HOME_NET any -> [122.10.49.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240349; rev:1;) alert tcp $HOME_NET any -> [122.10.27.225] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240348; rev:1;) alert tcp $HOME_NET any -> [122.10.110.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240347; rev:1;) alert tcp $HOME_NET any -> [86.121.139.203] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240346; rev:1;) alert tcp $HOME_NET any -> [189.140.70.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240345; rev:1;) alert tcp 
$HOME_NET any -> [75.173.26.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240344; rev:1;) alert tcp $HOME_NET any -> [72.27.169.43] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240343; rev:1;) alert tcp $HOME_NET any -> [50.35.143.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240342; rev:1;) alert tcp $HOME_NET any -> [189.253.230.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240341; rev:1;) alert tcp $HOME_NET any -> [41.147.196.189] 80 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240340; rev:1;) alert tcp $HOME_NET any -> [107.189.31.164] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240339/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240339; rev:1;) alert tcp $HOME_NET any -> [173.237.206.178] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240338; rev:1;) alert tcp $HOME_NET any -> [47.232.161.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240337; rev:1;) alert tcp $HOME_NET any -> [89.147.111.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240336; rev:1;) alert tcp $HOME_NET any -> [34.141.124.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240335; rev:1;) alert tcp $HOME_NET any -> [95.217.6.101] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240334; rev:1;) alert tcp $HOME_NET any -> [20.41.216.145] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240333; rev:1;) alert tcp $HOME_NET any -> [69.46.36.217] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240332; rev:1;) alert tcp $HOME_NET any -> [137.184.96.202] 22 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basenetgear.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eeatgoodx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frenchpies.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tnoodlezy.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"31.41.244.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"194.26.135.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240320; rev:1;)
# ip:port rules such as the next one carry no flow, flags or content keyword: any TCP
# packet from $HOME_NET to the listed address and port matches, including a connection
# attempt that is never answered. The threshold caps this at one alert per source per
# 60 seconds. Treat a hit as "contact attempted", not as a confirmed C2 session.
alert tcp $HOME_NET any -> [103.195.236.98] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240321; rev:1;)
# NOTE(review): this rule places a hostname in the http.uri buffer (depth:23) and has no
# http.host match, unlike the other url rules in this file. A request URI in origin form
# begins with "/", so this content is unlikely to match at the start of the buffer and
# the rule may never fire. The intended check is presumably
#   http.host; content:"persikmonkiey7drone.com"; depth:23; isdataat:!1,relative;
# -- confirm against the feed entry. The dns rule sid:91240323 below covers lookups of
# the same name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"persikmonkiey7drone.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1240322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"persikmonkiey7drone.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240323; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240324/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240324; rev:1;)
alert tcp $HOME_NET any -> [3.126.37.18] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240325/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240325; rev:1;)
# NOTE(review): 172.67.167.246 appears to sit in address space announced by a large
# reverse-proxy/CDN provider (Cloudflare 172.64.0.0/13 -- confirm), where one address
# fronts many unrelated sites. On port 80 with confidence_level 75, expect hits from
# benign browsing; correlate with the HTTP Host seen on the flow before treating a hit
# as an infection.
alert tcp $HOME_NET any -> [172.67.167.246] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240328; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.133] 2025 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cy58784.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0919167.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmdlecentral.php"; depth:17; nocase; http.host; content:"386958cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polltrack2/traffic3/6datalife9/line0api/privatevmapi/wpwindows6/server3image/flowerwindowswindows/wordpresspublictest/mariadbasyncwordpress/1sql/phptracktesttemporary/http/8eternal0/httpapidefaultcdn.php"; depth:204; nocase; http.host; content:"159.89.17.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240318; rev:1;) alert tcp $HOME_NET any -> 
[91.92.250.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"41.216.183.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240316; rev:1;) alert tcp $HOME_NET any -> [93.177.75.98] 56816 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240315; rev:1;) alert tcp $HOME_NET any -> [179.60.149.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/produce/editorial/ydpobkjg"; depth:27; nocase; http.host; content:"saturnexa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240312; rev:1;)
# The rule ending above (sid:91240312) and the next four (sid:91240311, 91240310,
# 91240309, 91240308) have identical match conditions: GET, URI prefix "/bot/regex",
# host "ww25.searchseedphase.online". Only reference and sid differ. None of them has a
# threshold, so a single matching request raises five alerts. Deduplicate downstream
# (for example on src_ip + http.host) or keep one sid and suppress the others locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240308; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 15119 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240302; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 15119 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0918108.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240301; rev:1;)
# confidence_level 50 on port 443: the match is on destination address and port only,
# with no payload inspected, so a hit shows that contact was attempted, not that a
# QakBot session took place. Check first_seen in the metadata and corroborate with host
# telemetry before acting on these.
alert tcp $HOME_NET any -> [86.98.19.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240300; rev:1;)
alert tcp $HOME_NET any -> [197.204.24.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1240299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240299; rev:1;) alert tcp $HOME_NET any -> [31.117.25.91] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240298; rev:1;) alert tcp $HOME_NET any -> [124.149.139.54] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240297; rev:1;) alert tcp $HOME_NET any -> [95.7.52.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240296; rev:1;) alert tcp $HOME_NET any -> [70.31.125.111] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240295; rev:1;) alert tcp $HOME_NET any -> [145.82.207.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240294; rev:1;) alert tcp $HOME_NET any -> [128.199.116.190] 5000 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yuya0415.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/tb9ayt.php"; depth:45; nocase; http.host; content:"www.itechatglance.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sfodyf.php"; depth:45; nocase; http.host; content:"wiseloose.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/dyyxgt.php"; depth:45; nocase; http.host; content:"www.bianca-maria-roth.de"; depth:24; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1240289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elperiodico/wp-content/themes/twentytwentyfour/ahkmwa.php"; depth:58; nocase; http.host; content:"elperiodicopanama.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hub/bbpress/ny9jlw.php"; depth:41; nocase; http.host; content:"aquatest.it"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"88888cl.nyashtyan.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240292; rev:1;) alert tcp $HOME_NET any -> [95.217.244.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240285; rev:1;) alert tcp $HOME_NET any -> 
[95.217.244.208] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240286; rev:1;)
# http.uri content:"/" with depth:1 is satisfied by any request path that starts with
# "/", so the next two rules effectively match on http.host alone. They are also
# identical apart from reference and sid (91240284, 91240283) and have no threshold, so
# each matching request alerts twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240283; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.20] 415 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240281; rev:1;)
# The url rules below anchor the URI with depth only and have no end-of-buffer check on
# http.uri, so they match any request whose path starts with the listed string
# (a longer path or an appended query string still matches).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnx/fgb"; depth:8; nocase; http.host; content:"globalpanelinc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfe/sdq"; depth:8; nocase; http.host; content:"realponti.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240279; rev:1;)
# NOTE(review): cdn.discordapp.com is a shared content host. This rule is tied to one
# attachment path (depth:79), so other content on that host does not match. It is an
# `alert http` rule and therefore sees the request only in cleartext HTTP or in
# decrypted traffic; presumably this CDN is normally reached over HTTPS -- confirm TLS
# inspection coverage, or track the file by hash on the endpoint instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063900897270304770/1207265114458161172/4_npp.8.6.portable.x64.zip"; depth:79; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/additional_details"; depth:19; nocase; http.host; content:"miosecurezza.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financial_access"; depth:17; nocase; http.host; content:"miosecurezza.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240276; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/u7arje.php"; depth:42; nocase; http.host; content:"www.joannamalecka.pl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240275; rev:1;)
# Layout: one rule per physical line from here on. The first and last lines of
# this span are halves of rules that continue on the neighbouring lines and are
# left exactly as found.
#
# URL indicators (alert http). Each rule needs a GET request from $HOME_NET whose
# http.uri starts with the listed path and whose http.host equals the listed name.
#   - http.uri: depth equals the pattern length, so the match is anchored at the
#     start of the buffer; nothing anchors the end, so a longer URI with the same
#     prefix (extra path segments, a query string) also matches.
#   - http.host: depth plus isdataat:!1,relative leaves no room before or after
#     the pattern, i.e. an exact host match; sibling or sub-domains do not match.
#   - These rules only see requests Suricata parses as HTTP. The same request
#     inside TLS is invisible to them unless traffic is decrypted before inspection.
#   - target:src_ip marks the $HOME_NET client as the affected side of the alert.
#
# The next paths sit under /wp-content/themes/ on unrelated host names; presumably
# these are compromised WordPress sites rather than attacker-owned domains. Check
# the referenced ThreatFox entry before blocking a whole host (assumption, verify).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentythirteen/hcslmt.php"; depth:44; nocase; http.host; content:"mediterraneaclean.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/nhdxtk.php"; depth:45; nocase; http.host; content:"mesabierta.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/wp-content/themes/twentytwenty/ayboiw.php"; depth:46; nocase; http.host; content:"miguelkhoury.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"watermjx.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240271; rev:1;)
# ip:port indicators (alert tcp). No flow or content options are present, so the
# rule matches on addresses and destination port alone: any TCP packet from
# $HOME_NET to the listed endpoint, including a connection attempt that never
# completes. The threshold option caps output at one alert per source address
# per 60 seconds for each sid. Both entries below carry confidence_level 75.
alert tcp $HOME_NET any -> [46.183.223.29] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240270; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.33] 6789 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240269; rev:1;)
# Several of the following rules share one URI prefix across sibling names
# (mine-495834.<tld>). Because http.host is matched exactly, each name needs its
# own rule; a name not listed here is not covered by any of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240267/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"feeeleen.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240268/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240265/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240264/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240264; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.60] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240263; rev:1;)
# Layout: one rule per physical line below; the first and last lines of this span
# are halves of rules that continue on the neighbouring lines and are unchanged.
#
# Endpoint (ip:port) indicators. These alert tcp rules carry no flow, content or
# app-layer keyword: they identify a destination address and port, not a protocol
# or payload. Consequences for triage:
#   - A hit can be a bare connection attempt; confirm with flow records whether a
#     session was established and how much data moved.
#   - On 443 the rule says nothing about the TLS session (SNI, certificate); pull
#     those from TLS logs if available.
#   - threshold: type limit, track by_src, seconds 60, count 1 means at most one
#     alert per source address per minute per sid, so alert counts understate
#     connection counts.
#   - msg "Unknown malware" means the rule text names no family; the reference
#     URL is the only pointer to further context.
#   - Every entry has first_seen 2024_02_15. Addresses get reassigned, so check
#     the referenced entry is still current before treating a hit as confirmed
#     compromise or adding the address to a block list.
alert tcp $HOME_NET any -> [20.218.68.91] 9552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240212; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.14] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240211; rev:1;)
# Destination port 53 over TCP: the rule is written against tcp, not dns, so it
# fires on the endpoint whether or not the payload is DNS.
alert tcp $HOME_NET any -> [207.246.74.189] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240262; rev:1;)
# Domain indicator (alert dns). dns_query is the older spelling of the dns.query
# sticky buffer. depth equal to the pattern length plus isdataat:!1,relative
# makes this an exact, case-insensitive match on the queried name: a longer name
# ending in the same string does not match. No threshold is set on dns rules, so
# every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.freshstartupusa.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240261; rev:1;)
alert tcp $HOME_NET any -> [3.224.37.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240259; rev:1;)
alert tcp $HOME_NET any -> [20.235.118.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240258; rev:1;)
alert tcp $HOME_NET any -> [175.24.133.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240257; rev:1;)
alert tcp $HOME_NET any -> [54.92.160.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240256; rev:1;)
alert tcp $HOME_NET any -> [165.227.95.225] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240254; rev:1;)
alert tcp $HOME_NET any -> [51.81.237.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240255; rev:1;)
alert tcp $HOME_NET any -> [16.170.251.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240253; rev:1;)
alert tcp $HOME_NET any -> [13.50.203.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240252; rev:1;)
alert tcp $HOME_NET any -> [170.64.157.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240251; rev:1;)
alert tcp $HOME_NET any -> [139.59.19.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240250; rev:1;)
alert tcp $HOME_NET any -> [18.210.152.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240249; rev:1;)
alert tcp $HOME_NET any -> [165.227.68.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"play.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240247; rev:1;)
alert tcp $HOME_NET any -> [49.12.123.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240245; rev:1;)
alert tcp $HOME_NET any -> [106.15.234.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240246; rev:1;)
alert tcp $HOME_NET any -> [43.131.253.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240244; rev:1;)
alert tcp $HOME_NET any -> [39.109.86.101] 34013 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240243; rev:1;)
alert tcp $HOME_NET any -> [128.199.116.190] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240242; rev:1;)
# Layout: one rule per physical line below; the first and last lines of this span
# are halves of rules that continue on the neighbouring lines and are unchanged.
#
# Mixed endpoint (alert tcp) and domain (alert dns) indicators, all at
# confidence_level 100 with the family named in msg where the feed has one.
#   - The tcp rules match on destination address and port only. On port 80 or
#     8080 they fire regardless of the Host header or URI requested, so use the
#     HTTP log for the same flow to see what was actually asked for.
#   - threshold: type limit, track by_src, seconds 60, count 1 suppresses repeat
#     alerts from the same source within a minute; a beaconing host shows up as
#     a steady one-per-minute series rather than one alert per connection.
#   - The dns rules match the queried name exactly and case-insensitively (depth
#     equal to the pattern length, then isdataat:!1,relative); they alert on the
#     lookup itself, whether or not a connection follows.
alert tcp $HOME_NET any -> [74.234.3.141] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240241; rev:1;)
alert tcp $HOME_NET any -> [154.82.85.78] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l3mon.emilemilchen.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240239; rev:1;)
alert tcp $HOME_NET any -> [115.74.30.127] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240238; rev:1;)
alert tcp $HOME_NET any -> [178.62.57.69] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240237; rev:1;)
# NOTE(review): the name below embeds an IPv4-looking label sequence, which looks
# like a hosting provider's automatically assigned host name. If so, the
# indicator is tied to whoever holds that address; re-check the referenced entry
# before keeping it as a long-term block.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.181.200.107.91.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240236; rev:1;)
alert tcp $HOME_NET any -> [188.166.194.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240235; rev:1;)
alert tcp $HOME_NET any -> [82.146.52.203] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240234; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qq00.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240232; rev:1;)
alert tcp $HOME_NET any -> [45.14.247.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240231; rev:1;)
alert tcp $HOME_NET any -> [164.92.238.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240230; rev:1;)
alert tcp $HOME_NET any -> [192.250.225.3] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240229; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240228; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.221] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240227; rev:1;)
alert tcp $HOME_NET any -> [45.40.96.97] 9441 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240226; rev:1;)
alert tcp 
$HOME_NET any -> [45.134.83.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240224; rev:1;)
# Layout: one rule per physical line below; the first and last lines of this span
# are halves of rules that continue on the neighbouring lines and are unchanged.
#
# Endpoint indicators for AsyncRAT, Sliver and Cobalt Strike. The rules match a
# destination address and port from $HOME_NET with no payload inspection, and
# alert at most once per source per 60 seconds (threshold: type limit).
#   - Sliver entries are published at confidence_level 90, the rest at 100.
#   - Sliver and Cobalt Strike are also used in authorised security testing;
#     rule out a sanctioned engagement as part of triage.
#   - 35.208.198.77 is listed on both 443 and 80 under separate sids, so one host
#     talking to it on both ports produces two alert streams.
#   - Some ports coincide with well-known services (80, 443, 1433). The rule does
#     not check what protocol is spoken, only where the packet is going.
alert tcp $HOME_NET any -> [147.189.172.2] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240225; rev:1;)
alert tcp $HOME_NET any -> [132.145.209.99] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240223/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_15; classtype:trojan-activity; sid:91240223; rev:1;)
alert tcp $HOME_NET any -> [4.157.160.27] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240222/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_15; classtype:trojan-activity; sid:91240222; rev:1;)
alert tcp $HOME_NET any -> [35.208.198.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240221; rev:1;)
alert tcp $HOME_NET any -> [35.208.198.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240220; rev:1;)
alert tcp $HOME_NET any -> [172.233.67.44] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240219; rev:1;)
alert tcp $HOME_NET any -> [104.168.173.70] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240218; rev:1;)
alert tcp $HOME_NET any -> [106.54.227.54] 6655 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240217; rev:1;)
alert tcp $HOME_NET any -> [8.148.10.39] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240216; rev:1;)
alert tcp $HOME_NET any -> [210.114.11.173] 806 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240215; rev:1;)
alert tcp $HOME_NET any -> [47.92.27.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240214; rev:1;)
# Exact-name DNS match (depth equals the pattern length, isdataat:!1,relative
# forbids trailing bytes).
# NOTE(review): the name embeds an IPv4-looking sequence and resembles a cloud
# provider's automatically assigned host name; if so, its value depends on who
# currently holds that address. Confirm against the referenced entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-124-71-158-221.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240213; rev:1;)
# The host here is api.telegram.org, a legitimate messaging API; only the bot
# path in http.uri makes the rule specific. The URI pattern is stored lower-cased
# and matched with nocase, anchored at the start of the URI; request parameters
# after the path still match.
# NOTE(review): this is an alert http rule, so it needs the request in clear
# text. Traffic to this API is normally TLS, in which case the rule only fires
# behind TLS inspection. Confirm for your sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot5358754228:aae42hagw1bzipxu7ivrc_96iduhcwsjjvo/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240209; rev:1;)
alert tcp $HOME_NET any -> [154.197.124.161] 1111 (msg:"ThreatFox DBatLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abotihy.exe"; depth:12; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; 
sid:91240206; rev:1;)
# Layout: one rule per physical line below; the first and last lines of this span
# are halves of rules that continue on the neighbouring lines and are unchanged.
#
# "payload delivery" URL rules: a GET for an .exe path on one exact host name
# over clear-text HTTP. The URI pattern is anchored at the start only (depth
# equals its length), so the same path followed by a query string still matches;
# the host must match exactly (depth plus isdataat:!1,relative). A hit means the
# client requested the file; check the HTTP/file logs for the response status
# and size before concluding that anything was downloaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.exe"; depth:10; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240208; rev:1;)
# Endpoint rules at confidence_level 75: destination address and port only, one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [192.177.98.104] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240205/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240205; rev:1;)
alert tcp $HOME_NET any -> [154.197.124.161] 2222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240203; rev:1;)
# DNS rule for the same name used by the payload-delivery URL rules above, but
# published at confidence_level 75. It fires on the lookup alone, so it also
# covers paths and methods the URL rules do not, and HTTPS where they see nothing.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"llllllllllllllllllllllllllll.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240204/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240204; rev:1;)
# http.host holds an IP literal here: the rule matches requests that address the
# server by that IP in the Host header. The path itself (/pixel.gif) is generic;
# the exact host match is what keeps the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"42.193.16.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240202; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.192] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240198; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.173] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240199; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.175] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240200; rev:1;)
alert tcp $HOME_NET any -> [45.156.21.39] 3443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240201; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.233] 3608 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240197; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.25] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240196; rev:1;)
# Long, distinctive .php paths; the URI pattern is stored lower-cased and
# matched with nocase, so the casing seen on the wire may differ from the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geolongpollbaselinuxtraffictrackdatalifetemporary.php"; depth:54; nocase; http.host; content:"372451cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaad/httppacketcpubigloadgeneratorwordpressprivatetemporary.php"; depth:65; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"164.155.206.126"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1240183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240183; rev:1;)
# Layout: one rule per physical line below; the first and last lines of this span
# are halves of rules that continue on the neighbouring lines and are unchanged.
#
# Two families of URL rules keyed on an IP-literal Host header:
#   /login/index  and  /auth/login
# Both paths are common on ordinary web applications. What makes each rule
# specific is the exact http.host match (depth equal to the pattern length plus
# isdataat:!1,relative), so each server address needs its own sid.
# Points to keep in mind when a rule here fires or stays silent:
#   - Only GET requests are matched (http.method content "GET"); a POST to the
#     same path on the same host does not alert.
#   - The URI match is a prefix match: longer paths starting with the pattern,
#     or the path followed by a query string, also match.
#   - The rules see clear-text HTTP only. If the same server is reached over
#     TLS, nothing here fires unless traffic is decrypted before inspection.
#   - No threshold is set on these http rules, so every matching request alerts.
#   - The msg names no malware family; use the reference URL for attribution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"8.134.166.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"180.76.179.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"134.122.132.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"134.122.132.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"82.157.154.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"116.204.110.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.75.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"2.56.109.134"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.251"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.40.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.40.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.113.116.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"103.241.72.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"139.180.191.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240179; rev:1;)
alert tcp 
$HOME_NET any -> [45.93.9.119] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240180; rev:1;)
# ip:port IOCs. These rules carry no flow or content keywords, so the match is on
# addressing alone: any TCP packet from $HOME_NET to the listed address and port.
# NOTE(review): that looks like it includes connection attempts that never complete,
# so an alert shows an attempt to reach the endpoint, not a confirmed session -
# corroborate with flow or endpoint data.
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one alert
# per source address per 60 seconds for each rule.
# target:src_ip records the $HOME_NET host as the target (victim) in the event.
# The family is given only as "Unknown malware"; see the reference URL per rule.
alert tcp $HOME_NET any -> [45.93.9.98] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240181; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.108] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240182; rev:1;)
alert tcp $HOME_NET any -> [87.121.112.29] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240162; rev:1;)
alert tcp $HOME_NET any -> [87.121.112.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240163; rev:1;)
alert tcp $HOME_NET any -> [94.131.13.80] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240164; rev:1;)
alert tcp $HOME_NET any -> [20.187.91.63] 59413 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240165; rev:1;)
# Three neighbouring addresses in 85.204.116.x on ports 1311, 1288 and 1287.
alert tcp $HOME_NET any -> [85.204.116.230] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240166; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.231] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240167; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.128] 1287 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240168; rev:1;)
# URL IOC on a shared API-gateway hostname: the http.host match is exact (depth equal
# to the pattern length plus isdataat:!1,relative), so only this one service name
# matches, not other hosts under the same parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240193/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240193; rev:1;)
# URL IOCs over cleartext HTTP: GET, URI starting with the listed path (prefix match
# at offset 0, nocase), http.host equal to the listed address (depth equal to the
# pattern length, then isdataat:!1,relative asserts nothing follows).
# NOTE(review): "/updates" and "/j.ad" are short prefixes; any longer URI beginning
# with them on the same host also matches, because the URI match has no end anchor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.24.179.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"42.3.121.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240191; rev:1;)
# ip:port IOCs: no flow or content keywords, so the match is on destination address
# and port only. threshold limits output to one alert per source address per
# 60 seconds for each rule; target:src_ip records the $HOME_NET host as the victim.
alert tcp $HOME_NET any -> [212.193.11.40] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240190; rev:1;)
# NOTE(review): port 443 with an address-only match cannot tell C2 traffic from any
# other service reachable on the same address and port; corroborate before acting.
alert tcp $HOME_NET any -> [195.133.88.98] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240155/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_15; classtype:trojan-activity; sid:91240155; rev:1;)
alert tcp $HOME_NET any -> [91.201.67.85] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240156/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_15; classtype:trojan-activity; sid:91240156; rev:1;)
# Family given only as "Unknown malware"; ports 1311, 1288 and 1302. See the
# reference URL on each rule for the submitter's context.
alert tcp $HOME_NET any -> [161.35.88.106] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240157; rev:1;)
alert tcp $HOME_NET any -> [161.35.89.255] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240158; rev:1;)
alert tcp $HOME_NET any -> [161.35.90.184] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240159; rev:1;)
alert tcp $HOME_NET any -> [165.22.201.172] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240160; rev:1;)
alert tcp $HOME_NET any -> [24.144.81.7] 1302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240161; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.34] 6667 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240154; rev:1;)
# ip:port IOCs at confidence_level 50. The rules match on destination address and
# port only (no flow or content keywords); threshold limits output to one alert per
# source address per 60 seconds for each rule.
# NOTE(review): treat hits as leads, not verdicts. Most entries use 443 or 80, where
# an address-only match cannot separate C2 from other services on the same address.
# first_seen is 2024_02_15 while the feed header reads "Last updated: 2024-07-26",
# so these entries were roughly five months old at generation time and the
# addresses may have changed hands since - check the reference URL for status.
alert tcp $HOME_NET any -> [172.232.186.100] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240153; rev:1;)
# QakBot entries: ports 443, 995 and 2222.
alert tcp $HOME_NET any -> [41.96.151.65] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240152; rev:1;)
alert tcp $HOME_NET any -> [79.107.137.189] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240151; rev:1;)
alert tcp $HOME_NET any -> [197.204.251.116] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240150; rev:1;)
alert tcp $HOME_NET any -> [68.56.172.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240149; rev:1;)
alert tcp $HOME_NET any -> [78.101.28.103] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240148; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.111] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240147; rev:1;)
alert tcp $HOME_NET any -> [2.49.60.224] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240146; rev:1;)
alert tcp $HOME_NET any -> [118.38.132.38] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240145; rev:1;)
# NOTE(review): destination port 445. Outbound SMB from $HOME_NET to an external
# address is worth investigating whatever the feed label says, and is normally
# blocked at the perimeter; a hit here also suggests that egress control is missing.
alert tcp $HOME_NET any -> [209.94.58.96] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240144; rev:1;)
# Havoc and Deimos entries on ports 443 and 80.
alert tcp $HOME_NET any -> [34.76.179.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240143; rev:1;)
alert tcp $HOME_NET any -> [13.233.144.170] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240142; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.240] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240141; rev:1;)
alert tcp $HOME_NET any -> [45.55.200.153] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240140; rev:1;)
alert tcp $HOME_NET any -> [34.138.61.159] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240139; rev:1;)
# Family given only as "Unknown malware", port 7443.
alert tcp $HOME_NET any -> [157.90.120.132] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240138; rev:1;)
alert tcp $HOME_NET any -> [34.82.156.114] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1240137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240137; rev:1;)
# ip:port IOC, confidence_level 50, destination port 445: matches on address and
# port only, at most one alert per source address per 60 seconds.
# NOTE(review): outbound SMB from $HOME_NET to an external address is normally
# blocked at the perimeter; a hit here also suggests that egress control is missing.
alert tcp $HOME_NET any -> [185.196.9.214] 445 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240136; rev:1;)
# URL IOCs over cleartext HTTP: GET, URI starting with the listed path (content +
# depth equal to the pattern length = prefix match at offset 0, nocase), http.host
# equal to the listed host (same depth trick, then isdataat:!1,relative asserts that
# nothing follows).
# NOTE(review): the path patterns appear to have been lowercased by the feed
# generator; nocase keeps the match case-insensitive, so consult the reference URL
# for the URI as originally observed.
# NOTE(review): http.* buffers are only populated for traffic parsed as HTTP; the
# same host reached over TLS will not fire these rules without decryption. There is
# no threshold keyword, so repeated requests can each raise an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poll8trafficcpu/gameflowerlocal/update/cpugeneratortotrack/testpipe/secure/datalifecpu/uploads5/93image0/downloadsproton6/providercpusqlflowerasynclocaluploads.php"; depth:164; nocase; http.host; content:"80.66.89.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrmzmu3odrmy2q4/"; depth:18; nocase; http.host; content:"185.11.61.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovavolvo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240111; rev:1;)
# "payload delivery" URL IOCs: same rule shape as above; the msg marks the URL as a
# download location rather than a C2 endpoint. classtype is still trojan-activity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"grantallardserver.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"casinovipclubs.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"casinovipclubs.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240109; rev:1;)
# Domain IOCs. dns_query is the legacy spelling of the dns.query sticky buffer.
# depth equal to the pattern length plus isdataat:!1,relative makes this an exact,
# case-insensitive match on the whole query name: subdomains of the listed name do
# not match. A hit shows that a $HOME_NET host looked the name up, not that it
# connected; pair it with flow data when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saturnexa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240095; rev:1;)
# snackfunp.com and gspiceyl.com each have a URL rule and a domain rule: the domain
# rule still fires at lookup time when the download itself happens over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdl7ghmq"; depth:9; nocase; http.host; content:"snackfunp.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snackfunp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hh3w6zc6"; depth:9; nocase; http.host; content:"gspiceyl.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gspiceyl.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usaglobalnews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topglobaltv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupmartec.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240084; rev:1;)
# URL IOC at confidence_level 80 (the other URL rules in this group are at 100).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"domnicaa.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240085; rev:1;)
# ip:port IOCs: address-and-port match only, one alert per source per 60 seconds.
# NOTE(review): on port 443 an address-only match cannot tell C2 from any other
# service on the same address; corroborate before acting.
alert tcp $HOME_NET any -> [49.13.89.187] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240134; rev:1;)
alert tcp $HOME_NET any -> [103.114.104.158] 1663 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240133; rev:1;)
alert tcp $HOME_NET any -> [101.200.172.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1240132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240132; rev:1;)
# ip:port IOCs at confidence_level 80. No flow or content keywords are present, so
# each rule matches any TCP packet from $HOME_NET to the listed address and port;
# threshold "type limit, track by_src, seconds 60, count 1" caps output at one alert
# per source address per 60 seconds for each rule. target:src_ip records the
# $HOME_NET host as the target (victim) in the event.
# NOTE(review): the rules say nothing about the role of the listed port (listener
# versus management interface); check the reference URL before drawing conclusions
# about what the internal host was doing.
alert tcp $HOME_NET any -> [115.159.102.112] 8778 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240131; rev:1;)
alert tcp $HOME_NET any -> [192.3.189.182] 51938 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240130; rev:1;)
alert tcp $HOME_NET any -> [114.115.210.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240129; rev:1;)
alert tcp $HOME_NET any -> [124.223.62.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240128; rev:1;)
alert tcp $HOME_NET any -> [198.244.144.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240127; rev:1;)
alert tcp $HOME_NET any -> [193.17.92.248] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240126; rev:1;)
alert tcp $HOME_NET any -> [43.129.239.195] 61111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240125; rev:1;)
alert tcp $HOME_NET any -> [47.94.120.34] 65521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240124; rev:1;)
alert tcp $HOME_NET any -> [47.93.254.171] 5470 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240123; rev:1;)
# One address, four ports: each ip:port pair is a separate ThreatFox entry with its
# own sid, and the per-rule threshold means one host can raise up to four alerts per
# minute against this address.
alert tcp $HOME_NET any -> [187.135.85.245] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240122; rev:1;)
alert tcp $HOME_NET any -> [187.135.85.245] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240121; rev:1;)
alert tcp $HOME_NET any -> [187.135.85.245] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240120; rev:1;)
alert tcp $HOME_NET any -> [187.135.85.245] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240119; rev:1;)
# NOTE(review): the entries below are on ports 80, 443 and 8081. With an address-only
# match, any connection to the same address and port alerts, including unrelated
# services on that address; corroborate with HTTP/TLS logs or endpoint telemetry.
alert tcp $HOME_NET any -> [154.91.83.163] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240118; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.193] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240117; rev:1;)
alert tcp $HOME_NET any -> [194.116.173.154] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240116; rev:1;)
alert tcp $HOME_NET any -> [45.14.244.72] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240115; rev:1;)
alert tcp $HOME_NET any -> [95.216.177.94] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240114; rev:1;)
alert tcp $HOME_NET any -> [88.198.108.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240113; rev:1;)
# From here on first_seen is 2024_02_14. Two addresses on the same port (53092),
# confidence_level 100.
alert tcp $HOME_NET any -> [20.226.21.146] 53092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240107; rev:1;)
alert tcp $HOME_NET any -> [159.112.177.137] 53092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"teamsupd.azurewebsites.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240104/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240104; rev:1;)
# ---------------------------------------------------------------------------
# "/pkg/b/" URL group, first_seen 2024_02_14.
# How the HTTP rules in this group match:
#   - http.method content:"GET": requests using any other method do not alert.
#   - http.uri content:"/pkg/b/"; depth:7 pins the pattern to the first seven
#     bytes of the URI and nothing anchors the end, so this is a prefix match:
#     any URI that begins with /pkg/b/ qualifies.
#   - http.host: depth equals the pattern length and isdataat:!1,relative
#     requires that no data follows, so the Host value must equal the pattern.
# NOTE(review): http.* buffers are only populated for HTTP the sensor can
# parse; the same URL fetched over TLS is not covered unless traffic is
# decrypted upstream. The dns rules in this group are the only coverage here
# that does not depend on cleartext HTTP.
# ---------------------------------------------------------------------------
# DNS counterpart: exact, case-insensitive match on the queried name; a
# subdomain of the name does not match. dns_query is the legacy spelling of
# the dns.query buffer.
# NOTE(review): the name sits under a shared cloud-hosting suffix and the
# entry predates the feed timestamp by months; confirm the indicator is still
# attributed before using it for blocking rather than alerting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamsupd.azurewebsites.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240105; rev:1;)
# Host pattern is a bare IP literal: the rule keys on the Host header value,
# not on the destination address of the connection ($EXTERNAL_NET any).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"23.101.122.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"13.82.186.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240103; rev:1;)
# Domain rule paired with the URL rule sid:91240099 below (same host name).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.itaberabanoticias.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"40.86.174.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"www.itaberabanoticias.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240099; rev:1;)
# The www2 host gets its own URL/domain pair because both buffers are matched
# exactly; the www rules above do not cover it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"www2.itaberabanoticias.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.itaberabanoticias.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240098; rev:1;)
# NOTE(review): no dns rule for this host name is visible next to the URL
# rule, so resolution of the name alone would not alert — confirm whether a
# domain IOC exists elsewhere in the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; 
sid:91240096; rev:1;) alert tcp $HOME_NET any -> [138.68.40.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"cb.1ancast3r.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cb.1ancast3r.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240093; rev:1;) alert tcp $HOME_NET any -> [49.13.89.187] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwork/panel/five/fre.php"; depth:25; nocase; http.host; content:"www.makeyourbrandz.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240090/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240090; rev:1;) alert tcp $HOME_NET any -> [91.92.246.233] 2897 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240081; rev:1;) alert tcp $HOME_NET any -> [175.110.115.65] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240080; rev:1;) alert tcp $HOME_NET any -> [139.198.160.133] 59900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240079; rev:1;) alert tcp $HOME_NET any -> [31.117.122.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240078; rev:1;) alert tcp $HOME_NET any -> [45.59.118.25] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.thunderdepthsforger.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240069; rev:1;)
# ---------------------------------------------------------------------------
# Payload-delivery rules whose URI pattern is just "/" (depth:1); this also
# applies to sid:91240069 above. A request URI in origin form always starts
# with "/", so the URI condition adds no selectivity and nocase on "/" has no
# effect: each rule alerts on any cleartext GET whose Host header equals the
# listed name exactly (depth = pattern length, isdataat:!1,relative).
# Subdomains are separate IOCs because of that exact Host match.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"new-bestfortunes.life"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"canopusacrux.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thunderdepthsforger.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdnstatic.thunderdepthsforger.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240073; rev:1;)
# Overlapping pair for one host: sid:91240074 (URI prefix "/") matches every
# request that sid:91240075 (URI prefix "/y562rjrt") matches, so a GET for the
# specific path raises both alerts. Triage can treat 91240075 as the more
# specific of the two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tnoodlezy.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y562rjrt"; depth:9; nocase; http.host; content:"tnoodlezy.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240075; rev:1;)
# ---------------------------------------------------------------------------
# ip:port rules (alert tcp ... -> [addr] port) carry no flow or payload
# condition: any TCP packet from $HOME_NET to the address and port matches,
# including a SYN that is never answered, so an alert records an attempt and
# not necessarily an established session. threshold limits output to one
# alert per source address per 60 seconds. target:src_ip marks the internal
# host as the affected side in alert metadata.
# This entry is confidence_level 50 with no malware family named.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [172.212.163.113] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240076; rev:1;)
# Duplicate detection logic: sid:91240068 and sid:91240065 (two rules below)
# have identical match options and differ only in reference and sid, so one
# matching request produces two alerts. Neither rule has a threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/welcome/qj81aiz9qhk"; depth:26; nocase; http.host; content:"saturnreviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240068; rev:1;)
alert tcp $HOME_NET any -> [179.60.149.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/welcome/qj81aiz9qhk"; depth:26; nocase; http.host; content:"saturnreviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240065; rev:1;)
# Domain rule for the same host: exact, case-insensitive match on the queried
# name, independent of whether the later HTTP exchange is visible.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saturnreviews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240066; rev:1;)
# Second duplicate pair: sid:91240064 and sid:91240063 are identical apart
# from reference and sid. Both use the "/" URI prefix, so they fire together
# on any cleartext GET whose Host header is this IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240063; rev:1;)
# ip:port rules for the same address on 443 and 9000. The two http rules above
# only see requests the sensor can parse as HTTP; for an encrypted session to
# port 443 these address-based rules are the only coverage in this group.
alert tcp $HOME_NET any -> [65.109.242.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240062; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.48] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240061; rev:1;)
# Three ip:port entries on 443 with no family named and confidence_level 90.
# NOTE(review): address-only indicators go stale when the address changes
# hands; weigh first_seen against the feed date before treating a hit as
# confirmed C2.
alert tcp $HOME_NET any -> [185.99.133.77] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240058/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240058; rev:1;)
alert tcp $HOME_NET any -> [5.255.116.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240059/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240059; rev:1;)
alert tcp $HOME_NET any -> [85.239.34.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240060/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ebnsina.top"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91240057; rev:1;)
# ip:port rule on port 53 with protocol tcp: only TCP packets from $HOME_NET
# to this address and port match, and there is no flow or payload condition.
# threshold limits output to one alert per source address per 60 seconds.
# NOTE(review): if this channel is DNS-based, UDP/53 traffic to the same
# address is not covered by this rule; the entry does not state which
# transport was observed — confirm against the ThreatFox record.
alert tcp $HOME_NET any -> [95.179.189.177] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240056; rev:1;)
# Exact, case-insensitive match on the queried name (depth = pattern length,
# isdataat:!1,relative); names underneath it do not match. The alert dns
# protocol keys on parsed DNS queries rather than on a destination address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.artstrailman.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240055; rev:1;)
# Payload-delivery URL. The URI is a case-insensitive prefix match: depth:24
# pins the pattern to the start of the URI and nothing anchors the end, so a
# query string or extra characters after the file name still match. The Host
# value must equal the pattern exactly. Cleartext GET only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psilonapi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240054; rev:1;)
# C2 URL rule for the host that also has the domain rule sid:91240057 above
# (confidence_level 75 there, 100 here).
# NOTE(review): http.method is fixed to GET, so a POST to the same path and
# host would not raise this alert; only the domain rule would still fire on
# the lookup. Confirm the observed request method against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvin/five/fre.php"; depth:20; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240053; rev:1;)
alert tcp $HOME_NET any -> [188.116.23.142] 23033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240052; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 1050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91240051; rev:1;) alert tcp $HOME_NET any -> [86.38.225.109] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240045; rev:1;) alert tcp $HOME_NET any -> [172.232.189.219] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240046; rev:1;) alert tcp $HOME_NET any -> [198.44.187.12] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240047; rev:1;) alert tcp $HOME_NET any -> [45.32.21.184] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240048; rev:1;) alert tcp $HOME_NET 
any -> [172.232.189.10] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240049; rev:1;) alert tcp $HOME_NET any -> [172.232.162.97] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240050; rev:1;) alert tcp $HOME_NET any -> [131.153.231.178] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240042; rev:1;) alert tcp $HOME_NET any -> [95.179.135.3] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240043; rev:1;) alert tcp $HOME_NET any -> [155.138.147.62] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/"; depth:4; nocase; http.host; content:"grpt.ca"; depth:7; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239949; rev:1;) alert tcp $HOME_NET any -> [190.135.174.163] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240041; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32009 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240040; rev:1;) alert tcp $HOME_NET any -> [51.15.220.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240039; rev:1;) alert tcp $HOME_NET any -> [139.59.3.90] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240038; rev:1;) alert tcp $HOME_NET any -> [185.88.196.130] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240037; rev:1;) alert tcp $HOME_NET any 
-> [202.83.25.9] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240036; rev:1;) alert tcp $HOME_NET any -> [1.12.221.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240035; rev:1;) alert tcp $HOME_NET any -> [198.199.121.71] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240034; rev:1;) alert tcp $HOME_NET any -> [5.9.185.124] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240033; rev:1;) alert tcp $HOME_NET any -> [20.211.122.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240032; rev:1;) alert tcp $HOME_NET any -> [138.91.109.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240031; rev:1;) alert tcp $HOME_NET any -> [110.42.163.130] 36699 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240030; rev:1;) alert tcp $HOME_NET any -> [20.105.186.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240029; rev:1;) alert tcp $HOME_NET any -> [35.233.72.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240028; rev:1;) alert tcp $HOME_NET any -> [99.81.225.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240027; rev:1;) alert tcp $HOME_NET any -> [4.175.95.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240026; rev:1;) alert tcp $HOME_NET any -> [172.234.228.130] 
443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240025; rev:1;) alert tcp $HOME_NET any -> [45.61.158.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240023; rev:1;) alert tcp $HOME_NET any -> [20.54.117.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"142-11-199-59.plesk.page"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240022; rev:1;) alert tcp $HOME_NET any -> [104.225.235.101] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240021; rev:1;) alert tcp $HOME_NET any -> [123.206.227.241] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240020; rev:1;) alert tcp $HOME_NET any -> [79.137.207.38] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240019; rev:1;) alert tcp $HOME_NET any -> [109.107.181.93] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240018; rev:1;) alert tcp $HOME_NET any -> [52.20.229.84] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240017; rev:1;) alert tcp $HOME_NET any -> [129.152.4.113] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240016; rev:1;) alert tcp $HOME_NET any -> [51.107.41.155] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240015; rev:1;) alert tcp $HOME_NET any -> [95.214.177.31] 80 (msg:"ThreatFox ERMAC botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240014; rev:1;) alert tcp $HOME_NET any -> [195.206.235.241] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240012; rev:1;) alert tcp $HOME_NET any -> [74.234.3.141] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240013; rev:1;) alert tcp $HOME_NET any -> [115.74.30.127] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wapt.dgcs.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imperiummalczyc.pl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240010/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_14; classtype:trojan-activity; sid:91240010; rev:1;) alert tcp $HOME_NET any -> [193.233.132.214] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240008; rev:1;) alert tcp $HOME_NET any -> [167.235.136.41] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240007; rev:1;) alert tcp $HOME_NET any -> [185.209.30.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240006; rev:1;) alert tcp $HOME_NET any -> [64.226.76.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240005; rev:1;) alert tcp $HOME_NET any -> [45.138.16.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin6.fvds.ru"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240002; rev:1;)
# The line above is the tail of a domain rule that begins on the previous line.
#
# Domain rules (alert dns): the dns_query buffer (older spelling of dns.query) is
# compared case-insensitively with the listed name. depth equals the length of the
# name and isdataat:!1,relative requires that nothing follows it, so only a query
# for exactly this name matches; a subdomain or a longer name does not.
# target:src_ip marks the querying host in $HOME_NET as the affected side.
#
# NOTE(review): the name below looks like a hosting-panel generated hostname that
# embeds 45-138-16-161; this file also carries an ip:port rule for 45.138.16.161
# (sid:91240004). Correlate the two alerts rather than counting them twice.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovial-wescoff.45-138-16-161.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240003; rev:1;)
# ip:port rules (alert tcp): no flow or content keyword is present, so any TCP
# packet from $HOME_NET to the listed address and port matches, including a
# connection attempt that is never answered. The threshold keeps this to one alert
# per source address per 60 seconds. An alert therefore shows that a host tried to
# reach the address, not that a C2 exchange took place.
# The msg says "Unknown malware": the family has to be looked up through the
# reference URL during triage.
alert tcp $HOME_NET any -> [69.46.36.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240000; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240001; rev:1;)
# NOTE(review): this name has the shape of a cloud provider's automatically
# assigned hostname (four numeric labels, presumably an IPv4 address written in
# reverse - confirm). Such names stay valid after the address is handed to another
# tenant, so check first_seen and the ThreatFox entry before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"238.200.202.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239999; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239998/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239998; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239997; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239996; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239994; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239995; rev:1;) alert tcp $HOME_NET any -> [186.170.96.237] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239993; rev:1;) alert tcp $HOME_NET any -> [185.81.157.106] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239991; rev:1;) alert tcp $HOME_NET any -> [45.88.186.16] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239992; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239990; rev:1;) alert tcp $HOME_NET any -> [5.252.74.133] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239988; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239989; rev:1;) alert tcp $HOME_NET any -> [5.252.74.133] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239987; rev:1;) alert tcp 
$HOME_NET any -> [193.26.115.221] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239986; rev:1;) alert tcp $HOME_NET any -> [185.81.157.21] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239984; rev:1;) alert tcp $HOME_NET any -> [186.112.206.181] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239985; rev:1;) alert tcp $HOME_NET any -> [185.81.157.21] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239983; rev:1;) alert tcp $HOME_NET any -> [46.246.6.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239982; rev:1;) alert tcp $HOME_NET any -> [209.141.54.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239981/; target:src_ip; 
metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91239981; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239980/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91239980; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239978; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239979; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239977; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239976; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239974; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239975; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1672 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239973; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1666 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239972; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239970; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239971; 
rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239969; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239968; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239967; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 10101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239966; rev:1;) alert tcp $HOME_NET any -> [45.134.225.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239965; rev:1;) alert tcp $HOME_NET any -> [146.70.149.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239964; rev:1;) alert tcp $HOME_NET any -> [106.75.240.189] 4090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239963; rev:1;) alert tcp $HOME_NET any -> [117.50.178.197] 33221 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239962; rev:1;) alert tcp $HOME_NET any -> [5.161.85.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239961; rev:1;) alert tcp $HOME_NET any -> [185.158.248.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eganet.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239959; rev:1;) alert tcp $HOME_NET any -> 
[154.44.10.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239957; rev:1;) alert tcp $HOME_NET any -> [103.146.179.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239958; rev:1;) alert tcp $HOME_NET any -> [23.160.193.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239956; rev:1;) alert tcp $HOME_NET any -> [42.186.17.183] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77.198.208.35.bc.googleusercontent.com"; depth:38; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239953; rev:1;)
# The line above is the tail of a domain rule that begins on the previous line.
#
# URL rules (alert http): each rule needs an established client-to-server flow, the
# method GET, a request URI and a Host value.
#   - http.uri: content + depth anchors the pattern at the start of the URI, case-
#     insensitively. Nothing limits what follows, so this is a prefix match: longer
#     paths and query strings also hit.
#   - http.host: content + depth + isdataat:!1,relative is an exact match on the whole
#     host value. It is written without nocase (Suricata normalises the http.host
#     buffer to lower case).
# Several URIs below are file names that also occur on ordinary web sites (a jQuery
# file, .gif and .js assets). The host condition is what makes these rules specific;
# do not reuse the URI patterns on their own.
# The msg of a url rule names no malware family. Where the same host also has an
# ip:port rule (68.183.111.170 and 43.139.177.77 below are labelled Cobalt Strike),
# that rule or the reference URL supplies the family for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239951; rev:1;)
# Duplicate: sid:91239950 (next rule) and sid:91239936 (further down) have identical
# match conditions and differ only in reference and sid, so one request raises two
# alerts. Deduplicate on host + URI when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/index.php"; depth:13; nocase; http.host; content:"grpt.ca"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239944; rev:1;)
# Overlap: the URI of sid:91239946 is a prefix of the URI of sid:91239945, and
# sid:91239947 covers the same address on port 80 at packet level. A single download
# of the .msi path can therefore produce three alerts for one flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documents/build-x64.zip/build-x64.msi"; depth:38; nocase; http.host; content:"95.164.63.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documents/build-x64.zip"; depth:24; nocase; http.host; content:"95.164.63.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239946; rev:1;)
# ip:port rule: no flow or content keyword, so any TCP packet from $HOME_NET to this
# address and port matches; the threshold limits it to one alert per source per 60 s.
alert tcp $HOME_NET any -> [95.164.63.54] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239943; rev:1;)
alert tcp $HOME_NET any -> [68.183.111.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239939; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name (depth equals the
# name length and isdataat:!1,relative forbids trailing data). A lookup of this name
# followed by the HTTP request covered above gives one DNS alert plus the HTTP alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.dadadsadaccsoong.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239937; rev:1;)
alert tcp $HOME_NET any -> [43.139.177.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239938; rev:1;)
# Same match conditions as sid:91239950 above (see the duplicate note there).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"20.163.176.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"47.123.4.117"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239934; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.92] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239932/; target:src_ip; metadata:
confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239932; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239933; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 60989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239931; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239929; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 4899 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239930; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 463 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239928; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 21 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239926; rev:1;)
# The line above is the tail of an ip:port rule that begins on the previous line.
#
# ip:port rules (alert tcp): no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches; the threshold limits this to one
# alert per source address per 60 seconds. confidence_level 75 in msg and metadata is
# the feed's own rating; weigh these hits lower than the 100% entries and confirm
# against the reference URL before acting.
alert tcp $HOME_NET any -> [77.105.132.92] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239927; rev:1;)
# Domain rule: exact, case-insensitive match on the full query name (depth equals the
# name length and isdataat:!1,relative forbids trailing data).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrchq.vrhoeas.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239925; rev:1;)
alert tcp $HOME_NET any -> [8.222.251.253] 43001 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239924; rev:1;)
# URL rule with URI pattern "/" and depth:1: the pattern is only the leading slash, so
# in practice this is a host-only match on GET requests to qrchq.vrhoeas.com. The
# domain rule above (sid:91239925) covers the same name, so a lookup followed by a
# request raises two alerts for one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qrchq.vrhoeas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239923; rev:1;)
alert tcp $HOME_NET any -> [43.229.78.74] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239919/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_02_14; classtype:trojan-activity; sid:91239919; rev:1;) alert tcp $HOME_NET any -> [154.201.81.8] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239920; rev:1;) alert tcp $HOME_NET any -> [108.61.78.17] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239921; rev:1;) alert tcp $HOME_NET any -> [104.156.233.235] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0919021.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239918; rev:1;) alert tcp $HOME_NET any -> [141.98.10.72] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.9.41.156"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadadsadaccsoong.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"dadadsadaccsoong.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"92.118.36.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogyyzmmyzmvlmgi0/"; depth:18; nocase; http.host; content:"4232fdnsjds.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_14; classtype:trojan-activity; sid:91239908; rev:1;) alert tcp $HOME_NET any -> [95.216.177.94] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239906; rev:1;) alert tcp $HOME_NET any -> [78.47.117.126] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.177.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.117.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239904; rev:1;) alert tcp $HOME_NET any -> [103.155.81.228] 1234 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239903/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"botnet.nguyennghi.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239902; rev:1;) alert tcp $HOME_NET any -> [93.123.85.140] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239901; rev:1;) alert tcp $HOME_NET any -> [91.92.251.202] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239900; rev:1;) alert tcp $HOME_NET any -> [101.34.243.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239899; rev:1;) alert tcp $HOME_NET any -> [47.236.115.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239898; rev:1;) alert tcp $HOME_NET any -> [41.96.83.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239897; rev:1;) alert tcp $HOME_NET any -> [72.27.170.157] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239896; rev:1;) alert tcp $HOME_NET any -> [38.142.20.186] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239895; rev:1;) alert tcp $HOME_NET any -> [158.101.163.23] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239894; rev:1;) alert tcp $HOME_NET any -> [45.45.219.118] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239893; rev:1;) alert tcp $HOME_NET any -> [218.28.172.11] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239892; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239891; rev:1;) alert tcp $HOME_NET any -> [69.46.36.216] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239890; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239889; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 3456 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239869; rev:1;) alert tcp $HOME_NET any -> [188.116.21.141] 20213 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"frightyserver.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgkc244p"; depth:9; nocase; http.host; content:"frightyserver.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"winvipbonus.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"weapkd4.jarteaused.live"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239887; rev:1;) alert tcp $HOME_NET any -> [191.248.177.208] 15833 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"45.14.244.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linewindowstrack.php"; depth:21; nocase; http.host; content:"81.200.146.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proton/cdndump/0pipe4/processtemp0/generator304/requestcdn/2baseasyncauth/flower/8mariadbbetter/2wp/eternalcpubigloadtemporary.php"; depth:131; nocase; http.host; content:"45.9.73.82"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239881; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239879/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videovmsecureupdateauthserverbasepublic.php"; depth:44; nocase; http.host; content:"209374cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239878; rev:1;) alert tcp $HOME_NET any -> [104.129.55.106] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239873; rev:1;) alert tcp $HOME_NET any -> [45.32.248.100] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239874; rev:1;) alert tcp $HOME_NET any -> [45.76.251.190] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239875; rev:1;) alert tcp $HOME_NET any -> [103.82.243.5] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239876; rev:1;) alert tcp 
$HOME_NET any -> [104.129.55.105] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239877; rev:1;) alert tcp $HOME_NET any -> [94.103.94.25] 13581 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/gametemporaryvoiddb7/3protonpythongame/publicprotonsecure0/updateto/7vm/update5processor3/dlewindowsrequest/low6proton/servereternal/geo/vm_updategeneratordatalife.php"; depth:175; nocase; http.host; content:"195.43.142.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239870; rev:1;) alert tcp $HOME_NET any -> [149.248.3.194] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239868; rev:1;) alert tcp $HOME_NET any -> [111.67.195.90] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; 
classtype:trojan-activity; sid:91239867; rev:1;)
# Domain rule: depth:26 equals the length of the content and isdataat:!1,relative
# requires that nothing follows it, so only a DNS query for exactly this name
# matches (case-insensitively, via nocase). Subdomains are not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prodomainnameeforappru.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239854; rev:1;)
# NOTE(review): unlike the url rules that follow, this one places the domain name in
# http.uri and has no http.host match. depth:26 pins the 26-byte content to the start
# of the URI buffer, and an ordinary origin-form request URI begins with "/", so this
# rule looks unlikely to fire on normal requests. Presumably the upstream IOC was
# recorded without a path; confirm against the ThreatFox entry. Until then, treat
# sid:91239854 (the dns rule for the same name) as the effective coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"prodomainnameeforappru.com"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1239855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239855; rev:1;)
# URL rules: client-side GET on an established flow. The URI must begin with "/live/"
# (depth:6 equals the content length; nothing constrains what follows the prefix) and
# the Host must equal the listed name exactly (depth plus isdataat:!1,relative).
# These are `alert http` rules, so they only see requests Suricata parses as HTTP;
# TLS sessions to the same hosts are not inspected by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"plwskoret.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"miistoria.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239857; rev:1;)
# ip:port rule: there are no flow or payload keywords, so any TCP packet from $HOME_NET
# to this address and port matches; the threshold keeps output to one alert per source
# address per 60 seconds. The msg states confidence level 50% and the port is 443, so
# a hit is a lead to triage (check what else the address serves), not a verdict.
alert tcp $HOME_NET any -> [87.11.7.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239866/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239866; rev:1;) alert tcp $HOME_NET any -> [31.117.164.92] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239865; rev:1;) alert tcp $HOME_NET any -> [77.0.149.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239864; rev:1;) alert tcp $HOME_NET any -> [71.250.202.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239863; rev:1;) alert tcp $HOME_NET any -> [188.54.71.27] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239862; rev:1;) alert tcp $HOME_NET any -> [154.13.28.16] 46321 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239861; rev:1;) alert tcp $HOME_NET any -> [185.209.30.112] 9202 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rf/imagevideo_securesqlasynctrackuploads.php"; depth:45; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/chunky/"; depth:19; nocase; http.host; content:"horseridinghotel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239858; rev:1;) alert tcp $HOME_NET any -> [95.20.241.72] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239853; rev:1;) alert tcp $HOME_NET any -> [172.205.219.119] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239852; rev:1;) alert tcp $HOME_NET any -> [5.249.160.250] 80 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239851; rev:1;) alert tcp $HOME_NET any -> [119.91.248.126] 8421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239850; rev:1;) alert tcp $HOME_NET any -> [44.213.214.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239849; rev:1;) alert tcp $HOME_NET any -> [64.176.169.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239848; rev:1;) alert tcp $HOME_NET any -> [52.188.58.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239847; rev:1;) alert tcp $HOME_NET any -> [176.53.182.97] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; 
sid:91239846; rev:1;) alert tcp $HOME_NET any -> [34.121.174.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239845; rev:1;) alert tcp $HOME_NET any -> [185.199.52.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239844; rev:1;) alert tcp $HOME_NET any -> [3.12.9.12] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239843; rev:1;) alert tcp $HOME_NET any -> [87.106.121.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239842; rev:1;) alert tcp $HOME_NET any -> [147.45.106.5] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239841; rev:1;) alert tcp $HOME_NET any -> [64.225.28.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1239840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cranky-easley.142-11-199-59.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239839; rev:1;) alert tcp $HOME_NET any -> [137.184.234.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239838; rev:1;) alert tcp $HOME_NET any -> [24.199.69.112] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"static.156.235.21.65.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.miner.bitron-mining.online"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239834/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239834; rev:1;)
#
# ThreatFox IoC rules with first_seen 2024_02_13, restored to one rule per line.
# Every rule alerts on traffic leaving $HOME_NET and sets target:src_ip, so the
# internal source host is the one recorded as the target in the alert.
#
# Three shapes recur:
#   ip:port - "alert tcp $HOME_NET any -> [IP] PORT". There are no flow or
#             content keywords: nothing in the rule requires an established
#             session or looks at payload, so it matches on address and port
#             alone. The threshold (type limit, track by_src, seconds 60,
#             count 1) keeps it to one alert per source per 60 s.
#   domain  - "alert dns" + dns_query. depth equals the pattern length and
#             isdataat:!1,relative forbids trailing bytes, so the query name
#             must equal the pattern (nocase); subdomains and parent domains
#             of the listed name do not match.
#   url     - "alert http", client-to-server on an established flow. The
#             method must contain GET, http.uri must begin with the pattern
#             (depth only, no end anchor) and http.host must equal the
#             pattern. These only see requests Suricata parses as HTTP.
#
# Triage note: these are point-in-time indicators. A hit on an ip:port rule
# shows traffic towards a listed address, not malware traffic as such; confirm
# against the referenced ThreatFox entry and host telemetry, and weigh
# confidence_level (75 and 80 appear below alongside 100).
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miner.bitron-mining.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239835; rev:1;)
alert tcp $HOME_NET any -> [188.116.24.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239833; rev:1;)
alert tcp $HOME_NET any -> [188.116.24.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239832; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.0] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239831; rev:1;)
alert tcp $HOME_NET any -> [34.116.204.231] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239830; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.7] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239829; rev:1;)
alert tcp $HOME_NET any -> [85.202.160.45] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239828; rev:1;)
alert tcp $HOME_NET any -> [3.68.135.109] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239827; rev:1;)
# Exact-name matching in practice: www.glptestasets.com (next rule) and
# glptestasets.com (sid:91239824, a few rules down) are listed separately
# because neither pattern covers the other.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glptestasets.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap477067-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"161-35-239-147.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glptestasets.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239824; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.16] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239822; rev:1;)
alert tcp $HOME_NET any -> [51.159.175.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239820; rev:1;)
alert tcp $HOME_NET any -> [185.236.234.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239821; rev:1;)
alert tcp $HOME_NET any -> [27.124.46.142] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239819; rev:1;)
alert tcp $HOME_NET any -> [88.184.9.216] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239818; rev:1;)
alert tcp $HOME_NET any -> [27.124.46.236] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239816; rev:1;)
alert tcp $HOME_NET any -> [27.124.46.227] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239817; rev:1;)
alert tcp $HOME_NET any -> [181.161.13.84] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239815; rev:1;)
alert tcp $HOME_NET any -> [172.207.72.220] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239814; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.14] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239751/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239751; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.176] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funny-kirch.62-210-130-233.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239812; rev:1;)
alert tcp $HOME_NET any -> [146.190.36.87] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239811; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-burnell.62-210-130-233.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239810; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.198] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239808; rev:1;)
alert tcp $HOME_NET any -> [176.123.168.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239807; rev:1;)
# Several 69.46.36.x addresses recur from here on ports 443 and 7443 as
# "Unknown malware", interleaved with url rules that share the URI prefix
# "/api". "/api" is only a prefix: any GET whose URI starts with it on the
# listed host matches. Whether the two sets are related is not stated here.
alert tcp $HOME_NET any -> [69.46.36.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"townsfolkhiwoeko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239804; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239805; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hunterstrawmersp.homes"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mercyaloofprincipleo.pics"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239802; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gymlog.de"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lawwormroleveinn.mom"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"developmentalveiop.homes"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239795; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baketransparentadw.pics"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brakesummitfiightre.pics"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239791; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.219] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"legislationdictater.mom"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239793; rev:1;)
alert tcp $HOME_NET any -> [134.255.233.199] 63443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239794; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.217] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bleednumberrottern.homes"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239790; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.216] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239788; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239787; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.209] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239786; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239785; rev:1;)
alert tcp $HOME_NET any -> [37.1.214.209] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239784; rev:1;)
alert tcp $HOME_NET any -> [138.201.176.60] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239783; rev:1;)
alert tcp $HOME_NET any -> [138.201.176.60] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239782; rev:1;)
alert tcp $HOME_NET any -> [178.73.218.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239781; rev:1;)
alert tcp $HOME_NET any -> [192.250.225.3] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239779; rev:1;)
alert tcp $HOME_NET any -> [186.170.96.237] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239780; rev:1;)
alert tcp $HOME_NET any -> [51.89.199.122] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239778; rev:1;)
alert tcp $HOME_NET any -> [103.66.59.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239777; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239776; rev:1;)
alert tcp $HOME_NET any -> [119.91.200.209] 24443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239775; rev:1;)
alert tcp $HOME_NET any -> [68.183.111.170] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239773; rev:1;)
alert tcp $HOME_NET any -> [139.9.62.69] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239774; rev:1;)
alert tcp $HOME_NET any -> [43.251.159.58] 8637 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239772; rev:1;)
alert tcp $HOME_NET any -> [110.40.168.108] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239771; rev:1;)
alert tcp $HOME_NET any -> [139.9.41.156] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239770; rev:1;)
alert tcp $HOME_NET any -> [39.104.230.184] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239768; rev:1;)
alert tcp $HOME_NET any -> [167.235.58.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239769; rev:1;)
alert tcp $HOME_NET any -> [108.165.106.7] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239767; rev:1;)
alert tcp $HOME_NET any -> [43.139.177.77] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239766; rev:1;)
alert tcp $HOME_NET any -> [185.233.203.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239765; rev:1;)
alert tcp $HOME_NET any -> [185.165.169.113] 34443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239763; rev:1;)
alert tcp $HOME_NET any -> [84.46.79.30] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239764; rev:1;)
alert tcp $HOME_NET any -> [42.193.10.78] 48086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239762; rev:1;)
alert tcp $HOME_NET any -> [45.148.244.206] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239761; rev:1;)
# Provider-assigned EC2 public hostname. The address behind such a name can
# pass to another tenant, so check the indicator's age and current ThreatFox
# status before treating a lookup as evidence of compromise.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-214-29-253.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239760; rev:1;)
# url and domain rules for the same two hosts: the dns rules fire on the
# lookup, the http rules on a GET whose URI starts with the listed path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/refqdk/"; depth:8; nocase; http.host; content:"qxjjj.j7ute.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rdsrmpgsqf/"; depth:12; nocase; http.host; content:"is5jg.3zweuj.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"is5jg.3zweuj.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxjjj.j7ute.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239757; rev:1;)
alert tcp $HOME_NET any -> [8.222.251.253] 32091 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239754; rev:1;)
alert tcp $HOME_NET any -> [8.219.196.124] 18038 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239755; rev:1;)
alert tcp $HOME_NET any -> [45.140.147.91] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239753; rev:1;)
alert tcp $HOME_NET any -> [181.71.216.30] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239752; rev:1;)
# One address on four ports (8080, 80, 465, 4449), all AsyncRAT at
# confidence_level 75. Each port has its own sid and its own threshold state.
alert tcp $HOME_NET any -> [77.105.132.94] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239750/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239750; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.94] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239749/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239749; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.94] 465 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239748; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.94] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qichen.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239745; rev:1;)
alert tcp $HOME_NET any -> [125.70.238.9] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"www.qichen.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239744; rev:1;)
alert tcp $HOME_NET any -> [42.3.121.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239743; rev:1;)
# The host pattern here is an IP literal: the rule matches only requests
# whose http.host is this address. The url rule's msg names no family; the
# ip:port rule that follows covers the same address on port 15666 and names
# Meduza Stealer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239738; rev:1;)
alert tcp $HOME_NET any -> [79.137.207.35] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239742; rev:1;)
# 39.104.230.184 also appears above as a Cobalt Strike ip:port entry
# (port 6667, sid:91239768).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adcac1e6.php"; depth:13; nocase; http.host; content:"vilon.000webhostapp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239740; rev:1;)
# Destination port 53 over TCP: the rule matches on address and port only
# and does not check that the traffic is DNS.
alert tcp $HOME_NET any -> [154.12.84.6] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigballz.bounceme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239732; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.129] 7645 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239731; rev:1;)
# URI pattern "/" with depth:1 is satisfied by any URI that begins with "/",
# so this rule and the next reduce to "GET with this exact http.host". The
# same two addresses follow as Vidar ip:port entries (ports 443 and 3000).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"138.201.119.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239729; rev:1;)
alert tcp $HOME_NET any -> [95.217.27.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239727; rev:1;)
alert tcp $HOME_NET any -> [138.201.119.252] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239728; rev:1;)
# confidence_level 80 entries: one URI path shared by three hk-49847.* hosts,
# then a second path shared by several asamanaproductionedition* hosts. The
# last of these continues past the end of this section.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionksla.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionalsk.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionpskl.net"; depth:32; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1239678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionctfm.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditiontsma.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditiontols.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionkdna.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239682/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239682; rev:1;)
# ip:port rule: no flow, flags or content keyword, so a single outbound TCP packet to
# the listed address and port is enough to alert (one alert per source per 60 seconds).
alert tcp $HOME_NET any -> [103.28.32.56] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239685; rev:1;)
# Domain rule: matches the complete query name only (depth equals the name length, then
# isdataat:!1,relative), case-insensitively.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239672; rev:1;)
# The next two URL rules target 213.248.43.58 and carry the same path token under
# /loader/screen/ and /task/. The URI is a prefix match (depth only); the Host must equal
# the IP literal. The ip:port rule for the same address on port 80 follows them and fires
# at TCP level, whether or not the request is parsed as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239655; rev:1;)
alert tcp $HOME_NET any -> [213.248.43.58] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheatlab.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239667; rev:1;)
# Host here is github.com, so the rule depends entirely on the file path. It is an
# "alert http" rule and only inspects cleartext HTTP: a download fetched over HTTPS
# reaches the sensor as TLS and does not populate http.uri or http.host unless traffic is
# decrypted before inspection. Pair it with proxy or endpoint telemetry for this URL.
# NOTE(review): the path sits under microsoft/vcpkg but looks like an uploaded attachment
# (/files/<id>/) rather than repository content - confirm against the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/vcpkg/files/14125503/cheat.lab.2.7.2.zip"; depth:51; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239668; rev:1;)
# The remaining rules in this run are ip:port indicators at confidence_level 50. Each is
# pinned to one address, but several use shared service ports (443, 445, 53) and none
# checks payload, so a hit says only that a HOME_NET host sent a TCP packet there. An
# address can change hands after first_seen; treat these as leads to corroborate with
# flow, DNS or endpoint data. The msg wording is the feed's fixed template; only the
# family name varies.
alert tcp $HOME_NET any -> [216.118.230.115] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239726; rev:1;)
alert tcp $HOME_NET any -> [181.141.40.47] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239725; rev:1;)
alert tcp $HOME_NET any -> [41.99.82.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239724; rev:1;)
alert tcp $HOME_NET any -> [95.20.17.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239723; rev:1;)
alert tcp $HOME_NET any -> [105.102.99.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239722; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.60] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239721; rev:1;)
alert tcp $HOME_NET any -> [92.97.115.164] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239720; rev:1;)
alert tcp $HOME_NET any -> [138.197.56.161] 9001 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239719; rev:1;)
alert tcp $HOME_NET any -> [203.41.157.230] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239718; rev:1;)
alert tcp $HOME_NET any -> [159.253.120.2] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239717; rev:1;)
alert tcp $HOME_NET any -> [192.109.241.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239716; rev:1;)
alert tcp $HOME_NET any -> [23.229.31.21] 39561 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239715; rev:1;)
alert tcp $HOME_NET any -> [37.128.207.56] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239714/; target:src_ip; metadata:
confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239714; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 6534 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239713; rev:1;)
# URL rules with an IP-literal Host. The Host pattern is anchored to the whole value
# (depth equals the pattern length, then isdataat:!1,relative); the .php path is a prefix
# match with nocase, so an appended query string still matches. Cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmmultiwordpress.php"; depth:21; nocase; http.host; content:"91.107.121.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/021322b478b21e87.php"; depth:21; nocase; http.host; content:"77.105.132.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239711; rev:1;)
# Cobalt Strike ip:port indicators at confidence_level 80. They match at TCP level only
# (no flow or content keyword), one alert per source per 60 seconds per sid. Several use
# port 50050, the default Cobalt Strike team-server port. NOTE(review): a HOME_NET host
# connecting there may be an operator client or a scanner rather than a beacon - check
# what the source host is before concluding it is infected.
alert tcp $HOME_NET any -> [45.227.255.164] 58888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239710; rev:1;)
alert tcp $HOME_NET any -> [101.132.192.106] 60010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239709; rev:1;)
alert tcp $HOME_NET any -> [43.138.128.109] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239708; rev:1;)
alert tcp $HOME_NET any -> [42.194.210.177] 50040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239707; rev:1;)
alert tcp $HOME_NET any -> [47.113.147.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239706/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239706; rev:1;)
alert tcp $HOME_NET any -> [139.224.194.38] 50005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239705; rev:1;)
alert tcp $HOME_NET any -> [140.143.142.107] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239704; rev:1;)
alert tcp $HOME_NET any -> [121.37.11.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239703; rev:1;)
alert tcp $HOME_NET any -> [122.51.243.31] 50266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239702; rev:1;)
alert tcp $HOME_NET any -> [110.41.4.168] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239701/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239701; rev:1;)
alert tcp $HOME_NET any -> [62.234.46.238] 6543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239700; rev:1;)
alert tcp $HOME_NET any -> [91.103.253.227] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239699; rev:1;)
alert tcp $HOME_NET any -> [107.189.14.144] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239698; rev:1;)
# Five rules for one address (187.135.95.35) on different ports. Each sid keeps its own
# threshold state, so a source that touches several of these ports can raise up to one
# alert per sid per 60 seconds. Group by destination address when triaging.
alert tcp $HOME_NET any -> [187.135.95.35] 1981 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239697; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2045 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239696; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239695; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239694; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239693; rev:1;)
alert tcp $HOME_NET any -> [20.7.67.78] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1239692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239692; rev:1;)
# ip:port rules on port 80. They are "alert tcp" with no content or flow keyword, so they
# match at TCP level and do not inspect the HTTP request. The alert names the address
# only; the requested Host and URI have to come from HTTP or proxy logs.
alert tcp $HOME_NET any -> [185.216.70.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239691; rev:1;)
alert tcp $HOME_NET any -> [194.116.173.129] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239690/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239690; rev:1;)
alert tcp $HOME_NET any -> [116.202.0.229] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239689; rev:1;)
alert tcp $HOME_NET any -> [116.202.0.229] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239688; rev:1;)
alert tcp $HOME_NET any -> [147.45.75.185] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239687; rev:1;)
# URL rules with an IP-literal Host, matched exactly; the URI is a prefix match. The
# first path looks like a webmail static-asset URL, but because the Host must equal
# 134.122.52.228, requests to a genuine service under its own hostname do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"134.122.52.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239683; rev:1;)
# Domain rule: exact match on the whole query name, case-insensitive. It fires on the
# lookup, so it stays useful if the name is later pointed at a different address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janxworm9090.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239671; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.138] 9090 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239670; rev:1;)
# confidence_level 50 ip:port indicators follow, several on ports shared with ordinary
# services (443, 995). With no payload condition a hit means only that a HOME_NET host
# sent a TCP packet to that address and port; corroborate before escalating.
alert tcp $HOME_NET any -> [46.246.82.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239666; rev:1;)
alert tcp $HOME_NET any -> [187.170.239.221] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239665; rev:1;)
alert tcp $HOME_NET any -> [41.96.177.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239664; rev:1;)
alert tcp $HOME_NET any -> [121.121.101.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239663; rev:1;)
alert tcp $HOME_NET any -> [41.136.51.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239662; rev:1;)
alert tcp $HOME_NET any -> [197.14.148.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239661; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.60] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239660; rev:1;)
alert tcp $HOME_NET any -> [170.187.207.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239659; rev:1;)
alert tcp $HOME_NET any -> [170.187.207.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239658; rev:1;)
alert tcp $HOME_NET any -> [5.75.211.197] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239657; rev:1;)
alert tcp $HOME_NET any -> [5.39.43.50] 1610 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239652; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.226] 3787 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239653; rev:1;)
alert tcp $HOME_NET any -> [45.155.91.135] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1239651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239651; rev:1;)
# URL rules whose URI pattern is "/" with depth:1 are true for every request path, so
# they reduce to "any cleartext GET whose Host is exactly this IP literal". The four
# addresses used this way (116.203.6.77, 116.203.165.197, 159.69.101.193, 65.109.242.25)
# also appear in the Vidar ip:port rules further down, on ports 9000, 9000, 5432 and 443.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.6.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.165.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239649; rev:1;)
# Host is t.me, a shared public platform, so detection rests on the path alone. The URI
# is a prefix match (depth:8 with no end anchor): any path that merely starts with
# /karl3on also matches. It is an "alert http" rule, so it sees cleartext HTTP only; the
# platform is normally reached over HTTPS, and such requests need TLS decryption or
# proxy/endpoint logs to be observed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karl3on"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.101.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239646; rev:1;)
# Host is steamcommunity.com, another shared public platform: a single profile path is
# the indicator, matched as a prefix. The cleartext-HTTP limitation applies here as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199637071579"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239645; rev:1;)
# ip:port rules: no flow, flags or content keyword, so any TCP packet from $HOME_NET to
# the listed address and port matches, including an unanswered SYN. threshold limits
# each sid to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [65.109.242.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239641; rev:1;)
alert tcp $HOME_NET any -> [159.69.101.193] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239642; rev:1;)
alert tcp $HOME_NET any -> [116.203.6.77] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239643; rev:1;)
alert tcp $HOME_NET any -> [116.203.165.197] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239644; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.9] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239640; rev:1;)
alert tcp $HOME_NET any -> [5.39.43.50] 1609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239639; rev:1;)
alert tcp $HOME_NET any -> [194.38.20.230] 6666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239638; rev:1;)
# Payload-delivery pair for one host: the domain rule fires on the DNS lookup and the URL
# rule on a cleartext GET for the specific APK path. Both use classtype trojan-activity
# like the C2 rules, so separate delivery from C2 by the msg text ("payload delivery").
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"file.fmwhat.download"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmwhatsapp_v9.98.apk"; depth:21; nocase; http.host; content:"file.fmwhat.download"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239636; rev:1;)
alert tcp $HOME_NET any -> [95.20.241.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239634; rev:1;)
# "Unknown malware" in msg means the feed entry names no family; the indicator is still
# published at confidence_level 100. Use the reference URL for context during triage.
alert tcp $HOME_NET any -> [46.232.249.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239633; rev:1;)
alert tcp $HOME_NET any -> [135.148.115.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239632; rev:1;)
alert tcp $HOME_NET any -> [128.199.65.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239631; rev:1;)
alert tcp $HOME_NET any -> [116.118.49.164] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239630; rev:1;)
alert tcp $HOME_NET any -> [45.153.229.71] 5000
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239629; rev:1;) alert tcp $HOME_NET any -> [34.116.253.50] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239628; rev:1;) alert tcp $HOME_NET any -> [5.206.224.7] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-26-55-9.cprapid.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239626; rev:1;) alert tcp $HOME_NET any -> [185.16.39.253] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239625; rev:1;) alert tcp $HOME_NET any -> [177.138.248.251] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239624/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239624; rev:1;) alert tcp $HOME_NET any -> [204.44.124.8] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239623; rev:1;) alert tcp $HOME_NET any -> [62.210.130.233] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239622; rev:1;) alert tcp $HOME_NET any -> [69.46.36.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239621; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239620; rev:1;) alert tcp $HOME_NET any -> [45.88.186.16] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239619; rev:1;) alert tcp $HOME_NET any -> [185.196.9.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239618; rev:1;) alert tcp $HOME_NET any -> [139.9.62.69] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239617; rev:1;) alert tcp $HOME_NET any -> [37.32.13.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239616; rev:1;) alert tcp $HOME_NET any -> [148.72.132.181] 43255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239615; rev:1;) alert tcp $HOME_NET any -> [185.229.225.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239614; rev:1;) alert tcp $HOME_NET any -> [54.169.210.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239613; rev:1;)
# ip:port indicator: no flow or content keyword, so any TCP packet to this address
# and port matches. Port 80 also carries ordinary web traffic, so check the HTTP
# transaction log for the same flow before treating a hit as C2.
alert tcp $HOME_NET any -> [143.110.176.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239612; rev:1;)
# --- domain indicators ---
# dns_query with depth equal to the content length plus isdataat:!1,relative
# matches that exact query name only; subdomains and parent domains do not match.
# NOTE(review): both names below embed an IPv4 address inside a hosting or cloud
# provider's naming scheme and look like provider-assigned reverse-DNS names.
# Confirm this against the provider. If so, the name follows the address rather
# than the tenant, and the indicator goes stale once the address is reassigned.
# Weigh first_seen 2024_02_12 against the current date before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.127.103.78.5.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"199.60.149.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239610; rev:1;)
# --- URL indicators ---
# The Host below is one subdomain under a shared hosting domain. The exact-host
# match (depth + isdataat:!1,relative) keeps every other subdomain out of scope;
# do not widen the rule to the parent domain. http.uri is a prefix match only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/500ae1b3.php"; depth:13; nocase; http.host; content:"lilbabyfan.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmd/0.015044926305028627.dat"; depth:29; nocase; http.host; content:"musicclubcompany.com"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1239608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvv/0.7619553765651503.dat"; depth:27; nocase; http.host; content:"finderunion.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bvkz/0.16410464051883017.dat"; depth:30; nocase; http.host; content:"berringtonnews.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239606; rev:1;) alert tcp $HOME_NET any -> [86.38.225.108] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239603; rev:1;) alert tcp $HOME_NET any -> [86.38.225.106] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239604; rev:1;) alert tcp $HOME_NET any -> [86.38.225.105] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1239605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239605; rev:1;)
# --- URL indicators with a literal IP address as Host ---
# The URI strings in this group resemble paths served by well-known vendor
# services. They are specific only in combination with the exact literal-IP
# http.host match; lifting the URI alone into a hunt or a broader rule would match
# benign traffic. http.uri is anchored at the start only (depth, no end check),
# so e.g. "/match" also matches any longer path that begins with those characters.
# Elsewhere in this feed 108.165.106.7:443 and 13.36.225.33:80 carry ip:port rules
# labelled Cobalt Strike (sid 91239587, sid 91239598).
#
# NOTE(review): the match options of sid 91239602 are repeated verbatim later in
# this feed under sid 91239586 (IOC 1239586). One request therefore raises two
# alerts; de-duplicate downstream on host + URI rather than by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"108.165.106.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"13.36.225.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"185.216.70.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239599/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_12; classtype:trojan-activity; sid:91239599; rev:1;) alert tcp $HOME_NET any -> [13.36.225.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"13.36.225.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.24.130.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239596; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239595; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239594; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239592; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haha.skyljne.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239590; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 19990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239589; rev:1;) alert tcp $HOME_NET any -> [146.190.244.20] 9932 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239588; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"108.165.106.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239586; rev:1;) alert tcp $HOME_NET any -> [159.100.30.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css"; depth:4; nocase; http.host; content:"sbdatabase.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239584; rev:1;) alert tcp $HOME_NET any -> [95.217.209.180] 443 (msg:"ThreatFox 
Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239582; rev:1;) alert tcp $HOME_NET any -> [95.217.243.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.118.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239578; rev:1;) alert tcp $HOME_NET any -> [78.47.174.101] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239579; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239580; rev:1;) alert tcp $HOME_NET any -> [49.12.101.249] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.174.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.191.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.209.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.101.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipetopythonjsrequesthttpwordpress.php"; depth:39; nocase; http.host; content:"bobrcurw.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0914338.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mb-testing.azureedge.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239565; rev:1;) alert tcp $HOME_NET any -> [216.118.230.114] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239570/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239570; rev:1;) alert tcp $HOME_NET any -> [216.118.230.116] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239569; rev:1;) alert tcp $HOME_NET any -> [79.107.157.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239568; rev:1;) alert tcp $HOME_NET any -> [5.194.147.107] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239567; rev:1;) alert tcp $HOME_NET any -> [72.27.164.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239566; rev:1;) alert tcp $HOME_NET any -> [45.95.169.103] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239564; rev:1;) alert tcp $HOME_NET any -> [188.127.235.191] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239563; rev:1;)
# --- confidence_level 75 indicators ---
# The feed rates the next three entries at 75, below the 100 used for most of this
# batch. Consider routing on the metadata confidence_level value (for example a
# lower severity or a review queue) rather than treating every sid alike.
# The ip:port rules have no flow or content keyword: any TCP packet to the address
# and port matches, and threshold caps output at one alert per source per 60 s.
alert tcp $HOME_NET any -> [46.246.84.5] 7771 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239473; rev:1;)
# Exact-name DNS match (depth + isdataat:!1,relative) on a single label under a
# dynamic-DNS domain. The address behind such a name can change at any time, so
# record the resolved address from DNS logs alongside the alert; the name alone
# does not tell you where the host connected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyndnero.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239474/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239474; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.12] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239560; rev:1;)
# --- URL indicators ---
# http.host must equal the string exactly (depth + isdataat:!1,relative); http.uri
# is anchored at the start of the URI by depth and compared case-insensitively
# (nocase). Only cleartext GET requests parsed by the HTTP engine are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsprocessflowertrafficdownloads.php"; depth:36; nocase; http.host; content:"685938cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239562; rev:1;)
# The rule below pins one long multi-segment path (depth:217) to a literal-IP
# Host. Because the whole path must be present at the start of the URI, any change
# to a single path segment on the server side makes the rule miss. Treat it as a
# point-in-time indicator and keep the ip-based context when hunting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/privateto_/universaldownloads/better/publichttpwindows9/request2/serverdownloads6sql/936/httphttplocalsql/31/cpu0temppublic/requestwordpressgametest/linux5dlegame/wordpress2privatedump/imagegame_protect/vmprotect.php"; depth:217; nocase; http.host; content:"62.109.13.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239561; rev:1;)
# --- ip:port indicators ---
# An alert here proves only that a packet was sent to the address and port.
# NOTE(review): for the port-443 entries the payload is presumably TLS, so confirm
# with flow and TLS logs (SNI, certificate) before escalating. Where msg says
# "Unknown malware" the feed names no family; triage on destination context.
alert tcp $HOME_NET any -> [142.154.95.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239559; rev:1;)
alert tcp $HOME_NET any -> [13.246.66.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239558; rev:1;)
alert tcp $HOME_NET any -> [43.139.43.200] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239557; rev:1;)
alert tcp $HOME_NET any -> [194.163.154.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239556; rev:1;)
alert tcp $HOME_NET any -> [137.184.108.32] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239555; rev:1;) alert tcp $HOME_NET any -> [185.7.52.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239554; rev:1;) alert tcp $HOME_NET any -> [49.13.48.92] 53721 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239553; rev:1;) alert tcp $HOME_NET any -> [54.155.137.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239552; rev:1;) alert tcp $HOME_NET any -> [31.223.68.157] 2223 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239551; rev:1;) alert tcp $HOME_NET any -> [159.146.122.238] 2223 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239550/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239550; rev:1;) alert tcp $HOME_NET any -> [34.230.194.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239549; rev:1;) alert tcp $HOME_NET any -> [195.35.52.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239548; rev:1;) alert tcp $HOME_NET any -> [185.247.224.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239547; rev:1;) alert tcp $HOME_NET any -> [35.200.164.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239546; rev:1;) alert tcp $HOME_NET any -> [51.68.175.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239545; rev:1;) alert tcp $HOME_NET any -> [34.130.87.37] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkerjeki.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239543; rev:1;) alert tcp $HOME_NET any -> [212.64.217.73] 8686 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239542; rev:1;) alert tcp $HOME_NET any -> [204.216.223.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239541; rev:1;) alert tcp $HOME_NET any -> [42.96.2.220] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239539; rev:1;) alert tcp $HOME_NET any -> [42.119.113.85] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239540/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_12; classtype:trojan-activity; sid:91239540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-86-17-63.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239538; rev:1;) alert tcp $HOME_NET any -> [54.88.105.125] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239537; rev:1;) alert tcp $HOME_NET any -> [94.156.65.246] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239536; rev:1;) alert tcp $HOME_NET any -> [83.97.73.229] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239535; rev:1;) alert tcp $HOME_NET any -> [77.232.130.4] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239534; rev:1;) alert tcp $HOME_NET any -> [194.48.251.184] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239533; rev:1;) alert tcp $HOME_NET any -> [197.119.85.192] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239532; rev:1;) alert tcp $HOME_NET any -> [123.206.29.183] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239531; rev:1;) alert tcp $HOME_NET any -> [86.126.4.236] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239530; rev:1;) alert tcp $HOME_NET any -> [154.245.89.99] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reporttest.rubecon.co.za"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239528; rev:1;)
# ip:port rules (alert tcp $HOME_NET any -> [address] port) carry no flow or
# payload keywords: any TCP packet from $HOME_NET to that address and port
# matches, so an alert shows a connection attempt, not an established session.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [45.79.196.203] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239527; rev:1;)
# Domain rules: depth equals the length of the name and isdataat:!1,relative
# requires that nothing follows it, so only a query for exactly this name
# matches (case-insensitive via nocase); subdomains of the name do not.
# dns_query is the legacy spelling of the dns.query sticky buffer.
# NOTE(review): the name below embeds the address of the Havoc rule above
# (45.79.196.203) and looks like a provider-assigned default hostname - confirm.
# If so it follows the address rather than the operator, and the rule goes
# stale once the address is reassigned; weigh first_seen when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-79-196-203.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239526; rev:1;)
alert tcp $HOME_NET any -> [51.120.7.94] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239525; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.203] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239523; rev:1;)
alert tcp $HOME_NET any -> [82.102.23.170] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239524; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.211] 9191 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239522; rev:1;)
# NOTE(review): this name also embeds address octets and looks like a
# provider-assigned reverse-DNS style hostname - confirm; the staleness
# concern for reassigned addresses applies here as well.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.197.203.76.144.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"883217.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgaf.catboy.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239519; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.187] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239516/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_12; classtype:trojan-activity; sid:91239516; rev:1;) alert tcp $HOME_NET any -> [93.123.39.152] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239517; rev:1;) alert tcp $HOME_NET any -> [95.216.123.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239515; rev:1;) alert tcp $HOME_NET any -> [185.172.128.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ansible-tower-pocket-node1.validatorsheaven.network"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"64-225-100-2.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239512; rev:1;) alert tcp $HOME_NET any -> [185.196.9.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239510; rev:1;) alert tcp $HOME_NET any -> [46.101.195.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239511; rev:1;) alert tcp $HOME_NET any -> [35.202.200.238] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239509; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239507; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239508; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239506; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 3003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239504; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239505; rev:1;) alert tcp $HOME_NET any -> [20.81.43.192] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srxy123.is-a-geek.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239502; rev:1;) alert tcp $HOME_NET any -> [185.81.157.106] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239500; rev:1;) alert tcp $HOME_NET any -> [185.81.157.183] 9696 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239501; rev:1;) alert tcp $HOME_NET any -> [216.118.230.117] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239499; rev:1;) alert tcp $HOME_NET any -> [20.52.118.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239498/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_12; classtype:trojan-activity; sid:91239498; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239497; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239496; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239495; rev:1;) alert tcp $HOME_NET any -> 
[187.135.95.35] 1628 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239493; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239494; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2280 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239492; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239490; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239491; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239489/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239489; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239488; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239486; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239487; rev:1;) alert tcp $HOME_NET any -> [177.222.224.56] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239485; rev:1;) alert tcp $HOME_NET any -> [31.43.159.234] 1605 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239484; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239482; rev:1;) alert tcp $HOME_NET any -> [51.38.226.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239483; rev:1;) alert tcp $HOME_NET any -> [83.97.20.183] 48080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239481; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 11011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239480; rev:1;) alert tcp $HOME_NET any -> [8.137.50.92] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239479; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239478; rev:1;)
alert tcp $HOME_NET any -> [111.90.150.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp.pioneerprinters.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239476; rev:1;)
# url rules: http.host has depth equal to the content length plus
# isdataat:!1,relative, so the host must match exactly. http.uri is anchored
# at the start by depth but has no end anchor, so any URI that begins with
# the string matches. flow:established,from_client restricts the match to
# client requests on an established flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/9/9/windowspublic/5voiddb/6process3/8/serverdbdatalifedle.php"; depth:66; nocase; http.host; content:"91.107.121.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239475; rev:1;)
# The three Cobalt Strike rules in this run with destination port 53 use an
# "alert tcp" header, so only TCP traffic to the address is inspected.
# NOTE(review): if these C2s are DNS-based (confirm against the ThreatFox
# entries), UDP/53 traffic to the same addresses is not covered here.
alert tcp $HOME_NET any -> [173.212.224.123] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hom.cabul.bbtecno.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.cabul.bbtecno.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239470; rev:1;)
alert tcp $HOME_NET any -> [64.225.111.119] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.mb-testing.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239468; rev:1;)
alert tcp $HOME_NET any -> [103.186.215.56] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239467; rev:1;)
# The next four url rules use very short URI prefixes ("/ptj", "/pixel",
# "/pixel.gif"); their specificity comes from the exact http.host match.
# Because the URI is prefix-matched, sid 91239463 ("/pixel") also fires on
# "/pixel.gif" or any longer path with that prefix on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239462; rev:1;)
# The rules from here on carry "confidence_level 50" in metadata, unlike the
# 100 entries above; the metadata key can be used to route or suppress
# lower-confidence alerts separately. Port 80 on a single address with no
# payload match is a broad condition - expect more triage work per alert.
alert tcp $HOME_NET any -> [5.182.87.145] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239461; rev:1;)
alert tcp $HOME_NET any -> [78.19.61.12] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239460; 
rev:1;) alert tcp $HOME_NET any -> [157.254.20.34] 6607 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"61.163.138.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239458; rev:1;) alert tcp $HOME_NET any -> [193.242.211.154] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239457; rev:1;) alert tcp $HOME_NET any -> [91.211.247.89] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239456; rev:1;) alert tcp $HOME_NET any -> [185.237.206.77] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239455; rev:1;) alert tcp $HOME_NET any -> [117.50.162.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccuk.edenexit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239449; rev:1;) alert tcp $HOME_NET any -> [94.156.69.147] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winkimedia.it"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239450; rev:1;) alert tcp $HOME_NET any -> [94.156.71.221] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1239452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239452; rev:1;)
# ip:port rules (alert tcp) carry no flow, flags or payload condition: any TCP packet from $HOME_NET to
# the listed address and port matches, limited by the threshold to one alert per source per 60 seconds.
# The sid is 9 followed by the ThreatFox IOC id given in the reference URL.
alert tcp $HOME_NET any -> [5.39.43.50] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239448; rev:1;)
alert tcp $HOME_NET any -> [45.153.230.56] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239446; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 14114 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239447; rev:1;)
# Exact-match domain rule (depth = name length, isdataat:!1,relative, nocase).
# NOTE(review): the name sits under ngrok-free.app, presumably a tunnelling-service endpoint that can be
# released and reissued; with confidence_level 50, confirm the ThreatFox entry is current before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"53d5-66-154-102-195.ngrok-free.app"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239445; rev:1;)
# URL rules (alert http): cleartext HTTP GET only; http.host must equal the listed host exactly, while
# http.uri only has to start with the listed path. For the short prefixes below (/j.ad, /ca, /cx) any
# longer path with that prefix also matches, so the exact host match is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.68.248.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"139.196.191.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0linuxcdnpipe/windowsto/providerproton/347/auth5dumpjs/84geotemporary/vmto_processauthlongpolltraffictrackcdn.php"; depth:114; nocase; http.host; content:"217.25.94.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239441; rev:1;)
alert tcp $HOME_NET any -> [85.192.32.83] 1194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cr13705.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbdatabase.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239438; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.109] 17032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239073/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239073; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 17032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239074/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239074; rev:1;)
# Domain rule and URL rule for the same host, both labelled payload delivery. The domain rule fires on
# the lookup of exactly teaigame.com; the URL rule additionally needs a cleartext GET for a path starting
# with /game/teai_demo.exe. Either hit shows a request was made, not that the file was run.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"teaigame.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/teai_demo.exe"; depth:19; nocase; http.host; content:"teaigame.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"78.85.17.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239072; rev:1;)
# The next two rules name the same address: the ip:port rule matches any TCP packet to port 443 of it,
# the URL rule only a cleartext GET with the listed URI prefix and that address as the Host value.
alert tcp $HOME_NET any -> [104.236.71.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/926-87643065-0301867/field-keywords=time"; depth:60; nocase; http.host; content:"104.236.71.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239068; rev:1;)
# confidence_level 50 on port 80: the address is the only evidence, so corroborate a hit (HTTP logs,
# endpoint telemetry) before treating the source host as infected.
alert tcp $HOME_NET any -> [193.233.132.167] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239067; rev:1;)
alert tcp $HOME_NET any -> [185.215.113.32] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port -
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239066; rev:1;)
# Domain rules (alert dns), all confidence_level 100. depth equal to the name length plus
# isdataat:!1,relative makes each an exact, case-insensitive match on the queried name, so a subdomain
# or a sibling name under the same parent does not match. Lookups sent over encrypted DNS (DoH/DoT) are
# not visible to these rules unless decrypted before the sensor. target:src_ip marks the querying
# $HOME_NET address as the alert target; if clients query through an internal resolver, that address
# may be the resolver rather than the workstation -- check resolver logs in that case.
#
# NOTE(review): every name in this run sits under what appear to be dynamic-DNS provider domains
# (servehttp.com, viewdns.net, serveirc.com, serveblog.net, serveftp.com, servehalflife.com, myddns.me,
# ddns.net, gotdns.ch), which many unrelated users share: alert or block on the full listed name, not
# on the parent domain. Several first labels look like compressed organisation hostnames (for example
# financegovpk, mofagovpk), presumably chosen to pass as legitimate at a glance -- the feed does not
# say so. The msg names no malware family; the reference URL is the only context given.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support-ntc.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdmx-financegovpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharepakistan-mofa.viewdns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogdcl.servehttp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-ptclnetpk.servehttp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piac-compk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238930; rev:1;)
# The same first label appears under three parent domains in the next three rules; each full name needs
# its own rule because matching is exact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveirc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveblog.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news-ptvcompk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offer-ptclnetpk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmail-armymilbd.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navy-govbd.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailhitgovpk.servehalflife.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanfung.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.myddns.me"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofapk.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.gotdns.ch"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity;
sid:91238916; rev:1;)
# Domain rules (alert dns): exact, case-insensitive match on the queried name (depth = name length plus
# isdataat:!1,relative); subdomains do not match, and lookups over encrypted DNS are not visible to
# these rules unless decrypted before the sensor. The sid is 9 followed by the ThreatFox IOC id in the
# reference URL.
#
# NOTE(review): the names down to sid:91238900 sit under what appear to be dynamic-DNS provider domains
# (servehttp.com, servehalflife.com, serveftp.com, servequake.com, serveblog.net) shared by many
# unrelated users: act on the full listed name, not on the parent domain. The msg names no malware
# family, so the reference URL is the only context the feed gives.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdpgovpk.servehalflife.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrmis-financegovpk.serveftp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.servequake.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveblog.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"financegovpk.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"circular-financegov.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eservice-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofapk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehalflife.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofagovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory-cabinetgpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238900; rev:1;)
# confidence_level drops to 75 from here on, except sid:91238935.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peces.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238884/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238884; rev:1;)
# ip:port rules (alert tcp): no flow, flags or payload condition, so any TCP packet from $HOME_NET to the
# listed address and port matches, including an unanswered connection attempt; the threshold limits
# this to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [46.246.84.15] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238802; rev:1;)
alert tcp $HOME_NET any -> [171.228.211.109] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238805/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kami.shopkami.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238935; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 13977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239002/; target:src_ip; metadata: confidence_level 75, first_seen
2024_02_11; classtype:trojan-activity; sid:91239002; rev:1;)
# ip:port rules (alert tcp): no flow, flags or payload condition, so any TCP packet from $HOME_NET to the
# listed address and port matches; the threshold limits this to one alert per source per 60 seconds.
# The sid is 9 followed by the ThreatFox IOC id in the reference URL.
alert tcp $HOME_NET any -> [45.95.146.13] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239003; rev:1;)
# Domain rules (alert dns): exact, case-insensitive match on the queried name (depth = name length plus
# isdataat:!1,relative); subdomains do not match. The first one is labelled payload delivery, so a hit
# shows a lookup of the delivery host, not C2 contact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"win32avemaria.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serenys.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239011; rev:1;)
# URL rules (alert http): cleartext HTTP GET only; http.host must equal the listed address exactly and
# http.uri must start with the listed path. The two addresses are the ones used by the Amadey ip:port
# rules sid:91239067 and sid:91239066 in this file; the msg of these URL rules names no family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enigma/index.php"; depth:17; nocase; http.host; content:"193.233.132.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yandex/index.php"; depth:17; nocase; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"junio2023.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239017; rev:1;)
# 3.66.38.117 is also listed on port 17032 (sid:91239074); each address/port pair is a separate rule.
alert tcp $HOME_NET any -> [3.66.38.117] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239046; rev:1;)
alert tcp $HOME_NET any -> [3.68.171.119] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239047/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239065; rev:1;)
# The remaining rules are confidence_level 50 with the family given as "Unknown malware" or QakBot: the
# address is the only evidence. NOTE(review): the feed banner says it was last updated 2024-07-26 while
# these entries were first seen 2024_02_11; an address this old may have changed hands, so check the
# referenced ThreatFox entry and corroborate with endpoint or proxy data before escalating a hit.
alert tcp $HOME_NET any -> [216.118.230.118] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239064; rev:1;)
alert tcp $HOME_NET any -> [154.9.249.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239063; rev:1;)
alert tcp $HOME_NET any -> [185.193.126.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239062; rev:1;)
alert tcp $HOME_NET any -> [124.220.0.201] 4849 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239061; rev:1;)
alert tcp $HOME_NET any -> [41.98.245.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239060; rev:1;)
alert tcp $HOME_NET any -> [160.176.66.130] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239059; rev:1;)
alert tcp $HOME_NET any -> [151.30.51.255] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11;
classtype:trojan-activity; sid:91239058; rev:1;)

# Every rule on this stretch is an ip:port IOC at confidence level 50. The match is on the
# packet header only (destination address + port, no flow or payload keywords), and the
# threshold emits at most one alert per internal source per 60 seconds.
# The IOCs are dated first_seen 2024_02_11 while the file header says it was generated on
# 2024-07-26; addresses can change hands in that time, so confirm the entry at the reference
# URL before escalating.
# NOTE(review): with a 50% source confidence and well-known service ports (80, 443, 445, 995),
# consider routing these sids to a lower-severity queue and correlating with TLS/HTTP/flow
# logs for the same 5-tuple — confirm against local alerting policy.
alert tcp $HOME_NET any -> [84.155.10.84] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239057; rev:1;)

# Destination port 445 (SMB) towards an external address. Independent of this IOC, outbound
# SMB from $HOME_NET to the Internet is normally blocked at the egress firewall; an alert
# here also indicates that such a block is missing or bypassed.
alert tcp $HOME_NET any -> [117.200.61.202] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239056; rev:1;)
alert tcp $HOME_NET any -> [5.182.36.131] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239055; rev:1;)

# Havoc entries: same header-only template; the port is the only thing that distinguishes
# them from ordinary web traffic to the same address.
alert tcp $HOME_NET any -> [121.127.33.246] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239054; rev:1;)
alert tcp $HOME_NET any -> [43.132.212.200] 22694 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239053; rev:1;)
alert tcp $HOME_NET any -> [45.61.159.30] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1239052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239052; rev:1;) alert tcp $HOME_NET any -> [159.69.207.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239051; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239050; rev:1;) alert tcp $HOME_NET any -> [91.238.181.248] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239049; rev:1;) alert tcp $HOME_NET any -> [45.76.46.64] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239048; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239045; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239044; rev:1;) alert tcp $HOME_NET any -> [132.226.123.210] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239043; rev:1;) alert tcp $HOME_NET any -> [47.120.50.234] 35550 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239042; rev:1;) alert tcp $HOME_NET any -> [43.154.39.87] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239041/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239041; rev:1;) alert tcp $HOME_NET any -> [149.50.211.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239040/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239040; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239039/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; 
classtype:trojan-activity; sid:91239039; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 50017 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239038/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239038; rev:1;) alert tcp $HOME_NET any -> [31.192.235.73] 48126 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239037/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239037; rev:1;) alert tcp $HOME_NET any -> [101.43.2.243] 26356 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239036/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239036; rev:1;) alert tcp $HOME_NET any -> [175.178.83.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239035/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239035; rev:1;) alert tcp $HOME_NET any -> [208.68.36.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239034/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239034; rev:1;) alert tcp $HOME_NET any -> [120.79.154.38] 55667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239033/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239033; rev:1;) alert tcp $HOME_NET any -> [1.117.117.147] 2020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239032/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239032; rev:1;) alert tcp $HOME_NET any -> [74.48.158.197] 30080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239031/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239031; rev:1;) alert tcp $HOME_NET any -> [1.15.248.225] 38248 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239030/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239030; rev:1;) alert tcp $HOME_NET any -> [124.222.234.106] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239029; rev:1;) alert tcp $HOME_NET any -> [20.231.208.182] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239028/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239028; rev:1;) alert tcp $HOME_NET 
any -> [101.201.224.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239027; rev:1;) alert tcp $HOME_NET any -> [159.223.77.150] 58393 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239026; rev:1;) alert tcp $HOME_NET any -> [117.72.35.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239025; rev:1;) alert tcp $HOME_NET any -> [120.48.101.89] 37128 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239024; rev:1;) alert tcp $HOME_NET any -> [68.183.86.25] 49492 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239023; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239022; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239020; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0905554.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239018; rev:1;) alert tcp $HOME_NET any -> [167.86.86.15] 3333 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239015/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239015; rev:1;)

# URL IOC template:
#   - `flow:established,from_client` limits the match to client requests on an established flow.
#   - `http.method; content:"GET"` requires "GET" to appear in the method buffer.
#   - `http.uri` content with `depth` equal to its length and `nocase` is a case-insensitive
#     PREFIX match: "/cm" also matches any longer URI that begins with those three characters.
#   - `http.host` content with `depth` equal to its length plus `isdataat:!1,relative` is an
#     exact match of the whole host buffer.
# These rules only see traffic Suricata parses as HTTP; the same destination reached over TLS
# is not covered by them. They have no `threshold`, so each matching request alerts.
# NOTE(review): sid 91238993 further down in this file has identical match conditions
# (GET, "/cm", host 23.94.202.169), so one request raises two alerts; de-duplicate downstream
# or suppress one of the two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"45.90.217.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239010; rev:1;)

# ip:port IOC template: header-only match (destination address + port, no flow or payload
# keywords), limited to one alert per internal source per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [20.226.21.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239009; rev:1;)

# NOTE(review): the same address also appears as the http.host of the URL rule sid 91239005
# ("/blsswk93ex/index.php", confidence 100) later in this file. A plain-HTTP request to that
# URL on port 80 would presumably raise both this 50%-confidence alert and the URL alert;
# prefer the URL hit when triaging.
alert tcp $HOME_NET any -> [5.42.64.44] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239008; rev:1;)
alert tcp $HOME_NET any -> [45.77.240.40] 25887 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239007/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blsswk93ex/index.php"; depth:21; nocase; http.host; content:"5.42.64.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239005; rev:1;) alert tcp $HOME_NET any -> [185.103.100.197] 19049 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239004; rev:1;) alert tcp $HOME_NET any -> [67.71.30.57] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239001; rev:1;) alert tcp $HOME_NET any -> [149.109.109.136] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239000; rev:1;) alert tcp $HOME_NET any -> [78.18.250.125] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238999; rev:1;) alert tcp $HOME_NET any -> 
[39.40.155.114] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238998; rev:1;) alert tcp $HOME_NET any -> [45.66.248.84] 42282 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238997; rev:1;) alert tcp $HOME_NET any -> [163.197.247.155] 8889 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238996; rev:1;) alert tcp $HOME_NET any -> [40.87.135.62] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238995; rev:1;) alert tcp $HOME_NET any -> [65.21.64.132] 34779 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.94.202.169"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238993; rev:1;) alert tcp $HOME_NET any -> [34.34.10.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238992; rev:1;) alert tcp $HOME_NET any -> [3.75.189.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238991; rev:1;) alert tcp $HOME_NET any -> [165.232.179.158] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238990; rev:1;) alert tcp $HOME_NET any -> [181.32.143.15] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238989; rev:1;) alert tcp $HOME_NET any -> [13.49.116.113] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238988; rev:1;) alert tcp 
$HOME_NET any -> [122.150.85.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238987; rev:1;) alert tcp $HOME_NET any -> [173.212.228.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238986; rev:1;) alert tcp $HOME_NET any -> [41.78.73.219] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238985; rev:1;) alert tcp $HOME_NET any -> [78.186.239.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238984; rev:1;) alert tcp $HOME_NET any -> [172.174.245.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238983; rev:1;) alert tcp $HOME_NET any -> [54.198.97.186] 5432 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238982; rev:1;) alert tcp $HOME_NET any -> [118.31.49.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blogger.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eco-academy.virtualidevs.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238979; rev:1;) alert tcp $HOME_NET any -> [49.51.69.128] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nanasuuakiaa.host"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; 
classtype:trojan-activity; sid:91238977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.x3qc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238976; rev:1;) alert tcp $HOME_NET any -> [103.65.235.21] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238975; rev:1;) alert tcp $HOME_NET any -> [93.123.39.165] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-175-203-218.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238973; rev:1;) alert tcp $HOME_NET any -> [23.94.66.115] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238972; rev:1;) alert tcp $HOME_NET any -> [185.194.216.22] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238970; rev:1;) alert tcp $HOME_NET any -> [87.98.147.251] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238971; rev:1;) alert tcp $HOME_NET any -> [4.178.96.222] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238969; rev:1;) alert tcp $HOME_NET any -> [113.30.191.40] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238968; rev:1;) alert tcp $HOME_NET any -> [176.113.115.243] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238967; rev:1;) alert tcp $HOME_NET any -> [193.222.96.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238966; rev:1;) alert tcp $HOME_NET any 
-> [178.33.57.149] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238965; rev:1;)

# Second port on the same address as sid 91238965 above. Each ip:port pair is its own rule
# with its own per-source threshold, so a host contacting both ports produces two alerts.
alert tcp $HOME_NET any -> [178.33.57.149] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238964; rev:1;)

# Domain IOC template: `dns_query` (legacy name of the `dns.query` sticky buffer) with
# `depth` equal to the content length and `isdataat:!1,relative` is an exact,
# case-insensitive match on the queried name. Parent domains and other sub-domains are not
# matched. The rule fires on the query itself, whether or not the name resolves, and has no
# `threshold`, so repeated lookups alert repeatedly.
# `target:src_ip` marks the querying side; if clients use an internal resolver, the source
# seen at the sensor may be the resolver rather than the workstation — correlate with
# resolver logs to find the originating host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staging.recruitis.josefbenjac.cz"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.dalkson.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238962; rev:1;)

# NOTE(review): this name has the shape of a cloud provider's auto-assigned public hostname
# for an address, not a domain registered by the operator. Such a name keeps resolving after
# the underlying address is released and reassigned, so the confidence level of 100 reflects
# the observation on first_seen (2024_02_10), not the current tenant — re-check the
# referenced ThreatFox entry before treating a hit as confirmed C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-244-129-215.eu-west-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query;
content:"zqpvr01.sandcats.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-199-117-47.ap-northeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238959; rev:1;) alert tcp $HOME_NET any -> [159.100.13.218] 1606 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238958; rev:1;) alert tcp $HOME_NET any -> [37.120.237.196] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238957; rev:1;) alert tcp $HOME_NET any -> [185.216.70.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238956; rev:1;) alert tcp $HOME_NET any -> [185.216.70.224] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238955/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_10; classtype:trojan-activity; sid:91238955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"056hg568786.f4r5t5y8hh8.click"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238954; rev:1;) alert tcp $HOME_NET any -> [92.63.104.174] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238952; rev:1;) alert tcp $HOME_NET any -> [77.73.129.77] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238953; rev:1;) alert tcp $HOME_NET any -> [185.189.196.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238950; rev:1;) alert tcp $HOME_NET any -> [34.72.157.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238951; rev:1;) alert tcp $HOME_NET any -> [40.66.42.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238949; rev:1;) alert tcp $HOME_NET any -> [104.156.247.38] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238948; rev:1;) alert tcp $HOME_NET any -> [114.116.231.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238947; rev:1;) alert tcp $HOME_NET any -> [163.197.247.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238946/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_10; classtype:trojan-activity; sid:91238946; rev:1;) alert tcp $HOME_NET any -> [119.91.77.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238945/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_10; classtype:trojan-activity; sid:91238945; rev:1;) alert tcp $HOME_NET any -> [5.45.111.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238943; rev:1;) 
# ThreatFox ip:port rules: each matches TCP traffic from $HOME_NET to a single
# address and port, rate-limited to one alert per source address per 60 seconds.
# NOTE(review): no flow or payload keyword is present, so the family named in msg
# comes from the feed rather than from inspected traffic; a hit means "host tried
# to reach the listed endpoint" and should be confirmed against flow records.
alert tcp $HOME_NET any -> [5.45.111.146] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238944; rev:1;)
alert tcp $HOME_NET any -> [78.40.116.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238942; rev:1;)
alert tcp $HOME_NET any -> [124.220.53.223] 4543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238941; rev:1;)
alert tcp $HOME_NET any -> [134.122.164.195] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238940; rev:1;)
alert tcp $HOME_NET any -> [51.38.226.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238939; rev:1;)
alert tcp $HOME_NET any -> [201.27.182.215] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238937; rev:1;)
alert tcp $HOME_NET any -> [196.235.228.141] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238938; rev:1;)
# ThreatFox domain rule: dns_query content with depth equal to the name length
# plus isdataat:!1,relative, i.e. an exact, case-insensitive match on the whole
# queried name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202305171327228750.powersrv.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238936; rev:1;)
# confidence_level 80 entries (RisePro, DCRat, Havoc).
alert tcp $HOME_NET any -> [147.45.47.96] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238899; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.128] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238898; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.2] 2121 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238897; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.121] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238896; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.39] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238895; rev:1;)
alert tcp $HOME_NET any -> [150.143.137.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238894; rev:1;)
alert tcp $HOME_NET any -> [54.169.174.23] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238893; rev:1;)
alert tcp $HOME_NET any -> [45.79.196.203] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238892; rev:1;)
alert tcp $HOME_NET any -> [61.19.254.6] 2123 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238891; rev:1;)
alert tcp $HOME_NET any -> [165.154.132.129] 50013 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238890; rev:1;)
alert tcp $HOME_NET any -> [18.117.144.139] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238889; rev:1;)
alert tcp $HOME_NET any -> [40.90.255.165] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238888; rev:1;)
alert tcp $HOME_NET any -> [136.54.125.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238887; rev:1;)
alert tcp $HOME_NET any -> [43.132.212.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238886; rev:1;)
alert tcp $HOME_NET any -> [185.119.118.59] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238885; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.3] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238883; rev:1;)
# ThreatFox url rules: client-to-server GET requests on established flows.
# http.uri is anchored at the start (depth = pattern length, nocase) with no end
# check, so any URI beginning with the pattern matches; http.host must equal the
# listed host exactly (depth + isdataat:!1,relative). No threshold is set here.
# NOTE(review): short prefixes such as "/cx" or "/ga.js" rely entirely on the
# http.host match for specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05b89c2203fb7bde.php"; depth:21; nocase; http.host; content:"77.105.132.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptjsdownloads.php"; depth:32; nocase; http.host; content:"007017cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238879; rev:1;)
# NOTE(review): sid 91238878 and sid 91238877 carry identical match options (two
# feed entries for the same host and URI), so one request raises two alerts;
# deduplicate downstream on host + URI rather than on sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916186.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238872; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.25] 3000 (msg:"ThreatFox ObserverStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238871; rev:1;)
# Domain rules interleaved with Cobalt Strike ip:port rules on port 53.
# NOTE(review): the ip:port rules here are "alert tcp", so DNS sent to these
# addresses over UDP is not matched by them; the dns_query rules cover lookups of
# the listed names only. Confirm whether UDP/53 coverage is needed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.nsgocus.cn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.0-2.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238858; rev:1;)
alert tcp $HOME_NET any -> [178.128.229.91] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238859; rev:1;)
alert tcp $HOME_NET any -> [154.22.123.68] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.theasiagroupai.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238856; rev:1;)
alert tcp $HOME_NET any -> [45.77.116.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.startupmartec.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238854; rev:1;)
alert tcp $HOME_NET any -> [199.247.30.209] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.thenewbees.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238852; rev:1;)
alert tcp $HOME_NET any -> [18.222.142.217] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.sstr.com.br"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.pwd-reset.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238848; rev:1;)
alert tcp $HOME_NET any -> [63.34.195.83] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238849; rev:1;)
alert tcp $HOME_NET any -> [173.212.224.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238847; rev:1;)
# The same host appears below as a domain IOC and as the http.host of a url IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cupdater.bbtecno.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"cupdater.bbtecno.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"94.156.65.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238844; rev:1;)
alert tcp $HOME_NET any -> [146.235.52.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238843; rev:1;)
alert tcp $HOME_NET any -> [13.82.186.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238842; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.217] 3162 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238841; rev:1;)
# confidence_level 50 entries (QakBot, Responder, Havoc, BianLian, Deimos,
# Unknown malware).
# NOTE(review): lower feed confidence on bare ip:port matches, several of them on
# common service ports (443, 995); consider triaging these below the 100-level
# rules, e.g. by filtering on the confidence_level metadata key.
alert tcp $HOME_NET any -> [31.117.188.253] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238840; rev:1;)
alert tcp $HOME_NET any -> [105.155.185.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238839; rev:1;)
alert tcp $HOME_NET any -> [50.35.141.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238838; rev:1;)
alert tcp $HOME_NET any -> [109.154.155.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238837; rev:1;)
# NOTE(review): the two tcp/445 entries match outbound SMB from $HOME_NET to an
# external address; an egress block on TCP/445 would cover the same traffic
# independently of this IOC list.
alert tcp $HOME_NET any -> [117.200.61.203] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238836; rev:1;)
alert tcp $HOME_NET any -> [117.200.61.205] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238835; rev:1;)
alert tcp $HOME_NET any -> [5.182.36.131] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238834; rev:1;)
alert tcp $HOME_NET any -> [185.189.196.191] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238833; rev:1;)
alert tcp $HOME_NET any -> [114.29.237.119] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238832; rev:1;)
alert tcp $HOME_NET any -> [172.202.30.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238831; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.87] 2696 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238830; rev:1;)
alert tcp $HOME_NET any -> [45.148.132.134] 12345 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238829; rev:1;)
alert tcp $HOME_NET any -> [167.86.85.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238828; rev:1;)
alert tcp $HOME_NET any -> [5.189.152.51] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238827; rev:1;)
alert tcp $HOME_NET any -> [13.52.244.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238826; rev:1;)
# url rules: GET with a URI-prefix match and an exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0909872.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db059622.php"; depth:13; nocase; http.host; content:"a0916535.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238824; rev:1;)
# confidence_level 80 entries (Cobalt Strike, DarkComet, Hook, Orcus RAT,
# Meduza Stealer).
alert tcp $HOME_NET any -> [124.71.84.65] 8062 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238823; rev:1;)
alert tcp $HOME_NET any -> [111.92.240.246] 50550 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238822; rev:1;)
# Ten DarkComet entries for one address (187.135.144.103), one rule per port.
# Each has its own sid, so the per-source threshold applies to each port's rule
# separately.
alert tcp $HOME_NET any -> [187.135.144.103] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238821; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 1710 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238820; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238819; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238818; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238817; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238816; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238815; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238814; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238813/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238813; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238812/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238812; rev:1;)
alert tcp $HOME_NET any -> [34.141.15.123] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238811/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238811; rev:1;)
alert tcp $HOME_NET any -> [35.246.183.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238810; rev:1;)
alert tcp $HOME_NET any -> [154.245.7.231] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238809/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238809; rev:1;)
alert tcp $HOME_NET any -> [92.246.136.161] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238808/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"workonz7.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238804; rev:1;) alert tcp $HOME_NET any -> [91.92.244.55] 13002 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"123.234.75.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238801; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238800; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238798; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238799/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238799; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238797; rev:1;) alert tcp $HOME_NET any -> [38.255.33.106] 7896 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238796; rev:1;) alert tcp $HOME_NET any -> [8.213.208.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238795; rev:1;) alert tcp $HOME_NET any -> [8.134.69.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238794; rev:1;) alert tcp $HOME_NET any -> [41.96.89.253] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238793; rev:1;) alert tcp $HOME_NET any -> [78.167.158.62] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238792; rev:1;) alert tcp $HOME_NET any -> [109.145.252.188] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238791; rev:1;) alert tcp $HOME_NET any -> [31.53.190.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238790; rev:1;) alert tcp $HOME_NET any -> [216.137.205.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238789; rev:1;) alert tcp $HOME_NET any -> [117.200.61.201] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238788; rev:1;) alert tcp $HOME_NET any -> [165.227.122.136] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238787; rev:1;) alert tcp $HOME_NET any -> [108.181.0.232] 
80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238786; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 58637 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238785; rev:1;) alert tcp $HOME_NET any -> [178.189.215.120] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238784; rev:1;) alert tcp $HOME_NET any -> [168.100.8.112] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238783; rev:1;) alert tcp $HOME_NET any -> [193.233.132.195] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviceicloud.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238714/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visualstudioupdater"; depth:20; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/data.php"; depth:15; nocase; http.host; content:"mysticselect.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maconlineoffice.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zshrc2"; depth:7; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visualstudioupdaterls2"; depth:23; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zshrc"; depth:6; nocase; http.host; content:"sarkerrentacars.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/previewers"; depth:11; nocase; http.host; content:"turkishfurniture.blog"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238719; rev:1;) alert tcp $HOME_NET any -> [193.29.13.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238720; rev:1;) alert tcp $HOME_NET any -> [88.214.26.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238721; rev:1;) 
alert tcp $HOME_NET any -> [193.29.13.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-uk.widgetsfordeploy.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238779; rev:1;) alert tcp $HOME_NET any -> [88.214.26.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trans1ategooglecom.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saintelzearlava.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238781; rev:1;) alert tcp $HOME_NET any -> [80.66.85.145] 27441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238704; rev:1;) alert tcp $HOME_NET any -> [5.231.1.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238706/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238706; rev:1;) alert tcp $HOME_NET any -> [5.181.202.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238707/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238707; rev:1;) alert tcp $HOME_NET any -> [45.129.199.163] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238708/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238708; rev:1;) alert tcp $HOME_NET any -> [47.115.206.4] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238778; rev:1;) alert tcp $HOME_NET any -> [54.169.49.63] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238777; 
rev:1;) alert tcp $HOME_NET any -> [163.5.169.23] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238776; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 14014 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238775; rev:1;) alert tcp $HOME_NET any -> [58.53.128.67] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238774; rev:1;) alert tcp $HOME_NET any -> [74.48.164.62] 8040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238773; rev:1;) alert tcp $HOME_NET any -> [108.160.135.65] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238772; rev:1;) alert tcp $HOME_NET any -> [154.223.17.64] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238771; rev:1;) alert tcp $HOME_NET any -> [47.104.179.218] 65534 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238770; rev:1;) alert tcp $HOME_NET any -> [82.117.255.175] 51150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238769; rev:1;) alert tcp $HOME_NET any -> [111.231.22.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238768; rev:1;) alert tcp $HOME_NET any -> [8.140.147.193] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238767; rev:1;) alert tcp $HOME_NET any -> [91.245.253.68] 37982 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238766; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 11699 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238765; rev:1;) alert tcp $HOME_NET any -> [43.132.175.126] 60666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238764; rev:1;) alert tcp $HOME_NET any -> [208.83.237.247] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238763; rev:1;) alert tcp $HOME_NET any -> [124.220.185.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238762; rev:1;) alert tcp $HOME_NET any -> [43.139.189.54] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238761; rev:1;) alert tcp $HOME_NET any -> [101.43.127.45] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238760/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238760; rev:1;) alert tcp $HOME_NET any -> [47.99.151.68] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238759; rev:1;) alert tcp $HOME_NET any -> [8.219.228.210] 50010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238758/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238758; rev:1;) alert tcp $HOME_NET any -> [5.255.124.188] 33136 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238757; rev:1;) alert tcp $HOME_NET any -> [61.75.17.84] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238756; rev:1;) alert tcp $HOME_NET any -> [176.97.73.6] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238755; rev:1;) alert tcp $HOME_NET any -> [193.233.132.195] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238754; rev:1;) alert tcp $HOME_NET any -> [195.2.76.141] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238753/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238753; rev:1;) alert tcp $HOME_NET any -> [193.233.132.152] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238752/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238752; rev:1;) alert tcp $HOME_NET any -> [45.15.156.161] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238751; rev:1;) alert tcp $HOME_NET any -> [195.20.16.225] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238750; rev:1;) alert tcp $HOME_NET any -> [41.216.183.87] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238749; 
rev:1;) alert tcp $HOME_NET any -> [195.20.16.127] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238748/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238748; rev:1;) alert tcp $HOME_NET any -> [195.20.16.226] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238747/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238747; rev:1;) alert tcp $HOME_NET any -> [195.20.16.227] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238746/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238746; rev:1;) alert tcp $HOME_NET any -> [116.202.3.242] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238745/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238745; rev:1;) alert tcp $HOME_NET any -> [88.198.107.6] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238744/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238744; rev:1;) alert tcp $HOME_NET any -> [95.217.215.24] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238743/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238743; rev:1;) alert tcp $HOME_NET any -> [78.46.251.181] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238742/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238742; rev:1;) alert tcp $HOME_NET any -> [88.99.38.67] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238741/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238741; rev:1;) alert tcp $HOME_NET any -> [5.75.209.125] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238740; rev:1;) alert tcp $HOME_NET any -> [5.75.215.113] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238739/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238739; rev:1;) alert tcp $HOME_NET any -> [49.12.118.45] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238738/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238738; rev:1;) alert tcp $HOME_NET any -> [49.12.118.45] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238737/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238737; rev:1;)
# ip:port indicators: address-and-port match only, rate-limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [5.75.211.127] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238736/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238736; rev:1;)
alert tcp $HOME_NET any -> [94.158.247.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238735/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238735; rev:1;)
# url indicators: GET sent by the client on an established flow. The URI is a case-insensitive prefix match
# (depth equals the pattern length); the host must equal the pattern (depth plus isdataat:!1,relative).
# The host patterns here are IP literals, so the request must carry the address itself as its host.
# These are http rules and only apply to traffic Suricata parses as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.130.79.120"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"129.226.154.245"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7;
nocase; http.host; content:"78.128.112.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238732; rev:1;)
# url indicator: client GET on an established flow, URI matched as a case-insensitive prefix, host matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"111.230.12.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238731; rev:1;)
# domain indicator: depth equals the pattern length and isdataat:!1,relative forbids trailing bytes, so only a
# query for exactly this name matches (any letter case); queries for subdomains of it do not.
# The url rule that follows covers the same host name, so a lookup plus a cleartext GET raises two alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.153.34.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity;
sid:91238728; rev:1;)
# url indicators: client GET on an established flow; URI is a case-insensitive prefix match, host an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238727; rev:1;)
# NOTE(review): this URI looks like a Windows Update download path; the exact-host condition on aws-apps.net
# is the part of the rule that is specific to this indicator. The dns rule after it covers the same domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/11/lvjh6wkebixyop5aqcjtb"; depth:57; nocase; http.host; content:"aws-apps.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238725; rev:1;)
# domain indicator: exact-name match only (depth plus isdataat:!1,relative); subdomains of aws-apps.net do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aws-apps.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/ydr/1337.dat"; depth:13; nocase; http.host; content:"allstocksinc.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238712; rev:1;)
# payload delivery urls: same match shape as the C2 url rules (client GET, URI prefix, exact host). The msg
# names no malware family, so the reference URL is the only pointer to what is served at these paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vno/1337.dat"; depth:13; nocase; http.host; content:"muellerinfo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vuihcgp/1337.dat"; depth:17; nocase; http.host; content:"toptrinityblog.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238710; rev:1;)
# C2 url indicator; the host condition is an exact match on the full name, including its subdomain labels.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetodle.php"; depth:15; nocase; http.host; content:"lest1kkror.ru.swtest.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238705; rev:1;)
alert tcp $HOME_NET any -> [107.148.1.41] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09;
classtype:trojan-activity; sid:91238703; rev:1;)
# domain indicator: only a query for exactly this name matches (depth plus isdataat:!1,relative), in any letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.nsfocus.cn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238702; rev:1;)
# NOTE(review): this rule is written for tcp on port 53. If the listener is reached with DNS over UDP, those
# packets would not match; confirm the transport on the reference page before relying on this for coverage.
alert tcp $HOME_NET any -> [94.20.88.63] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238701; rev:1;)
# ip:port indicators: address-and-port match with no flow or payload keyword; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [23.226.138.161] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238699; rev:1;)
alert tcp $HOME_NET any -> [37.60.242.86] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238700; rev:1;)
# payload delivery url: client GET, URI prefix match, exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t6f5gi/1337.dat"; depth:16; nocase; http.host; content:"professionalficars.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ts5/1337.dat"; depth:13; nocase; http.host; content:"wealthygradi.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238697; rev:1;)
# url indicator: client GET on an established flow; URI is a case-insensitive prefix match, host an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238696; rev:1;)
# ip:port indicator: any TCP packet from $HOME_NET to this address and port matches; one alert per source per 60 s.
alert tcp $HOME_NET any -> [129.151.142.36] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238695; rev:1;)
# The URI pattern is three bytes with depth:3, so every path on this host that begins with /cm matches;
# the exact host condition is what narrows the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"219.151.137.139"; depth:15; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1238693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238693; rev:1;)
# url indicators with IP-literal hosts: client GET on an established flow, URI prefix match, exact host match.
# NOTE(review): /match, /pixel, /ptj and /ie9compatviewlist.xml resemble default Cobalt Strike profile URIs;
# the msg names no family, so confirm attribution on the reference page rather than from the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.222.152.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"1.62.64.108"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.222.152.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.225.14.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238689; rev:1;)
alert http $HOME_NET any
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238688; rev:1;)
# url indicators: client GET on an established flow; the URI is matched as a case-insensitive prefix
# (depth equals the pattern length) and the host must equal the pattern (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238687; rev:1;)
# Host given as a domain name rather than an IP literal; there is no dns rule for it in this part of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"rw1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238684; rev:1;)
# url indicator: the URI pattern ends in "_" and is matched as a prefix (depth:45), so any suffix after it matches.
# NOTE(review): the path looks like a Windows Update download path; the IP-literal host is the specific part.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238683; rev:1;)
# url indicators with IP-literal hosts: client GET, URI prefix match, exact host match; HTTP traffic only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1238680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238680; rev:1;)
# url indicators: client GET on an established flow, URI prefix match, exact host match. The /cx pattern is
# three bytes long, so the host condition carries most of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238678; rev:1;)
# ip:port indicators at confidence_level 75, lower than the neighbouring entries: address-and-port match
# only, one alert per source per 60 seconds. Treat a hit as a lead to verify via the reference URL.
alert tcp $HOME_NET any -> [18.192.93.86] 13056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238676; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 13056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238677; rev:1;)
alert tcp $HOME_NET any -> [3.70.168.173] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238675/; target:src_ip;
metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238675; rev:1;)
# ip:port indicator at confidence_level 75: address-and-port match only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [23.226.138.143] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238674; rev:1;)
# "Unknown malware" entries: the msg carries no family name although confidence_level is 100, so the alert
# text alone gives no triage context; the reference URL is the place to look it up.
alert tcp $HOME_NET any -> [46.151.214.122] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238673; rev:1;)
alert tcp $HOME_NET any -> [47.99.188.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238672; rev:1;)
alert tcp $HOME_NET any -> [128.199.20.195] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238671; rev:1;)
alert tcp $HOME_NET any -> [157.245.104.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238670; rev:1;)
alert tcp $HOME_NET any -> [159.69.179.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238669; rev:1;)
# ip:port indicator: no flow or payload keyword, so any TCP packet to this address and port matches;
# the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [172.105.90.105] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238667; rev:1;)
# domain indicators: only a query for exactly the listed name matches (depth plus isdataat:!1,relative),
# in any letter case. Parent domains and other subdomains are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.dnl-l.ooguy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notifications.deenpel.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238666; rev:1;)
alert tcp $HOME_NET any -> [124.222.21.138] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238663; rev:1;)
alert tcp $HOME_NET any -> [180.140.153.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238664/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238664; rev:1;)
# ip:port indicators on port 80 with no family name: the match is on address and port alone, so other
# content served from the same address alerts as well; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [103.16.224.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238662; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238660; rev:1;)
# domain indicator: exact-name match only (depth plus isdataat:!1,relative), in any letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x3qc.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238661; rev:1;)
# NOTE(review): this name looks like a provider-assigned host name that embeds an IP address. Such addresses
# are presumably reassigned over time, so weigh first_seen (2024_02_09) before treating a hit as confirmed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-200-22-116.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238659; rev:1;)
alert tcp $HOME_NET any -> [54.175.203.218] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238658; rev:1;)
alert tcp $HOME_NET any ->
[2.36.57.107] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238657; rev:1;)
# ERMAC ip:port indicators: address-and-port match with no flow or payload keyword, one alert per source
# per 60 seconds. 20.241.69.111 appears twice, on 8080 and on 80, each under its own sid.
alert tcp $HOME_NET any -> [185.250.45.130] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238656; rev:1;)
alert tcp $HOME_NET any -> [20.241.69.111] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238655; rev:1;)
alert tcp $HOME_NET any -> [5.42.92.165] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238653; rev:1;)
alert tcp $HOME_NET any -> [20.241.69.111] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238654; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.66] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238652/; target:src_ip; metadata: confidence_level
100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238652; rev:1;)
# domain indicator: exact-name match only (depth plus isdataat:!1,relative), in any letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moodle1.feja111.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238651; rev:1;)
# ip:port indicators: any TCP packet from $HOME_NET to the address and port matches; one alert per source per 60 s.
alert tcp $HOME_NET any -> [93.177.100.138] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238650; rev:1;)
alert tcp $HOME_NET any -> [194.48.251.220] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238649; rev:1;)
# NOTE(review): the next two names embed what look like IP addresses under a hosting or panel domain.
# They presumably follow the address rather than the operator, so a match long after first_seen needs checking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.129.149.13.49.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.161-35-239-147.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-153-179-54.eu-central-1.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238647; rev:1;)
# ip:port indicator on 443: address-and-port match only, so the rule cannot tell this C2 apart from any
# other TLS service on the same address; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [51.103.213.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238644; rev:1;)
# domain indicators: exact-name match only (depth plus isdataat:!1,relative), in any letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qa-dhs.wavenet-solutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238645; rev:1;)
# NOTE(review): this name appears to encode an IPv4 address; confirm it still points at the reported host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-203-167-57.ipv4.staticdns2.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthpips.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query;
content:"172-105-14-104.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238641; rev:1;)
# ip:port indicators (Havoc, Quasar RAT, RisePro): no flow or payload keyword, so any TCP packet from
# $HOME_NET to the address and port matches, including connection attempts; one alert per source per 60 s.
# target:src_ip tags the $HOME_NET side as the target in the alert.
alert tcp $HOME_NET any -> [162.55.40.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238640; rev:1;)
alert tcp $HOME_NET any -> [73.186.83.59] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238639; rev:1;)
alert tcp $HOME_NET any -> [103.120.201.75] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238638; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238637; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09;
classtype:trojan-activity; sid:91238636; rev:1;) alert tcp $HOME_NET any -> [150.107.201.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-79-194-172.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238633; rev:1;) alert tcp $HOME_NET any -> [95.181.173.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"android.l3harris.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238632; rev:1;) alert tcp $HOME_NET any -> [185.216.70.225] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238631; rev:1;) alert tcp $HOME_NET any -> [185.216.70.224] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kitrknis.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21.157.72.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238628; rev:1;) alert tcp $HOME_NET any -> [94.156.69.196] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238627; rev:1;) alert tcp $HOME_NET any -> [94.156.69.196] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238626; rev:1;) alert tcp $HOME_NET any -> [206.123.132.240] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238625/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238625; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238624; rev:1;) alert tcp $HOME_NET any -> [20.15.234.170] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238623/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238623; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238621; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2143 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238622; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238620; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238619; rev:1;) alert tcp $HOME_NET any -> [47.97.37.19] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238618; rev:1;) alert tcp $HOME_NET any -> [62.133.60.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238617; rev:1;) alert tcp $HOME_NET any -> [134.175.236.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238616; rev:1;) alert tcp $HOME_NET any -> [93.33.203.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238615; rev:1;) alert tcp $HOME_NET any -> [192.3.98.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238614; rev:1;) alert tcp 
$HOME_NET any -> [196.235.2.142] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238613; rev:1;) alert tcp $HOME_NET any -> [141.98.81.98] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rw1.dbgblack.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238611; rev:1;) alert tcp $HOME_NET any -> [172.245.208.5] 2060 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"merckllc.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/11da1c02f1899731.php"; depth:21; nocase; http.host; content:"217.196.98.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238608; rev:1;)
# ip:port rules: match any TCP packet from $HOME_NET to the listed address and port; no payload is
# inspected. The threshold keeps this to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [47.88.53.49] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238607/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238607; rev:1;)
# URL rules: http.method must contain GET, http.uri must start with the listed path (depth equals the
# path length, nocase; there is no end-of-buffer check on the URI, so longer URIs with the same prefix
# also match), and http.host must equal the listed host exactly (depth plus isdataat:!1,relative).
# These rules carry no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee48257d.php"; depth:13; nocase; http.host; content:"a0905211.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238606; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238605; rev:1;)
# NOTE(review): the http.host value in sid 91238604 below lies in 192.0.2.0/24, the block RFC 5737
# reserves for documentation. It should not occur as a real destination, so this rule is unlikely to
# fire on live traffic; presumably the value is a placeholder or was sanitized -- check it against the
# referenced ThreatFox entry before relying on this rule for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"192.0.2.30"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238604; rev:1;)
alert tcp $HOME_NET any -> [34.79.80.97] 2376 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238603; rev:1;) alert tcp $HOME_NET any -> [84.38.132.126] 61445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238602/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238602; rev:1;) alert tcp $HOME_NET any -> [66.204.14.174] 4506 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238601/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238601; rev:1;) alert tcp $HOME_NET any -> [103.86.131.101] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238600/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238600; rev:1;) alert tcp $HOME_NET any -> [164.92.225.82] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238599/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238599; rev:1;) alert tcp $HOME_NET any -> [178.18.246.136] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238598; rev:1;) alert tcp $HOME_NET any -> [40.66.42.165] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238597; rev:1;) alert tcp $HOME_NET any -> [20.117.106.245] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238596; rev:1;) alert tcp $HOME_NET any -> [97.118.34.90] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238595; rev:1;) alert tcp $HOME_NET any -> [67.71.30.57] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238594; rev:1;) alert tcp $HOME_NET any -> [12.22.160.81] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238593; rev:1;) alert tcp $HOME_NET any -> [79.113.86.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238592; rev:1;) alert tcp $HOME_NET any -> [104.236.67.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238591; rev:1;) alert tcp $HOME_NET any -> [159.203.167.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238590; rev:1;) alert tcp $HOME_NET any -> [91.107.200.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238589; rev:1;) alert tcp $HOME_NET any -> [15.235.167.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"selebration17io.io"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vacantion18ffeu.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"valarioulinity1.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"buriatiarutuhuob.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cassiosssionunu.me"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sulugilioiu19.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"goodfooggooftool.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sjyey.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"babonwo.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"mth.com.ua"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238053; rev:1;)
# URL rules: http.method must contain GET, http.uri must start with the listed path (depth equals the
# path length, nocase; there is no end-of-buffer check on the URI, so longer URIs with the same prefix
# also match), and http.host must equal the listed host exactly (depth plus isdataat:!1,relative).
# These rules carry no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238054; rev:1;)
# NOTE(review): several rules below have identical match conditions and differ only in reference and sid:
#   go-piratia.ru    + /tmp/index.php : sids 91238055, 91238056, 91238060, 91238064
#   trad-einmyus.com + /index.php     : sids 91238057, 91238061
#   tradein-myus.com + /index.php     : sids 91238058, 91238062
#   trade-inmyus.com + /index.php     : sids 91238059, 91238063
# One matching request therefore raises one alert per sid in its group. Presumably the feed holds
# separate IOC entries whose URLs differ in a part these rules do not encode -- confirm against the
# referenced ThreatFox entries. When counting detections per host, treat each group as a single hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"91.240.118.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238104; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238097; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 5204 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238075/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"microbanafler.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238066/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_09; classtype:trojan-activity; sid:91238066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonlowdbtrafficpublic.php"; depth:29; nocase; http.host; content:"837376cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"exhaustless-bracket.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238586; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238585/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238585; rev:1;)
# ThreatFox "payload delivery" URL rules (confidence_level 100, first_seen 2024_02_09).
# Every rule below encodes one exact URL as three conditions on an established client request:
#   http.method  content:"GET"
#   http.uri     content:"<path>"; depth:<length of path>; nocase
#                -> the path has to start at the first byte of the URI, compared case-insensitively
#   http.host    content:"<host>"; depth:<length of host>; isdataat:!1,relative
#                -> the Host value has to be exactly this name, nothing may follow it
# sid is the ThreatFox IOC id from the reference url with a leading 9 (ioc/1238583 -> sid:91238583).
# target:src_ip marks the $HOME_NET client that sent the request as the affected side.
#
# NOTE(review): only the start of the URI is anchored; there is no isdataat on http.uri, so a request
# whose URI continues past the listed path (for example with a query string) still matches.
# NOTE(review): these are `alert http` rules, so they only see requests the HTTP parser can read;
# the same URL fetched over TLS is not covered unless traffic is decrypted before it reaches the sensor.
# NOTE(review): the same path recurs under different hosts (e.g. /wp-admin/css/colors/blue/blue.php);
# the http.host condition is what keeps those rules distinct, so do not drop it when tuning.
# NOTE(review): the paths look like single files placed inside ordinary WordPress/CMS directory trees
# (presumably on compromised sites - confirm on the ThreatFox IOC page). Triage a hit as "this client
# fetched this URL", not as a verdict on the whole domain, and plan to age the rule out: first_seen is
# the only date it carries and nothing in the rule expires it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/servmask.php"; depth:76; nocase; http.host; content:"takartboutique.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/litespeed-cache/lib/css-min/css-min.php"; depth:59; nocase; http.host; content:"nctest.syndicatedcapitalgh.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"cafemocha.thehostmandu.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/ectoplasm/ectoplasm/ectoplasm.php"; depth:54; nocase; http.host; content:"thegardengasteiz.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modules/9abb03e812/includes/functions/functions.php"; depth:52; nocase; http.host; content:"tneacounseling.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/3d-development.com/santacon/santacon.php"; depth:68; nocase; http.host; content:"thesantacon.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"new.usmortgage.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2_backup/wp-content/plugins/all-in-one-wp-migration/lib/controller/controller.php"; depth:83; nocase; http.host; content:"uhappyevents.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/images.php"; depth:27; nocase; http.host; content:"v775136o.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-product-search-for-woo/lib/predic-widget/assets/sass/sass.php"; depth:90; nocase; http.host; content:"ventasdetodoloqueseteocurra.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/assets/styles/styles.php"; depth:58; nocase; http.host; content:"w3qualitytime.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"mytrucknow.volomoso.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-inserter/includes/google-api/vendor/firebase/php-jwt/php-jwt.php"; depth:87; nocase; http.host; content:"altcoin-cryptocurrency-trading-platform.what-todo.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app_templates/web/up_codelogin_old/documentation/assets/blueprint-css/plugins/buttons/buttons.php"; depth:98; nocase; http.host; content:"wanimation.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"www.autojaro.sk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:52; nocase; http.host; content:"wynton45.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup/skyjumpertrampolinepark_20190301/skyjumpertrampolinepark_20190301.php"; depth:77; nocase; http.host; content:"youlovesports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guestregsystem/wp-content/plugins/all-in-one-wp-migration-with-import-master/lib/view/assets/css/css.php"; depth:105; nocase; http.host; content:"aridient.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awlandsafaris.com.php"; depth:22; nocase; http.host; content:"awlandsafaris.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"zado-shoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bulksmspull/assets/plugins/datatables-fixedheader/css/css.php"; depth:62; nocase; http.host; content:"staging.secuodsoft.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lms.tonalismo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/affiliate-wp/includes/admin/payouts/payouts.js"; depth:66; nocase; http.host; content:"student.simplelifestrategies.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentyfifteen/genericons/genericons/genericons.php"; depth:79; nocase; http.host; content:"www.darskhososy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/amp/assets/images/reader-themes/reader-themes.php"; depth:69; nocase; http.host; content:"noticiaseh.com.ar"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netzheft/wp-admin/css/colors/blue/blue.php"; depth:43; nocase; http.host; content:"netzheft.frnrw.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"employee1.1ummah.org.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro-master/assets/js/js.php"; depth:70; nocase; http.host; content:"staging.aspectuw.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bakup4_21_2021/wp-content/cache/page_enhanced/www.yourchoiceplumbers.com.au/2017/06/06.php"; depth:91; nocase; http.host; content:"www.yourchoiceplumbers.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cf7-conditional-fields/jsdoc-out/scripts/prettify/prettify.php"; depth:82; nocase; http.host; content:"assuredtreecare.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/cache.php"; depth:16; nocase; http.host; content:"dreclass.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.noels.be"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/plugin_epayco_woocommerce/includes/admin/admin.php"; depth:70; nocase; http.host; content:"tcmtecnologia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"nimbroeducation.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/mu-plugins/acf-medium-editor-field/assets/vendor/medium-editor/css/themes/themes.php"; depth:89; nocase; http.host; content:"dev.edades-west.make.technology"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/a/a/a.php"; depth:40; nocase; http.host; content:"formulario1.frontec.cl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"druck.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:74; nocase; http.host; content:"jac.b-a.group"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/all-in-one-wp-security-and-firewall.php"; depth:95; nocase; http.host; content:"vselectrics.gr"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iraq/wp-content/plugins/accesspress-social-counter/inc/backend/boards/boards.php"; depth:81; nocase; http.host; content:"nidaagroup.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/wp-content/plugins/dopts/libraries/gui/images/colorpicker/colorpicker.js"; depth:76; nocase; http.host; content:"drsohrabi.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/code-snippets/css/min/editor-themes/editor-themes.php"; depth:73; nocase; http.host; content:"car.hapeye.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"new.mullicatownship.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/newfold-page-cache/unpicturesquely9lbcy/2f56bactos463103/2f56bactos463103.php"; depth:89; nocase; http.host; content:"danieltravels.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lawconsult.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/2022/01/138-student-living-uwi-agree-new-concession-terms-business/138-student-living-uwi-agree-new-concession-terms-business.php"; depth:162; nocase; http.host; content:"bellejamaica.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyseventeen/assets/fonts/libre-franklin/libre-franklin.js"; depth:80; nocase; http.host; content:"www.fbstapes.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"serwis-impacto.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:70; nocase; http.host; content:"crossco.semseo3.beget.tech"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-cache-helper/classes/classes.php"; depth:100; nocase; 
http.host; content:"idt.builderallwppro.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/images/field-states/field-states.php"; depth:90; nocase; http.host; content:"demo3.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"demo31.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo56.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo21.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adminify-pro/inc/modules/admincolumns/assets/css/css.php"; depth:76; nocase; http.host; content:"demo40.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo5.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-addon/addons/advanced-headers/assets/js/minified/minified.php"; depth:87; nocase; http.host; content:"demo1.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238529; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"test.bigbeautifulbuys.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adminify-pro/inc/modules/admincolumns/assets/assets.php"; depth:75; nocase; http.host; content:"demo46.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"progeturepublica.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/042/9f1/9f1.php"; depth:40; nocase; http.host; content:"sakarealestate.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-statistics/assets/dev/sass/component/placeholder/placeholder.php"; depth:87; nocase; http.host; content:"regaloscaos.es.ht"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"tsc.signalovernoise.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"florquedafulgor.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; 
content:"alyamama78.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/assets/css/css.js"; depth:70; nocase; http.host; content:"bhawpals.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"moveterramogi.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"merelio.000webhostapp.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"computerteknik.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"latinate-matters.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"ygbrandmaker.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"ybc77.000webhostapp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238514; rev:1;)
# "Payload delivery" URL indicators, one rule per ThreatFox IOC (sid = "9" + IOC id).
# Match per rule: $HOME_NET client, established flow, method GET, http.uri
# beginning with the path (nocase, pinned to offset 0 by depth), http.host equal
# to the name (depth plus isdataat:!1,relative leaves no room for extra bytes).
# target:src_ip records the internal client as the target side of the event.
# No threshold keyword is present, so each matching request raises its own event.
# NOTE(review): the paths sit in stock CMS directories (wp-admin, wp-includes,
# wp-content/plugins, wp-content/cache) on ordinary-looking domains, which
# suggests files planted on compromised sites - TODO confirm per IOC. A hit shows
# that a client requested the URL, not what was returned; correlate with HTTP
# response and file logs when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baystate/wp-content/plugins/cherry-plugin/lib/js/flexslider/fonts/fonts.php"; depth:76; nocase; http.host; content:"aclarilari.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/wp-admin.php"; depth:22; nocase; http.host; content:"medisur-rgl.com.ar"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/distant/jpg/jpg.php"; depth:24; nocase; http.host; content:"www.ccfg-conakry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/core/languages/plugins/plugins.php"; depth:35; nocase; http.host; content:"szerviz.microstore.hu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"store.powermatic.co.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ajax-search-lite/backend/settings/assets/icons/icons.php"; depth:76; nocase; http.host; content:"annybrenn.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"rashidaljabrigroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css.php"; depth:21; nocase; http.host; content:"shrachirealty.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"emvision.com.my"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/track.dioslogistics.com/category/uncategorized/uncategorized.php"; depth:96; nocase; http.host; content:"track.dioslogistics.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/themes/twentytwenty/assets/images/images.php"; depth:59; nocase; http.host; content:"roughdiamond.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/languages.php"; depth:35; nocase; http.host; content:"xbaseweb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"femza.org.ar"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.php"; depth:98; nocase; http.host; content:"www.7-dots.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"relacion.traxxcp.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/supercache/pharmahome.ae/ar/comments/feed/feed.php"; depth:68; nocase; http.host; content:"pharmahome.ae"; depth:13; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1238496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238496; rev:1;)
# URL indicators tagged "payload delivery", confidence_level 100.
# A rule fires when an internal client sends an HTTP GET (established flow,
# client side) whose URI begins with the path and whose Host equals the name.
# http.host content carries no nocase because that buffer is already lower-cased
# by Suricata; the URI match is case-insensitive through nocase.
# NOTE(review): first_seen (2024_02_09) is the only date in these rules and rev is
# 1 throughout, so nothing here says whether a URL is still live or the site has
# been cleaned. Check the referenced ThreatFox entry before converting any of
# these into a blocking rule; several hosts look like regular business or
# public-sector sites (for example a .gob.ar name).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/vendor/doctrine/inflector/lib/doctrine/common/common.php"; depth:102; nocase; http.host; content:"matesonthemove.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/blog-manager-wp/assets/images/arrow/arrow.php"; depth:65; nocase; http.host; content:"ssl.news"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ebor-framework-master/metaboxes/css/sass/partials/partials.php"; depth:82; nocase; http.host; content:"interplast.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/037/b5a/b5a.js"; depth:39; nocase; http.host; content:"english.cabrerallamas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/category/uncategorized/uncategorized.php"; depth:73; nocase; http.host; content:"wheelsonthedanforth.ca"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/css/css.php"; depth:65; nocase; http.host; content:"balangabriel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"sanicorpec.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bodycenter-extra/lib/scssphp/compass/stylesheets/compass/utilities/color/color.php"; depth:102; nocase; http.host; content:"www.comunidadfit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"bp8k4k.serveravatartmp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/classic-editor/classic-editor.js"; depth:52; nocase; http.host; content:"cvts.rut.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/duplicator-pro/assets/css/images/images.php"; depth:63; nocase; http.host; content:"giraganaceuti.compradondevives.es"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"mercadochubut.gob.ar"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-iframe/css/css.php"; depth:47; nocase; http.host; content:"appercity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"e-tirechains.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/010/449/449.php"; depth:40; nocase; http.host; content:"mobile.wisechoicesupplements.ph"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity;
sid:91238481; rev:1;)
# ThreatFox "payload delivery" URL indicators (first_seen 2024_02_09).
# Outbound HTTP GET, established flow, client side. The URI test is a
# case-insensitive prefix match: depth equals the path length, nothing anchors the
# end, so the same path with a query string or extra suffix also matches.
# The Host test is exact: depth plus isdataat:!1,relative is the depth-based
# spelling of what startswith; endswith; expresses in newer rule syntax. A rule
# for www.example.test would therefore not fire on example.test (constructed
# names), and the www. hosts listed here do not cover their bare domains.
# Cleartext HTTP only; TLS-wrapped requests need decryption or a separate
# tls.sni-based rule to be visible.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"www.jrun.com.hk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/wordpress/wp-content/themes/twentynineteen/template-parts/content/content.js"; depth:82; nocase; http.host; content:"blog.learningpie.in"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"1storiginal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1tambon1school/schsurvey/core/core.php"; depth:39; nocase; http.host; content:"inno.obec.go.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.bericht.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/coming-soon/languages/languages.php"; depth:55; nocase; http.host; content:"iscrizione.handmadecampania.it"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/burst-statistics/assets/css/admin/modules/dashboard/dashboard.php"; depth:85; nocase; http.host; content:"archiwummuzeumziemizbaszynskiej.zck.org.pl"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/img/portfolio/fullsize/fullsize.php"; depth:45; nocase; http.host; content:"lisbonvinylcutters.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"job-test.ifrigate.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"noonanwaste.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"abrito.wecreateyou.pt"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"legrainparis.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/counter/change_images/logo/logo.php"; depth:42; nocase; http.host; content:"teamvedika.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demos/1stbeauty/wp-content/plugins/better-search-replace/assets/img/img.php"; depth:76; nocase; http.host; content:"cactusgroupwebtest.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"a-onevacuums.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/admin/tool/availabilityconditions/tests/behat/behat.php"; depth:56; nocase; http.host; content:"hlcelms-new.herminahospitals.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238465; rev:1;)
# "Payload delivery" URL indicators; sid is "9" followed by the ThreatFox IOC id,
# so an event can be traced to threatfox.abuse.ch/ioc/<id>/.
# Per rule: internal client, established flow, GET, URI prefix (nocase), exact Host.
# Every matching request produces an event (no threshold keyword), and
# target:src_ip marks the requesting client as the target.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"insureafrica.co.za"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238466; rev:1;)
# NOTE(review): the host in the next rule is an EC2 public DNS name, which encodes
# the instance's public IPv4 address; such addresses can be released and
# reassigned, so re-validate IOC 1238463 before treating a hit as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"ec2-175-41-161-53.ap-southeast-1.compute.amazonaws.com"; depth:54; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demo/wp-content/plugins/elementor/assets/images/app/site-editor/site-editor.php"; depth:80; nocase; http.host; content:"cxosnextgen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/endurance-page-cache.php"; depth:57; nocase; http.host; content:"dental.simptomi.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"garage.the-namers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/kit-library/data/kits/endpoints/endpoints.php"; depth:87; nocase; http.host; content:"sosiologi.fisip.unpad.ac.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/social-feed-widgets-for-elementor-using-smash-balloon/assets/css/css.php"; depth:115; nocase; http.host; content:"uat.zeroowatch.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financials/unaud30092007_files/sheet001_files/sheet001_files.php"; depth:65; nocase; http.host; content:"jkagri.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpmyadmin/js/vendor/jqplot/plugins/plugins.php"; depth:48; nocase; http.host; content:"proxyknow.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238458; rev:1;)
# NOTE(review): the path in the next rule starts with /well-known/; the standard
# ACME challenge directory is /.well-known/ (leading dot). Because depth pins the
# match to offset 0, a request for /.well-known/... would not match - verify the
# path against ThreatFox IOC 1238455 before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/a/a.php"; depth:40; nocase; http.host; content:"www.xinyizhou0310.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/plugins/layerslider/static/codemirror/codemirror.php"; depth:74; nocase; http.host; content:"ade.tw"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/wp-content.php"; depth:26; nocase; http.host; content:"plazanorte.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/attachments/deprecated/css/css.php"; depth:57; nocase; http.host; content:"rossanalabs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/_ithemes-security-pro/core/lib/lockout/execute-lock/execute-lock.php"; depth:88; nocase; http.host; content:"anfal.com.pk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"blog.qrstaff.in"; depth:15; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1238452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238452; rev:1;)
# ThreatFox "payload delivery" URL indicators (first_seen 2024_02_09).
# Several rules share one URI path and differ only in http.host; each keeps its
# own sid ("9" + IOC id), so the host is what separates one indicator from another.
# Match: outbound established HTTP GET, URI starting with the path (nocase), Host
# exactly equal to the name (depth plus isdataat:!1,relative).
# NOTE(review): all but one host below end in 000webhostapp.com, apparently a
# shared-hosting suffix. The exact-host match keeps each rule on one tenant;
# generalising to the suffix would presumably flag unrelated sites - confirm
# before building domain-level blocks from these entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"hamza738.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"trialstaging.trialrun.us"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"go4clinic.000webhostapp.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"savemuch.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"firdesktop.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"congregacionkoinonia.000webhostapp.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"jenniferhallasi652005.000webhostapp.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"gtaonlinestore.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"0777arsy.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"cartwheels.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/searchstatistics/searchstatistics.js"; depth:87; nocase; http.host; content:"battological-envelo.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1238441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/assets/img/whats-new/whats-new.js"; depth:86; nocase; http.host; content:"lonuestrogsm.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"paperbound-bulk.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"swedenborgian-gangw.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"coccal-pocket.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/modern/modern/modern/modern/modern/modern.php"; depth:66; nocase; http.host; content:"www.asterism.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/integrations/integrations.php"; depth:80; nocase; http.host; content:"nikesoccerbootoutletol.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"wp.korinek.link"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2015inreview/especial2015/images/prettyphoto/dark_rounded/dark_rounded.js"; depth:74; nocase; http.host; content:"www.chequeado.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/framework/cache/cache.php"; depth:34; nocase; http.host; content:"version.urban-truth.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spero/vendor/automattic/woocommerce/tests/woocommerce/tests/tests.php"; depth:70; nocase; http.host; content:"www.kwik.tn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"jaimefoxmusic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238430; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/pro/admin/views/views.php"; depth:72; nocase; http.host; content:"clanped2025.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/graphs.php"; depth:75; nocase; http.host; content:"boomndeal.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/color-picker-alpha/color-picker-alpha.php"; depth:95; nocase; http.host; content:"bmn-es.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"39.99.63.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238427/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"shgl.chao1227.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/erolsalcan.com/bilgilendirme-tesekkuru/bilgilendirme-tesekkuru.php"; depth:94; nocase; http.host; content:"erolsalcan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/decode/html/html.php"; depth:43; nocase; http.host; content:"devsite.scarlettslandscaping.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paginaviejita/fancybox/recursos/nova-multipurpose-site-template/nova/images/sample/sample.php"; depth:94; nocase; http.host; content:"elparian.com.mx"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"mehryar.mazyar.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"api.algoyab.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod_link/wp-admin/css/colors/blue/blue.php"; depth:44; nocase; http.host; content:"topsportsteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgs/vendor/bmwfont/specimen_files/specimen_files.php"; depth:53; nocase; http.host; content:"fixituae.com"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/build/css/css.php"; depth:67; nocase; http.host; content:"stage.idandigitali.co.il"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"cruxbd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configofr/configofr.php"; depth:24; nocase; http.host; content:"139.99.50.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; 
content:"www.atouchoflovechildrenscenter.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sky/wp-content/plugins/apollo13-framework-extensions/design_importer/a13-wordpress-importer/a13-wordpress-importer.php"; depth:119; nocase; http.host; content:"chatsky.club"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aroma/dark/assets/plugins/datatable/css/css.js"; depth:47; nocase; http.host; content:"projects.njgraphica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"versitaopen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/layerslider/assets/static/admin/img/slider/slider.php"; depth:73; nocase; http.host; content:"dsefaywhq.preview.infomaniak.website"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/graphs.php"; depth:75; nocase; http.host; content:"3.110.136.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/acf-quickedit-fields/include/acfquickedit/acfquickedit.php"; depth:78; nocase; http.host; content:"shop.ggarabia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/backup/all-in-one-seo-pack-pro/app/common/importexport/rankmath/rankmath.js"; depth:95; nocase; http.host; content:"www.indian-designs.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"wholesaletoys.pk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ag-custom-admin/images/images.php"; depth:53; nocase; http.host; content:"juliem-ladeco.fr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"burialinsurancepro.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/player-api-master/actionscript/deploy/assets/assets.php"; depth:56; nocase; http.host; content:"vidhionline.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.easisell.com/best-way-to-use-colour-wheel-for-website-design-2/best-way-to-use-colour-wheel-for-website-design-2.php"; depth:152; nocase; http.host; content:"www.easisell.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/impresistem/guzzlehttp/adapter/curl/curl.php"; depth:45; nocase; http.host; content:"digitalepartner.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"skincare.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"handy.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.cronoscapitalpartners.it/www.cronoscapitalpartners.it.php"; depth:93; nocase; http.host; content:"www.cronoscapitalpartners.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"iserveindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assinatura/wp-admin/css/colors/blue/blue.php"; depth:45; nocase; http.host; content:"petdelicia.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home-elevators/images/authors/authors.php"; depth:42; nocase; http.host; content:"eliteelevators.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238393/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-content/plugins/acf-extended/includes/admin/views/views.php"; depth:71; nocase; http.host; content:"brown1.ezmartech.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naacmodules/jquery-ui-1.12.1.custom/images/images.php"; depth:54; nocase; http.host; content:"skillhut.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atlas/mobile/javascript/javascript.php"; depth:39; nocase; http.host; content:"psiewdr.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"iustore.7uptheme.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238389/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"haustiere.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup29112022/wp-admin/css/colors/blue/blue.php"; depth:49; nocase; http.host; content:"futxtrm.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nseit/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.js"; depth:91; nocase; http.host; content:"www.nseituat.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/sap/sap_3data/cafe_2_105/html5/html5.php"; depth:45; nocase; http.host; content:"mmoseronelink.com"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/cache/db/singletables/3e7/d91/d91.php"; depth:59; nocase; http.host; content:"idiomas2.8belts.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.scatolificiosantanna.it"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/libarts.pnu.ac.th/all/1649/feed/feed.js"; depth:57; nocase; http.host; content:"libarts.pnu.ac.th"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; 
content:"www.buildingblocksacademy.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.buildingblocksacademyalvin.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspdf/docs/scripts/prettify/prettify.php"; depth:41; nocase; http.host; content:"neicweb.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/page-scroll-to-id/includes/blocks/blocks.php"; depth:64; nocase; http.host; content:"cc.fenxiang.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/cache/min/1/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/drag-and-drop-multiple-file-upload-contact-form-7.php"; depth:146; nocase; http.host; content:"ajustsolutions.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/creame-whatsapp-me/public/css/css.php"; depth:57; nocase; http.host; content:"conectadosradio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsure/wp-content/themes/twentytwentyone/assets/sass/06-components/06-components.php"; depth:84; nocase; http.host; content:"toyotamanilabay.com.ph"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/controller/extension/module/waclient/waclient.php"; depth:56; nocase; http.host; content:"goldenringsoman.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238373; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/themeisle-companion/obfx_modules/beaver-widgets/custom-fields/number-field/number-field.php"; depth:111; nocase; http.host; content:"49.232.231.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/view.php"; depth:61; nocase; http.host; content:"starzbus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/administrator/components/com_actionlogs/src/controller/controller.php"; depth:75; nocase; http.host; content:"uranustechnepal.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/litespeed-cache/lib/css-min/css-min.php"; depth:59; nocase; http.host; content:"nctest.syndicatedcapitalgh.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238370/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-ace/includes/plugins/visual-composer/elements/elements.php"; depth:81; nocase; http.host; content:"cleverthings.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/servmask.php"; depth:76; nocase; http.host; content:"takartboutique.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/ectoplasm/ectoplasm/ectoplasm.php"; depth:54; nocase; http.host; content:"thegardengasteiz.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/3d-development.com/santacon/santacon.php"; depth:68; nocase; http.host; content:"thesantacon.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"cafemocha.thehostmandu.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/astra-local-fonts/josefin-sans/josefin-sans.php"; depth:59; nocase; http.host; content:"cashoutphone.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modules/9abb03e812/includes/functions/functions.php"; depth:52; nocase; http.host; content:"tneacounseling.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2_backup/wp-content/plugins/all-in-one-wp-migration/lib/controller/controller.php"; depth:83; nocase; http.host; 
content:"uhappyevents.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"mytrucknow.volomoso.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-inserter/includes/google-api/vendor/firebase/php-jwt/php-jwt.php"; depth:87; nocase; http.host; content:"altcoin-cryptocurrency-trading-platform.what-todo.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app_templates/web/up_codelogin_old/documentation/assets/blueprint-css/plugins/buttons/buttons.php"; depth:98; nocase; http.host; content:"wanimation.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:52; nocase; http.host; content:"wynton45.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"www.autojaro.sk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guestregsystem/wp-content/plugins/all-in-one-wp-migration-with-import-master/lib/view/assets/css/css.php"; depth:105; nocase; http.host; content:"aridient.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/anywhere-elementor/freemius/assets/css/admin/admin.php"; depth:74; nocase; http.host; content:"autoblazquez.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup/skyjumpertrampolinepark_20190301/skyjumpertrampolinepark_20190301.php"; depth:77; nocase; http.host; content:"youlovesports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"zado-shoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awlandsafaris.com.php"; depth:22; nocase; http.host; content:"awlandsafaris.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bulksmspull/assets/plugins/datatables-fixedheader/css/css.php"; depth:62; nocase; http.host; content:"staging.secuodsoft.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentyfifteen/genericons/genericons/genericons.php"; depth:79; nocase; http.host; content:"www.darskhososy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netzheft/wp-admin/css/colors/blue/blue.php"; depth:43; nocase; http.host; content:"netzheft.frnrw.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/affiliate-wp/includes/admin/payouts/payouts.js"; depth:66; nocase; http.host; content:"student.simplelifestrategies.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/c/6.3.2/wp-includes/css/dist/dist.js"; depth:60; nocase; http.host; content:"urlaubspanda.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238348; rev:1;) 
# Reading the "payload delivery (url)" rules that follow (e.g. sid 91238347, 91238346, 91238344):
# - Scope: GET requests sent by the client on an established flow that Suricata parses as HTTP,
#   from $HOME_NET to $EXTERNAL_NET. The same URL fetched inside undecrypted TLS is not inspected.
# - http.uri: each depth equals the length of its content string, so the match is anchored at the
#   start of the URI and is case-insensitive (nocase). Nothing anchors the end, so a longer path
#   or an appended query string still matches.
# - http.host: depth plus isdataat:!1,relative requires the host buffer to be exactly the listed
#   name (Suricata lowercases this buffer, which is why no nocase is needed here).
# - target:src_ip marks the $HOME_NET client as the affected side of the alert. These rules carry no
#   threshold keyword, so every matching request alerts unless it is thresholded elsewhere.
# NOTE(review): many paths sit under wp-content/wp-admin on what look like ordinary sites, so these
#   are presumably compromised third-party hosts. Confirm against the referenced ThreatFox entry, and
#   weigh first_seen 2024_02_09 against the alert date, before treating the host itself as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro-master/assets/js/js.php"; depth:70; nocase; http.host; content:"staging.aspectuw.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"employee1.1ummah.org.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/b.js"; depth:37; nocase; http.host; content:"backdr.com.au"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bakup4_21_2021/wp-content/cache/page_enhanced/www.yourchoiceplumbers.com.au/2017/06/06.php"; depth:91; nocase; http.host; content:"www.yourchoiceplumbers.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238345/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/cache.php"; depth:16; nocase; http.host; content:"dreclass.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/elementor/assets/lib/eicons/css/css.php"; depth:82; nocase; http.host; content:"enso.atrevia-dev.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"micar.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/plugin_epayco_woocommerce/includes/admin/admin.php"; depth:70; nocase; http.host; content:"tcmtecnologia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238340/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new-website/staging-ammartou/wp-content/plugins/acf-flexible-content/includes/5-0/5-0.php"; depth:90; nocase; http.host; content:"ammartours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/mu-plugins/acf-medium-editor-field/assets/vendor/medium-editor/css/themes/themes.php"; depth:89; nocase; http.host; content:"dev.edades-west.make.technology"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/a/a/a.php"; depth:40; nocase; http.host; content:"formulario1.frontec.cl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"fruitshop.7uptheme.net"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"garten.7uptheme.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"mmasport.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"macy.7uptheme.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:74; nocase; http.host; content:"jac.b-a.group"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/rebelradio.cultnerds.io/2020/03/page/2/2.php"; depth:72; nocase; http.host; content:"rebelradio.cultnerds.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1/synergetic/wp-content/plugins/elementor/app/modules/import-export/compatibility/compatibility.php"; depth:101; nocase; http.host; content:"imsx7.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dup-installer/assets/font-awesome/css/css.php"; depth:46; nocase; http.host; content:"sebti.ir"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/bandar.php"; depth:79; nocase; http.host; content:"gmgfavvocati.it"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/admin/css/css.php"; depth:52; nocase; http.host; content:"airsoftgear.mx"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"refonte.notaire-reuter.lu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/speedycache/consilior.com.mx/consilior.com.mx.php"; depth:67; nocase; http.host; content:"consilior.com.mx"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/iraq/wp-content/plugins/accesspress-social-counter/inc/backend/boards/boards.php"; depth:81; nocase; http.host; content:"nidaagroup.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"geschaft.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/wp-content/plugins/dopts/libraries/gui/images/colorpicker/colorpicker.js"; depth:76; nocase; http.host; content:"drsohrabi.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/backups-dup-lite/installer/installer.php"; depth:52; nocase; http.host; content:"www.gttours.co.ke"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/newfold-page-cache/unpicturesquely9lbcy/2f56bactos463103/2f56bactos463103.php"; depth:89; nocase; http.host; content:"danieltravels.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booking.grimerud.no/wp-content/plugins/elementor/app/modules/import-export/runners/export/export.php"; depth:101; nocase; http.host; content:"grimerud.no"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cf7-conditional-fields/jsdoc-out/scripts/prettify/prettify.php"; depth:82; nocase; http.host; content:"assuredtreecare.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/inc/restapi/restapi.php"; depth:69; nocase; http.host; content:"aquaticasolutions.co.za"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/images.php"; depth:27; nocase; http.host; content:"www.redtbs.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"danza.lpgc.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolsadetrabajo/wp-content/plugins/all-in-one-seo-pack/app/common/integrations/integrations.php"; depth:95; nocase; http.host; content:"liceodeartesyoficios.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"new.mullicatownship.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238313/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ays-popup-box/admin/partials/export-import/export-import.php"; depth:80; nocase; http.host; content:"dev.jobsacademy.co"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/blocks/archives/archives.js"; depth:40; nocase; http.host; content:"hama.7uptheme.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"isone.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"kuteshop.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238308/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238308; rev:1;)
# Payload-delivery URL rules: cleartext HTTP GET, URI prefix match, exact host.
# The next two rules share the URI /wp-admin/css/colors/colors.php and differ
# only in the 7uptheme.net subdomain. Each rule references its own ThreatFox
# IOC id, so related hosts are not merged into one signature; when triaging,
# pivot on the parent domain and the shared path, not only on a single sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"lamerfashion.7uptheme.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"larcorso.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238307; rev:1;)
# Not every IOC path is a WordPress one: the next rule matches a .php file
# nested inside a node_modules tree.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chat_server/node_modules/express/node_modules/accepts/node_modules/negotiator/lib/lib.php"; depth:90; nocase; http.host; content:"akastars.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/build/css/pro/pro.php"; depth:75; nocase; http.host; content:"marybanksconsult.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238305/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cms/assets/bootstrap/css/css.php"; depth:33; nocase; http.host; content:"knrpjatim.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/fastboss.ai/4677-2/automation/27/27.php"; depth:67; nocase; http.host; content:"fastboss.ai"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"civicom.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/2022/01/138-student-living-uwi-agree-new-concession-terms-business/138-student-living-uwi-agree-new-concession-terms-business.php"; depth:162; 
nocase; http.host; content:"bellejamaica.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test11/wp-content/plugins/creative-mail-by-constant-contact/assets/images/admin-dashboard-widget/admin-dashboard-widget.php"; depth:124; nocase; http.host; content:"skingetsperfect.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/chaty/admin/assets/css/css.php"; depth:50; nocase; http.host; content:"conversemos.itaca.com.pe"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/abiitqx885984/abiitqx885984.php"; depth:64; nocase; http.host; content:"mortoncountyslc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lawconsult.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-admin/css/colors/blue/blue.php"; depth:42; nocase; http.host; content:"www.leroyschroeder.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"serwis-impacto.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/087/c3e/c3e.php"; depth:40; nocase; http.host; content:"projekty-wloszczowa.pl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/samsyssync_pluginwp/assets/css/css.php"; depth:58; nocase; http.host; content:"ambience.lab.webdados.pt"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"heli-school.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"www.jrun.com.hk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentytwentyone/assets/sass/06-components/06-components.php"; depth:88; nocase; http.host; content:"www.inovcargo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"science-house.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"cki-company.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/www.femenino.mx/author/admin/page/page.php"; depth:70; nocase; http.host; content:"femenino.mx"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwp-includes/simplepie/xml/declaration/declaration.js"; depth:54; nocase; http.host; content:"reoninternational.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238286; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"newvivarch.cignature.com.sg"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-cache-helper/classes/classes.php"; depth:100; nocase; http.host; content:"idt.builderallwppro.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/addons-for-elementor/assets/css/fonts/fonts.php"; depth:67; nocase; http.host; content:"maternews.aprovar.site"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/import-export/runners/export/export.php"; depth:81; nocase; http.host; content:"temp.4-b.site"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"clinicavale.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-cf7-db/admin/admin.php"; depth:51; nocase; http.host; content:"www.rivabeachbari.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"api.algoyab.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/player-api-master/actionscript/deploy/assets/assets.php"; depth:56; nocase; http.host; content:"vidhionline.com"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1238278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238278; rev:1;)
# Payload-delivery URL rules: cleartext HTTP GET, URI prefix match (depth equals
# the content length, nocase), exact http.host match (isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/travis/deployment/ambidon/certifications/certifications.php"; depth:60; nocase; http.host; content:"blog.ambidon.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238277; rev:1;)
# NOTE(review): the alfa_data/alfacgiapi path segments in the next rule look
# like the working directory of a known PHP web-shell kit - presumably this
# file sits on a server that was already compromised. Verify against the
# ThreatFox entry before scoping an incident from a hit on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/configzei/jump/0-linkgwth/alfa_data/alfacgiapi/alfacgiapi.php"; depth:73; nocase; http.host; content:"linkgrowth.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/framework/cache/cache.php"; depth:34; nocase; http.host; content:"version.urban-truth.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/042/9f1/9f1.php"; depth:40; nocase; http.host; content:"sakarealestate.co.uk"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"tsc.signalovernoise.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-statistics/assets/dev/sass/component/placeholder/placeholder.php"; depth:87; nocase; http.host; content:"regaloscaos.es.ht"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/aviadores/tiles/node1/cf_0/l_1/c_0/c_0.php"; depth:47; nocase; http.host; content:"www.araguahost.com.ve"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/automatic-translator-addon-for-loco-translate/includes/feedback/feedback.php"; depth:96; nocase; http.host; content:"loja.billiecombina.com.vc"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"vv.zgwc.vip"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-uptime-monitor-extension/app/views/admin/admin.php"; depth:79; nocase; http.host; content:"www.arya.digidom.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.jelliemons.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/insert-headers-and-footers/includes/auto-insert/auto-insert.php"; depth:83; nocase; http.host; content:"006.qndxx.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/grade-system/grade-system.js"; depth:92; nocase; http.host; content:"phanergy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/charitable/assets/images/campaign-builder/settings/payment/education/education.php"; depth:102; nocase; http.host; content:"orji.kalu.apc.com.ng"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/wp-admin.php"; depth:22; nocase; http.host; content:"medisur-rgl.com.ar"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238263; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/core/languages/plugins/plugins.php"; depth:35; nocase; http.host; content:"szerviz.microstore.hu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30anos/administrator/components/com_actionlogs/views/actionlogs/tmpl/tmpl.js"; depth:77; nocase; http.host; content:"apav.pt"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/wp-content/plugins/aislin-testimonials/src/compatibility/plugins/testimonial_rotator/testimonial_rotator.php"; depth:113; nocase; http.host; content:"flyholisticschools.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ajax-search-lite/backend/settings/assets/icons/icons.php"; depth:76; nocase; http.host; content:"annybrenn.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238258/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238258; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes: "ThreatFox payload delivery (url)" rules
#
# Every rule below is generated from one template and alerts on a single
# host + URI pair requested with GET by a $HOME_NET client.
#
# How the match is built:
#   * http.method content:"GET" limits the rule to GET requests.
#   * http.uri content + depth:N + nocase: depth equals the pattern length, so
#     the pattern is anchored at the start of the normalized URI and compared
#     case-insensitively. Nothing anchors the end, so a query string or a
#     longer path after the pattern still matches.
#   * http.host content + depth:N + isdataat:!1,relative: the host buffer must
#     equal the pattern exactly; sibling subdomains and the parent domain do
#     not match. http.host is matched lowercased, so the patterns are
#     lowercase and carry no nocase.
#   * target:src_ip marks the internal client as the affected side of the
#     event, which is the address to pivot on during triage.
#   * sid is "9" followed by the ThreatFox IOC id from the reference URL, so an
#     alert can be traced back to its IOC entry without a lookup table.
#
# Coverage caveats:
#   * These are `alert http` rules and only fire on traffic Suricata parses as
#     HTTP. The same fetch made over TLS is not inspected unless the sensor
#     sees decrypted traffic, so no alert here does not rule out a download.
#     NOTE(review): the rules do not record the scheme; confirm it per IOC.
#   * first_seen is 2024_02_09 on every rule in this group and nothing in a
#     rule expires it; presumably ageing is handled when the feed is
#     regenerated. Verify against the local rule-update policy.
#   * Most paths sit under WordPress plugin, theme or cache directories on
#     what look like ordinary sites, presumably compromised hosts rather than
#     dedicated infrastructure. Treat the host + path pair as the indicator;
#     confirm before reusing a host alone in a block list.
#
# Hunting lead: in every rule of this group the file name repeats the name of
# its parent directory (.../images/images.php, .../blue/blue.php,
# .../b5a/b5a.js) with a .php or .js extension. That shape can be searched for
# in proxy logs to find hosts this list does not cover.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/distant/jpg/jpg.php"; depth:24; nocase; http.host; content:"www.ccfg-conakry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"store.powermatic.co.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/themes/twentytwenty/assets/images/images.php"; depth:59; nocase; http.host; content:"roughdiamond.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/142/4fb/4fb.php"; depth:40; nocase; http.host; content:"contrade-co.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.atouchoflovechildrenscenter.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/track.dioslogistics.com/category/uncategorized/uncategorized.php"; depth:96; nocase; http.host; content:"track.dioslogistics.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"noonanwaste.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/autodescription/inc/classes/admin/seobar/builder/builder.php"; depth:83; nocase; http.host; content:"eautofsm.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/037/b5a/b5a.js"; depth:39; nocase; http.host; content:"english.cabrerallamas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"relacion.traxxcp.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/languages.php"; depth:35; nocase; http.host; content:"xbaseweb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.php"; depth:98; nocase; http.host; content:"www.7-dots.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/supercache/pharmahome.ae/ar/comments/feed/feed.php"; depth:68; nocase; http.host; content:"pharmahome.ae"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/vendor/doctrine/inflector/lib/doctrine/common/common.php"; depth:102; nocase; http.host; content:"matesonthemove.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ebor-framework-master/metaboxes/css/sass/partials/partials.php"; depth:82; nocase; http.host; content:"interplast.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/css/css.php"; depth:65; nocase; http.host; content:"balangabriel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/blog-manager-wp/assets/images/arrow/arrow.php"; depth:65; nocase; http.host; content:"ssl.news"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leos/public/app-assets/css/plugins/forms/pickers/pickers.php"; depth:61; nocase; http.host; content:"nisecurityservices.ae"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/category/uncategorized/uncategorized.php"; depth:73; nocase; http.host; content:"wheelsonthedanforth.ca"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bodycenter-extra/lib/scssphp/compass/stylesheets/compass/utilities/color/color.php"; depth:102; nocase; http.host; content:"www.comunidadfit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/classic-editor/classic-editor.js"; depth:52; nocase; http.host; content:"cvts.rut.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ultimate_vc_addons/admin/bsf-core/assets/assets.php"; depth:71; nocase; http.host; content:"camtechuganda.must.ac.ug"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"mercadochubut.gob.ar"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujian/assets/html2pdf/spipu/html2pdf/src/extension/core/core.php"; depth:65; nocase; http.host; content:"lsp.unisba.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/duplicator-pro/assets/css/images/images.php"; depth:63; nocase; http.host; content:"giraganaceuti.compradondevives.es"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendor/composer/composer/doc/fixtures/repo-composer-with-providers/p/bar/bar.js"; depth:80; nocase; http.host; content:"europeanplasticspact.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/010/449/449.php"; depth:40; nocase; http.host; content:"mobile.wisechoicesupplements.ph"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-iframe/css/css.php"; depth:47; nocase; http.host; content:"appercity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/wp-includes/simplepie/xml/declaration/declaration.php"; depth:63; nocase; http.host; content:"zuarifarmhub.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-user-templates/classes/classes.php"; depth:102; nocase; http.host; content:"pizzaria.builderallwppro.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.php"; depth:92; nocase; http.host; content:"uptpkp.kaltimbkd.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/wordpress/wp-content/themes/twentynineteen/template-parts/content/content.js"; depth:82; nocase; http.host; content:"blog.learningpie.in"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.bericht.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1tambon1school/schsurvey/core/core.php"; depth:39; nocase; http.host; content:"inno.obec.go.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/burst-statistics/assets/css/admin/modules/dashboard/dashboard.php"; depth:85; nocase; http.host; content:"archiwummuzeumziemizbaszynskiej.zck.org.pl"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/coming-soon/languages/languages.php"; depth:55; nocase; http.host; content:"iscrizione.handmadecampania.it"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mainsite/wp-content/plugins/download-plugins-dashboard/langs/langs.php"; depth:71; nocase; http.host; content:"staging-wordpress.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/img/portfolio/fullsize/fullsize.php"; depth:45; nocase; http.host; content:"lisbonvinylcutters.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"abrito.wecreateyou.pt"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lms.tonalismo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/counter/change_images/logo/logo.php"; depth:42; nocase; http.host; content:"teamvedika.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gallery/backroom/imelda-cajipe-endaya/feed/feed.php"; depth:52; nocase; http.host; content:"www.hiraya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"legrainparis.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demos/1stbeauty/wp-content/plugins/better-search-replace/assets/img/img.php"; depth:76; nocase; http.host; content:"cactusgroupwebtest.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"a-onevacuums.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"insureafrica.co.za"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/tool/availabilityconditions/tests/behat/behat.php"; depth:56; nocase; http.host; content:"hlcelms-new.herminahospitals.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demo/wp-content/plugins/elementor/assets/images/app/site-editor/site-editor.php"; depth:80; nocase; http.host; content:"cxosnextgen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"garage.the-namers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/endurance-page-cache.php"; depth:57; nocase; http.host; content:"dental.simptomi.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/social-feed-widgets-for-elementor-using-smash-balloon/assets/css/css.php"; depth:115; nocase; http.host; content:"uat.zeroowatch.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/kit-library/data/kits/endpoints/endpoints.php"; depth:87; nocase; http.host; content:"sosiologi.fisip.unpad.ac.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpexcel/classes/phpexcel/shared/escher/dggcontainer/bstorecontainer/bstorecontainer.php"; depth:89; nocase; http.host; content:"lanchi.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/firewall/rule/rules/6g/6g.js"; depth:92; nocase; http.host; content:"athena.vm.cs.tcu.ac.jp"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpmyadmin/js/vendor/jqplot/plugins/plugins.php"; depth:48; nocase; http.host; content:"proxyknow.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financials/unaud30092007_files/sheet001_files/sheet001_files.php"; depth:65; nocase; http.host; content:"jkagri.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"municipio-digital.silice.si"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/administrator/components/com_admin/views/sysinfo/tmpl/tmpl.php"; depth:63; nocase; http.host; content:"clear.community"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238201; rev:1;)
# NOTE(review): the next pattern starts with "/well-known/", without the dot of
# the usual "/.well-known/" directory. Because the URI match is anchored at
# offset 0, a request for "/.well-known/..." would not match this rule.
# Confirm the observed path against the referenced IOC entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/a/a.php"; depth:40; nocase; http.host; content:"www.xinyizhou0310.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atlas/mobile/javascript/javascript.php"; depth:39; nocase; http.host; content:"psiewdr.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/wp-content.php"; depth:26; nocase; http.host; content:"plazanorte.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"blog.qrstaff.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/_ithemes-security-pro/core/lib/lockout/execute-lock/execute-lock.php"; depth:88; nocase; http.host; content:"anfal.com.pk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"congregacionkoinonia.000webhostapp.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"trialstaging.trialrun.us"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/modern/modern/modern/modern/modern/modern.php"; depth:66; nocase; http.host; content:"www.asterism.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"wp.korinek.link"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spero/vendor/automattic/woocommerce/tests/woocommerce/tests/tests.php"; depth:70; nocase; http.host; content:"www.kwik.tn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/bootstrap-carousel-swipe/bootstrap-carousel-swipe.php"; depth:61; nocase; http.host; content:"intranet.solucionesbpo.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/pro/admin/views/views.php"; depth:72; nocase; http.host; content:"clanped2025.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home-elevators/images/authors/authors.php"; depth:42; nocase; http.host; content:"eliteelevators.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/color-picker-alpha/color-picker-alpha.php"; depth:95; nocase; http.host; content:"bmn-es.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/cmmlconferences.us/author/cmmlconferences/cmmlconferences.php"; depth:89; nocase; http.host; content:"cmmlconferences.us"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-access-manager/application/backend/feature/main/main.php"; depth:85; nocase; http.host; content:"almacenesespana.com.ec"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"shgl.chao1227.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/decode/html/html.php"; depth:43; nocase; http.host; content:"devsite.scarlettslandscaping.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paginaviejita/fancybox/recursos/nova-multipurpose-site-template/nova/images/sample/sample.php"; depth:94; nocase; http.host; content:"elparian.com.mx"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/erolsalcan.com/bilgilendirme-tesekkuru/bilgilendirme-tesekkuru.php"; depth:94; nocase; http.host; content:"erolsalcan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"mehryar.mazyar.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-panel/js/pages/cards/cards.php"; depth:37; nocase; http.host; content:"robord.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configofr/configofr.php"; depth:24; nocase; http.host; content:"139.99.50.175"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/click-to-chat-for-whatsapp/new/admin/admin_assets/css/dev/dev.php"; depth:85; nocase; http.host; content:"puertovaras.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgs/vendor/bmwfont/specimen_files/specimen_files.php"; depth:53; nocase; http.host; content:"fixituae.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod_link/wp-admin/css/colors/blue/blue.php"; depth:44; nocase; http.host; content:"topsportsteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aab/wp-content/plugins/expandcollapse-funk/icon-font/icon-font.php"; depth:67; nocase; http.host; content:"biomechanik.pl"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"fmtrack.cl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"cruxbd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"design-panama.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/build/css/css.php"; 
depth:67; nocase; http.host; content:"stage.idandigitali.co.il"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238170; rev:1;)
# ThreatFox "payload delivery" URL indicators: each rule alerts on an HTTP GET from $HOME_NET
# whose URI starts with the listed path (depth-anchored at offset 0, nocase, no end anchor, so
# an appended query string still matches) and whose host equals the listed name
# (depth + isdataat:!1,relative leaves no room for extra bytes).
# Every rule in this run carries confidence_level 100 and first_seen 2024_02_09 in metadata;
# the sid is the ThreatFox IOC id from the reference URL with a leading 9.
# Triage hints:
#   - Four rules in this run name subdomains of 7uptheme.net (skincare, handy, haustiere,
#     iustore); hits on more than one of them from the same client are worth correlating.
#   - Some paths end in .js rather than .php; the match logic is the same, only the
#     requested resource differs.
# NOTE(review): these are cleartext-HTTP rules; requests made over HTTPS are not inspected
# unless TLS is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/administrator/components/com_banners/views/banners/tmpl/tmpl.php"; depth:69; nocase; http.host; content:"marcelalobos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmjoven/fmjoven.php"; depth:20; nocase; http.host; content:"portalmedios.cl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/admin/img/slider/slider.php"; depth:73; nocase; http.host; content:"dsefaywhq.preview.infomaniak.website"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"versitaopen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup-1477507809-wp-includes/requests/exception/http/http.php"; depth:63; nocase; http.host; content:"carolgraceserves.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aroma/dark/assets/plugins/datatable/css/css.js"; depth:47; nocase; http.host; content:"projects.njgraphica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/acf-quickedit-fields/include/acfquickedit/acfquickedit.php"; depth:78; nocase; http.host; content:"shop.ggarabia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emailcorporativo/bercati/bercati.php"; depth:37; nocase; http.host; content:"vielco.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/backup/all-in-one-seo-pack-pro/app/common/importexport/rankmath/rankmath.js"; depth:95; nocase; http.host; content:"www.indian-designs.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ag-custom-admin/images/images.php"; depth:53; nocase; http.host; content:"juliem-ladeco.fr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.easisell.com/best-way-to-use-colour-wheel-for-website-design-2/best-way-to-use-colour-wheel-for-website-design-2.php"; depth:152; nocase; http.host; content:"www.easisell.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"skincare.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.maaviformazione.it"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/briefcase-elementor-widgets/assets/css/css.php"; depth:89; nocase; http.host; content:"musicaenalcala.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"wijmakencomputers.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/impresistem/guzzlehttp/adapter/curl/curl.php"; depth:45; nocase; http.host; content:"digitalepartner.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"handy.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.cronoscapitalpartners.it/www.cronoscapitalpartners.it.php"; depth:93; nocase; http.host; content:"www.cronoscapitalpartners.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"iserveindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assinatura/wp-admin/css/colors/blue/blue.php"; depth:45; nocase; http.host; content:"petdelicia.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-content/plugins/acf-extended/includes/admin/views/views.php"; depth:71; nocase; http.host; content:"brown1.ezmartech.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naacmodules/jquery-ui-1.12.1.custom/images/images.php"; depth:54; nocase; http.host; content:"skillhut.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"haustiere.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"iustore.7uptheme.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/all-in-one-wp-migration-unlimited-extension.js"; depth:110; nocase; http.host; content:"www.bkkps.co.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css.php"; depth:21; nocase; http.host; content:"shrachirealty.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nseit/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.js"; depth:91; nocase; http.host; content:"www.nseituat.com"; depth:16;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238143; rev:1;)
# ThreatFox "payload delivery" URL indicators: each rule alerts on an HTTP GET from $HOME_NET
# whose URI starts with the listed path (depth-anchored, nocase, no end anchor) and whose
# host equals the listed name (depth + isdataat:!1,relative). target:src_ip marks the
# requesting client as the affected side of the alert.
# Triage hints:
#   - Three rules in this run name buildingblocksacademy* hosts (alvin.com, pasadena.com,
#     .net), and two of them share one URI; these presumably sit on shared hosting, so a
#     hit on one is a reason to search logs for the others.
#   - /wp-admin/css/colors/blue/blue.php recurs across unrelated hosts in this run; the path
#     alone is a useful hunting pivot when the host is not yet listed.
# NOTE(review): an alert shows that a client requested the URL, not that a payload was
# returned or executed; check the HTTP response status and size in the flow/http logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/cache/db/singletables/3e7/d91/d91.php"; depth:59; nocase; http.host; content:"idiomas2.8belts.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup29112022/wp-admin/css/colors/blue/blue.php"; depth:49; nocase; http.host; content:"futxtrm.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/sap/sap_3data/cafe_2_105/html5/html5.php"; depth:45; nocase; http.host; content:"mmoseronelink.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238140; rev:1;)
# The URI below repeats the /cgi-bin segment many times (depth:148); the pattern is matched
# literally, so only that exact nesting depth triggers the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:148; nocase; http.host; content:"academia.canaturh.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/libarts.pnu.ac.th/all/1649/feed/feed.js"; depth:57; nocase; http.host; content:"libarts.pnu.ac.th"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.scatolificiosantanna.it"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.buildingblocksacademyalvin.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademypasadena.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademy.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspdf/docs/scripts/prettify/prettify.php"; depth:41; nocase; http.host; content:"neicweb.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/controller/extension/module/waclient/waclient.php"; depth:56; nocase; http.host; content:"goldenringsoman.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/administrator/components/com_actionlogs/src/controller/controller.php"; depth:75; nocase; http.host; content:"uranustechnepal.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"sanicorpec.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/genus-solar-rooftop/plugins/slick/fonts/fonts.php"; depth:50; nocase; http.host; content:"www.genusinnovation.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ultimate_vc_addons/admin/bsf-analytics/assets/css/minified/minified.js"; depth:90; nocase; http.host; content:"iaces.es"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238128/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor-pro/modules/highlight-new-menus/assets/assets.php"; depth:87; nocase; http.host; content:"v.elegantchina.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"burialinsurancepro.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo.php"; depth:64; nocase; http.host; content:"thzweb.freesite.host"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"calendar-pro.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en/wp-admin/css/colors/blue/blue.php"; depth:37; nocase; http.host; content:"www.itenas.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/dashicons/dashicons.php"; depth:69; nocase; http.host; content:"soundculture.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/wp-content/plugins/iwp-client/lib/dropbox/oauth/consumer/consumer.php"; depth:75; nocase; http.host; content:"www.dewildepinchetti.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar.php"; depth:72; nocase; http.host; 
content:"www.concretosflorense.com.br"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/admin/bsf-analytics/assets/css/minified/minified.php"; depth:84; nocase; http.host; content:"cyberuonline.rsu.ac.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/administrator/components/com_admin/views/sysinfo/tmpl/tmpl.php"; depth:63; nocase; http.host; content:"clear.community"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/advanced-nocaptcha-recaptcha/freemius/templates/account/partials/partials.php"; depth:89; nocase; http.host; content:"www.batondejoie.fr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/plugins/admin-menu-editor-pro/modules/highlight-new-menus/assets/assets.php"; depth:87; nocase; http.host; content:"v.elegantchina.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238117; rev:1;)
# NOTE(review): the three rules below (sid 91238114, 91238115, 91238112) carry the same
# method / URI / host match as sid 91238124, 91238125 and 91238122 earlier in this file; only
# the ThreatFox IOC id and the sid differ. A single matching request therefore raises two
# alerts. Deduplicate on the match content (or suppress one sid of each pair) before counting
# hits per host.
# Match scope: http.uri is anchored at its start only (depth equals the pattern length and
# no isdataat follows it), so a longer URI that begins with the listed path also matches.
# http.host is anchored at both ends (depth plus isdataat:!1,relative), i.e. an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en/wp-admin/css/colors/blue/blue.php"; depth:37; nocase; http.host; content:"www.itenas.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo.php"; depth:64; nocase; http.host; content:"thzweb.freesite.host"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/dashicons/dashicons.php"; depth:69; nocase; http.host; content:"soundculture.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"calendar-pro.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup-1477507809-wp-includes/requests/exception/http/http.php"; depth:63; nocase; http.host; content:"carolgraceserves.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adthrive/components/static-files/partials/adcentric/adcentric.php"; depth:85; nocase; http.host; content:"182.92.201.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/wp-content/plugins/iwp-client/lib/dropbox/oauth/consumer/consumer.php"; depth:75; nocase; http.host; content:"www.dewildepinchetti.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238109; rev:1;) alert tcp $HOME_NET any -> [192.210.236.218] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238108; rev:1;) alert tcp $HOME_NET any -> [110.139.46.105] 36969 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238107; rev:1;) alert tcp $HOME_NET any -> [137.220.197.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238106; rev:1;) alert tcp $HOME_NET any -> [72.69.74.23] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamebigloadwindowscdnuploadstemporary.php"; depth:42; nocase; http.host; content:"265003cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.101] 11084 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238102; rev:1;)
# NOTE(review): the ip:port rules on this line (sid 91238101, 91238100) have no flow or
# payload condition: any TCP packet from $HOME_NET to the listed address and port matches.
# The threshold keeps output to one alert per source address every 60 seconds. Read a hit as
# "this host sent traffic to a listed endpoint" and weigh it by confidence_level (80 vs 100
# here); it does not by itself show that a C2 session was established.
alert tcp $HOME_NET any -> [116.196.106.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238101; rev:1;)
# The url rules on this line (sid 91238099, 91238098) require a literal IP address as the
# exact Host header and check only the start of the URI ("/fwlink", "/visit.js"); whatever
# follows that prefix is not inspected. Unlike the ip:port rules they carry no threshold, so
# each matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"18.118.35.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238099; rev:1;)
alert tcp $HOME_NET any -> [101.37.14.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238098; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238096; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238095; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238094; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238093; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238092; rev:1;) alert tcp $HOME_NET any -> [159.112.177.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238091; rev:1;) alert tcp $HOME_NET any -> 
[88.214.25.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"88.214.25.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238089; rev:1;) alert tcp $HOME_NET any -> [40.86.174.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"159.112.177.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"146.235.52.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238086/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_08; classtype:trojan-activity; sid:91238086; rev:1;)
# NOTE(review): the hostnames below sit under a shared cloud-provider domain
# (cloudapp.azure.com). Both the http.host and the dns_query patterns are anchored at both
# ends (depth equals the pattern length, followed by isdataat:!1,relative), so only the exact
# FQDN alerts. Keep any blocklist or sinkhole entry derived from these rules at the same
# granularity: the full hostname, never the parent domain.
# Each of these hostnames is listed twice in the file, once as a dns rule and once as an http
# rule for GET with URI prefix "/download/", so one client may raise both sids for the same
# activity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"update.westus.cloudapp.azure.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.westus.cloudapp.azure.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update37.eastus.cloudapp.azure.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msdn1357.centralus.cloudapp.azure.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; 
content:"update37.eastus.cloudapp.azure.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"msdn1357.centralus.cloudapp.azure.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238078; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238077; rev:1;) alert tcp $HOME_NET any -> 
[18.118.35.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238074; rev:1;) alert tcp $HOME_NET any -> [139.84.237.229] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238067; rev:1;) alert tcp $HOME_NET any -> [104.129.55.104] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238068; rev:1;) alert tcp $HOME_NET any -> [37.60.242.85] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238069; rev:1;) alert tcp $HOME_NET any -> [95.179.191.137] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238070; rev:1;) alert tcp $HOME_NET any -> [65.20.66.218] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238071/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238071; rev:1;) alert tcp $HOME_NET any -> [158.220.80.157] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238072; rev:1;) alert tcp $HOME_NET any -> [104.129.55.103] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9/gate.php"; depth:11; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keywordslive.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gardenplaid.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238026; 
rev:1;)
# NOTE(review): the dns rules below match the query name exactly: depth equals the pattern
# length (match must start at offset 0) and isdataat:!1,relative forbids trailing bytes. A
# lookup for a subdomain of a listed name (constructed example: a "www." form) does not
# alert. If subdomain coverage is wanted it has to come from a separate rule or from DNS log
# matching on the registered domain.
# gloverstech.com (sid 91238028) is also covered by an http rule later in the file
# (sid 91238021, URI prefix "/tjwz9/"), so the DNS hit is the earlier of two possible alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gibbselectrics.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gloverstech.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"investechnical.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brookselectrics.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238030; rev:1;)
# From here the confidence_level drops to 50 and the match is destination ip:port only.
alert tcp $HOME_NET any -> [85.239.243.155] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238043; rev:1;)
alert tcp $HOME_NET any -> [41.99.49.71] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238042; rev:1;) alert tcp $HOME_NET any -> [121.121.101.33] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238041; rev:1;) alert tcp $HOME_NET any -> [69.58.144.52] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238040; rev:1;) alert tcp $HOME_NET any -> [45.243.131.12] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238039; rev:1;) alert tcp $HOME_NET any -> [86.194.132.111] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238038; rev:1;) alert tcp $HOME_NET any -> [46.19.67.107] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238037; rev:1;) alert tcp $HOME_NET any -> [40.113.39.99] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238036; rev:1;)
# NOTE(review): every rule on this line is confidence_level 50 and matches on destination
# address and port alone, on ports that also carry ordinary services (445, 443, 80). A hit
# says only that a $HOME_NET host sent TCP traffic to that endpoint; corroborate with flow
# records or endpoint telemetry before escalating, and consider routing confidence 50 sids to
# a lower-priority queue than the confidence 100 ones.
# The 445 entries concern outbound SMB. Egress filtering of SMB at the perimeter removes that
# exposure independently of how current this address list is.
alert tcp $HOME_NET any -> [78.45.49.197] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238035; rev:1;)
alert tcp $HOME_NET any -> [32.143.50.222] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238034; rev:1;)
alert tcp $HOME_NET any -> [185.62.57.11] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238033; rev:1;)
alert tcp $HOME_NET any -> [49.13.149.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238032; rev:1;)
alert tcp $HOME_NET any -> [37.152.191.55] 7777 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238031/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_02_08; classtype:trojan-activity; sid:91238031; rev:1;) alert tcp $HOME_NET any -> [45.93.20.76] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238024; rev:1;) alert tcp $HOME_NET any -> [45.95.146.22] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91238023; rev:1;) alert tcp $HOME_NET any -> [45.95.146.22] 42421 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91238022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjwz9/"; depth:7; nocase; http.host; content:"gloverstech.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238021; rev:1;) alert tcp $HOME_NET any -> [54.224.134.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238020; rev:1;) alert tcp $HOME_NET any -> [158.220.80.167] 2967 (msg:"ThreatFox Pikabot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238018; rev:1;) alert tcp $HOME_NET any -> [107.174.253.49] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fucksec.buzz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fucksec.buzz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"siteseoguide.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238014; rev:1;)
# NOTE(review): every url rule here pins http.method to "GET". A request to the same URL
# with another method (for example POST) would not alert. Presumably the feed emits GET for
# all URL IOCs regardless of how the sample talks to its server; confirm against observed
# traffic before relying on these sids for check-in detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/better/multi2eternalrequest/6/mariadbuniversalmariadbexternal/tempdatalife/024update/auth/downloadsflower5downloads/dle/4temporarysql/apicpu53/wordpressdownloads.php"; depth:166; nocase; http.host; content:"185.16.39.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"6.magicalomaha.co"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238012; rev:1;)
# NOTE(review): sid 91238011 matches the URI pattern "/" with depth:1, which a GET for any
# path on that host satisfies, so this is in effect a host-only rule: any GET whose Host
# header is exactly 116.202.3.242 alerts. As an http rule it fires only where the sensor
# parses HTTP (cleartext, or TLS decrypted upstream). The ip:port rule that follows
# (sid 91238010) lists the same address on port 443.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.3.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238011; rev:1;)
alert tcp $HOME_NET any -> [116.202.3.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238010; rev:1;) alert tcp $HOME_NET any -> [45.142.182.104] 15352 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238009; rev:1;) alert tcp $HOME_NET any -> [8.130.79.120] 8003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238008; rev:1;) alert tcp $HOME_NET any -> [2.50.137.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238007; rev:1;) alert tcp $HOME_NET any -> [170.64.155.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238006; rev:1;) alert tcp $HOME_NET any -> [138.68.141.212] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238005/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_08; classtype:trojan-activity; sid:91238005; rev:1;) alert tcp $HOME_NET any -> [3.65.82.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238004; rev:1;) alert tcp $HOME_NET any -> [118.193.38.211] 54322 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238003; rev:1;) alert tcp $HOME_NET any -> [159.203.160.168] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238002; rev:1;) alert tcp $HOME_NET any -> [51.75.194.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238001; rev:1;) alert tcp $HOME_NET any -> [171.35.43.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238000; rev:1;) alert tcp $HOME_NET any -> [35.158.74.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237999; rev:1;)
# Domain IOCs (alert dns). Each rule is an exact, case-insensitive match on one query
# name: depth:N anchors the start, isdataat:!1,relative forbids trailing bytes, and
# nocase ignores case. fast_pattern selects the name as the prefilter pattern.
# Several names below share the parent g-a.fun, but only the listed names alert; the
# parent itself and any other subdomain are not covered by these rules.
# dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fonts.g-a.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237998; rev:1;)
# When triaging an alert on this name, read it right to left: the trailing labels are
# loginfor.me; "linkedin" is only a label inside the name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"findajobforme.linkedin.loginfor.me"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.g-a.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.g-a.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients5.g-a.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237995/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xenodochial-austin.142-11-199-59.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237993; rev:1;) alert tcp $HOME_NET any -> [178.79.138.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237992; rev:1;) alert tcp $HOME_NET any -> [121.127.252.248] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237991; rev:1;) alert tcp $HOME_NET any -> [149.104.27.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237990; rev:1;) alert tcp $HOME_NET any -> [103.16.224.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237989; rev:1;) alert tcp $HOME_NET any -> 
[51.77.121.144] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237988; rev:1;) alert tcp $HOME_NET any -> [37.221.92.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237987; rev:1;) alert tcp $HOME_NET any -> [146.19.191.178] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237986; rev:1;) alert tcp $HOME_NET any -> [20.151.153.84] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237985; rev:1;) alert tcp $HOME_NET any -> [164.215.103.171] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237984; rev:1;) alert tcp $HOME_NET any -> [134.255.254.225] 5051 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237983/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237983; rev:1;) alert tcp $HOME_NET any -> [194.48.251.10] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237982; rev:1;) alert tcp $HOME_NET any -> [194.48.251.120] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237980; rev:1;) alert tcp $HOME_NET any -> [194.48.251.189] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap449572-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237979; rev:1;) alert tcp $HOME_NET any -> [154.61.74.84] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237978; rev:1;) alert tcp $HOME_NET any -> [181.161.3.29] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237976; rev:1;) alert tcp $HOME_NET any -> [114.104.183.54] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237977; rev:1;) alert tcp $HOME_NET any -> [194.147.140.234] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237975; rev:1;) alert tcp $HOME_NET any -> [185.78.76.85] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"photopoiskvk.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237972; rev:1;) alert tcp $HOME_NET any -> [3.79.194.172] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237971; rev:1;) alert tcp $HOME_NET any -> [191.7.32.19] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237970; rev:1;) alert tcp $HOME_NET any -> [93.123.39.192] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237969; rev:1;) alert tcp $HOME_NET any -> [94.156.69.93] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237967; rev:1;) alert tcp $HOME_NET any -> [194.26.192.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237968; rev:1;) alert tcp $HOME_NET any -> [94.177.106.44] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237966; rev:1;) alert tcp $HOME_NET any -> [164.92.189.59] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237965; rev:1;) alert tcp $HOME_NET any -> [80.90.179.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237964; rev:1;) alert tcp $HOME_NET any -> [185.81.157.179] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237963; rev:1;) alert tcp $HOME_NET any -> [187.24.66.48] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237962; rev:1;) alert tcp $HOME_NET any -> [181.235.80.187] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237960; rev:1;) alert tcp $HOME_NET any -> [181.235.80.187] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237961; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 8088 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237958; rev:1;) alert tcp $HOME_NET any -> [46.246.82.3] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237959; rev:1;) alert tcp $HOME_NET any -> [93.242.137.1] 51124 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237957; rev:1;) alert tcp $HOME_NET any -> [154.212.145.72] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237956; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237954; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237955/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_08; classtype:trojan-activity; sid:91237955; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237953; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237951; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237952; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237950; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237948; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237949; rev:1;)
# One destination address (187.135.146.194), one rule and one sid per port.
# The threshold is counted per rule and per source address, so an internal host that
# contacts several of these ports raises one alert per rule per 60 seconds, not one
# alert in total. Correlate on the destination address when grouping these alerts.
# The rules match on address and port only (no flow or payload keyword), and
# first_seen is the only date they carry.
# NOTE(review): first_seen is presumably when the feed first recorded the IOC; the
# rules have no expiry, so age out entries the feed no longer lists.
alert tcp $HOME_NET any -> [187.135.146.194] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237947; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.194] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237945; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.194] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237946; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.194] 1756 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237944; rev:1;)
alert tcp $HOME_NET any -> [187.135.146.194] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237943; rev:1;)
alert tcp 
$HOME_NET any -> [187.135.146.194] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237941; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237942; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237940; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237939; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237938; rev:1;) alert tcp $HOME_NET any -> [196.235.104.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237936; rev:1;) alert tcp $HOME_NET any -> [43.128.85.89] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237937; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237935; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237934; rev:1;) alert tcp $HOME_NET any -> [205.234.233.180] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237933; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237931; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237932; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237930; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237929; rev:1;) alert tcp $HOME_NET any -> [120.48.96.69] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237928; rev:1;) alert tcp $HOME_NET any -> [65.20.81.7] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237926; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237927/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237927; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237925; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237923; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237924; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237922; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237921; rev:1;) alert tcp $HOME_NET any -> [8.137.50.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237919; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237920; rev:1;) alert tcp $HOME_NET any -> [81.56.212.102] 49443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237918; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237917; rev:1;) alert tcp $HOME_NET any -> [47.98.178.246] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237915; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237916; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237914; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237913; rev:1;) alert tcp $HOME_NET any -> [213.109.202.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gifted-khayyam.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-brattain.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237911; rev:1;) alert tcp $HOME_NET any -> [49.232.220.17] 7000 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237909; rev:1;)
# Domain indicators. dns_query with depth equal to the pattern length plus
# isdataat:!1,relative pins the match to the whole query name, so each rule
# fires only for its exact FQDN (case-insensitively), not for other names
# under 104-168-102-175.plesk.page or for the parent domain.
# NOTE(review): the shared label looks like a dashed IPv4 address; confirm
# before pivoting on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucid-albattani.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bold-clarke.104-168-102-175.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.priceless-bose.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237907; rev:1;)
# ip:port indicators. These rules have no flow or content keyword, so any TCP
# packet from $HOME_NET to the listed address and port matches; the threshold
# limits output to one alert per source address per 60 seconds. A hit shows
# traffic sent towards the endpoint and does not by itself show an
# established session or a protocol match.
alert tcp $HOME_NET any -> [5.42.65.38] 46185 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237905; rev:1;)
alert tcp $HOME_NET any -> [23.155.8.220] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237904; rev:1;) alert tcp $HOME_NET any -> [103.186.117.77] 1760 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237903; rev:1;) alert tcp $HOME_NET any -> [45.81.23.13] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237862; rev:1;) alert tcp $HOME_NET any -> [45.95.146.13] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237863; rev:1;) alert tcp $HOME_NET any -> [89.190.156.172] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237864; rev:1;) alert tcp $HOME_NET any -> [89.190.156.173] 1306 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237865; rev:1;) alert tcp 
$HOME_NET any -> [89.190.156.174] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237866; rev:1;) alert tcp $HOME_NET any -> [89.190.156.175] 1517 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237867; rev:1;) alert tcp $HOME_NET any -> [89.190.156.176] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237868; rev:1;) alert tcp $HOME_NET any -> [89.190.156.182] 1725 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237869; rev:1;) alert tcp $HOME_NET any -> [89.190.156.253] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237871; rev:1;) alert tcp $HOME_NET any -> [89.190.156.211] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237870; rev:1;) alert tcp $HOME_NET any -> [185.224.128.49] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237872; rev:1;) alert tcp $HOME_NET any -> [185.224.128.50] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237873; rev:1;) alert tcp $HOME_NET any -> [185.224.128.51] 1435 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237874; rev:1;) alert tcp $HOME_NET any -> [185.224.128.52] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237875; rev:1;) alert tcp $HOME_NET any -> [185.224.128.53] 2079 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237876; rev:1;) alert tcp $HOME_NET any -> 
[185.224.128.54] 1629 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237877; rev:1;) alert tcp $HOME_NET any -> [185.224.128.55] 1713 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmteknopark.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmteknokalak.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmtdiyari.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237881/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237881; rev:1;)
# URL indicators (confidence_level 80). The http.uri pattern is anchored only
# at the start (depth equals the pattern length and nothing pins the end), so
# any request path beginning with it matches, case-insensitively. The
# http.host pattern adds isdataat:!1,relative and therefore has to equal the
# whole host buffer. flow:established,from_client and the GET match restrict
# the rules to client requests on an established flow that has been parsed as
# HTTP.
# The two URI paths on these lines each appear with more than one host, which
# makes the path a useful pivot when triaging a hit on any single rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"jolaxodanser.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"jolaxodanserxyz.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237885; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237888; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 12609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237894; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 12609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237895/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_08; classtype:trojan-activity; sid:91237895; rev:1;) alert tcp $HOME_NET any -> [3.133.207.110] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237902; rev:1;) alert tcp $HOME_NET any -> [94.156.64.202] 4036 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237901; rev:1;) alert tcp $HOME_NET any -> [103.186.117.181] 1775 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237900; rev:1;) alert tcp $HOME_NET any -> [3.136.65.236] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237899; rev:1;) alert tcp $HOME_NET any -> [3.131.147.49] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237898; rev:1;) alert tcp $HOME_NET any -> [3.138.180.119] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalgameserveruniversal.php"; depth:31; nocase; http.host; content:"103761cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237896; rev:1;) alert tcp $HOME_NET any -> [80.66.66.97] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237893; rev:1;) alert tcp $HOME_NET any -> [5.42.65.38] 2642 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"172.200.160.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237890; rev:1;) alert tcp $HOME_NET any -> [172.200.160.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237891; rev:1;) alert tcp $HOME_NET any -> [34.147.242.231] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237889; rev:1;) alert tcp $HOME_NET any -> [185.172.128.136] 32260 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237861; rev:1;) alert tcp $HOME_NET any -> [95.217.243.137] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.125"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237858; rev:1;)
# URL indicators with a bare IP address as the Host value. The http.uri
# pattern is "/" at depth 1, which practically every request path satisfies,
# so these rules are decided by the GET method and the exact http.host match
# alone. They need the request to be parsed as HTTP, so the same host reached
# over TLS is not covered by them.
# NOTE(review): these rules carry no malware family in msg; presumably they
# belong with the Vidar ip:port rules that follow, verify via the references.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.184.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.108.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237853; rev:1;)
# ip:port indicators for Vidar. These complement the URL rules above: they
# fire on destination address and port alone (443 or 9000 here) without
# inspecting the payload, so they also cover encrypted sessions, but any TCP
# packet from $HOME_NET to the endpoint is enough to match. The threshold
# keeps this to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [49.13.33.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237848; rev:1;)
alert tcp $HOME_NET any -> [5.75.211.127] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237849; rev:1;)
alert tcp $HOME_NET any -> [88.198.108.242] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237850; rev:1;)
alert tcp $HOME_NET any -> [5.75.209.125] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237851; rev:1;)
alert tcp $HOME_NET any -> [116.202.0.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237852; rev:1;) alert tcp $HOME_NET any -> [116.202.184.165] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237847; rev:1;) alert tcp $HOME_NET any -> [45.11.180.127] 3120 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tosecurepacketgeocpuauthsqlwindowspublictemp.php"; depth:49; nocase; http.host; content:"553689cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwtreyy456rwty.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237842; rev:1;) alert tcp $HOME_NET any -> [5.180.155.218] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237844; rev:1;) alert tcp $HOME_NET any -> [185.81.157.14] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8samsa2/index.php"; depth:19; nocase; http.host; content:"5.42.66.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237841; rev:1;) alert tcp $HOME_NET any -> [193.111.248.167] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237840; rev:1;) alert tcp $HOME_NET any -> [189.140.16.135] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237839; rev:1;) alert tcp $HOME_NET any -> [176.44.89.132] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237838; rev:1;)
# Every rule in this run carries metadata confidence_level 50 and matches on
# destination address and port only (no flow or content keyword), so any TCP
# packet from $HOME_NET to that endpoint alerts, at most once per source
# address per 60 seconds. The confidence value is exposed in the rule
# metadata, which allows filtering or routing these to a lower-priority queue
# than the confidence_level 100 rules.
# Ports 443, 995 and 53 are also used by ordinary HTTPS, POP3S and DNS-over-TCP
# services, so the port adds no evidence of its own; corroborate a hit with
# host telemetry. first_seen is 2024_02_08: re-check the ThreatFox reference
# URL for the indicator's current status before acting on it.
alert tcp $HOME_NET any -> [201.124.86.37] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237837; rev:1;)
alert tcp $HOME_NET any -> [145.82.129.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237836; rev:1;)
alert tcp $HOME_NET any -> [49.12.7.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237835; rev:1;)
alert tcp $HOME_NET any -> [172.105.14.104] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237834; rev:1;)
alert tcp $HOME_NET any -> [51.15.235.86] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237833; rev:1;)
alert tcp $HOME_NET any -> [31.220.80.82] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237832/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237832; rev:1;) alert tcp $HOME_NET any -> [209.127.186.234] 64242 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237831; rev:1;) alert tcp $HOME_NET any -> [43.198.240.228] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237830; rev:1;) alert tcp $HOME_NET any -> [82.146.39.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237829; rev:1;) alert tcp $HOME_NET any -> [46.183.220.203] 40935 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237828; rev:1;) alert tcp $HOME_NET any -> [5.42.67.14] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237827; rev:1;) alert tcp $HOME_NET any -> [103.67.196.125] 4505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doctr8fb7z9/index.php"; depth:22; nocase; http.host; content:"5.42.67.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237825; rev:1;) alert tcp $HOME_NET any -> [5.255.113.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237805/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237805; rev:1;) alert tcp $HOME_NET any -> [5.255.126.243] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237806/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237806; rev:1;) alert tcp $HOME_NET any -> [45.59.118.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237807/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237807; rev:1;) alert tcp $HOME_NET any -> [185.99.133.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237809/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237809; rev:1;) alert tcp $HOME_NET any -> [5.230.74.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237804/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237804; rev:1;) alert tcp $HOME_NET any -> [146.19.143.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237808/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237808; rev:1;) alert tcp $HOME_NET any -> [5.101.44.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237802/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237802; rev:1;) alert tcp $HOME_NET any -> [5.230.68.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237803/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237803; rev:1;)
# Payload-delivery URL indicators. Each rule matches a client GET whose URI
# begins with the listed path (content + depth anchors it at offset 0; there is
# no end anchor on the URI) and whose Host value equals the listed name exactly
# (depth equal to the name length plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9659650c81ce1b984c58.js"; depth:24; nocase; http.host; content:"aitcaid.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbk9ko6q3vnxkieio4arsueqh7l82d/o+dxbsug="; depth:41; nocase; http.host; content:"pluralism.themancav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237778; rev:1;)
# NOTE(review): content:"/" with depth:1 is satisfied by any URI that starts
# with "/", so sids 91237779 and 91237780 are effectively host-only matches.
# They also fire on the requests already covered by sids 91237777 and 91237778,
# so expect two alerts for one request and correlate on the Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aitcaid.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pluralism.themancav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25012024.js"; depth:12; nocase; http.host; content:"mwasro.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237781; rev:1;) alert tcp $HOME_NET any -> [193.233.132.64] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237791; rev:1;) alert tcp $HOME_NET any -> [45.134.26.17] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237792; rev:1;) alert tcp $HOME_NET any -> [185.172.128.103] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237794; rev:1;) alert tcp $HOME_NET any -> [193.233.132.135] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237793; rev:1;) alert tcp $HOME_NET any -> [94.156.69.28] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237795/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237795; rev:1;) alert tcp $HOME_NET any -> [185.215.113.67] 26260 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237800; rev:1;) alert tcp $HOME_NET any -> [185.106.102.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237810/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237810; rev:1;) alert tcp $HOME_NET any -> [5.255.113.36] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237811/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_08; classtype:trojan-activity; sid:91237811; rev:1;) alert tcp $HOME_NET any -> [193.168.143.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237812/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_08; classtype:trojan-activity; sid:91237812; rev:1;) alert tcp $HOME_NET any -> [15.204.245.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237823; rev:1;) alert tcp $HOME_NET any -> [47.115.203.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237822; rev:1;) alert tcp $HOME_NET any -> [52.144.124.61] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237821; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237820; rev:1;) alert tcp $HOME_NET any -> [47.104.232.113] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237819; rev:1;) alert tcp $HOME_NET any -> [121.36.226.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cd43986.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.215.214.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237815; rev:1;) alert tcp $HOME_NET any -> [111.230.12.198] 8071 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0915140.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237813; rev:1;) alert tcp $HOME_NET any -> [90.15.154.112] 4789 (msg:"ThreatFox Quasar RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b7c07c1b3625773.php"; depth:21; nocase; http.host; content:"193.187.174.182"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237799; rev:1;) alert tcp $HOME_NET any -> [23.101.122.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"173.212.224.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237797; rev:1;) alert tcp $HOME_NET any -> [103.86.130.84] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237796/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237796; rev:1;) alert tcp $HOME_NET any -> [178.73.218.9] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237790; rev:1;) alert tcp $HOME_NET any -> [181.141.40.28] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237789; rev:1;) alert tcp $HOME_NET any -> [60.241.11.63] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237788; rev:1;) alert tcp $HOME_NET any -> [188.25.142.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237787; rev:1;) alert tcp $HOME_NET any -> [149.109.109.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237786; rev:1;) alert tcp $HOME_NET any -> [154.247.41.221] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237785; rev:1;) alert 
tcp $HOME_NET any -> [99.83.220.181] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237784; rev:1;) alert tcp $HOME_NET any -> [172.245.156.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"194.26.135.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"du7wh8bicca0t.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237774; rev:1;) alert tcp $HOME_NET any -> [3.208.85.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/2k69twx54rr2wjefwla6zyrx9va"; depth:45; nocase; http.host; content:"du7wh8bicca0t.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237773; rev:1;)
# NOTE(review): sids 91237772 and 91237771 carry identical match options
# (GET, URI prefix "/zc", Host "64.226.76.0"); only the ThreatFox reference and
# the sid differ, so one matching request raises two alerts. Handle the
# duplicate in local suppression/dedup rather than by editing the feed, since
# each sid maps to its own ThreatFox IOC entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237771; rev:1;)
# The URI match is a 6-byte prefix at offset 0 with no end anchor, so any
# longer path on this host that starts with "/pixel" matches as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"39.105.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythic-slender.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237768; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 12555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lookup-domain.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.canopusacrux.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.shadowflameartisan.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"new-bestfortunes.life"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"re-captha-version-3-21.icu"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"webdatatrace.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyseventeen/et3tah.php"; depth:45; nocase; http.host; content:"www.dicatindustrial.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/3jubhh.php"; depth:45; 
nocase; http.host; content:"jubileemovement.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/zaevgn.php"; depth:42; nocase; http.host; content:"helpforhypnotherapists.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/oxewdf.php"; depth:22; nocase; http.host; content:"emprendi2.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/vu0bkq.php"; depth:45; nocase; http.host; content:"1oneventos.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1oneventos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237758/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237758; rev:1;)
# Domain indicators. dns_query content with depth equal to the name length plus
# isdataat:!1,relative matches the queried name exactly (nocase makes it
# case-insensitive); queries for subdomains of the name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emprendi2.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpforhypnotherapists.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jubileemovement.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237761; rev:1;)
# NOTE(review): the HTTP rule for this site (sid 91237767) keys on Host
# "www.dicatindustrial.com". A lookup of that www name is not matched by this
# exact-name rule, so a sensor that only sees DNS would miss it; confirm
# whether coverage of the www name is wanted.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dicatindustrial.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237762; rev:1;)
# ip:port indicators. These rules have no flow or payload keywords, so any TCP
# packet from $HOME_NET to the listed address and port matches (presumably
# including the initial SYN); threshold limits output to one alert per source
# IP per 60 seconds. An alert shows a connection attempt to the indicator, not
# a confirmed C2 exchange; weigh it by the confidence_level in metadata.
alert tcp $HOME_NET any -> [193.161.193.99] 30650 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237751; rev:1;)
alert tcp $HOME_NET any -> [218.156.253.232] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237750; rev:1;)
alert tcp $HOME_NET any -> [74.81.37.165] 666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237749; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 64418 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237739; rev:1;)
# NOTE(review): the four /tprobuzixc8/index.php rules below are two pairs with
# identical match options: sids 91237747 and 91237745 (Host autogrant.pw) and
# sids 91237748 and 91237746 (Host bytehom.online). Each matching request
# raises two alerts that differ only in sid and ThreatFox reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"autogrant.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"bytehom.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"bytehom.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"autogrant.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237745; rev:1;)
alert tcp $HOME_NET any -> [107.174.138.159] 1900 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237744/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237744; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.32] 36599 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237743; rev:1;)
alert tcp $HOME_NET any -> [84.17.61.179] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237742/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237742; rev:1;)
alert tcp $HOME_NET any -> 
[91.92.252.26] 7766 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237741; rev:1;) alert tcp $HOME_NET any -> [155.254.24.167] 5400 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237740; rev:1;) alert tcp $HOME_NET any -> [125.16.112.10] 33333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237738; rev:1;) alert tcp $HOME_NET any -> [162.19.246.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237737; rev:1;) alert tcp $HOME_NET any -> [64.227.96.80] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237736; rev:1;) alert tcp $HOME_NET any -> [13.126.10.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237735/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237735; rev:1;) alert tcp $HOME_NET any -> [142.93.31.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237734; rev:1;) alert tcp $HOME_NET any -> [18.197.24.167] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237733; rev:1;) alert tcp $HOME_NET any -> [52.77.99.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237732; rev:1;) alert tcp $HOME_NET any -> [146.235.47.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237731; rev:1;) alert tcp $HOME_NET any -> [64.226.125.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237730; rev:1;) alert tcp $HOME_NET any -> [51.144.174.31] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237729; rev:1;) alert tcp $HOME_NET any -> [16.171.24.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237728; rev:1;) alert tcp $HOME_NET any -> [34.176.172.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237727; rev:1;) alert tcp $HOME_NET any -> [35.158.74.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237726; rev:1;) alert tcp $HOME_NET any -> [138.197.47.129] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237725; rev:1;) alert tcp $HOME_NET any -> [20.53.247.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237724/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237724; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET to the listed address and
# port matches, whatever the payload. threshold caps each rule at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [3.82.152.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237723; rev:1;)
alert tcp $HOME_NET any -> [34.202.144.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237722; rev:1;)
# Domain rules: the queried name must equal the pattern exactly (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes), case-insensitively; other names under the same parent do not match.
# No threshold is set on these rules, so every matching query alerts.
# Three names in this group embed 142-11-199-59 under plesk.page.
# NOTE(review): names of this shape track one hosting address; weigh first_seen when triaging a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cranky-easley.142-11-199-59.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deenpel.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awesome-villani.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237719; rev:1;)
alert tcp $HOME_NET any -> [64.226.76.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.admiring-pascal.142-11-199-59.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237718; rev:1;)
alert tcp $HOME_NET any -> [43.139.175.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237716; rev:1;)
alert tcp $HOME_NET any -> [121.40.146.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237715; rev:1;)
# URL rule: the URI pattern is anchored at offset 0 only (depth equals its length, no end check), so any
# GET path beginning with it matches; the Host pattern is an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massaction.html"; depth:16; nocase; http.host; content:"0.0xo.lat"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237714; rev:1;)
alert tcp $HOME_NET any -> [156.227.6.70] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237713; rev:1;)
# NOTE(review): the entries below on ports 80 and 443 alert on every connection to that address;
# confirm a hit against the ThreatFox reference before treating it as C2.
alert tcp $HOME_NET any -> [172.206.26.225] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237712; rev:1;)
alert tcp $HOME_NET any -> [167.172.131.98] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237711; rev:1;)
alert tcp $HOME_NET any -> [164.90.246.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-panel.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237709; rev:1;)
alert tcp $HOME_NET any -> [51.77.121.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237708; rev:1;)
alert tcp $HOME_NET any -> [23.26.247.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237707; rev:1;)
alert tcp $HOME_NET any -> [45.77.240.70] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3psilonapi.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237705; rev:1;)
# The compute-1.amazonaws.com name below embeds an address in its first label.
# NOTE(review): presumably a provider-assigned instance name whose address can later be reassigned;
# treat a hit long after first_seen as a lead to verify, not a confirmed infection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-210-242-78.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237704; rev:1;)
alert tcp $HOME_NET any -> [54.86.17.63] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"ec2-54-237-138-159.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237703; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET to the listed address and
# port matches, whatever the payload. threshold caps each rule at one alert per source per 60 seconds.
# NOTE(review): entries on ports 80 and 443 alert on every connection to that address; confirm a hit
# against the ThreatFox reference and first_seen (2024_02_07) before treating it as C2.
alert tcp $HOME_NET any -> [185.221.198.84] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237701; rev:1;)
alert tcp $HOME_NET any -> [85.105.91.170] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237700; rev:1;)
alert tcp $HOME_NET any -> [147.50.240.224] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237699; rev:1;)
alert tcp $HOME_NET any -> [47.92.123.66] 1311 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237697; rev:1;)
alert tcp $HOME_NET any -> [45.112.205.126] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237698; rev:1;)
# Domain rules: the queried name must equal the pattern exactly (depth equals the pattern length and
# isdataat:!1,relative rejects trailing bytes), case-insensitively. No threshold is set, so every matching query alerts.
# The plesk.page and cprapid.com names below embed an address in one label.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-mcnulty.164-92-180-123.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.23-26-55-9.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237696; rev:1;)
alert tcp $HOME_NET any -> [122.114.156.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237694; rev:1;)
alert tcp $HOME_NET any -> [40.90.255.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237693; rev:1;)
# The name below embeds 142-202-191-144, the same address the first Quasar RAT ip:port rule targets;
# a host that raises both alerts has resolved the name and then contacted that address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goofy-satoshi.142-202-191-144.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237692; rev:1;)
alert tcp $HOME_NET any -> [142.202.191.144] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237691; rev:1;)
alert tcp $HOME_NET any -> [45.195.198.204] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237689; rev:1;)
alert tcp $HOME_NET any -> [79.109.104.58] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237690; rev:1;)
alert tcp $HOME_NET any -> [167.86.86.15] 1010 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237688; rev:1;)
alert tcp $HOME_NET any -> [8.222.144.134] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237687; rev:1;)
alert tcp $HOME_NET any -> [14.225.210.222] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237686; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.135] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237684; rev:1;)
alert tcp $HOME_NET any -> [45.134.26.17] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d.kfaaa.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237683; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.225] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237682; rev:1;)
alert tcp $HOME_NET any -> [35.246.175.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237681; rev:1;)
alert tcp $HOME_NET any -> [154.91.83.247] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237680; rev:1;)
# ip:port rules: no flow or content keywords, so any TCP packet from $HOME_NET to the listed address and
# port matches, whatever the payload. threshold caps each rule at one alert per source per 60 seconds.
# NOTE(review): entries on ports 80 and 443 alert on every connection to that address; confirm a hit
# against the ThreatFox reference and first_seen (2024_02_07) before treating it as C2.
alert tcp $HOME_NET any -> [185.216.70.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237679; rev:1;)
# AsyncRAT: several addresses appear once per port (7707, 6606, 8808). Each address:port pair is its own
# rule with its own threshold, so one host can raise one alert per rule within the same 60 seconds.
alert tcp $HOME_NET any -> [185.81.157.179] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237678; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.179] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237677; rev:1;)
alert tcp $HOME_NET any -> [45.145.55.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237676; rev:1;)
alert tcp $HOME_NET any -> [172.96.172.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237675; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.104] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237673; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.104] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237674; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.104] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237672; rev:1;)
alert tcp $HOME_NET any -> [161.97.151.222] 2011 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237671; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.222] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237670; rev:1;)
alert tcp $HOME_NET any -> [107.161.81.150] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237669; rev:1;)
alert tcp $HOME_NET any -> [107.161.81.150] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237668; rev:1;)
alert tcp $HOME_NET any -> [78.161.49.74] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237667; rev:1;)
# Sliver entries are published at confidence 90 rather than 100; metadata confidence_level carries the
# same value as msg and can be used to filter or re-prioritise them.
alert tcp $HOME_NET any -> [20.253.24.99] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237666/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237666; rev:1;)
alert tcp $HOME_NET any -> [34.162.154.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237665/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237665; rev:1;)
alert tcp $HOME_NET any -> [62.113.115.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237664/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237664; rev:1;)
alert tcp $HOME_NET any -> [67.217.228.4] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237663/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237663; rev:1;)
# DarkComet: the rules below all target 187.135.83.117 and differ only in destination port and sid.
alert tcp $HOME_NET any -> [187.135.83.117] 2177 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237662; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237661; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237659; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237660; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237658; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237657; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237655; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237656; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237654; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1901 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237653; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1237652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237652; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237650; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237651; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1718 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237649; rev:1;) alert tcp $HOME_NET any -> [154.223.17.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237648; rev:1;) alert tcp $HOME_NET any -> [34.149.60.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237647; rev:1;) alert tcp $HOME_NET any -> 
[173.212.224.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237646; rev:1;)
# Cobalt Strike ip:port indicators (confidence 100) and two exact-name DNS
# rules.
#
# ip:port rules match on destination address and port alone; on 80, 443 and
# 8080 that means every connection to the host alerts, including traffic to
# anything else served from the same address.
#
# DNS rules: depth equals the length of the name and isdataat:!1,relative
# requires that nothing follows it, so only a query for exactly that name
# matches (nocase makes it case-insensitive); a subdomain of it does not.
# Both names look like provider-generated hostnames (an ISP-style static name
# and a *.plesk.page name). The rule pins the full name, so other hosts under
# the same parent domain are neither covered nor implicated.
# A DNS rule only fires where the sensor sees the cleartext query.
alert tcp $HOME_NET any -> [117.72.36.211] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237645; rev:1;)
alert tcp $HOME_NET any -> [205.234.233.180] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237644; rev:1;)
alert tcp $HOME_NET any -> [175.178.175.168] 9100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"98.lan-za2-1.static.rozabg.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237642; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237641; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237640; rev:1;)
alert tcp $HOME_NET any -> [114.116.18.42] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237639; rev:1;)
alert tcp $HOME_NET any -> [45.131.132.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237638; rev:1;)
alert tcp $HOME_NET any -> [121.40.185.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priceless-bose.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237636; rev:1;)
alert
tcp $HOME_NET any -> [103.35.191.158] 5344 (msg:"ThreatFox XpertRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237635; rev:1;)
# Mixed families: Get2, Meterpreter, Sliver and Cobalt Strike by ip:port, one
# payload-delivery URL, one C2 domain and one C2 URL.
#
# Confidence differs per rule (50, 80 or 100) and is carried both in msg and
# in metadata:confidence_level, so it can drive alert priority downstream.
# Meterpreter, Sliver and Cobalt Strike are frameworks that authorised testers
# use as well; check a hit against any engagement in progress.
#
# url rules ("alert http"): the URI content is anchored at the start by depth
# but has no end anchor, so "/mozi.m" and "/updates" also match longer URIs
# that begin with them. http.host is matched exactly (depth plus
# isdataat:!1,relative).
# These rules need HTTP the sensor can parse; the same request inside TLS is
# not seen unless traffic is decrypted upstream. For 42.3.134.97 the ip:port
# rule on 443 is what covers that case.
alert tcp $HOME_NET any -> [103.86.130.61] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237634; rev:1;)
alert tcp $HOME_NET any -> [34.32.44.11] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"39.174.238.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pastratas.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237631; rev:1;)
alert tcp $HOME_NET any -> [165.232.113.85] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237630; rev:1;)
alert tcp $HOME_NET any -> [82.147.85.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237629; rev:1;)
alert tcp $HOME_NET any -> [42.3.134.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"42.3.134.97"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237627; rev:1;)
alert tcp $HOME_NET any -> [179.60.147.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host;
content:"zx.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237624; rev:1;)
# regcssv.com cluster: exact-name dns rules for zx., as. and qw., and url
# rules for GET requests whose URI starts with /fam_calendar on those hosts.
# Then Get2, Remcos and the first "Unknown malware" ip:port entries.
#
# Each dns rule pins the full name (depth 14 plus isdataat:!1,relative), so
# other regcssv.com subdomains are not matched by anything in this group.
# The url rules only see cleartext HTTP; when the request is inside TLS, the
# dns rule for the same host is the one that can still fire, provided the
# sensor sees the cleartext query.
# dns_query is the older spelling of the dns.query buffer keyword; the url
# rules use the dotted http.* names.
#
# "Unknown malware" means the feed names no family; the reference URL is the
# only pivot for context on those alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; content:"as.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; content:"qw.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237620; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.70] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237619/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237619; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.232] 1985 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237618; rev:1;)
alert tcp $HOME_NET any -> [194.143.146.147] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237608; rev:1;)
alert tcp $HOME_NET any -> [194.143.146.141] 1521 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237609; rev:1;)
alert tcp $HOME_NET any -> [194.143.146.152] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237610/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_02_07; classtype:trojan-activity; sid:91237610; rev:1;)
# "Unknown malware" ip:port indicators (confidence 100) with one RedLine
# Stealer entry (193.233.132.169:2880).
#
# The destination address and port are the entire match; nothing in the
# payload is inspected. The "Unknown malware" ports here are 1288-1311 and
# 65535.
# Several entries are neighbours in the same address range (195.14.123.125 and
# .126, the 62.72.185.x run). Each is its own rule and sid, so the per-rule
# threshold does not aggregate across them: a host that contacts several
# neighbours raises one alert per rule per minute.
alert tcp $HOME_NET any -> [87.121.112.29] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237611; rev:1;)
alert tcp $HOME_NET any -> [87.121.112.41] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237612; rev:1;)
alert tcp $HOME_NET any -> [195.14.123.125] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237613; rev:1;)
alert tcp $HOME_NET any -> [195.14.123.126] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237614; rev:1;)
alert tcp $HOME_NET any -> [51.195.61.8] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237615; rev:1;)
alert tcp $HOME_NET any -> [195.85.114.141] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237616; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237617; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.169] 2880 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237607; rev:1;)
alert tcp $HOME_NET any -> [185.74.222.151] 1295 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237603; rev:1;)
alert tcp $HOME_NET any -> [80.92.206.176] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237604; rev:1;)
alert tcp $HOME_NET any -> [74.119.193.126] 1297 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237605; rev:1;)
alert tcp $HOME_NET any -> [94.131.13.80] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237606; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.68] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237509; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.36] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237510; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.39] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237511; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.40] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237513; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.35] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237515; rev:1;)
# "Unknown malware" ip:port indicators, confidence 100, first_seen 2024_02_07.
#
# The rules see only the port number, never the protocol. 61616, which many
# 204.76.203.x and 62.72.185.x entries use, is also the default OpenWire port
# of Apache ActiveMQ, so the port alone says nothing about what was spoken.
# An alert means "a $HOME_NET host sent TCP to this address and port".
# threshold "type limit ... count 1" suppresses repeats for 60 seconds per
# source host; a long-lived session therefore shows up as about one alert a
# minute, not as one alert per connection.
alert tcp $HOME_NET any -> [62.72.185.25] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237518; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.52] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237519; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237520; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.12] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237521; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.51] 1307 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237522; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.49] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237523; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.56] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237524; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.49] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237525; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.46] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237526; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.128] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237598; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.54] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237527; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.32] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237528; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.230] 1287 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237599; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.237] 1284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237600; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.247] 1295 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237601; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.24] 1293 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237602; rev:1;)
alert tcp $HOME_NET
any -> [204.76.203.55] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237529; rev:1;)
# "Unknown malware" ip:port indicators, mostly 204.76.203.x on port 61616.
#
# Ageing: first_seen 2024_02_07 is the only date a rule carries; there is no
# last-seen or expiry field. Addresses get reassigned, so check the
# reference URL for current status before using an entry for blocking rather
# than alerting.
# confidence_level 100 is the feed's rating of the indicator; it does not
# make the match more specific. The signature is still address plus port
# only (61616, 1332, 1303, 1291 and 1433 in this group), with no payload
# check.
alert tcp $HOME_NET any -> [62.72.185.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237530; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.20] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237531; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.48] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237532; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.156] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237534; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.30] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237533; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.57] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237535; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.21] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237538; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.58] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237536; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.31] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237537; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.42] 1332 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237539; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.26] 1303 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237540; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.28] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237541; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237542; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.36] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237543; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.45] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237544; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237545/;
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237545; rev:1;)
# "Unknown malware" ip:port indicators on 204.76.203.x, 62.72.185.x,
# 5.181.80.x and 45.93.9.x, all confidence 100.
#
# Every rule has $HOME_NET as its source, so coverage depends on HOME_NET
# being set to the monitored networks in the Suricata configuration; a host
# outside that definition never matches.
# Only client-to-listed-address traffic is described; connections initiated
# from these addresses toward the network are not covered here.
# Triage: sid = 9 followed by the ThreatFox IOC id in reference:url. The msg
# names no family, so the reference page is where the context is.
alert tcp $HOME_NET any -> [204.76.203.60] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237546; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.230] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237547; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237548; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.47] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237549; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.19] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237550; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.111] 1289 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237551; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.223] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237552; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.231] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237553; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237554; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237592; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.116] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237593; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.107] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237594; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.108] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237595; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237596; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.98] 1285 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237597; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.23] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237512; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.31] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237514; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237516; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.37] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237517; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.20] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237508; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.44] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237505; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.6] 1298 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07;
classtype:trojan-activity; sid:91237507; rev:1;)
# ThreatFox "Unknown malware" ip:port indicators (confidence_level 100, first_seen 2024_02_07).
# Most destinations in this run are in 62.72.185.x and 204.76.203.x on port 1311; three rules
# use ports 1291, 1302 and 1375 instead.
# The msg text is the same for every rule here, so the sid and the reference URL are the only
# per-indicator identifiers in an alert; when triaging, group hits by destination address
# and port rather than by sid.
# Each rule alerts at most once per source address per 60 seconds (threshold: type limit,
# track by_src), so the alert count understates how often a host contacted the endpoint;
# use flow records for volume and timing.
alert tcp $HOME_NET any -> [204.76.203.65] 1302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237506; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.14] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237504; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.5] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237503; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.61] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237502; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.72] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237500; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.71] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237501; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.4] 1375 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237497; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.17] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237498; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.16] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237499; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.7] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237494; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.32] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237496; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.21] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237495; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.9] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237492; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.2] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237493; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.69] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237490; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237491; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.18] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237488; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.3] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237489; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.43] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237486; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.22] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237487; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.38] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237483; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.66] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237484; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.45] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237485; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.44] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237482; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.13] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237480; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237481; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.33] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237478; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.11] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237479; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237476; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237477; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.42] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237474; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.70] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237475; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.221] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237555; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.103] 1311 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237556; rev:1;)
# ThreatFox ip:port indicators, first_seen 2024_02_07. All but one are labelled
# "Unknown malware" at confidence_level 100; sid 91237568 is labelled NjRAT at confidence_level 75.
# The metadata keyword is informational and takes no part in matching, so a 75% rule alerts
# exactly like a 100% one. Filter on the metadata value or the msg text downstream if
# lower-confidence indicators should be routed or prioritised differently.
# The file header gives "Last updated: 2024-07-26", several months after first_seen.
# NOTE(review): addresses can be reassigned over that time - confirm the indicator is still
# listed at its reference URL before treating a hit as confirmed C2 contact.
alert tcp $HOME_NET any -> [5.181.80.38] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237557; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.39] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237558; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.41] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237560; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.40] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237559; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237561; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237562; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.54] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237563; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.150] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237564; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.151] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237565; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.152] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237566; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.153] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237567; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.216] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237585; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.219] 1290 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237582; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.222] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237583; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.218] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237584; rev:1;)
alert tcp $HOME_NET any -> [64.227.106.194] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237580; rev:1;)
alert tcp $HOME_NET any -> [134.209.94.234] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237581; rev:1;)
alert tcp $HOME_NET any -> [157.230.244.224] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237578; rev:1;)
alert tcp $HOME_NET any -> [170.64.202.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237579; rev:1;)
alert tcp $HOME_NET any -> [165.22.101.63] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237575; rev:1;)
alert tcp $HOME_NET any -> [68.183.187.38] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237576; rev:1;)
alert tcp $HOME_NET any -> [159.223.89.203] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237577; rev:1;)
alert tcp $HOME_NET any -> [157.230.242.17] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237573; rev:1;)
alert tcp $HOME_NET any -> [68.183.183.68] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237574; rev:1;)
alert tcp $HOME_NET any -> [165.22.96.144] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237571; rev:1;)
alert tcp $HOME_NET any -> [159.223.89.252] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237572; rev:1;)
alert tcp $HOME_NET any -> [104.248.129.146] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237570; rev:1;)
alert tcp $HOME_NET any -> [159.223.90.237] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237569; rev:1;)
# The only rule in this run with a family label (NjRAT) and with confidence_level 75.
alert tcp $HOME_NET any -> [3.121.139.82] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237568; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.113] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237586; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.13] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237587; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.14] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237588; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
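threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237589; rev:1;)
# ip:port indicators: alert on TCP traffic from $HOME_NET to the listed address and port,
# at most once per source address per 60 seconds.
alert tcp $HOME_NET any -> [94.156.71.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237590; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237591; rev:1;)
# URL indicators. Each rule applies to client-to-server traffic on an established flow
# (flow:established,from_client) and requires the GET method. http.uri and http.host are
# sticky buffers: the content/depth/isdataat keywords that follow one apply to that buffer.
# In the host match, depth equals the pattern length and isdataat:!1,relative requires that
# no byte follows the pattern, so the Host value must equal the pattern exactly.
# The URI match content:"/"; depth:1 only requires the URI to begin with "/".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.89.175.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237473; rev:1;)
# Local fix, rev raised to 2 (sids 91237467, 91237468, 91237469, 91237470): as shipped, these
# rules matched the address or domain against http.uri with depth equal to its length, i.e.
# they required the request URI to begin with the host string. A request URI normally begins
# with "/", so the rules would not be expected to fire on ordinary requests. Presumably the
# indicators were submitted without a scheme or path - verify against the reference URLs.
# The pattern is now matched against http.host in the same form sids 91237471 and 91237472
# use. nocase is dropped because Suricata lower-cases the http.host buffer, which makes it
# redundant there; the patterns are already lower case.
# The feed still ships the http.uri form, so a feed refresh replaces these lines: carry the
# change as a local override and report it to the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"65.21.133.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237467; rev:2;)
# sids 91237468 and 91237469 have identical match conditions and differ only in their
# ThreatFox reference, so one request raises both alerts; deduplicate on the host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"masjidalfurqon.id"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237468; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"masjidalfurqon.id"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237469; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"161.97.132.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237470; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.253.214.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stutti.de"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237472; rev:1;)
alert tcp $HOME_NET any -> [185.236.228.203] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 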
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237466; rev:1;)
# url indicator: GET whose URI begins with "/cm" (depth:3, nocase; nothing anchors the
# end, so longer paths starting with "/cm" also match) and whose http.host equals
# "117.50.162.183".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237464; rev:1;)
# ip:port indicators: destination address and port are the only conditions (no payload
# or flow keyword); threshold limits each rule to one alert per source per 60 seconds.
# The first covers the same address as the url rule above on port 80, so a single HTTP
# request to it can raise both alerts.
alert tcp $HOME_NET any -> [117.50.162.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237465; rev:1;)
alert tcp $HOME_NET any -> [35.158.159.254] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237462; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237463; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237461/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_02_07; classtype:trojan-activity; sid:91237461; rev:1;)
# ip:port indicators: each rule matches on destination address and port alone and is
# limited by threshold to one alert per source address per 60 seconds.
# Most of these carry confidence_level 50 in their metadata; that value is the feed's
# own rating and is available for filtering or severity mapping.
alert tcp $HOME_NET any -> [89.249.73.162] 2479 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237460; rev:1;)
alert tcp $HOME_NET any -> [194.156.98.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237459; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.13] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237458; rev:1;)
alert tcp $HOME_NET any -> [178.73.218.6] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237457; rev:1;)
alert tcp $HOME_NET any -> [67.71.30.49] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237456; rev:1;)
alert tcp $HOME_NET any -> [86.98.222.105] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count
1; reference:url, threatfox.abuse.ch/ioc/1237455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237455; rev:1;)
# ip:port indicators at confidence_level 50: destination address and port only (445 and
# 443 here), no payload inspection; one alert per source per 60 seconds per rule.
# NOTE(review): an alert shows that a host contacted the address, not what was
# exchanged; check the reference URL for the indicator's current status before acting.
alert tcp $HOME_NET any -> [149.28.94.80] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237454; rev:1;)
alert tcp $HOME_NET any -> [71.187.88.67] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237453; rev:1;)
alert tcp $HOME_NET any -> [138.68.169.56] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237452; rev:1;)
alert tcp $HOME_NET any -> [172.105.14.104] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237451; rev:1;)
alert tcp $HOME_NET any -> [164.90.233.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237450; rev:1;)
alert tcp $HOME_NET any -> [23.229.31.21] 25623 (msg:"ThreatFox BianLian botnet C2
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237449; rev:1;)
# ip:port indicators, all at confidence_level 50: the rules match on destination
# address and port alone (the first one is TCP to port 53) and are limited to one
# alert per source address per 60 seconds. The malware family appears only in msg.
alert tcp $HOME_NET any -> [220.77.118.115] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237448; rev:1;)
alert tcp $HOME_NET any -> [119.190.136.165] 9000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237447; rev:1;)
alert tcp $HOME_NET any -> [65.153.151.175] 10010 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237446; rev:1;)
alert tcp $HOME_NET any -> [45.33.59.99] 10724 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237445; rev:1;)
alert tcp $HOME_NET any -> [191.252.214.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07;
classtype:trojan-activity; sid:91237444; rev:1;)
# url indicator: GET whose URI begins with "/gjvjls3jd2v/login.php" (depth:22, nocase;
# the end is not anchored, so a query string after it still matches) and whose
# http.host equals "193.233.132.73".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjvjls3jd2v/login.php"; depth:22; nocase; http.host; content:"193.233.132.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237403; rev:1;)
# ip:port indicators: destination address and port only, no payload or flow keyword;
# threshold limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [37.60.227.156] 7 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237406; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.148] 3362 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237405; rev:1;)
alert tcp $HOME_NET any -> [216.218.135.118] 9583 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237410; rev:1;)
# url indicator (rule continues on the next line): http.host must equal
# "gigeconomycase.com"; the http.uri test is only a leading "/", so any GET path matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gigeconomycase.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07;
classtype:trojan-activity; sid:91237429; rev:1;)
# url indicators for payload delivery: GET with http.host exactly equal to the quoted
# value (depth is the value's length, then isdataat:!1,relative). Where the http.uri
# content is "/", every GET path on that host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pngairservices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"basicincomeonline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237431; rev:1;)
# NOTE(review): a request matching this "/api/connect" rule also satisfies sid 91237431
# above (same host, URI starting with "/"), so it raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"basicincomeonline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"213.109.202.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm341/index.php"; depth:16; nocase; http.host; content:"bmld.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237443; rev:1;)
# ip:port indicators on ports 80 and 443: the rules match on destination address and
# port alone, so they cannot tell the named family's traffic from any other connection
# to the same address. threshold limits each rule to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [185.196.8.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237442; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.52] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237440; rev:1;)
alert tcp $HOME_NET any -> [46.105.141.60] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237441; rev:1;)
alert tcp $HOME_NET any -> [37.120.247.104] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237438; rev:1;)
alert tcp $HOME_NET any -> [5.255.119.56] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237439/; target:src_ip; metadata:
confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237439; rev:1;)
# ip:port indicators: destination address and port only; one alert per source address
# per 60 seconds per rule. 187.135.83.117 is listed on two ports (1741 and 1604), each
# with its own sid, so contact on both ports produces two separate alerts.
alert tcp $HOME_NET any -> [65.0.50.125] 22220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237437; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237436; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237435; rev:1;)
alert tcp $HOME_NET any -> [94.232.47.185] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237434; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237428; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237427; rev:1;)
# ip:port indicators: several addresses on the same port 10445 labelled NjRAT, then
# single entries for other families. Matching is on destination address and port only;
# threshold limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [18.156.13.209] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237426; rev:1;)
alert tcp $HOME_NET any -> [3.126.37.18] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237425; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237424; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237423; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.83] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237422; rev:1;)
alert tcp $HOME_NET any -> [104.225.142.194] 3790
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237421; rev:1;)
# url indicators: GET whose URI begins with the quoted path (depth is the path's
# length, nocase, end not anchored) and whose http.host equals the quoted address.
# Paths such as "/jquery-3.3.1.min.js" or two-letter ones like "/cx" are not
# distinctive on their own; the exact http.host condition is what narrows these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.57.12.167"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.3.220.200"; depth:13; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1237417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237417; rev:1;)
# url indicator: GET whose URI begins with the 104-byte path below (depth:104, nocase)
# and whose http.host equals "194.87.93.199".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6provider/_cdn/baseupdatelinux/trafficasyncwprequest/imagevmdefaultbaselinuxasyncuniversaltemporary.php"; depth:104; nocase; http.host; content:"194.87.93.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237416; rev:1;)
# 117.72.15.82 is covered twice: an ip:port rule for port 443 (address and port only,
# one alert per source per 60 seconds) and a url rule for GET "/push..." with that
# exact http.host. The url rule needs the HTTP request to be visible to the sensor.
alert tcp $HOME_NET any -> [117.72.15.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"117.72.15.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237414; rev:1;)
# ip:port indicators: destination address and port only.
alert tcp $HOME_NET any -> [187.135.83.117] 1800 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237413; rev:1;)
alert tcp $HOME_NET any -> [41.96.128.248] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold:
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237412; rev:1;)
# ip:port indicators: the rules match on destination address and port alone (three of
# them on port 443) and carry no payload or flow keyword; the family name is in msg
# only. threshold limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [187.135.83.117] 2259 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237411; rev:1;)
alert tcp $HOME_NET any -> [46.149.77.41] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237409; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.247] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237408; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237407; rev:1;)
alert tcp $HOME_NET any -> [92.246.138.88] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237404; rev:1;)
alert tcp $HOME_NET
any -> [94.156.65.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237402; rev:1;)
# ip:port indicator: destination address and port only; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [39.105.101.138] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237401; rev:1;)
# domain indicator: the DNS query name must equal "alma27.duckdns.org" (depth:18 pins
# the content to the start, isdataat:!1,relative allows nothing after it, nocase), so
# names under that domain do not match. This rule has no threshold, so every matching
# query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alma27.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237390; rev:1;)
# ip:port indicators: destination address and port only; the confidence_level in
# metadata ranges from 100 down to 50 and is available for filtering.
alert tcp $HOME_NET any -> [79.137.203.183] 36235 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237391; rev:1;)
alert tcp $HOME_NET any -> [139.59.10.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237400; rev:1;)
alert tcp $HOME_NET any -> [188.54.98.85] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1237399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237399; rev:1;)
# ip:port indicators at confidence_level 50: destination address and port only, no
# payload inspection; threshold limits each rule to one alert per source per 60 seconds.
# NOTE(review): treat a hit as "host contacted this address" and check the reference
# URL for the indicator's current status before acting on it.
alert tcp $HOME_NET any -> [190.28.91.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237398; rev:1;)
alert tcp $HOME_NET any -> [103.152.221.43] 6607 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237397; rev:1;)
alert tcp $HOME_NET any -> [217.114.43.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237396; rev:1;)
alert tcp $HOME_NET any -> [143.198.131.4] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237395; rev:1;)
# url indicator (rule continues on the next line): GET whose URI begins with
# "/updates.rss" and whose http.host equals "5.101.0.245".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity;
sid:91237394; rev:1;)
# url indicators: GET whose URI begins with the quoted 45-byte path (depth:45, nocase)
# and whose http.host equals "80.66.75.53".
# NOTE(review): sid 91237393 and sid 91237392 have identical match conditions and
# differ only in reference and sid, so every matching request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nprgttmfrtmijp7xaraq7p87jp9"; depth:45; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nprgttmfrtmijp7xaraq7p87jp9"; depth:45; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237392; rev:1;)
# ip:port indicators: destination address and port only; threshold limits each rule to
# one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [185.202.239.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237389/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237389; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.14] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237388; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.16] 2552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237387/; target:src_ip; metadata: confidence_level 100, first_seen
2024_02_06; classtype:trojan-activity; sid:91237387; rev:1;)
# url indicators: the same URI prefix "/api/flash.php" (depth:14, nocase, end not
# anchored) on two different hosts; http.host must equal the quoted address exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"45.15.156.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237385; rev:1;)
# domain indicator: the DNS query name must equal "yaniqueque.sytes.net" (depth:20,
# isdataat:!1,relative, nocase); names under it do not match. No threshold is set, so
# every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yaniqueque.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237384; rev:1;)
# ip:port indicator: destination address and port only; one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [62.204.41.234] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237383; rev:1;)
# domain indicator (rule continues on the next line): exact match on the query name "xmail.cfd".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xmail.cfd"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237282/; target:src_ip; metadata: confidence_level
75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237282; rev:1;)
# ip:port indicators at confidence_level 100: the rules still match on destination
# address and port alone, with no payload or flow keyword; the family name is carried
# in msg only. threshold limits each rule to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.186.117.186] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237382; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 7754 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237381; rev:1;)
alert tcp $HOME_NET any -> [45.128.133.21] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237380; rev:1;)
alert tcp $HOME_NET any -> [185.202.175.208] 54600 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237379; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.102] 54600 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237378; rev:1;)
alert tcp $HOME_NET any -> [174.138.56.147] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237377; rev:1;) alert tcp $HOME_NET any -> [20.234.140.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237376; rev:1;) alert tcp $HOME_NET any -> [46.151.214.196] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237374; rev:1;) alert tcp $HOME_NET any -> [152.32.131.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237375; rev:1;) alert tcp $HOME_NET any -> [161.97.89.128] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237373; rev:1;) alert tcp $HOME_NET any -> [20.126.32.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; 
sid:91237372; rev:1;) alert tcp $HOME_NET any -> [13.244.70.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237371; rev:1;) alert tcp $HOME_NET any -> [54.252.170.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237370; rev:1;) alert tcp $HOME_NET any -> [40.68.94.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237369; rev:1;) alert tcp $HOME_NET any -> [20.73.188.143] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237368; rev:1;) alert tcp $HOME_NET any -> [3.18.169.79] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apis.deenpel.com"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237366; rev:1;) alert tcp $HOME_NET any -> [154.12.25.252] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237365; rev:1;) alert tcp $HOME_NET any -> [103.52.154.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237364; rev:1;) alert tcp $HOME_NET any -> [182.16.35.146] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237362; rev:1;) alert tcp $HOME_NET any -> [107.172.144.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237363; rev:1;) alert tcp $HOME_NET any -> [182.16.35.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237361; 
rev:1;) alert tcp $HOME_NET any -> [182.16.35.148] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237360; rev:1;) alert tcp $HOME_NET any -> [182.16.35.147] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237359; rev:1;) alert tcp $HOME_NET any -> [114.115.145.188] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237357; rev:1;) alert tcp $HOME_NET any -> [142.171.229.85] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mine-panel.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mine-panel.space"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237356; rev:1;) alert tcp $HOME_NET any -> [212.193.11.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237354; rev:1;) alert tcp $HOME_NET any -> [212.193.11.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-196-101-127.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-208-95-157.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237352; rev:1;) alert tcp $HOME_NET any -> [54.237.138.159] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237350/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enter.showconfig.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237349; rev:1;) alert tcp $HOME_NET any -> [41.216.183.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237348; rev:1;) alert tcp $HOME_NET any -> [142.93.191.198] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237347; rev:1;) alert tcp $HOME_NET any -> [94.156.68.253] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237346; rev:1;) alert tcp $HOME_NET any -> [94.156.68.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237345; rev:1;) alert tcp $HOME_NET any -> [185.172.128.88] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237344; rev:1;) alert tcp $HOME_NET any -> [5.42.67.10] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237343; rev:1;) alert tcp $HOME_NET any -> [108.62.49.215] 88 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237342; rev:1;) alert tcp $HOME_NET any -> [193.163.7.156] 8008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237341; rev:1;) alert tcp $HOME_NET any -> [45.86.163.142] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237340; rev:1;) alert tcp $HOME_NET any -> [194.48.251.11] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237339; rev:1;) 
alert tcp $HOME_NET any -> [172.233.240.86] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237338; rev:1;) alert tcp $HOME_NET any -> [103.243.180.16] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237337; rev:1;) alert tcp $HOME_NET any -> [103.243.180.7] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237336; rev:1;) alert tcp $HOME_NET any -> [157.254.165.110] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237335; rev:1;) alert tcp $HOME_NET any -> [195.62.47.154] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237334; rev:1;) alert tcp $HOME_NET any -> [185.238.171.42] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsft-security.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-76-234-184.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1095765-1.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.5.96.119.168.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237329; rev:1;) alert tcp $HOME_NET any -> [4.255.104.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237328/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237328; rev:1;) alert tcp $HOME_NET any -> [140.82.48.210] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237327; rev:1;) alert tcp $HOME_NET any -> [94.156.69.73] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237326; rev:1;) alert tcp $HOME_NET any -> [181.161.6.87] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237325; rev:1;) alert tcp $HOME_NET any -> [149.28.148.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hookqd.tttseo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"pensive-shamir.45-134-26-33.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237323; rev:1;) alert tcp $HOME_NET any -> [77.73.131.54] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237321; rev:1;) alert tcp $HOME_NET any -> [185.216.70.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237320; rev:1;) alert tcp $HOME_NET any -> [93.123.39.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237319; rev:1;) alert tcp $HOME_NET any -> [20.6.81.237] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237318; rev:1;) alert tcp $HOME_NET any -> [185.216.70.117] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; 
sid:91237317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzuv225.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.jettresponse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin4.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237314; rev:1;) alert tcp $HOME_NET any -> [62.109.15.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237313; rev:1;) alert tcp $HOME_NET any -> [27.79.88.176] 8007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237312; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237311; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237310; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237309; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237308; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237306; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237307; rev:1;) alert tcp 
$HOME_NET any -> [46.246.82.4] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237305; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237304; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237303; rev:1;) alert tcp $HOME_NET any -> [20.215.41.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237302/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_06; classtype:trojan-activity; sid:91237302; rev:1;) alert tcp $HOME_NET any -> [3.133.3.35] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237301/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_06; classtype:trojan-activity; sid:91237301; rev:1;) alert tcp $HOME_NET any -> [43.249.9.224] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237300/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237300; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237299; rev:1;) alert tcp $HOME_NET any -> [192.3.101.133] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237298; rev:1;) alert tcp $HOME_NET any -> [104.234.240.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237296; rev:1;) alert tcp $HOME_NET any -> [192.3.101.133] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237297; rev:1;) alert tcp $HOME_NET any -> [103.42.30.219] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237295; rev:1;) alert tcp $HOME_NET any -> [137.175.97.93] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237294; rev:1;) alert tcp $HOME_NET any -> [64.226.76.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.164-90-169-184.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237292; rev:1;) alert tcp $HOME_NET any -> [47.99.66.200] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237291; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237290; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237289/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_06; classtype:trojan-activity; sid:91237289; rev:1;) alert tcp $HOME_NET any -> [20.163.176.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30.210.31.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0913447.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237286; rev:1;) alert tcp $HOME_NET any -> [74.91.116.12] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.251.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237284/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237284; rev:1;)
# ip:port rule for the same address that sid:91237284 (closing fragment above)
# matches as an http.host literal. It tests address and port only, and the
# threshold limits it to one alert per source per 60 seconds.
# NOTE(review): on port 443 the payload is presumably TLS, which this rule never
# inspects. Corroborate a hit with flow/TLS logs before escalating.
alert tcp $HOME_NET any -> [78.46.251.181] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237283; rev:1;)
# URL rule: GET, URI starting with /pws/fre.php (prefix match, no end anchor),
# Host exactly xmail.cfd. No threshold: one alert per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"xmail.cfd"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237281; rev:1;)
alert tcp $HOME_NET any -> [157.90.20.51] 47753 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237280; rev:1;)
# Duplicate detection logic: the match conditions are identical to sid:91237281
# above (GET, /pws/fre.php prefix, host xmail.cfd). Only the ThreatFox reference
# and the confidence level differ (75 here, 100 there), so a single request
# raises both alerts. Deduplicate downstream on host + URI rather than on sid,
# and keep the higher confidence_level when merging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"xmail.cfd"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237279; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.252] 8276 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237277/; target:src_ip; metadata: confidence_level 75, first_seen
2024_02_06; classtype:trojan-activity; sid:91237277; rev:1;) alert tcp $HOME_NET any -> [91.92.247.252] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237278; rev:1;) alert tcp $HOME_NET any -> [109.107.181.228] 1676 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237276; rev:1;) alert tcp $HOME_NET any -> [109.107.181.228] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237275; rev:1;) alert tcp $HOME_NET any -> [103.86.130.120] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mosaicyoungoccasionnyej.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"updaterootapplederjuios.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"modestessayevenmilwek.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237254/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"triangleseasonbenchwj.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237255/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secretionsuitcasenioise.shop"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"circulatejobspontane.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tonguehypnothesislan.shop"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nationalistvetecanve.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237259/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inviteaccessiblesaltw.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237260/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stamprollabbeymemberw.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"donorwifeconfusionstronko.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"essayinterventiondepof.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237263/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smilesnugglemonstouseo.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"offsetundressdriveryjow.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"publishfavorharbouroe.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banquetmasteryfailurw.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237267/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exemptatmospherestingw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; 
classtype:trojan-activity; sid:91237268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pavementpreferencewjiao.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"benddiscoleideasbridrew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hovermeatglacierrjuw.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b57f88e9b186cd.php"; depth:21; nocase; http.host; content:"gsggaoo.top"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1237253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237253; rev:1;)
# ip:port rules: address and port only, rate-limited to one alert per source
# per 60 seconds. They share classtype trojan-activity with the 100% rules,
# so triage should read metadata confidence_level (75 and 80 here) instead of
# relying on the classtype-derived priority.
alert tcp $HOME_NET any -> [43.143.228.239] 7766 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237251; rev:1;)
# NOTE(review): 50050 is commonly cited as the framework's management port
# rather than an implant listener. Confirm on the ThreatFox entry what a
# HOME_NET connection to it indicates before classifying the source host.
alert tcp $HOME_NET any -> [47.100.170.9] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237250; rev:1;)
# URL rule and domain rule for the same host (see the dns rule below). The http
# rule only sees traffic Suricata parses as HTTP; if the client uses TLS
# without decryption, only the dns rule can fire.
# NOTE(review): the host resembles a misspelling of a well-known brand and the
# URI starts with /owa/, so this is presumably a credential-phishing page
# rather than malware C2, despite the generic "botnet C2" msg. Verify on the
# ThreatFox entry and route hits to the account-compromise playbook if so.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/guumxl4dhprl9owye74vbaqcbppfgijt"; depth:37; nocase; http.host; content:"ogind.drobpox.us"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237248; rev:1;)
# Exact-name DNS match (depth:16 + isdataat:!1,relative) for the host used in
# sid:91237248. It fires on the lookup itself, with no threshold, so expect one
# alert per query and possibly a second alert from the http rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogind.drobpox.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237249; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.105] 1970 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237247/; target:src_ip; metadata:
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237247; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237246; rev:1;) alert tcp $HOME_NET any -> [88.198.107.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.107.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frozenk.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.frozenk.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237198; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.frozenk.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1357229.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maksonsab.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.maksonsab.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.nateeka.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nateeka.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237204; rev:1;)
# Domain rules below are exact-name matches: depth equals the pattern length
# and isdataat:!1,relative forbids trailing data, so subdomains and parent
# names need their own rules. None carries a threshold, so every matching
# query raises an alert.
# NOTE(review): this name has the form of a provider-generated instance
# hostname under compute-1.amazonaws.com. The underlying address can be
# released and reassigned, so a hit long after first_seen (2024_02_06) may
# point at an unrelated tenant. Check the ThreatFox entry's current status.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-107-23-38-171.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farkhunda.3cx.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c0mmit.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237215; rev:1;)
# ip:port rule: address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [93.123.85.149] 38245 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.shop4youv2.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237225/;
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.elite-likes.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237226; rev:1;) alert tcp $HOME_NET any -> [93.123.85.4] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237234; rev:1;) alert tcp $HOME_NET any -> [167.56.197.73] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237243; rev:1;) alert tcp $HOME_NET any -> [124.220.235.28] 1002 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237242; rev:1;) alert tcp $HOME_NET any -> [3.143.234.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237241; rev:1;) alert tcp $HOME_NET any -> [45.9.191.183] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237240; rev:1;) alert tcp $HOME_NET any -> [20.224.11.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237238; rev:1;) alert tcp $HOME_NET any -> [216.189.159.197] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237237; rev:1;) alert tcp $HOME_NET any -> [152.69.220.235] 1443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237236; rev:1;) alert tcp $HOME_NET any -> [91.92.254.111] 1977 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237233/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237233; rev:1;) alert tcp $HOME_NET any -> [94.156.64.228] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26048ad8.php"; depth:13; nocase; http.host; content:"a0915620.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237231; rev:1;) alert tcp $HOME_NET any -> [52.66.148.83] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237230; rev:1;) alert tcp $HOME_NET any -> [119.3.220.200] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237229; rev:1;) alert tcp $HOME_NET any -> [190.232.148.118] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237228/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237228; rev:1;) alert tcp $HOME_NET 
any -> [109.248.151.213] 45682 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237227; rev:1;) alert tcp $HOME_NET any -> [94.156.66.178] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237223; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237222/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237222; rev:1;) alert tcp $HOME_NET any -> [159.223.72.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237221/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237217; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237216/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237216; rev:1;) alert tcp $HOME_NET any -> [41.201.100.168] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237214; rev:1;) alert tcp $HOME_NET any -> [109.255.66.174] 
995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237213; rev:1;)
# Every rule below is an ip:port indicator at confidence level 50. Each one
# matches on destination address and port alone and is limited to one alert
# per source per 60 seconds. They use the same classtype (trojan-activity) as
# the 100% rules, so a priority derived from classtype does not reflect the
# lower confidence; filter or down-rank on metadata confidence_level.
# NOTE(review): a bare address on port 443 may front unrelated services.
# Treat a hit as a lead to corroborate with TLS/flow/endpoint data.
alert tcp $HOME_NET any -> [41.98.4.60] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237212; rev:1;)
alert tcp $HOME_NET any -> [85.107.13.154] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237211; rev:1;)
# Destination port 445: a match means a HOME_NET host sent TCP traffic to an
# external address on the SMB port.
# NOTE(review): "botnet C2" appears to be the feed's generic msg template here.
# The named tool is usually described as a credential-capture utility, so
# handle a hit as possible credential exposure. Outbound TCP/445 to the
# internet is worth blocking at the perimeter regardless of this indicator.
alert tcp $HOME_NET any -> [94.23.155.217] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237210; rev:1;)
alert tcp $HOME_NET any -> [134.209.244.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237209; rev:1;)
alert tcp $HOME_NET any -> [45.152.85.10] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05;
classtype:trojan-activity; sid:91237208; rev:1;)
# ip:port rule: address and port only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [154.195.152.232] 63641 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237206; rev:1;)
# URL rules with an IPv4 literal in http.host. The host pattern is exact
# (depth = pattern length, isdataat:!1,relative), so these fire only when the
# request's Host value is that literal. A request that reaches the same server
# under a domain name is not covered and needs the feed's domain or ip:port
# indicators instead.
# The http.uri patterns are short and anchored at the start only: "/pixel"
# also matches "/pixel.gif" and "/dot.gif" also matches "/dot.gif?x=1". The
# paths are generic, so the host literal carries the specificity. No threshold
# is set, so each matching GET raises an alert. The msg names no malware
# family; take it from the ThreatFox reference when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.37.14.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase;
http.host; content:"101.43.161.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.156.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"147.124.221.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.htm"; depth:10; nocase; http.host; content:"anotherpalece.sytes.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anotherpalece.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237190; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.161.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237185; rev:1;) alert tcp $HOME_NET any -> [3.216.239.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"traincaster.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"traincaster.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.105.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237181; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"solar.huawei.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237179; rev:1;)
# sid 91237179 (the rule ending on the line above) keys on the Host header value "solar.huawei.com"
# plus a URI that starts with "/jquery-3.3.1.min.js". The Host header is chosen by the client, so the
# alert by itself does not show which server received the request.
# NOTE(review): presumably the Host value is spoofed by the implant's HTTP profile - confirm against the
# ThreatFox entry, and triage on the flow's destination address rather than on the Host string.
#
# The URL rules below follow the feed's usual shape: GET, URI anchored at offset 0 with depth (a prefix
# match, since the URI has no end anchor), and Host matched exactly (depth + isdataat:!1,relative).
# Short generic prefixes such as "/match" and "/api" therefore depend on the Host match for precision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"23.94.255.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peasanthovecapspll.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237176; rev:1;)
# ip:port rule: no flow or payload condition, so any TCP packet from $HOME_NET to this address and port
# matches; the threshold keeps it to one alert per source per 60 seconds. Confidence here is 75, not 100.
alert tcp $HOME_NET any -> [103.69.96.162] 4502 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91237175; 
rev:1;) alert tcp $HOME_NET any -> [95.217.215.24] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.215.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237171; rev:1;) alert tcp $HOME_NET any -> [95.216.181.87] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237172; rev:1;) alert tcp $HOME_NET any -> [78.47.233.159] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.233.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newagev"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237169; rev:1;)
# sid 91237169 (the rule ending on the line above): Host must be exactly "t.me"; the URI only has to
# start with "/newagev" (depth:8 with no end anchor), so longer paths sharing that prefix also match.
# NOTE(review): t.me is a shared public service, so this alert identifies the $HOME_NET client that
# requested the page (target:src_ip), not a hostile server - do not turn the Host into a block entry.
# NOTE(review): the rule inspects cleartext HTTP; requests made over TLS are presumably not visible to
# it without decryption - confirm what the sensor actually sees for this host.
#
# URI content "/" with depth:1 holds for any request path, so the next rule is effectively
# "any GET whose Host is 95.216.181.87". The same address is also covered by the ip:port rule
# sid 91237172 (port 80), so expect paired alerts for one connection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.181.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237168; rev:1;)
# Same shape as sid 91237169: one profile path on steamcommunity.com, another shared public site.
# The indicator is the path, not the host; the cleartext-HTTP caveat above applies here as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199631487327"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237167; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port matches (no flow or
# payload condition); the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [174.138.56.147] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237166; rev:1;)
alert tcp $HOME_NET any -> [85.215.237.245] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237165; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91237163; rev:1;) alert tcp $HOME_NET any -> [149.248.17.69] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"36.150.160.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.221.248.167"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1237160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237158; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237157; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237156; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237155/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237155; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"5.230.229.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237153; rev:1;) alert tcp $HOME_NET any -> [54.39.179.157] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237152/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"mysticselect.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"mysticselect.com"; 
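depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237149; rev:1;)
# DNS query for exactly bizabiza.mywire.org: depth:19 anchors the start of the query name and
# isdataat:!1,relative anchors the end, so sub-domains and look-alike suffixes do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bizabiza.mywire.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237150; rev:1;)
# Fixed: the feed rule matched the hostname in http.uri at offset 0 (depth:19). A request URI begins
# with "/" (or with a scheme in proxy form), never with the bare hostname, so the rule could not fire.
# The hostname is now matched in http.host with the same exact-match anchoring the other url rules in
# this file use (depth + isdataat:!1,relative, no nocase on the host buffer).
# NOTE(review): the IOC's path is not visible here, so no URI condition is applied - confirm against
# the ThreatFox entry. This is a local change to a feed rule: bump rev when deploying it, and expect
# the next feed update to restore the original text unless the sid is pinned or reported upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bizabiza.mywire.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237151; rev:1;)
# ip:port rules: any TCP packet from $HOME_NET to the listed address and port matches (no flow or
# payload condition); the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [45.66.248.135] 5833 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237147; rev:1;)
alert tcp $HOME_NET any -> [51.38.178.159] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237146; rev:1;)
alert tcp $HOME_NET any -> [3.142.70.21] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 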
classtype:trojan-activity; sid:91237145; rev:1;) alert tcp $HOME_NET any -> [3.143.139.73] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237144; rev:1;) alert tcp $HOME_NET any -> [141.145.196.196] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237143; rev:1;) alert tcp $HOME_NET any -> [167.172.47.15] 36936 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237142; rev:1;) alert tcp $HOME_NET any -> [180.139.173.232] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237141; rev:1;) alert tcp $HOME_NET any -> [3.109.228.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237140; rev:1;) alert tcp $HOME_NET any -> [175.24.130.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237139; rev:1;) alert tcp $HOME_NET any -> [137.74.7.196] 8001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237138; rev:1;) alert tcp $HOME_NET any -> [4.156.181.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237137; rev:1;) alert tcp $HOME_NET any -> [18.194.227.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237136; rev:1;) alert tcp $HOME_NET any -> [18.157.139.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237135; rev:1;) alert tcp $HOME_NET any -> [172.205.168.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; 
sid:91237134; rev:1;) alert tcp $HOME_NET any -> [212.39.153.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.vitamedicajobccb.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admiring-pascal.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.dnl-l.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.charming-wright.142-11-199-59.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fonts.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237126; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237125; rev:1;) alert tcp $HOME_NET any -> [103.108.42.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237124; rev:1;) alert tcp $HOME_NET any -> [103.108.43.23] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237123; rev:1;) alert tcp $HOME_NET any -> [103.108.42.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237121; rev:1;) alert tcp $HOME_NET any -> [103.108.43.25] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237122; rev:1;) alert tcp $HOME_NET any -> [182.16.35.149] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237120; rev:1;) alert tcp $HOME_NET any -> [103.108.43.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237119; rev:1;) alert tcp $HOME_NET any -> [124.223.201.58] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237118; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.akunet.host"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237117; rev:1;) alert tcp $HOME_NET any -> [93.123.85.14] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilonapi.fr"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237115; rev:1;) alert tcp $HOME_NET any -> [52.200.22.116] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sw.sono.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237113; rev:1;) alert tcp $HOME_NET any -> [66.135.13.235] 9075 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237112; rev:1;) alert tcp $HOME_NET any -> [34.118.118.118] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237111; rev:1;) alert tcp $HOME_NET any -> [35.199.67.241] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237110; rev:1;) alert tcp $HOME_NET any -> [41.216.183.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237109; rev:1;) alert tcp $HOME_NET any -> [98.66.153.174] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237108; rev:1;) alert tcp $HOME_NET any -> [89.23.97.83] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237107; rev:1;) alert tcp $HOME_NET any -> [188.27.175.18] 8080 
(msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237106; rev:1;) alert tcp $HOME_NET any -> [109.107.182.205] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237105; rev:1;) alert tcp $HOME_NET any -> [194.33.191.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237104; rev:1;) alert tcp $HOME_NET any -> [103.243.180.11] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-175-41-143-87.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-248-157.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-46-228-106.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1065782-2.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"files.paronibarry.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237098; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 104 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237097; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 57963 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237096/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237096; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 5903 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237094; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 9036 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237095; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 5671 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237093; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 4242 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237092; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237090; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237091; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 24828 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237089; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 6009 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237087; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 18925 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237088; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 2376 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237086; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 28015 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237085; rev:1;) 
# ip:port indicators (family named in msg, first_seen 2024_02_05).
# Each of these rules matches any TCP packet from $HOME_NET to the listed address
# and port. There is no flow-state or payload condition, so an alert means only
# that an internal host sent traffic to that endpoint.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert per
# source address per 60 seconds for each sid.
# target:src_ip marks the source ($HOME_NET) address as the target in the alert record.
# NOTE(review): 102.117.152.61 appears on five different ports in this group; that
# may reflect one host answering on many ports rather than five separate listeners.
# Confirm against the referenced ThreatFox entries before weighting each hit separately.
alert tcp $HOME_NET any -> [102.117.152.61] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237083; rev:1;)
alert tcp $HOME_NET any -> [102.117.152.61] 12920 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237084; rev:1;)
alert tcp $HOME_NET any -> [102.117.152.61] 2375 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237082; rev:1;)
alert tcp $HOME_NET any -> [102.117.152.61] 4781 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237080; rev:1;)
alert tcp $HOME_NET any -> [102.117.152.61] 64741 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237081; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.126] 3741 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237079; rev:1;)
alert tcp $HOME_NET any -> [191.82.252.2] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237078; rev:1;)
# Domain indicators. dns_query selects the queried name. content with depth equal to
# the pattern length, followed by isdataat:!1,relative, requires the whole name to
# match: a longer name, or a subdomain of the listed one, does not match. nocase
# makes the comparison case-insensitive. These rules carry no threshold option.
# The msg of a domain rule names no malware family; the reference URL is the only
# pointer to one.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erp.topixtechnology.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237076; rev:1;)
# Port 443 destination: the rule matches on address and port only and inspects
# nothing inside the connection.
alert tcp $HOME_NET any -> [13.212.79.65] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov4.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pegasus.chicecon.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237073; rev:1;)
# Two rule shapes appear in this group, all with first_seen 2024_02_05:
#   alert dns ... dns_query; content:"<name>"; depth:<len>; isdataat:!1,relative; nocase
#     Exact, case-insensitive match on the queried name. depth equals the pattern
#     length and isdataat:!1,relative forbids trailing data, so subdomains and
#     longer names do not match. The msg names no malware family; the reference
#     URL is the only pointer to one.
#   alert tcp $HOME_NET any -> [<ip>] <port> ... threshold: type limit, track by_src, seconds 60, count 1
#     Matches any TCP packet to that address and port, with no flow-state or payload
#     condition, and emits at most one alert per source address per 60 seconds.
# target:src_ip marks the source ($HOME_NET) address as the target in the alert record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.racun.app"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237074; rev:1;)
alert tcp $HOME_NET any -> [194.48.251.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzhn885.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.chicecon.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taojszxz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzuv455.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237069; rev:1;)
# Hook ip:port indicators. Most use port 80; HTTP content is not inspected, so any
# TCP traffic to the address on that port raises the alert.
# NOTE(review): a bare address on port 80 may also serve unrelated sites if the
# address is shared or has been reassigned since first_seen - confirm the current
# ThreatFox status before acting on a single hit.
alert tcp $HOME_NET any -> [79.137.207.154] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237067; rev:1;)
alert tcp $HOME_NET any -> [34.107.114.24] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237065; rev:1;)
alert tcp $HOME_NET any -> [85.202.160.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237066; rev:1;)
alert tcp $HOME_NET any -> [31.44.2.39] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237064; rev:1;)
alert tcp $HOME_NET any -> [45.61.166.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237063; rev:1;)
alert tcp $HOME_NET any -> [62.72.32.226] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237062; rev:1;)
alert tcp $HOME_NET any -> [104.234.240.231] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237060; rev:1;)
alert tcp $HOME_NET any -> [206.189.130.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237061; rev:1;)
# The "www." and bare forms of 194-233-74-255.cprapid.com each have their own rule
# (sid 91237059 and sid 91237054) because the match is on the full name.
# NOTE(review): the cprapid.com and fvds.ru names look like provider-assigned
# hostnames; such names can outlive the tenant they were reported for - verify
# before treating a lookup as confirmation of infection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.194-233-74-255.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin2.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.356142.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev6.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"194-233-74-255.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237054; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237052; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.64] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237053; rev:1;)
alert tcp $HOME_NET any -> [137.184.43.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.64-225-100-2.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237051; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237048; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237049; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237047; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237046; rev:1;) alert tcp $HOME_NET any -> [45.141.215.222] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237045; rev:1;) alert tcp $HOME_NET any -> [190.28.167.19] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237043; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237044; rev:1;) alert tcp $HOME_NET any -> [107.161.81.150] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237042; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237041; rev:1;) alert tcp $HOME_NET any -> [68.67.203.245] 80 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237039; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237040; rev:1;) alert tcp $HOME_NET any -> [206.123.132.163] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237038; rev:1;) alert tcp $HOME_NET any -> [194.26.229.212] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-134-234-207.eu-west-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237037; rev:1;) alert tcp $HOME_NET any -> [38.6.177.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237035/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237035; rev:1;) alert tcp $HOME_NET any -> [44.219.14.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237034/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_05; classtype:trojan-activity; sid:91237034; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237033; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237032; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 1718 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237030; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237031; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237029; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237027; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237028; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237026; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237024; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237025; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237023; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237022; rev:1;) alert tcp $HOME_NET any -> [78.24.223.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237020; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237021; rev:1;) alert tcp $HOME_NET any -> [123.60.10.196] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237019; rev:1;) alert tcp $HOME_NET any -> [167.179.86.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237018; rev:1;) alert tcp $HOME_NET any -> [68.183.213.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237016; rev:1;) alert tcp $HOME_NET any -> [140.143.223.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237017; rev:1;) alert tcp $HOME_NET any -> [4.228.218.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237015; rev:1;) alert tcp $HOME_NET any -> [4.228.218.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237014; rev:1;) alert tcp $HOME_NET any -> [93.179.124.200] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237012; rev:1;) alert tcp $HOME_NET any -> 
[82.147.85.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237013; rev:1;) alert tcp $HOME_NET any -> [43.143.241.241] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237011; rev:1;) alert tcp $HOME_NET any -> [117.50.196.59] 3255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237010; rev:1;) alert tcp $HOME_NET any -> [123.56.81.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237009; rev:1;) alert tcp $HOME_NET any -> [124.221.248.167] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237008; rev:1;) alert tcp $HOME_NET any -> [104.236.196.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237007/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237007; rev:1;) alert tcp $HOME_NET any -> [141.98.81.97] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237006; rev:1;) alert tcp $HOME_NET any -> [34.31.210.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237005; rev:1;) alert tcp $HOME_NET any -> [129.204.245.247] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237003; rev:1;) alert tcp $HOME_NET any -> [129.204.245.247] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237004; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237002; rev:1;) alert tcp $HOME_NET any -> [222.187.224.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237001; rev:1;) alert tcp $HOME_NET any -> [124.222.173.133] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236999; rev:1;) alert tcp $HOME_NET any -> [49.235.144.122] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237000; rev:1;) alert tcp $HOME_NET any -> [43.143.168.186] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236998; rev:1;) alert tcp $HOME_NET any -> [8.130.80.79] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236996; rev:1;) alert tcp $HOME_NET any -> [74.48.125.18] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236997/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_05; classtype:trojan-activity; sid:91236997; rev:1;) alert tcp $HOME_NET any -> [185.154.14.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236995; rev:1;) alert tcp $HOME_NET any -> [5.135.224.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236993; rev:1;) alert tcp $HOME_NET any -> [188.166.22.203] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236994; rev:1;) alert tcp $HOME_NET any -> [104.168.102.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gifted-khayyam.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236991; rev:1;) alert tcp $HOME_NET any -> [134.122.164.214] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.optimistic-rubin.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236990; rev:1;) alert tcp $HOME_NET any -> [122.51.243.31] 39689 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236988; rev:1;) alert tcp $HOME_NET any -> [175.24.130.231] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236987; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 5511 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236985; rev:1;) alert tcp $HOME_NET any -> [120.27.132.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236986/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confident-bouman.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quirky-williamson.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kind-villani.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236982; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.modest-colden.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236980/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_05; classtype:trojan-activity; sid:91236980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sync.maksonsab.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.brave-herschel.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.optimistic-almeida.104-168-102-175.plesk.page"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.happy-burnell.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-36-225-33.eu-west-3.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236976/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_05; classtype:trojan-activity; sid:91236976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-fermat.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fervent-gates.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hardcore-wescoff.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modest-colden.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"our.openarmscv.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236969/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_05; classtype:trojan-activity; sid:91236969; rev:1;) alert tcp $HOME_NET any -> [88.119.169.207] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"i.wanna.see.20242525.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236968/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_05; classtype:trojan-activity; sid:91236968; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 8001 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236967/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_05; classtype:trojan-activity; sid:91236967; rev:1;) alert tcp $HOME_NET any -> [193.233.132.95] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236966; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"www.micros0fti.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236964; rev:1;)
# ^ Tail of the rule with sid 91236964; its "alert http ... (msg:" head sits at the end of the preceding line of this dump.
#
# ip:port rules (alert tcp ... -> [ADDR] PORT): no flow or payload keywords, so any TCP packet
# from $HOME_NET to that address and port matches. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source address per 60 seconds.
# target:src_ip marks the internal source as the affected host in the alert record.
# Rules are written one per line below; the dump had wrapped them mid-rule.
#
# NOTE(review): 172.67.165.208 and 104.21.73.201 look like shared CDN (Cloudflare) edge
# addresses - confirm with a whois lookup. If so, unrelated sites served from the same edge
# on port 80 would match as well. Both rules carry confidence_level 75; correlate a hit with
# DNS / HTTP Host logs for the same source before treating it as Loki C2.
alert tcp $HOME_NET any -> [172.67.165.208] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236962; rev:1;)
alert tcp $HOME_NET any -> [104.21.73.201] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236963; rev:1;)
alert tcp $HOME_NET any -> [101.201.46.105] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236961; rev:1;)
alert tcp $HOME_NET any -> [156.251.19.27] 20399 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236960; rev:1;)
alert tcp $HOME_NET any -> [39.105.101.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236959; rev:1;)
alert tcp $HOME_NET any -> [45.142.182.104] 4568 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236957; rev:1;)
alert tcp $HOME_NET any -> [130.61.130.111] 2087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236958; rev:1;)
alert tcp $HOME_NET any -> [91.230.110.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236956; rev:1;)
alert tcp $HOME_NET any -> [147.124.221.85] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236955; rev:1;)
# url rules for the bare-IP hosts 95.217.28.5 and 88.99.38.67:
# - http.uri content:"/" with depth:1 is satisfied by any request path that starts with "/",
#   so the URI test does not narrow the match.
# - The effective selector is the Host value: depth:11 pins the 11-byte content to the start
#   of http.host and isdataat:!1,relative requires that nothing follows it.
# - Net effect: any GET on an established client flow whose Host is exactly that address.
# These rules need parsed HTTP; the Vidar ip:port rules further down (sid 91236952, 91236951)
# cover the same two addresses on port 443.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.38.67"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236953; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236952; rev:1;)
alert tcp $HOME_NET any -> [88.99.38.67] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236951; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.248] 1985 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236950; rev:1;)
alert tcp $HOME_NET any -> [45.15.159.130] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236949; rev:1;)
# Head of a rule whose remainder is on the following line of this dump.
alert tcp $HOME_NET any -> [103.145.107.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236948; rev:1;) alert tcp $HOME_NET any -> [116.204.123.237] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236947; rev:1;) alert tcp $HOME_NET any -> [123.57.3.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236946; rev:1;) alert tcp $HOME_NET any -> [41.99.71.216] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236945; rev:1;) alert tcp $HOME_NET any -> [41.251.199.21] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236944; rev:1;) alert tcp $HOME_NET any -> [41.98.253.127] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236943; rev:1;) alert 
tcp $HOME_NET any -> [41.97.152.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236942; rev:1;) alert tcp $HOME_NET any -> [84.237.209.170] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236941; rev:1;) alert tcp $HOME_NET any -> [45.137.10.34] 3333 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236940; rev:1;) alert tcp $HOME_NET any -> [141.98.168.243] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236939; rev:1;) alert tcp $HOME_NET any -> [141.98.168.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236938; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236937/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236937; rev:1;) alert tcp $HOME_NET any -> [35.73.145.106] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236936; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236934; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4006 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236935; rev:1;) alert tcp $HOME_NET any -> [193.222.96.162] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236933; rev:1;) alert tcp $HOME_NET any -> [193.222.96.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"telergraml.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"telergraml.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236896; rev:1;) alert tcp $HOME_NET any -> [192.236.162.234] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236928; rev:1;) alert tcp $HOME_NET any -> [91.92.247.108] 1986 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/667f720d.php"; depth:13; nocase; http.host; content:"hammiest-dependents.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236930; rev:1;) alert tcp $HOME_NET any -> [103.86.130.85] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.178.76.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"193.222.96.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236926; rev:1;) alert tcp $HOME_NET any -> [124.220.49.74] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236925/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236925; rev:1;) alert tcp $HOME_NET any -> [5.149.249.74] 47987 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236924; rev:1;) alert tcp $HOME_NET any -> [165.22.116.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236923/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236923; rev:1;)
# Cobalt Strike ip:port indicators, all on TCP 50050 at confidence 80. Each rule
# is a bare address/port match (no flow, no content), rate-limited to one alert
# per source per 60 s.
# NOTE(review): 50050 is commonly the team-server management port rather than a
# beacon listener; presumably these entries come from server fingerprinting.
# Confirm what an internal host reaching that port means before escalating.
alert tcp $HOME_NET any -> [118.24.128.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236922/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236922; rev:1;)
alert tcp $HOME_NET any -> [101.35.141.80] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236921/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236921; rev:1;)
alert tcp $HOME_NET any -> [20.2.223.43] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236920/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236920; rev:1;)
alert tcp $HOME_NET any -> [47.115.230.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236919/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236919; rev:1;)
alert tcp $HOME_NET any -> [43.143.130.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236918/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236918; rev:1;)
alert tcp 
$HOME_NET any -> [47.115.225.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236917/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236917; rev:1;)
# Further Cobalt Strike entries on TCP 50050 (confidence 80), then one Orcus RAT
# entry on 8080 (confidence 100). The family name lives only in msg; the match
# itself is address and port, so a hit shows that a $HOME_NET host sent TCP to
# that endpoint, not that the protocol was identified.
alert tcp $HOME_NET any -> [20.56.70.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236916/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236916; rev:1;)
alert tcp $HOME_NET any -> [45.195.76.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236915; rev:1;)
alert tcp $HOME_NET any -> [45.93.20.242] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236914; rev:1;)
alert tcp $HOME_NET any -> [103.13.210.210] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236913; rev:1;)
alert tcp $HOME_NET any -> [91.230.110.126] 4321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236912; rev:1;)
# Two NjRAT endpoints sharing port 16322 (confidence 100) and one AsyncRAT
# endpoint on 1337 (confidence 80). All are address/port matches limited to one
# alert per source per 60 s.
alert tcp $HOME_NET any -> [3.121.139.82] 16322 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236911; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 16322 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236910; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.136] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236909; rev:1;)
# The next two rules carry the label "Unknown malware" at confidence 50: the
# feed names no family, so the reference URL is the only context for triage.
# NOTE(review): confidence_level is exposed in metadata, so low-confidence
# entries can be routed to a lower-severity queue instead of being dropped.
alert tcp $HOME_NET any -> [103.66.59.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236908; rev:1;)
alert tcp $HOME_NET any -> [74.48.220.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236907; rev:1;)
alert tcp $HOME_NET any -> [142.154.101.77] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236906; rev:1;)
# QakBot ip:port indicators, all at confidence 50, on ports 2222, 2078 and 443.
# With no payload keywords, a rule on port 443 cannot tell C2 apart from any
# other service answering at that address; treat a hit as a lead to correlate
# with endpoint or proxy telemetry rather than as a verdict.
# sids 91236904 and 91236905 appear out of numeric order here; rule order in
# the file has no bearing on matching.
alert tcp $HOME_NET any -> [74.12.144.248] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236904; rev:1;)
alert tcp $HOME_NET any -> [154.246.150.122] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236905; rev:1;)
alert tcp $HOME_NET any -> [31.190.194.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236903; rev:1;)
alert tcp $HOME_NET any -> [94.98.76.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236902; rev:1;)
alert tcp $HOME_NET any -> [86.222.181.33] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; 
sid:91236901; rev:1;)
# Havoc and BianLian ip:port indicators at confidence 50, then one AsyncRAT
# entry at confidence 75. The percentage in msg is mirrored by confidence_level
# in metadata, which is the field to filter on when tuning.
# Two of these sit on port 443, where an address-only match also fires for any
# unrelated TLS service at that address.
alert tcp $HOME_NET any -> [193.178.147.164] 8010 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236900; rev:1;)
alert tcp $HOME_NET any -> [143.198.78.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236899; rev:1;)
alert tcp $HOME_NET any -> [38.62.236.182] 34712 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236898; rev:1;)
alert tcp $HOME_NET any -> [51.158.96.140] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236897; rev:1;)
alert tcp $HOME_NET any -> [175.24.197.196] 53576 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; 
nocase; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236893; rev:1;)
# URL indicator: a GET whose URI starts with a 16-hex-digit .php path and whose
# Host is the bare IP address, matched exactly. The msg names no malware family;
# the reference URL is the place to look it up.
# NOTE(review): http rules only fire on cleartext or decrypted HTTP at the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b57f88e9b186cd.php"; depth:21; nocase; http.host; content:"91.206.178.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236892; rev:1;)
# BitRAT ip:port indicators at confidence 80: bare address/port matches with one
# alert per source per 60 s. Two of them use port 1234 on different addresses.
alert tcp $HOME_NET any -> [167.235.26.247] 9300 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236891; rev:1;)
alert tcp $HOME_NET any -> [195.201.242.216] 443 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236890; rev:1;)
alert tcp $HOME_NET any -> [123.206.29.183] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236889; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.240] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236888/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236888; rev:1;)
# Empire Downloader and Meterpreter ip:port indicators, all at confidence 80.
# Matching is by destination address and port only; the msg text is a label from
# the feed, not something the rule verifies in the traffic.
# NOTE(review): these family names also turn up in authorised security testing;
# correlate hits with any scheduled assessments before escalating.
alert tcp $HOME_NET any -> [194.9.172.238] 1443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236887; rev:1;)
alert tcp $HOME_NET any -> [218.161.70.146] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236886; rev:1;)
alert tcp $HOME_NET any -> [171.5.180.138] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236885; rev:1;)
alert tcp $HOME_NET any -> [109.205.61.95] 3777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236884; rev:1;)
alert tcp $HOME_NET any -> [147.229.148.205] 5000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236883; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.250] 4760 (msg:"ThreatFox Meterpreter botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236882; rev:1;)
# Meterpreter ip:port indicators at confidence 80 on ports 3790, 443, 3333 and
# 9990. Each is a bare address/port match; threshold limits output to one alert
# per source per 60 s, so repeated connections from one host inside the window
# produce a single event.
alert tcp $HOME_NET any -> [103.223.12.163] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236881; rev:1;)
alert tcp $HOME_NET any -> [178.63.172.20] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236880; rev:1;)
alert tcp $HOME_NET any -> [94.188.60.245] 3333 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236879; rev:1;)
alert tcp $HOME_NET any -> [159.65.156.37] 9990 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236878; rev:1;)
# Nanocore RAT entry at confidence 100 on a high port (54984).
alert tcp $HOME_NET any -> [94.156.69.37] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236831; rev:1;)
# Domain indicator: fires when the DNS query name equals the listed FQDN exactly
# (depth equals its length and isdataat:!1,relative rejects trailing bytes),
# compared case-insensitively. No threshold is set, so every matching query
# alerts.
# NOTE(review): the name looks like a dynamic-DNS hostname, so its address can
# change while the name stays valid; the rule only sees plaintext DNS that
# crosses the sensor (not DoH/DoT).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updacon.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236832; rev:1;)
# DCRat ip:port indicators at confidence 80, mostly on port 8848. Address/port
# match only, one alert per source per 60 s.
alert tcp $HOME_NET any -> [192.253.251.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236877; rev:1;)
alert tcp $HOME_NET any -> [186.169.69.242] 8523 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236876; rev:1;)
alert tcp $HOME_NET any -> [45.76.12.238] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236875; rev:1;)
alert tcp $HOME_NET any -> [178.236.247.250] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236874; rev:1;)
alert tcp $HOME_NET any -> [111.92.243.131] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1236873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236873; rev:1;)
# DCRat ip:port indicators (confidence 80) on ports 9898, 8848 and 80. Every
# rule here differs only in address, port, reference id and sid.
# NOTE(review): a long run of single-address rules like this could instead be
# loaded as an IP reputation list or dataset if rule count becomes a load
# concern; confirm against the deployed Suricata version before changing.
alert tcp $HOME_NET any -> [91.92.242.235] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236872; rev:1;)
alert tcp $HOME_NET any -> [45.76.196.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236871; rev:1;)
alert tcp $HOME_NET any -> [47.242.73.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236870; rev:1;)
alert tcp $HOME_NET any -> [141.255.159.87] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236869; rev:1;)
alert tcp $HOME_NET any -> [38.181.35.232] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236868; rev:1;)
alert tcp $HOME_NET any -> [141.255.159.135] 80 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236867; rev:1;)
# DCRat ip:port indicators at confidence 80, alternating between ports 80 and
# 8848, with one on 25565. The port-80 entries match any TCP to that address on
# 80 without inspecting HTTP, so an unrelated site on the same address would
# also alert.
alert tcp $HOME_NET any -> [154.246.204.6] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236866; rev:1;)
alert tcp $HOME_NET any -> [198.13.49.217] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236865; rev:1;)
alert tcp $HOME_NET any -> [139.99.186.184] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236864; rev:1;)
alert tcp $HOME_NET any -> [154.247.243.232] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236863; rev:1;)
alert tcp $HOME_NET any -> [171.80.235.121] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236862; 
rev:1;)
# DCRat ip:port indicators at confidence 80. Three consecutive entries are on
# port 80; the rest use 4444 and 25565. Matching is on destination address and
# port only, rate-limited per source.
# NOTE(review): all entries carry first_seen 2024_02_04; address-only indicators
# lose value as hosts are reassigned, so check age when triaging a hit.
alert tcp $HOME_NET any -> [154.246.107.125] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236861; rev:1;)
alert tcp $HOME_NET any -> [154.247.197.111] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236860; rev:1;)
alert tcp $HOME_NET any -> [141.255.146.46] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236859; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.93] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236858; rev:1;)
alert tcp $HOME_NET any -> [171.41.199.216] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236857; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.225] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236856/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236856; rev:1;)
# DCRat ip:port indicators at confidence 80 on a spread of ports (9898, 8848,
# 1337, 9080, 25565). Each sid is the reference id prefixed with 9, which makes
# it straightforward to go from an alert to the feed entry in the reference URL.
alert tcp $HOME_NET any -> [166.88.61.138] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236855; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236854; rev:1;)
alert tcp $HOME_NET any -> [213.226.117.48] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236853; rev:1;)
alert tcp $HOME_NET any -> [95.72.172.97] 9080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236852; rev:1;)
alert tcp $HOME_NET any -> [171.80.251.240] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236851; rev:1;)
alert tcp $HOME_NET any -> [64.176.217.187] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236850; rev:1;)
# DCRat ip:port indicators at confidence 80. Two entries here are on port 25565
# within 171.80.x.x (171.80.235.135 and 171.80.234.90); each still has its own
# rule and sid, so alerts stay attributable to a single feed entry.
alert tcp $HOME_NET any -> [183.105.191.36] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236849; rev:1;)
alert tcp $HOME_NET any -> [154.204.178.170] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236848; rev:1;)
alert tcp $HOME_NET any -> [171.80.235.135] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236847; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236846; rev:1;)
alert tcp $HOME_NET any -> [171.80.234.90] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236845; rev:1;)
alert tcp $HOME_NET any -> [210.56.49.4] 8848 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236844; rev:1;)
# Havoc ip:port indicators at confidence 80. 88.99.150.167 is listed twice, once
# on port 4444 and once on 8080, under separate sids, so a host talking to both
# ports raises two distinct alerts; 88.99.150.149 is a neighbouring address with
# its own entry.
alert tcp $HOME_NET any -> [148.135.34.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236843; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.204] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236842; rev:1;)
alert tcp $HOME_NET any -> [88.99.150.167] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236841; rev:1;)
alert tcp $HOME_NET any -> [88.99.150.149] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236840; rev:1;)
alert tcp $HOME_NET any -> [88.99.150.167] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236839; rev:1;)
# Havoc ip:port indicators at confidence 80, one on port 80 and four on 443.
# These rules do not inspect TLS or HTTP, so on 443 and 80 they fire for any
# TCP to the address, including unrelated services that may share it.
# NOTE(review): pair a hit with TLS SNI / certificate or proxy logs for the same
# flow before concluding the host is compromised.
alert tcp $HOME_NET any -> [104.248.249.135] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236838; rev:1;)
alert tcp $HOME_NET any -> [44.200.32.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236837; rev:1;)
alert tcp $HOME_NET any -> [13.235.8.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236836; rev:1;)
alert tcp $HOME_NET any -> [3.83.182.180] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236835; rev:1;)
alert tcp $HOME_NET any -> [175.41.143.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; 
depth:21; nocase; http.host; content:"185.172.128.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236833; rev:1;)
# URL indicator: GET with a URI that starts with "/dpixel" (prefix match via
# depth:7) and a Host equal to the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.33.221.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236830; rev:1;)
# Cobalt Strike ip:port indicator on 443: address/port match only.
alert tcp $HOME_NET any -> [107.23.38.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236829; rev:1;)
# Domain + URL pair for one cloudfront.net hostname. The dns rule matches the
# query name exactly (depth:28 plus isdataat:!1,relative), so other names under
# cloudfront.net do not alert. The http rule needs the same Host and a URI that
# starts with the listed 60-byte path, which is shaped like a shopping-site
# search URL.
# NOTE(review): the hostname sits on shared CDN infrastructure, so blocking by
# resolved address would hit unrelated tenants; keep enforcement on the FQDN.
# The http rule needs cleartext or decrypted HTTP; over TLS only the dns rule
# would be expected to fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmobd90auod5w.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"dmobd90auod5w.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236827; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2zp39t2eezbsc.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2zp39t2eezbsc.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acap.html"; depth:10; nocase; http.host; content:"167.71.88.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k-hbgsakedfme8azej.a03.azurefd.net"; depth:34; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"k-hbgsakedfme8azej.a03.azurefd.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236821; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236820; rev:1;) alert tcp $HOME_NET any -> [104.131.9.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"adibh.azureedge.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adibh.azureedge.net"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236818; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236816; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236815; rev:1;) alert tcp $HOME_NET any -> [172.187.200.225] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"194.87.31.20"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.216.100.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.205.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.185.85.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.205.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.160"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236694; rev:1;) alert tcp $HOME_NET any -> [195.85.207.219] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236683; rev:1;) alert tcp $HOME_NET any -> [31.210.50.162] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236684; rev:1;) alert tcp $HOME_NET any -> [94.131.113.192] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236685; rev:1;) alert tcp $HOME_NET any -> [31.42.190.137] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236687; rev:1;) alert tcp $HOME_NET any -> [154.198.245.50] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236686; rev:1;) alert tcp $HOME_NET any -> [194.195.245.97] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236689; rev:1;) alert tcp $HOME_NET any -> [195.10.205.18] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236688; rev:1;) alert tcp $HOME_NET any -> [207.180.224.118] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236690; rev:1;) alert tcp $HOME_NET any -> [91.92.249.240] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236691; rev:1;) alert tcp $HOME_NET any -> [20.90.160.195] 8082 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.77.121"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"146.70.161.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.149.146.159"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1236708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.133.81"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.247.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.26.239.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236713; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.106.94.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.118.52.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"8.217.23.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.150.65.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/auth/login"; depth:11; nocase; http.host; content:"212.113.116.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"20.0.25.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.246.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.185.85.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236722/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"78.141.239.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.72.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.20.46.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.20.43.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.173.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"74.50.93.136"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; 
nocase; http.host; content:"51.81.243.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.72.48"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.74.19.107"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.106.94.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.17.0.222"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236735/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_04; classtype:trojan-activity; sid:91236735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.246.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.170.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"194.87.71.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.78.61"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.199.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"64.52.80.13"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.133.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; 
sid:91236747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.72"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.146.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.225.200.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.194.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236753; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 30520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jd03-30520.portmap.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236559; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 14881 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auto-benjamin.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236575; rev:1;) alert tcp $HOME_NET any -> [213.159.61.169] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vinijr27.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"noiphabibi.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236794; rev:1;) alert tcp $HOME_NET any -> [123.207.50.70] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236791; rev:1;) alert tcp $HOME_NET any -> [74.48.84.59] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236792; rev:1;) 
# Domain IOC rules: depth:<len> together with isdataat:!1,relative pins the
# content to the whole dns_query buffer, so each rule fires only on an exact,
# case-insensitive query for the listed name. A lookup for any other label
# under the same domain does not match. These dns rules carry no threshold,
# so every matching query raises an alert.
# NOTE(review): "mail4.the-kup-key.com" is matched by three rules in this file
# (sids 91236794, 91236793 and 91236789, one per ThreatFox IOC id), so a single
# lookup produces three alerts. Deduplicate downstream or suppress two sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.aerostatus.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236788; rev:1;)
# Duplicate match condition: same content as sids 91236794 and 91236793.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.go2tr.ir"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.theaerie.ca"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"mta4.sharenscookbook.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236787; rev:1;)
# ip:port rules carry no flow, flags or content condition: any TCP packet from
# $HOME_NET to the listed address and port matches, including an unanswered
# SYN. The threshold caps alerts at one per source address per 60 seconds.
# Read a hit as "host tried to reach the IOC", not as proof of an established
# C2 session.
alert tcp $HOME_NET any -> [50.18.8.146] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236783; rev:1;)
# NOTE(review): this name is an ngrok.io tunnel hostname. Such endpoints are
# presumably shared between unrelated tunnels and told apart only by port,
# which a DNS rule cannot see. Confirm before treating a hit as malicious at
# the stated 100% confidence. The port-17240 Nanocore RAT ip:port rules
# (sids 91236783, 91236781, 91236782, 91236780) look related; verify and
# correlate with them during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0.tcp.us-cal-1.ngrok.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.aist.world"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236785; rev:1;)
alert tcp $HOME_NET any -> [184.72.44.51] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236781; rev:1;)
alert tcp $HOME_NET any -> [54.193.184.75] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236782/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236782; rev:1;) alert tcp $HOME_NET any -> [3.140.223.7] 15696 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuxy.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236779; rev:1;) alert tcp $HOME_NET any -> [52.8.87.87] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twjdy.freemyip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moveleiros-projeto.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjhghyfgtttyuuugfd7654332.cfd"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweuurgr86765.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjghgfgftdrdssst7654345.cfd"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjgjghfgfhgdhfgsed56.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hghgfttcdsstyytff655cvhf.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"hjfhwefhuuuuf8383992.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfffhtdrtggdd654346.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgfjfgfgfty6765433.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgfttyuujg87654.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuhruewhrhurw7837.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fffsddhddd3.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1236802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfjfglklihilughgf434wdfg.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236800; rev:1;) alert tcp $HOME_NET any -> [5.42.65.107] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236797; rev:1;) alert tcp $HOME_NET any -> [206.237.15.161] 8096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ygyjgjygjyfjyfftt6654433.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ytytyfghhjhyt77865.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowstestjavascript/provider3/dletopython8/voiddblowprovider/bigloadasync0temp/packetgametemporary.php"; depth:105; nocase; http.host; content:"185.195.27.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236798; rev:1;) alert tcp $HOME_NET any -> [84.2.81.135] 6923 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.116.198.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236775; rev:1;)
# NOTE(review): destination port 53 with protocol tcp. If the Cobalt Strike
# channel behind this IOC runs as DNS over UDP (not stated here), this rule
# never sees it and coverage rests on the dns domain rules alone. Verify which
# transport the IOC was observed on before relying on this sid. The same
# applies to sid 91236772 below.
alert tcp $HOME_NET any -> [84.45.122.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236774; rev:1;)
# Exact-name match only (depth equals the content length, isdataat:!1,relative
# forbids trailing data); queries for other names under this domain do not
# match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"can.comewithme.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236773; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.25] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copper-king.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236771; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.72] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236770; rev:1;)
# The QakBot ip:port IOCs below are published at confidence_level 50 and match
# on destination address and port alone; 443 and 995 are also the ordinary
# HTTPS and POP3S ports. They share classtype trojan-activity with the 100%
# rules, so the classtype does not separate them. Use the metadata
# confidence_level and first_seen values when triaging.
# NOTE(review): an address-only IOC stays in the ruleset after the address is
# reassigned; check the first_seen date against the alert date before
# escalating.
alert tcp $HOME_NET any -> [189.140.50.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236768; rev:1;)
alert tcp $HOME_NET any -> [159.235.5.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236767; rev:1;)
alert tcp $HOME_NET any -> [74.12.144.248] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236766; rev:1;)
alert tcp $HOME_NET any -> [45.243.218.9] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236765; rev:1;)
alert tcp $HOME_NET any -> [151.30.51.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236764; rev:1;)
alert tcp $HOME_NET any -> [79.107.138.79] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236763; rev:1;) alert tcp $HOME_NET any -> [91.92.253.160] 6075 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236762; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236761; rev:1;) alert tcp $HOME_NET any -> [204.28.111.10] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"178.141.170.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; 
content:"cm56126.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236758; rev:1;) alert tcp $HOME_NET any -> [13.245.184.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236757; rev:1;) alert tcp $HOME_NET any -> [119.91.89.203] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236756; rev:1;) alert tcp $HOME_NET any -> [185.39.204.47] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/3/securetestuniversal/phpjshttpprocessorauthsqlwp.php"; depth:59; nocase; http.host; content:"85.209.9.184"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236754; rev:1;) alert tcp $HOME_NET any -> [164.155.203.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236693; rev:1;) alert tcp $HOME_NET any -> [188.127.24.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236682; rev:1;) alert tcp $HOME_NET any -> [103.86.130.35] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236681; rev:1;) alert tcp $HOME_NET any -> [94.228.123.188] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236680; rev:1;) alert tcp $HOME_NET any -> [154.8.157.205] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236679; rev:1;) alert tcp $HOME_NET any -> [147.78.103.18] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalsecurehttppacketbigloadsqltest.php"; depth:42; nocase; http.host; content:"907916cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236677; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236676; rev:1;) alert tcp $HOME_NET any -> [13.36.225.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236675; rev:1;) alert tcp $HOME_NET any -> [154.8.157.205] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236674; rev:1;) alert tcp $HOME_NET any -> [23.94.255.161] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236673; rev:1;) alert tcp $HOME_NET any -> [88.214.25.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236672; rev:1;)
# URL rules: the method buffer must contain GET, http.uri must begin with the
# listed path (depth pins the content to offset 0, but a longer URI or a query
# string still matches), and http.host must equal the listed value exactly.
# They inspect HTTP the sensor can parse, so TLS traffic to the same server is
# covered only by the ip:port rule on 443 (sid 91236669) unless it is decrypted
# upstream. A request using another method (e.g. POST) to the same path is not
# matched.
# NOTE(review): sids 91236671 and 91236668 have identical match conditions
# (GET /latest/v2.36/mz6phzvyk, host 88.214.25.253), as do sids 91236670 and
# 91236666 for host invoce-social.com. One request raises two alerts per pair;
# deduplicate downstream or suppress one sid of each pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"88.214.25.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"invoce-social.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236670; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236669; rev:1;)
# Duplicate match condition: same method, URI and host as sid 91236671.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"88.214.25.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236668; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invoce-social.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"invoce-social.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236666; rev:1;) alert tcp $HOME_NET any -> [194.147.140.138] 3320 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236665; rev:1;) alert tcp $HOME_NET any -> [46.246.4.20] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236661; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 4443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236660/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236660; rev:1;) alert tcp $HOME_NET any -> [173.44.141.146] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236659; rev:1;) alert tcp $HOME_NET any -> [13.56.214.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236658; rev:1;) alert tcp $HOME_NET any -> [178.73.218.3] 101 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236657; rev:1;) alert tcp $HOME_NET any -> [138.201.19.103] 3336 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236656; rev:1;) alert tcp $HOME_NET any -> [85.10.133.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236655; rev:1;) alert tcp $HOME_NET any -> [34.198.81.115] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236654; rev:1;) alert tcp $HOME_NET any -> [34.128.110.49] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236653; rev:1;) alert tcp $HOME_NET any -> [52.146.15.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236652; rev:1;) alert tcp $HOME_NET any -> [3.25.226.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236651; rev:1;) alert tcp $HOME_NET any -> [35.199.114.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236650; rev:1;) alert tcp $HOME_NET any -> [18.157.139.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236649; rev:1;) alert tcp $HOME_NET any -> [34.237.150.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236648; rev:1;) alert tcp $HOME_NET any -> [47.100.81.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236647; rev:1;) alert tcp $HOME_NET any -> [37.60.239.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236646; rev:1;) alert tcp $HOME_NET any -> [18.194.227.164] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236645; rev:1;) alert tcp $HOME_NET any -> [49.234.190.91] 8083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236644; rev:1;) alert tcp $HOME_NET any -> [104.238.214.47] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236643; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.vitamedicajobccb.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236642; rev:1;) alert tcp $HOME_NET any -> [142.11.199.59] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.vitamedicajobccb.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236640; rev:1;) alert tcp $HOME_NET any -> [60.204.203.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236639; rev:1;) alert tcp $HOME_NET any -> [110.40.36.67] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236638; rev:1;) alert tcp $HOME_NET any -> [143.92.58.61] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236637; rev:1;)
# ip:port IOC: matches any TCP packet from $HOME_NET to 176.124.32.23:443 (no
# flow or payload keyword), limited to one alert per source per 60 seconds.
# msg names no malware family ("Unknown malware"), so triage has to start from
# the ThreatFox reference.
alert tcp $HOME_NET any -> [176.124.32.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236636; rev:1;)
# Domain IOC: case-insensitive, exact match on the queried name (depth equals
# the pattern length and isdataat:!1,relative forbids trailing bytes), so only
# www.mywestpac.com itself matches - not the bare domain or other labels.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mywestpac.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236635; rev:1;)
# sslip.io names resolve to the IP address embedded in the hostname (here
# 103.54.57.251). The rule fires on the DNS query for this exact name only; a
# connection made straight to that address without the lookup is not seen by it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"103.54.57.251.sslip.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236634; rev:1;)
# ip:port IOC for the Kaiji family on TCP/808; destination address and port
# only, rate-limited per source.
alert tcp $HOME_NET any -> [123.99.201.37] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jolly-ganguly.45-141-215-173.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236632/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"node1.abcd2.monster"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236631; rev:1;) alert tcp $HOME_NET any -> [95.111.238.79] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236630; rev:1;) alert tcp $HOME_NET any -> [18.139.243.205] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236629; rev:1;) alert tcp $HOME_NET any -> [188.26.86.131] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv001e.feja111.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236627; rev:1;) alert tcp $HOME_NET any -> [91.92.248.152] 6606 (msg:"ThreatFox Venom RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236626; rev:1;)
# ip:port IOC: any TCP packet from $HOME_NET to 91.92.248.121:5902 matches (no
# flow or payload keyword); one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [91.92.248.121] 5902 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236625; rev:1;)
# Domain IOC, exact and case-insensitive: depth:20 equals the pattern length
# and isdataat:!1,relative forbids trailing bytes. Because the match is exact,
# the www. form of this name needs its own rule (sid 91236623 below).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premier-stream.co.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236624; rev:1;)
# NOTE(review): this is a cloud-provider instance hostname, not a registered
# domain. Such names presumably follow the address rather than the tenant, so
# the indicator can outlive the host it described; metadata gives first_seen
# 2024_02_03 - check the ThreatFox entry before treating a hit as current.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-8-98.ap-south-1.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236622; rev:1;)
# Exact match on the www. form of premier-stream.co.uk (see sid 91236624).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.premier-stream.co.uk"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambankgruop.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1236621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-12.eekal.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236620; rev:1;) alert tcp $HOME_NET any -> [94.156.69.28] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236619; rev:1;) alert tcp $HOME_NET any -> [193.163.7.139] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236618; rev:1;) alert tcp $HOME_NET any -> [194.233.74.255] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236617; rev:1;) alert tcp $HOME_NET any -> [185.172.128.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"356142.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236614; rev:1;) alert tcp $HOME_NET any -> [3.72.85.14] 8001 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.194-233-74-255.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsola256.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236613; rev:1;) alert tcp $HOME_NET any -> [3.1.206.216] 8001 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236611; rev:1;) alert tcp $HOME_NET any -> [178.236.247.158] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236610; rev:1;) alert tcp $HOME_NET any -> [154.12.30.64] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236609; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236608; rev:1;) alert tcp $HOME_NET any -> [186.112.194.124] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236607; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236605; rev:1;) alert tcp $HOME_NET any -> [151.67.33.99] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236606; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 7707 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236604; rev:1;) alert tcp $HOME_NET any -> [91.92.252.126] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236603; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236602; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236600/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236600; rev:1;) alert tcp $HOME_NET any -> [34.162.154.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236601/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236601; rev:1;) alert tcp $HOME_NET any -> [47.111.31.7] 43365 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236599/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236599; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 13975 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236598/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236598; rev:1;) alert tcp $HOME_NET any -> [185.82.219.87] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236597; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236595; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1896 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236596; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 52047 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236594; rev:1;) alert tcp $HOME_NET any -> [154.3.0.131] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1236593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236593; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236592; rev:1;) alert tcp $HOME_NET any -> [43.154.190.128] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236591; rev:1;) alert tcp $HOME_NET any -> [162.14.125.5] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236590; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236589; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236587; rev:1;) alert tcp $HOME_NET any -> 
[107.174.243.15] 554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236588; rev:1;) alert tcp $HOME_NET any -> [154.9.252.97] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236586; rev:1;) alert tcp $HOME_NET any -> [192.3.235.87] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236585; rev:1;) alert tcp $HOME_NET any -> [107.189.14.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236584; rev:1;) alert tcp $HOME_NET any -> [47.120.54.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236582; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236583/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236583; rev:1;) alert tcp $HOME_NET any -> [107.172.201.247] 19211 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236581; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-205-190-164.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236579; rev:1;) alert tcp $HOME_NET any -> [185.216.70.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-22-66-152.us-east-2.compute.amazonaws.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236577; 
rev:1;) alert tcp $HOME_NET any -> [176.122.189.30] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236576; rev:1;) alert tcp $HOME_NET any -> [5.42.73.251] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236573; rev:1;) alert tcp $HOME_NET any -> [43.228.125.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236572; rev:1;) alert tcp $HOME_NET any -> [43.143.236.67] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236571; rev:1;) alert tcp $HOME_NET any -> [78.16.61.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236570; rev:1;) alert tcp $HOME_NET any -> [96.87.28.171] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236569; rev:1;) alert tcp $HOME_NET any -> [41.99.50.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236568; rev:1;) alert tcp $HOME_NET any -> [77.8.150.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236567; rev:1;) alert tcp $HOME_NET any -> [148.135.11.253] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236566; rev:1;) alert tcp $HOME_NET any -> [20.38.38.37] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236565; rev:1;) alert tcp $HOME_NET any -> [124.222.63.238] 8029 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236564; rev:1;) alert tcp $HOME_NET any -> [91.132.196.39] 9090 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236563; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4007 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236562; rev:1;) alert tcp $HOME_NET any -> [193.222.96.161] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowuniversal.php"; depth:17; nocase; http.host; content:"076902cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236560; rev:1;) alert tcp $HOME_NET any -> [92.222.212.74] 1450 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"38.181.2.11"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236556; rev:1;) alert tcp $HOME_NET any -> [212.224.86.54] 58003 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236555; rev:1;) alert tcp $HOME_NET any -> [216.98.13.172] 26604 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236554; rev:1;) alert tcp $HOME_NET any -> [3.141.142.211] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vbatallafinal23.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236553; rev:1;) alert tcp $HOME_NET any -> [46.246.86.4] 101 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7a957ef6cc168ff6.php"; depth:21; nocase; http.host; content:"194.120.116.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236550; rev:1;) alert tcp $HOME_NET any -> [3.132.159.158] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236542; rev:1;) alert tcp $HOME_NET any -> [3.140.223.7] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236543; rev:1;) alert tcp $HOME_NET any -> [3.141.177.1] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236544; rev:1;) alert tcp $HOME_NET any -> [3.141.210.37] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236545; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 13538 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236546; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 13747 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236547; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 13538 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236548; rev:1;) alert tcp $HOME_NET any -> [103.86.131.106] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236549/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236549; rev:1;) alert tcp $HOME_NET any -> [88.210.9.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236541; rev:1;) alert tcp $HOME_NET any -> [209.38.216.156] 2087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236540/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"149.104.27.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.24.70.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"42.193.248.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.115.225.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.115.230.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"45.195.76.82"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1236531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.24.70.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.155.135.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"182.254.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236527; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.221.151.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ping"; depth:5; nocase; http.host; content:"cdns.casacam.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"www.micros0fti.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.micros0fti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236518/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0913347.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236516; rev:1;) alert tcp $HOME_NET any -> [85.239.34.70] 9110 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"z.botnet.rocks"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236515; rev:1;) alert tcp $HOME_NET any -> [191.101.209.29] 20427 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236507/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"statisticsong.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.statisticsong.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panal.statisticsong.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.statisticsong.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236511; rev:1;) alert tcp $HOME_NET any -> [45.13.227.186] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236512/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236512; rev:1;) alert tcp $HOME_NET any -> 
[45.13.227.186] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236513/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236513; rev:1;) alert tcp $HOME_NET any -> [42.236.91.107] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236506; rev:1;) alert tcp $HOME_NET any -> [103.61.139.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"103.61.139.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236504; rev:1;) alert tcp $HOME_NET any -> [89.247.50.191] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236503; rev:1;) alert tcp $HOME_NET any -> [62.72.5.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236502; rev:1;) alert tcp $HOME_NET any -> [89.208.103.187] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kami.magication.us"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"karleonno.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236499; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236497/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236497; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236495/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236495; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236498; rev:1;) alert tcp $HOME_NET any -> [167.71.88.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236494; rev:1;) alert tcp $HOME_NET any -> [74.12.146.248] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236493; rev:1;) alert tcp $HOME_NET any -> [79.107.143.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236492; rev:1;) alert tcp $HOME_NET any -> [122.114.8.164] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236491; rev:1;)

# ip:port rules: the only match condition is the destination address and
# port. There is no flow, content or app-layer keyword, so a bare TCP
# connection attempt from $HOME_NET to that endpoint is enough to alert.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at
# one alert per source address per 60 seconds for each sid.
# Each sid is the ThreatFox IOC id from the reference URL prefixed with 9,
# which lets an alert be traced back to its feed entry.
# confidence_level (50 and 80 for the rules below) is carried in both msg and
# metadata; an address-only hit says nothing about payload, so corroborate it
# with flow or endpoint data before treating the source host as compromised.
alert tcp $HOME_NET any -> [158.160.65.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236490; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236489; rev:1;)
alert tcp $HOME_NET any -> [103.195.6.58] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236488; rev:1;)
alert tcp $HOME_NET any -> [47.236.237.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236487; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.195] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236486; rev:1;)
alert tcp $HOME_NET any -> [60.247.153.126] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236485; rev:1;)

# url rules: established client-to-server HTTP with method GET. The URI match
# is anchored at the start by depth but has no end anchor, so any URI that
# begins with the listed path (case-insensitively) matches. The http.host
# match is exact: depth equals the value length and isdataat:!1,relative
# requires that nothing follows it.
# The host value here is an IP literal, so a request to the same server that
# carries a different Host value is not covered by these rules.
# There is no threshold keyword: every matching request raises an alert.
# These rules inspect parsed HTTP only; the same request inside TLS is not
# seen unless traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236482; rev:1;)
# NOTE(review): sid:91236481 has the same match conditions as sid:91236448
# later in this file; only reference, first_seen and sid differ, so a single
# matching request raises both alerts. The URI on its own resembles an
# ordinary software-update download path; the exact http.host match is what
# keeps the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"91.92.242.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236481; rev:1;)

alert tcp $HOME_NET any -> [192.210.140.35] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236480; rev:1;)
alert tcp $HOME_NET any -> [42.193.248.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236479/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236479; rev:1;)
# The next two rules cover the same address on ports 443 and 80. They are
# separate sids with separate thresholds, so a host that contacts both ports
# produces two alerts per minute.
alert tcp $HOME_NET any -> [18.158.35.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236478; rev:1;)
alert tcp $HOME_NET any -> [18.158.35.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236477; rev:1;)
alert tcp $HOME_NET any -> [3.95.67.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236476/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236476; rev:1;)

# ip:port rules match on destination address and port alone (no flow or
# payload keyword) and are limited to one alert per source per 60 seconds
# per sid. target:src_ip marks the $HOME_NET side of the event as the target
# in the alert record.
alert tcp $HOME_NET any -> [37.60.239.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236475; rev:1;)

# domain rules: dns_query with depth equal to the name length, plus
# isdataat:!1,relative and nocase, is a case-insensitive exact match on the
# queried name. Subdomains and the parent domain do not match (for example
# www2.deenpel.com and content.deenpel.com are listed, deenpel.com is not).
# The alert fires on the lookup and has no threshold. Where clients resolve
# through an internal forwarder, the src_ip seen by the sensor may be that
# resolver rather than the querying host; this depends on sensor placement,
# so verify locally.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236473; rev:1;)
alert tcp $HOME_NET any -> [58.59.222.51] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236472; rev:1;)
alert tcp $HOME_NET any -> [62.204.41.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.controlpanel29.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236470; rev:1;)
# NOTE(review): the next name looks like a cloud provider's auto-generated
# instance hostname that embeds an address. Such a name follows the address
# rather than a tenant, so the indicator is only meaningful while the same
# party holds that address. Compare first_seen with the feed's last-updated
# date before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-3-173-99.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236469; rev:1;)
alert tcp $HOME_NET any -> [73.3.46.163] 4855 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236468; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.64] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taobao7737.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236466; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236465; rev:1;)
alert tcp $HOME_NET any -> [34.29.228.84] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236464; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.222] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236463; rev:1;)
alert tcp $HOME_NET any -> [43.139.189.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236462; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.26] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236461; rev:1;)
alert tcp $HOME_NET any -> [144.202.25.198] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236460/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236460; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.32] 18443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236459; rev:1;)

# Three rule shapes appear below.
#  - ip:port: destination address and port only, one alert per source per
#    60 seconds per sid. There is no payload check, so a hit means "this host
#    contacted that endpoint" and nothing more.
#  - url: cleartext HTTP GET, URI prefix match (depth anchors the start,
#    nothing anchors the end), exact http.host match, no threshold.
#  - domain: case-insensitive exact match on the queried DNS name, no
#    threshold.
# The family name in msg comes from the feed's tagging. Several of the tagged
# frameworks (for example Cobalt Strike, Meterpreter) are also used in
# authorised testing, so check for a scheduled engagement during triage.
alert tcp $HOME_NET any -> [116.205.190.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236458; rev:1;)
# http.host is an IP literal here: a request to the same server carrying a
# different Host value is not matched by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236457; rev:1;)
alert tcp $HOME_NET any -> [157.245.222.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236456; rev:1;)

# sid:91236454 (url) and sid:91236455 (domain) cover the same host name: the
# DNS rule fires on the lookup, the HTTP rule on a cleartext GET.
# NOTE(review): the name sits under what looks like a shared API-gateway
# parent domain (presumably multi-tenant; confirm). The exact-match anchoring
# keeps other names under that parent out of scope and should not be
# loosened.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forge/static/hulnwcwi"; depth:22; nocase; http.host; content:"service-jnajkkdg-1318687485.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jnajkkdg-1318687485.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236455; rev:1;)
alert tcp $HOME_NET any -> [84.45.122.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236453; rev:1;)

# sid:91236451 (url) and sid:91236452 (domain) are another url/domain pair
# for one host. The URI in the url rule resembles an ordinary retail search
# path; the exact http.host match is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"comewithme.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comewithme.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236450; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.143] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236449; rev:1;)
# NOTE(review): sid:91236448 has the same match conditions as sid:91236481
# earlier in this file; only reference, first_seen and sid differ, so one
# matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"91.92.242.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236448; rev:1;)
alert tcp $HOME_NET any -> [41.97.220.8] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236447; rev:1;)
alert tcp $HOME_NET any -> [45.150.79.56] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0f62e5c.php"; depth:13; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236445/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_02; classtype:trojan-activity; sid:91236445; rev:1;)

# Every complete rule in this run is an ip:port rule: the match is the
# destination address and port only, with no flow or payload keyword, and
# "threshold: type limit, track by_src, seconds 60, count 1" limits each sid
# to one alert per source address per 60 seconds.
# Triage notes:
#  - confidence_level ranges from 50 to 100 here and appears in both msg and
#    metadata; rank the 50/75 entries accordingly.
#  - For the port 443 entries the sensor cannot see inside TLS, so the alert
#    only establishes that the host contacted the address.
#  - An address can change hands after first_seen. Compare that date with
#    the feed's last-updated date and corroborate with flow or endpoint
#    telemetry before concluding that the source host is infected.
alert tcp $HOME_NET any -> [95.217.65.174] 11130 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236444; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236424; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236442/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236442; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236443; rev:1;)
alert tcp $HOME_NET any -> [8.130.17.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236441; rev:1;)
alert tcp $HOME_NET any -> [79.130.53.226] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236440; rev:1;)
alert tcp $HOME_NET any -> [41.96.88.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236439; rev:1;)
alert tcp $HOME_NET any -> [201.137.204.103] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236438; rev:1;)
alert tcp $HOME_NET any -> [90.42.9.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236437; rev:1;)
alert tcp $HOME_NET any -> [154.247.198.92] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236436; rev:1;)
alert tcp $HOME_NET any -> [92.223.160.132] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236435; rev:1;)
alert tcp $HOME_NET any -> [138.197.134.200] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236434; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.138] 6075 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236433; rev:1;)
alert tcp $HOME_NET any -> [84.32.44.210] 64543 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236431; rev:1;)
# The address in sid:91236430 is also the http.host value of a url rule
# later in this file (sid:91236427). A cleartext GET to it on port 80 that
# matches that URI raises both alerts.
alert tcp $HOME_NET any -> [193.233.132.73] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236430; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236429; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236428; rev:1;)

# url rules: established client-to-server HTTP GET, URI prefix match (depth
# anchors the start of http.uri, nothing anchors the end, nocase applies),
# exact http.host match (depth plus isdataat:!1,relative). There is no
# threshold, so every matching request alerts. Both host values below are IP
# literals: a request to the same server carrying a different Host value is
# not matched, and HTTPS traffic is not inspected unless it is decrypted
# upstream of the sensor.
# The address in sid:91236427 also has an ip:port rule on port 80 earlier in
# this file (sid:91236430), so one request can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjvjls3jd2v/index.php"; depth:22; nocase; http.host; content:"193.233.132.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99210de056092a58.php"; depth:21; nocase; http.host; content:"104.245.33.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236426; rev:1;)

# ip:port rules: destination address and port only, one alert per source per
# 60 seconds per sid. The sid is the IOC id in the reference URL prefixed
# with 9. A hit records contact with the endpoint and nothing about what was
# exchanged; on port 443 the payload is not visible to the sensor at all.
# Treat it as a lead to corroborate, and check first_seen against the feed's
# last-updated date in case the address has since been reassigned.
alert tcp $HOME_NET any -> [159.69.86.27] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236425; rev:1;)
alert tcp $HOME_NET any -> [35.228.7.192] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236423; rev:1;)
alert tcp $HOME_NET any -> [20.106.168.188] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236422; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.109] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236420; rev:1;)
alert tcp $HOME_NET any -> [3.69.157.220] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236421; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236419; rev:1;)
alert tcp $HOME_NET any -> [77.1.170.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236418; rev:1;)
alert tcp $HOME_NET any -> [38.62.236.152] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236417; rev:1;)
# The remaining entries carry the label "Unknown malware": msg gives no
# family, so the reference URL is the only pointer to context for triage.
alert tcp $HOME_NET any -> [152.203.66.173] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236416; rev:1;)
alert tcp $HOME_NET any -> [3.219.110.4] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236414; rev:1;)
alert tcp $HOME_NET any -> [189.112.212.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236415; rev:1;)
alert tcp $HOME_NET any -> [113.37.87.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236413; rev:1;)
alert tcp $HOME_NET any -> [18.191.227.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236412; rev:1;)
alert tcp $HOME_NET any -> [70.34.252.126] 5333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236410; rev:1;)
alert tcp $HOME_NET any -> 
[18.198.146.182] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236411; rev:1;)

# ip:port rules labelled "Unknown malware": the match is destination address
# and port only, rate-limited to one alert per source per 60 seconds per
# sid. msg carries no family name, so the reference URL (the sid without its
# leading 9 is the IOC id) is the only pointer to context.
# confidence_level 100 is the feed's rating of the indicator, not a payload
# check performed by the rule. Corroborate a hit with flow or endpoint data,
# and compare first_seen with the feed's last-updated date in case the
# address has been reassigned.
alert tcp $HOME_NET any -> [141.94.244.50] 444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236409; rev:1;)
alert tcp $HOME_NET any -> [64.226.108.52] 17240 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236408; rev:1;)
alert tcp $HOME_NET any -> [63.35.217.229] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236407; rev:1;)
alert tcp $HOME_NET any -> [34.29.171.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236406; rev:1;)
alert tcp $HOME_NET any -> [20.195.169.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236405; rev:1;)
alert tcp $HOME_NET any -> [40.76.178.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236404; rev:1;)
alert tcp $HOME_NET any -> [54.174.138.45] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236403; rev:1;)
alert tcp $HOME_NET any -> [34.226.155.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236402; rev:1;)
alert tcp $HOME_NET any -> [34.125.18.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236400; rev:1;)
alert tcp $HOME_NET any -> [40.67.208.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236401; rev:1;)
# domain rule: case-insensitive exact match on the queried name (depth equals
# the name length and isdataat:!1,relative forbids trailing bytes); no
# threshold.
# NOTE(review): the name looks like a cloud provider's auto-generated
# instance hostname that embeds an address. It follows the address rather
# than a tenant, so the indicator goes stale if the address is released.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-206-174-2.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236399; rev:1;)
alert tcp $HOME_NET any -> [123.249.83.178] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236398; rev:1;)
alert tcp $HOME_NET any -> [120.55.85.239] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236397; rev:1;)
alert tcp $HOME_NET any -> [47.113.218.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236396; rev:1;)
alert tcp $HOME_NET any -> [8.137.106.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236395; rev:1;)
alert tcp $HOME_NET any -> [47.108.233.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1236394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236394; rev:1;)

# ip:port rules: destination address and port only (no flow or payload
# keyword), one alert per source address per 60 seconds per sid.
# target:src_ip marks the $HOME_NET side as the target in the alert record.
alert tcp $HOME_NET any -> [23.105.197.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236393; rev:1;)
alert tcp $HOME_NET any -> [142.171.229.78] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236392; rev:1;)

# domain rules: case-insensitive exact match on the queried name. depth
# equals the name length and isdataat:!1,relative forbids trailing bytes, so
# only the listed label sequence matches: "www.panitor.xyz" alerts but
# "panitor.xyz" does not, and "panelbar.ct8.pl" alerts but other names under
# the same parent do not. There is no threshold, so each lookup alerts.
# Where clients resolve through an internal forwarder, the src_ip seen by
# the sensor may be that resolver rather than the querying host; this
# depends on sensor placement, so verify locally.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mywestpac.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.panitor.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panelbar.ct8.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236389; rev:1;)

# The port 80 entries below match on the address alone; they do not inspect
# the HTTP request, so the alert does not show which URL was fetched.
alert tcp $HOME_NET any -> [68.233.120.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236388; rev:1;)
alert tcp $HOME_NET any -> [45.139.104.69] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236387; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.79] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236386; rev:1;)
alert tcp $HOME_NET any -> [51.195.83.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236385; rev:1;)
alert tcp $HOME_NET any -> [79.137.197.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236384; rev:1;)
alert tcp $HOME_NET any -> [114.29.236.137] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236383; rev:1;)
alert tcp $HOME_NET any -> [37.60.235.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236382; rev:1;)
alert tcp $HOME_NET any -> [20.14.88.85] 8447 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236381; rev:1;)
# sid:91236380 and sid:91236379 cover the same address on two ports. The
# threshold is per sid, so a host that contacts both ports produces two
# alerts per minute.
alert tcp $HOME_NET any -> [115.79.230.192] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236380; rev:1;)
alert tcp $HOME_NET any -> [115.79.230.192] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236379; rev:1;)
alert tcp $HOME_NET any -> [193.169.245.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236378; rev:1;)
alert tcp $HOME_NET any -> [193.168.141.92] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236377; rev:1;) alert tcp $HOME_NET any -> [94.156.68.145] 7639 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236376; rev:1;) alert tcp $HOME_NET any -> [181.162.151.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236375; rev:1;) alert tcp $HOME_NET any -> [88.210.9.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236374; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev1.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236373/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omgs.asia"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236371; rev:1;) alert tcp $HOME_NET any -> [91.92.244.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev4.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236369; rev:1;) alert tcp $HOME_NET any -> [20.236.74.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236368; rev:1;) alert tcp $HOME_NET any -> [165.232.64.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236367; rev:1;) alert tcp $HOME_NET any -> [64.226.104.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236366; rev:1;)
alert tcp $HOME_NET any -> [64.225.100.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236365; rev:1;)
# NOTE(review): the name below has the form of a cloud provider's per-instance
# public hostname and appears to embed an IPv4 address. Such names follow the
# address, and the address can pass to an unrelated tenant once the instance
# is released - compare first_seen (2024_02_02) with the date of the traffic
# before treating a hit as current C2. The rule matches the full query name
# only (depth equals the content length, isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-140-197-75.us-east-2.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236364; rev:1;)
# ip:port rules: matched on destination address and port only (no flow or
# content keyword). target:src_ip marks the $HOME_NET sender as the affected
# host in the alert record. At most one alert per source per 60 s is emitted.
alert tcp $HOME_NET any -> [91.92.240.147] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236363; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.15] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236362; rev:1;)
alert tcp $HOME_NET any -> [18.134.234.207] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236361; rev:1;) alert tcp $HOME_NET any -> [186.112.194.124] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236360; rev:1;) alert tcp $HOME_NET any -> [179.61.251.93] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236359; rev:1;) alert tcp $HOME_NET any -> [39.105.213.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236358; rev:1;) alert tcp $HOME_NET any -> [163.197.211.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236357; rev:1;) alert tcp $HOME_NET any -> [20.241.197.233] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236355/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236355; rev:1;) alert tcp $HOME_NET any -> [170.64.194.84] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236356/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236356; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236353; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236354; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236352; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236351; rev:1;) alert tcp $HOME_NET any -> [93.80.47.229] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236350; rev:1;) alert tcp $HOME_NET any -> 
[91.92.242.62] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236349; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236348; rev:1;) alert tcp $HOME_NET any -> [91.92.249.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236346; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236347; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236345; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236344/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236344; rev:1;) alert tcp $HOME_NET any -> [154.221.17.44] 2999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236343; rev:1;) alert tcp $HOME_NET any -> [201.68.220.236] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236342; rev:1;) alert tcp $HOME_NET any -> [134.122.164.200] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236341; rev:1;) alert tcp $HOME_NET any -> [207.180.224.247] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236340; rev:1;) alert tcp $HOME_NET any -> [185.91.127.221] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236338; rev:1;) alert tcp $HOME_NET any -> [123.57.174.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236339; rev:1;) alert tcp $HOME_NET any -> [91.92.249.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236337; rev:1;) alert tcp $HOME_NET any -> [195.85.250.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236335; rev:1;) alert tcp $HOME_NET any -> [74.48.84.59] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236336; rev:1;) alert tcp $HOME_NET any -> [154.9.252.97] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236334; rev:1;) alert tcp $HOME_NET any -> [34.143.208.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236333/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236333; rev:1;) alert tcp $HOME_NET any -> [1.94.11.140] 39443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236332; rev:1;) alert tcp $HOME_NET any -> [91.92.243.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236331; rev:1;) alert tcp $HOME_NET any -> [172.233.25.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-89-165-37.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236329; rev:1;) alert tcp $HOME_NET any -> [8.137.118.200] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236328; rev:1;) alert tcp $HOME_NET any -> [121.41.4.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236327; rev:1;)
# ip:port rule: address and port are the only match criteria, so any TCP
# packet from $HOME_NET to this endpoint raises the alert (rate-limited to one
# per source per 60 s).
alert tcp $HOME_NET any -> [89.149.23.88] 20427 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236324; rev:1;)
# NOTE(review): the name below looks like a dynamic-DNS hostname - confirm.
# The address behind such a name can change at any time, so a DNS hit should
# be followed up with the resolved address and the subsequent connection,
# not only with the static ip:port rules in this file. The match is on the
# exact query name (depth 20 equals the content length, isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"technoblade.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236325; rev:1;)
# confidence_level is 80 for the next rule, against 100 for its neighbours;
# the value appears both in msg and in metadata, so it can be used to route
# or down-rank alerts without parsing the message text.
alert tcp $HOME_NET any -> [39.32.193.156] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236326; rev:1;)
alert tcp $HOME_NET any -> [38.46.13.118] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"101.34.251.178"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236322; rev:1;)
alert tcp $HOME_NET any -> [38.46.13.115] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236321; rev:1;)
# url rules: three conditions on a client request in an established flow -
#   http.method contains "GET";
#   http.uri starts with the listed path (depth equals the path length and
#     there is no end anchor, so longer URIs and query strings with the same
#     prefix also match; nocase applies to the path);
#   http.host equals the listed value exactly (depth plus isdataat:!1,relative).
# The rule header is $EXTERNAL_NET any, so the destination address itself is
# not constrained; with an IP literal in http.host the rule depends on the
# client sending that address in the Host header. Only traffic parsed as HTTP
# is inspected; the same request inside TLS is not seen by these rules.
# Paths such as /jquery-3.3.1.min.js also occur in benign traffic to other
# hosts - the host condition is what makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.46.13.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.134.165.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.239.247.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236317; rev:1;)
alert tcp $HOME_NET any -> [43.143.130.124] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236316; rev:1;)
# url rules: GET request whose URI begins with the listed path (prefix match,
# case-insensitive) and whose Host value equals the listed string exactly.
# Short prefixes such as "/g.pixel" are generic on their own; the exact host
# condition carries the specificity. The msg names no malware family, so the
# reference URL is the only pointer to what the indicator was attributed to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"3.22.66.152"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236314; rev:1;)
# NOTE(review): confidence_level is 80 on the next rule. Port 50050 is
# commonly the operator-facing management port of this framework rather than
# an implant listener - confirm against the ThreatFox entry. If so, a hit from
# inside $HOME_NET points at a host running the operator client, which is a
# different finding from an infected workstation beaconing out.
alert tcp $HOME_NET any -> [42.193.248.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; 
sid:91236313; rev:1;)
# The next four rules cover one host name in two forms (bare and "www.") and
# on two protocols. Separate rules are needed because both the dns_query match
# and the http.host match are exact: depth equals the content length and
# isdataat:!1,relative forbids trailing data, so "okled.cc" does not cover
# "www.okled.cc" or any other subdomain.
# For triage, a DNS hit shows only that the name was looked up; the matching
# url rule (GET with a URI starting "/api/3", cleartext HTTP) shows an actual
# request. A DNS alert without the HTTP alert may mean the follow-up traffic
# was encrypted or used a different path - not that nothing followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okled.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"okled.cc"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.okled.cc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.okled.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdns.casacam.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236307; rev:1;) alert tcp $HOME_NET any -> [104.168.158.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/login"; depth:13; nocase; http.host; content:"cdns.casacam.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"20.56.70.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236305; rev:1;) alert tcp $HOME_NET any -> [121.41.4.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2kefhgzl-1316598603.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1236302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236302; rev:1;)
# NOTE(review): the name below looks like a tenant-specific endpoint under a
# cloud API-gateway domain - confirm. The rule matches only the complete
# 50-character name (depth 50, isdataat:!1,relative), so other tenants under
# the same parent domain do not trigger it. The flip side is that blocking or
# alerting on the parent domain instead would hit unrelated services.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2kefhgzl-1316598603.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236303; rev:1;)
# url rules: GET, URI starting with the listed path, Host equal to the listed
# IP literal. The paths here ("/ga.js", "/push", "/j.ad") resemble ordinary
# web-analytics or ad resources, so the path alone is not an indicator; the
# rule fires only in combination with the exact host value. Requests that
# reach the same server under a different Host value, or over TLS, are not
# covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"34.143.208.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.142.170.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236299; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.11] 65517 (msg:"ThreatFox 
Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236291; rev:1;) alert tcp $HOME_NET any -> [103.86.131.102] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236295; 
rev:1;) alert tcp $HOME_NET any -> [158.160.124.3] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236294; rev:1;) alert tcp $HOME_NET any -> [54.227.145.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236293; rev:1;) alert tcp $HOME_NET any -> [45.129.199.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236292; rev:1;) alert tcp $HOME_NET any -> [139.155.90.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236289; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236287; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236288; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236286; rev:1;) alert tcp $HOME_NET any -> [172.105.62.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236285; rev:1;) alert tcp $HOME_NET any -> [192.52.166.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236284; rev:1;) alert tcp $HOME_NET any -> [54.199.117.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236283; rev:1;) alert tcp $HOME_NET any -> 
[47.76.61.241] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236282; rev:1;) alert tcp $HOME_NET any -> [38.62.230.181] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236281/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236281; rev:1;) alert tcp $HOME_NET any -> [38.62.230.181] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236280/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236280; rev:1;) alert tcp $HOME_NET any -> [5.161.225.160] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236279/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236279; rev:1;) alert tcp $HOME_NET any -> [43.198.97.99] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236278; rev:1;) alert tcp $HOME_NET any -> [84.201.141.119] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236277/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_02_02; classtype:trojan-activity; sid:91236277; rev:1;) alert tcp $HOME_NET any -> [151.236.9.226] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236250/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236250; rev:1;) alert tcp $HOME_NET any -> [185.123.53.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236252/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236252; rev:1;) alert tcp $HOME_NET any -> [185.36.143.155] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236251/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236251; rev:1;) alert tcp $HOME_NET any -> [45.155.121.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236248/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236248; rev:1;) alert tcp $HOME_NET any -> [45.155.121.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236247/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236247; rev:1;) alert tcp $HOME_NET any -> [85.239.34.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236249/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236249; rev:1;) alert tcp $HOME_NET any -> [45.129.199.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236244/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236244; rev:1;) alert tcp $HOME_NET any -> [45.129.199.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236245/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236245; rev:1;) alert tcp $HOME_NET any -> [45.155.120.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236246/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236246; rev:1;) alert tcp $HOME_NET any -> [5.230.41.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236243/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236243; rev:1;) alert tcp $HOME_NET any -> [147.45.45.81] 30063 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; 
sid:91236221; rev:1;) alert tcp $HOME_NET any -> [193.168.141.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236253/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236253; rev:1;) alert tcp $HOME_NET any -> [193.168.141.104] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236254/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236254; rev:1;) alert tcp $HOME_NET any -> [213.232.235.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236255/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236255; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236269; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236270; rev:1;) alert tcp $HOME_NET any -> [94.156.68.158] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236265; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236268; rev:1;) alert tcp $HOME_NET any -> [5.230.42.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236256; rev:1;) alert tcp $HOME_NET any -> [91.235.234.194] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236257/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236257; rev:1;) alert tcp $HOME_NET any -> [185.123.53.150] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236258; rev:1;) alert tcp $HOME_NET any -> [5.231.0.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236259/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236259; rev:1;) alert tcp $HOME_NET any -> [194.110.247.73] 443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236260/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236260; rev:1;) alert tcp $HOME_NET any -> [20.56.70.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236276/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236276; rev:1;) alert tcp $HOME_NET any -> [129.159.134.19] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236275; rev:1;) alert tcp $HOME_NET any -> [31.210.173.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236274; rev:1;) alert tcp $HOME_NET any -> [103.86.131.79] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236273; rev:1;) alert tcp $HOME_NET any -> [47.115.225.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236272/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temporary/sql6js8/wordpress3/7sqlasync/8/publicmariadb/central/to_serverasyncpublictemp.php"; depth:92; nocase; http.host; content:"185.87.199.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236271; rev:1;) alert tcp $HOME_NET any -> [185.243.115.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236266; rev:1;) alert tcp $HOME_NET any -> [147.45.40.196] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.124.119.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/1/3secure/packet/gameflowerflowerpacket/local/generatoruniversal/asynclinesqlwindows/7javascripthttp/db57/track1python1/requestdatalifeexternal/packet4dbproton/providervm/testwindowstest/5javascriptwindows/pipe02public/processor/1securejavascript9/packetwp.php"; depth:261; nocase; http.host; content:"77.222.54.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236262; rev:1;) alert tcp $HOME_NET any -> [100.21.141.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236261/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236261; rev:1;) alert tcp $HOME_NET any -> [47.242.111.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236242; rev:1;) alert tcp $HOME_NET any -> [136.244.78.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236241; rev:1;) alert tcp $HOME_NET any -> [176.124.199.126] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236240; rev:1;) alert tcp $HOME_NET any -> [91.151.93.75] 9443 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236239; rev:1;) alert tcp $HOME_NET any -> [182.254.140.58] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236238; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236237; rev:1;) alert tcp $HOME_NET any -> [47.76.56.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/make/apache/t0ztsfr9u"; depth:22; nocase; http.host; content:"waltonfoods.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dpixel"; depth:7; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236234; rev:1;) alert tcp $HOME_NET any -> [45.15.156.209] 40481 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236233; rev:1;) alert tcp $HOME_NET any -> [45.139.104.69] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236232/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236232; rev:1;) alert tcp $HOME_NET any -> [94.156.65.19] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236231/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236231; rev:1;) alert tcp $HOME_NET any -> [38.12.28.242] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236230; rev:1;) alert tcp $HOME_NET any -> [2.56.109.134] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236229; rev:1;) alert tcp $HOME_NET any -> [74.12.146.248] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236228; rev:1;) alert tcp $HOME_NET any -> [194.219.192.97] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236227; rev:1;) alert tcp $HOME_NET any -> [18.188.25.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236226; rev:1;) alert tcp $HOME_NET any -> [164.92.180.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236225; rev:1;) alert tcp $HOME_NET any -> [103.116.248.171] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236224; rev:1;) alert tcp $HOME_NET any -> [165.232.64.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236223; rev:1;)
# The line above is the tail of a rule whose header sits on the previous line.
#
# ip:port rules (the next four): the header pins one destination address and
# port and the option list has no payload or flow keyword, so any TCP packet
# from $HOME_NET to that endpoint matches. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source address per minute.
# target:src_ip marks the internal (source) host as the affected side in the
# alert record.
#
# Triage: confidence_level 50 with an "Unknown malware" label is a lead, not a
# verdict; corroborate with host telemetry before acting on it.
alert tcp $HOME_NET any -> [146.190.126.61] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236222; rev:1;)
alert tcp $HOME_NET any -> [85.208.109.15] 9966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236220; rev:1;)
alert tcp $HOME_NET any -> [147.124.207.124] 24624 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236219; rev:1;)
# NOTE(review): sid 91236030 and the DNS rule after it (sid 91236031) carry
# adjacent ThreatFox ids and the same confidence, so presumably they describe
# one NjRAT endpoint reached through a tunnel - confirm on the ThreatFox entry.
alert tcp $HOME_NET any -> [54.94.248.37] 12136 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236030/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236031; rev:1;)
# Domain rule: depth:17 equals the length of the name and isdataat:!1,relative
# requires that nothing follows it, so only a query for exactly this name
# matches (case-insensitively); subdomains do not.
# NOTE(review): 0.tcp.sa.ngrok.io looks like a shared ngrok TCP tunnel host
# rather than a name owned by one operator. A hit then shows that a host
# resolved the tunnel service, not which tunnel it used; pair it with the
# ip:port rule above (address and port) before treating it as NjRAT. Verify.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"0.tcp.sa.ngrok.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pjnbadfjandkadm3kd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236214; rev:1;)
# The line above is the option list of a dns rule whose header sits on the
# previous line; it matches a query for exactly pjnbadfjandkadm3kd.com.
#
# NOTE(review): sid 91236215 searches for that same hostname in http.uri, with
# depth:22 pinning the match to the first 22 bytes of the buffer. The pattern
# has no leading "/", so a request whose URI starts with "/" cannot match. The
# other url rules in this part of the file put the host in http.host and the
# path in http.uri. The ThreatFox entry was probably a URL with no path.
# If that is confirmed, the usual shape would be
#   http.host; content:"pjnbadfjandkadm3kd.com"; depth:22; isdataat:!1,relative;
# Until then, rely on the DNS rule (sid 91236214) for coverage of this name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pjnbadfjandkadm3kd.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1236215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236215; rev:1;)
# Exact-name DNS match: depth:20 is the length of the name and
# isdataat:!1,relative rejects anything longer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qcpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236216; rev:1;)
# URL rule: client-to-server GET on an established flow. The path is anchored at
# the start of http.uri (depth:53 = pattern length) with no end anchor, so a
# trailing query string still matches. The host is an exact match (depth:23 plus
# isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelongpollapiprotectdefaultlinuxflowerprivate.php"; depth:53; nocase; http.host; content:"369023cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236218; rev:1;)
# ip:port rule: no payload or flow keyword, so any TCP packet from $HOME_NET to
# this address and port matches, limited to one alert per source per 60 s.
# NOTE(review): 50050 is the default Cobalt Strike team-server port, so this
# entry presumably identifies the server's management listener rather than a
# beacon callback port. Confirm against the ThreatFox entry before inferring
# what kind of internal host would connect to it.
alert tcp $HOME_NET any -> [124.221.151.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236217/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236217; rev:1;)
alert tcp
$HOME_NET any -> [103.191.15.137] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236213/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236213; rev:1;) alert tcp $HOME_NET any -> [5.181.156.118] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsecureupdatelongpollmultiprotecttestlocaldownloads.php"; depth:58; nocase; http.host; content:"681428cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236211; rev:1;) alert tcp $HOME_NET any -> [84.155.4.131] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236210; rev:1;) alert tcp $HOME_NET any -> [2.50.137.98] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236209; rev:1;) alert tcp $HOME_NET any -> [81.213.221.120] 443 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236208; rev:1;) alert tcp $HOME_NET any -> [45.58.52.17] 9090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236207; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 18336 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236206; rev:1;) alert tcp $HOME_NET any -> [38.62.236.152] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236205; rev:1;) alert tcp $HOME_NET any -> [102.134.252.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236204; rev:1;) alert tcp $HOME_NET any -> [154.41.253.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236202; rev:1;) alert tcp $HOME_NET any -> [18.184.153.186] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236201; rev:1;) alert tcp $HOME_NET any -> [45.142.100.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236200; rev:1;) alert tcp $HOME_NET any -> [146.190.32.94] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236199; rev:1;) alert tcp $HOME_NET any -> [87.254.230.24] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236198; rev:1;) alert tcp $HOME_NET any -> [139.162.173.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236197; rev:1;) alert tcp $HOME_NET any -> [120.26.3.31] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sts.drivevvyze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236195; rev:1;) alert tcp $HOME_NET any -> [182.92.209.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236194; rev:1;) alert tcp $HOME_NET any -> [47.108.153.169] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236193; rev:1;) alert tcp $HOME_NET any -> [47.115.228.149] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236192; rev:1;) alert tcp $HOME_NET any -> [8.130.80.37] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236191; rev:1;) alert tcp $HOME_NET any -> [8.130.123.192] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236190; rev:1;) alert tcp $HOME_NET any -> [8.130.86.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236188; rev:1;) alert tcp $HOME_NET any -> [203.9.150.113] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236189; rev:1;) alert tcp $HOME_NET any -> [121.42.9.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236187; rev:1;) alert tcp $HOME_NET any -> [16.62.149.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236186; rev:1;) alert tcp $HOME_NET any -> [5.42.64.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panitor.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.doobiefly.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236183; rev:1;) alert tcp $HOME_NET any -> [45.118.146.123] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.3psil0n.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236181; rev:1;) alert tcp $HOME_NET any -> [91.92.249.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236180; rev:1;) alert tcp $HOME_NET any -> [91.92.249.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236179; rev:1;) alert tcp $HOME_NET any -> [94.156.144.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236178; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 8880 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236177; rev:1;) alert tcp $HOME_NET any -> [134.195.90.8] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rss-bridge.emkd.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236174; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236175; rev:1;)
# Domain indicator. dns_query selects the DNS query name; content + depth:51
# (the length of the name) + isdataat:!1,relative together require the query
# name to be exactly this string, and nocase makes the comparison
# case-insensitive.
# NOTE(review): this looks like a provider-assigned EC2 public hostname that
# embeds an IPv4 address. Such a name follows the address, and cloud addresses
# get reassigned to other tenants — with first_seen 2024_02_01, confirm the
# indicator is still current before treating a hit as high confidence.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-206-164-202.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236173; rev:1;)
# Exact-name match on the bare domain (depth:7 + isdataat:!1,relative), so a
# query for a subdomain does not hit this rule; the feed lists
# rss-bridge.emkd.ru separately (sid 91236174).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emkd.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236172; rev:1;)
# ip:port indicators. These rules carry no payload or flow-state condition: the
# match is the destination address and port alone. The threshold option
# (type limit, track by_src, seconds 60, count 1) caps output at one alert per
# source address per 60 seconds, and target:src_ip marks the source side (the
# $HOME_NET client) as the target in the alert record.
# NOTE(review): a hit shows that a packet was sent toward the listed endpoint,
# not that C2 protocol traffic was observed — correlate with flow, TLS or
# endpoint data during triage.
alert tcp $HOME_NET any -> [211.24.117.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236171; rev:1;)
alert tcp $HOME_NET any -> [45.147.250.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236170; rev:1;)
# NOTE(review): from here the feed lists one rule per port for the single host
# 197.225.117.157 (all labelled Quasar RAT, confidence 100). The rules differ
# only in destination port, ioc id and sid, so alerts from this run all point
# at the same remote host and can be grouped by destination address in triage.
# Some of the ports are ones ordinary services use (465 and 6667 below); the
# address, not the port, is what makes these rules specific. A host reported on
# this many ports may simply answer on every port — TODO confirm against the
# referenced ThreatFox entries.
alert tcp $HOME_NET any -> [197.225.117.157] 33920 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236168; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 45118 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236169; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 465 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236167; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 102 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236166; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 12078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236165; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6667 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236163; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236164; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5220 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236162; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2079 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236160; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236161; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4840 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236159; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236158; rev:1;) alert tcp 
$HOME_NET any -> [197.225.117.157] 48148 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236157; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 52200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236155; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 16993 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236156; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 43014 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236154; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5432 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236152; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 63842 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236153; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 110 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236151; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 60000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236149; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 64611 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236150; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50956 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236148; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 45910 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236147; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5672 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236145; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236146; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 64374 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236144; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236143; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5307 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236142; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 20547 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236140/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236140; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 51376 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236141; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236139; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 16196 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236138; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 11467 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236137; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2380 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236135; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236136; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2096 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236134; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 49451 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236133; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6699 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236132; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 9042 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236130; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6697 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236131; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6002 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236129; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 27199 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236127; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 31763 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236128; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 24663 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236126; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6006 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236125; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236123; rev:1;)
# --- Quasar RAT ip:port indicators (first_seen 2024_02_01, confidence_level 100) ---
# Every rule in this group matches on the destination address and TCP port only.
# There is no flow, content or app-layer keyword, so a match does not require an
# established session or any particular payload.
# NOTE(review): a lone SYN toward the address would presumably be enough to alert;
# confirm against the Suricata version in use.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds for each sid; it does not narrow the match.
# "target:src_ip" marks the internal source as the affected side of the alert.
#
# 197.225.117.157 is listed once per port, with dozens of ports on the same day.
# A single internal host talking to this address can therefore raise alerts under
# many different sids; group hits by destination address during triage.
# NOTE(review): the port set spans common service ports (443, 995, 1521, 5900-5903,
# 27017, ...), so a hit identifies the destination, not the protocol spoken.
# NOTE(review): these are address-based indicators with a fixed first_seen date;
# check the reference URL for the current IOC state before acting on a hit.
alert tcp $HOME_NET any -> [197.225.117.157] 2701 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236124; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6513 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236122; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 8010 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236121; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 37215 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236119; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 5903 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236120; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 36043 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236118; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 28139 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236117; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 50580 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236115; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 46207 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236116; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 40329 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236114; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236112; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 61616 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236113; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236111; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236110; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 9000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236108; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 18029 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236109; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6362 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236107; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 2762 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236105; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 5902 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236106; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 1521 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236104; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 2761 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236103; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 40000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236101; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 2078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236102; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236100; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 5900 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236098; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6008 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236099; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 1200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236097; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 1080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236096; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 10443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236094; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 18049 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236095; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236093; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 2323 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236091; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 4887 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236092; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 10258 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236090; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 57983 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236088; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236089; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 52219 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236087; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 50001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236086; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 2095 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236084; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 4369 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236085; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 40846 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236083; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 27017 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236082; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236080; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 7170 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236081; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 3390 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236079; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 44332 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236077; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 104 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236078; rev:1;)
alert tcp $HOME_NET any -> [197.225.117.157] 6597 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236076; rev:1;)
# Quasar RAT indicators on other destination addresses (same match logic as above).
alert tcp $HOME_NET any -> [191.82.244.204] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236075; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.180] 57420 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236074; rev:1;)
# --- ip:port indicators, first_seen 2024_02_01 ---
# The rules below match on destination address and TCP port only (no flow,
# content or app-layer keyword). The threshold keyword limits each sid to one
# alert per source address per 60 seconds; target:src_ip marks the internal
# source as the affected side.
# The msg text uses the same "botnet C2 traffic" wording for every family; the
# family name and the confidence_level metadata are the fields that differ.
# NOTE(review): address-only matches cannot tell which service answered on the
# port; use the reference URL to confirm the IOC is still current before acting.
#
# Hook
alert tcp $HOME_NET any -> [5.42.67.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236073; rev:1;)
alert tcp $HOME_NET any -> [42.96.11.30] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236072; rev:1;)
alert tcp $HOME_NET any -> [172.94.4.158] 8088 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236071; rev:1;)
# "Unknown malware" entries carry no family label in msg; the reference URL is
# the only pointer to further context. One AsyncRAT entry sits between them.
alert tcp $HOME_NET any -> [176.103.52.51] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236070; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.6] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236069; rev:1;)
alert tcp $HOME_NET any -> [142.171.213.30] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236068; rev:1;)
alert tcp $HOME_NET any -> [38.147.189.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236067; rev:1;)
# Sliver, confidence_level 90 (lower than the 100 used by the neighbouring rules).
# NOTE(review): Sliver is also used in authorised adversary-emulation work, so
# compare hits against any scheduled testing before escalating.
alert tcp $HOME_NET any -> [34.162.103.107] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236066/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_01; classtype:trojan-activity; sid:91236066; rev:1;)
alert tcp $HOME_NET any -> [212.73.150.182] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236065/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_01; classtype:trojan-activity; sid:91236065; rev:1;)
# DarkComet: two destination addresses, one rule per port. Port 2078 is listed
# for both addresses under separate sids.
alert tcp $HOME_NET any -> [187.135.122.173] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236064; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.173] 1765 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236063; rev:1;)
alert tcp $HOME_NET any -> [187.135.149.169] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236061; rev:1;)
alert tcp $HOME_NET any -> [187.135.149.169] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236062; rev:1;)
alert tcp $HOME_NET any -> [187.135.149.169] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236060; rev:1;)
alert tcp $HOME_NET any -> [187.135.149.169] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236058; rev:1;)
alert tcp $HOME_NET any -> [187.135.149.169] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236059; rev:1;)
alert tcp $HOME_NET any -> [221.159.15.231] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236057; rev:1;)
# --- Cobalt Strike ip:port indicators (first_seen 2024_02_01, confidence_level 100) ---
# Each rule matches on destination address and TCP port only; there is no flow,
# content or app-layer keyword, so nothing in the rule inspects the payload.
# The threshold keyword limits each sid to one alert per source address per
# 60 seconds, and target:src_ip marks the internal source as the affected side.
# NOTE(review): Cobalt Strike is also used in authorised red-team engagements;
# compare hits against any scheduled testing before escalating.
# NOTE(review): several entries use ports 80 and 443. A hit on those rules means
# "traffic to this address", not "beacon traffic confirmed"; corroborate with
# endpoint or proxy telemetry and check the reference URL for the IOC's status.
alert tcp $HOME_NET any -> [124.70.140.36] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236055; rev:1;)
alert tcp $HOME_NET any -> [121.36.198.30] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236056; rev:1;)
alert tcp $HOME_NET any -> [193.29.56.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236053; rev:1;)
alert tcp $HOME_NET any -> [192.151.243.135] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236054; rev:1;)
alert tcp $HOME_NET any -> [122.51.220.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236052; rev:1;)
alert tcp $HOME_NET any -> [172.105.48.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236051; rev:1;)
# 34.170.254.228 is listed on three ports (8080, 80, 443), one sid each.
alert tcp $HOME_NET any -> [34.170.254.228] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236050; rev:1;)
alert tcp $HOME_NET any -> [34.170.254.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236048; rev:1;)
alert tcp $HOME_NET any -> [34.170.254.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236049; rev:1;)
alert tcp $HOME_NET any -> [1.117.60.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236047; rev:1;)
alert tcp $HOME_NET any -> [149.104.27.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236046; rev:1;)
alert tcp $HOME_NET any -> [107.150.5.191] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236044; rev:1;)
alert tcp $HOME_NET any -> [192.210.186.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236045; rev:1;)
alert tcp $HOME_NET any -> [47.236.108.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236043; rev:1;)
alert tcp $HOME_NET any -> [47.109.74.65] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236042; rev:1;)
alert tcp $HOME_NET any -> [47.95.31.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236041; rev:1;)
alert tcp $HOME_NET any -> [59.110.47.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236039; rev:1;)
alert tcp $HOME_NET any -> [152.136.100.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236040; rev:1;)
alert tcp $HOME_NET any -> [20.171.192.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236038; rev:1;)
alert tcp $HOME_NET any -> [205.185.118.120] 1200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236037; rev:1;)
alert tcp $HOME_NET any -> [23.224.81.191] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236036; rev:1;)
alert tcp $HOME_NET any -> [81.70.79.31] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236035; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236033; rev:1;)
alert tcp $HOME_NET any -> [43.248.189.11] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236034; rev:1;)
alert tcp $HOME_NET any -> [117.50.185.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236032; rev:1;)
# Get2, confidence_level 80 (lower than the surrounding rules).
alert tcp $HOME_NET any -> [103.86.131.103] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236029; rev:1;)
# URL indicator. Unlike the ip:port rules, this one inspects the HTTP request:
#   flow:established,from_client - client side of an established flow
#   http.method "GET"
#   http.uri "/api/3" with depth:6 and nocase - anchored at the start of the URI
#     but not at its end, so any URI that begins with this string matches
#   http.host "124.70.140.36" with depth:13 and isdataat:!1,relative - no byte
#     may follow the match, so the host has to equal the string exactly
# The header is "any -> $EXTERNAL_NET any", so the destination port is not
# restricted. The same address also has an ip:port rule on 8088 (sid:91236055);
# a matching request to that port can raise both alerts. There is no threshold
# keyword here, so every matching request alerts.
# NOTE(review): presumably this only fires where the HTTP parser sees cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"124.70.140.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236028; rev:1;)
alert tcp $HOME_NET any -> 
[185.222.57.87] 4505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236027; rev:1;)
# --- URL indicators (alert http), first_seen 2024_02_01 ---
# Each http rule below requires all of the following:
#   flow:established,from_client - client side of an established flow
#   http.method "GET"
#   http.uri content with depth equal to its own length, plus nocase - the
#     string must sit at the very start of the URI, but nothing anchors the
#     end, so longer URIs with the same prefix also match
#     (constructed example: "/ca" also covers "/cat").
#   http.host content with depth equal to its length and isdataat:!1,relative -
#     no byte may follow the match, so the host has to equal the string exactly.
# The header is "any -> $EXTERNAL_NET any": the destination port is not
# restricted. None of these rules has a threshold keyword, so every matching
# request raises an alert.
# Several URI strings resemble ordinary resource paths ("/updates.rss",
# "/pixel.gif", "/ie9compatviewlist.xml"); the exact host match is what makes
# the rule specific.
# NOTE(review): presumably these only fire where the HTTP parser sees cleartext
# requests; TLS-wrapped traffic to the same hosts would need decryption upstream
# or a separate TLS/DNS indicator.
#
# sid:91236025 - the URI content is "/" with depth:1, which is satisfied by any
# URI starting with "/"; in practice this is a host-only match on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236025; rev:1;)
# Vidar ip:port rule for the same address as the http rule above: matches on
# destination address and TCP port 443 only, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [5.75.215.113] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236018; rev:1;)
# sid:91236017 and sid:91236016 carry identical match options (same method, URI
# and host) and differ only in reference URL and sid, so one matching request
# raises two alerts. Deduplicate on host and URI when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236015; rev:1;)
# Cobalt Strike ip:port rule on TCP port 53. The rule protocol is tcp, so
# UDP traffic to port 53 on this address is not covered by this sid.
alert tcp $HOME_NET any -> [4.246.234.87] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cnn/cnnx/qwerty/stream_hdt/1/cnnxlive1_6.bootstrap"; depth:51; nocase; http.host; content:"20.42.56.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236013; rev:1;)
# --- Mirai ip:port indicators, confidence_level 75 ---
# Destination address and TCP port only; one alert per source address per
# 60 seconds for each sid. The lower confidence value is carried in both msg and
# metadata and can be used to rank these below the confidence-100 rules.
alert tcp $HOME_NET any -> [93.123.85.91] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236010; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.91] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236011; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.193] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236012; rev:1;)
alert tcp $HOME_NET any -> [172.111.10.14] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236006; rev:1;)
alert tcp $HOME_NET any -> [172.111.10.14] 9621 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236007; rev:1;)
# Mirai ip:port indicators: destination address and port only, limited by
# threshold to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [94.156.71.208] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236008; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.208] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236009; rev:1;)
# URL indicator with both parts present: the URI must start with the listed
# path and http.host must equal the full host name (depth plus
# isdataat:!1,relative), so other hosts under the same parent domain do not
# match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f1aba1fe.php"; depth:13; nocase; http.host; content:"self-lighting-subpr.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236005; rev:1;)
# NOTE(review): the nine rules with sids 91235996 through 91236004 have no
# http.host match; a host-like string is matched at the start of http.uri
# instead. A request URI normally begins with "/", so these look unlikely to
# match ordinary (non-proxy) requests -- presumably the source indicator had no
# path and the host ended up in the URI slot. Verify against the ThreatFox
# entries. If host matching is what is wanted, carry it in a local rule that
# uses http.host rather than editing this generated feed, and weigh the alert
# volume first: a host-only match fires on every GET to that site.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail830071003.mywebspace.zone"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1235996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail838727492.mywebspace.zone"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1235997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rinababyshop.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1235998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"li334-138.members.linode.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1235999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"novaesolution.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1236000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"umzug-logistic.de"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1236001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"database.umzug-logistic.de"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1236002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail.tezcaniletisim.com.tr"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1236004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tezcaniletisim.com.tr"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1236003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236003; rev:1;)
# FAKEUPDATES ip:port indicators, confidence_level 100: destination address and
# port only, one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [51.222.51.154] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235945; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.155] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235946; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.156] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235947; rev:1;)
# FAKEUPDATES ip:port indicators, all confidence_level 100. Each rule matches
# on the destination address and port alone; threshold limits it to one alert
# per source address per 60 seconds, and target:src_ip marks the $HOME_NET
# side as the target.
# NOTE(review): the 51.222.51.x rules here and just before this stretch cover
# .145 through .158 on port 8100, and the 198.50.214.x rules cover .209 through
# .222, one rule per address. That keeps one sid per ThreatFox entry; when
# triaging, alerts across these sids most likely belong together.
alert tcp $HOME_NET any -> [51.222.51.152] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235943; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.153] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235944; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.149] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235940; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.150] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235941; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.151] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235942; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.146] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235937; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.147] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235938; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.148] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235939; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.145] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235936; rev:1;)
# Port 80 on a single address: any TCP traffic from $HOME_NET to it alerts,
# whatever the request is; corroborate with HTTP logs before concluding C2.
alert tcp $HOME_NET any -> [37.187.1.37] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235935; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.157] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235948; rev:1;)
alert tcp $HOME_NET any -> [51.222.51.158] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235949; rev:1;)
alert tcp $HOME_NET any -> [167.114.173.191] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235950; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.209] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235951; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.210] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235952; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.212] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235954; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.211] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235953; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.213] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235955; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.214] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235956; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.215] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235957; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.216] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235958; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.217] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235959; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.218] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235960; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.219] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235961; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.220] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235962; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.221] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235963; rev:1;)
alert tcp $HOME_NET any -> [198.50.214.222] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235964; rev:1;)
alert tcp $HOME_NET any -> [138.197.150.104] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235966; rev:1;)
# FAKEUPDATES ip:port indicators, confidence_level 100, destination address and
# port only. Many of the rules below name port 80 or 443: any TCP traffic from
# $HOME_NET to that address and port alerts, so a hit shows contact with the
# address, not the content of the exchange.
# NOTE(review): first_seen is 2024_02_01 on all of them while the file header
# reports a last update of 2024-07-26; corroborate hits with HTTP/TLS logs or
# endpoint telemetry before treating the source host as compromised.
alert tcp $HOME_NET any -> [159.203.48.121] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235968; rev:1;)
alert tcp $HOME_NET any -> [104.248.54.93] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235967; rev:1;)
alert tcp $HOME_NET any -> [159.203.3.76] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235969; rev:1;)
alert tcp $HOME_NET any -> [87.106.251.121] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235970; rev:1;)
alert tcp $HOME_NET any -> [212.227.141.35] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235971; rev:1;)
alert tcp $HOME_NET any -> [45.76.179.15] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235972; rev:1;)
alert tcp $HOME_NET any -> [45.77.45.237] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235973; rev:1;)
alert tcp $HOME_NET any -> [207.148.89.210] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235974; rev:1;)
alert tcp $HOME_NET any -> [190.96.113.171] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235975; rev:1;)
alert tcp $HOME_NET any -> [190.96.113.173] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235976; rev:1;)
alert tcp $HOME_NET any -> [190.96.113.174] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235977; rev:1;)
alert tcp $HOME_NET any -> [190.92.148.174] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235978; rev:1;)
alert tcp $HOME_NET any -> [96.126.101.138] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235980; rev:1;)
alert tcp $HOME_NET any -> [190.92.148.73] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235979; rev:1;)
alert tcp $HOME_NET any -> [218.158.186.176] 18888 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235981; rev:1;)
alert tcp $HOME_NET any -> [222.107.255.119] 18888 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235982; rev:1;)
alert tcp $HOME_NET any -> [13.79.72.214] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235983; rev:1;)
alert tcp $HOME_NET any -> [20.124.237.208] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235984; rev:1;)
alert tcp $HOME_NET any -> [5.11.183.214] 1080 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235985; rev:1;)
alert tcp $HOME_NET any -> [202.158.36.51] 2134 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235988; rev:1;)
alert tcp $HOME_NET any -> [188.59.3.0] 30150 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235986; rev:1;)
alert tcp $HOME_NET any -> [68.178.148.35] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235987; rev:1;)
alert tcp $HOME_NET any -> [45.146.252.6] 2687 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235989; rev:1;)
alert tcp $HOME_NET any -> [202.169.44.105] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235990; rev:1;)
alert tcp $HOME_NET any -> [117.200.78.4] 8080 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235991; rev:1;)
alert tcp $HOME_NET any -> [185.78.165.105] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235992; rev:1;)
# The next two rules carry confidence_level 80 and name other families
# ("Unknown malware", "Get2"); same address-and-port-only matching as above.
alert tcp $HOME_NET any -> [13.208.144.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235995; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.78] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235994; rev:1;)
# HTTP URL indicators (applies to every "alert http" rule in this stretch):
# established client-to-server flow, http.method containing "GET", URI starting
# with the listed path (case-insensitive prefix match, no end anchor) and
# http.host equal to the listed host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sjyey.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"babonwo.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geoasync7/6traffic/asynchttp5multi/3/wordpressimagewordpressprivate/1update/request/4/pollvmlineproton/eternal/phpphp/eternalpythonsecurecpulongpolldefaultlinuxflowergeneratordatalife.php"; depth:188; nocase; http.host; content:"5.35.80.183"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235932; rev:1;)
# ip:port indicators: destination address and port only, one alert per source
# address per 60 seconds. Confidence varies per rule (50, 75 or 100); the
# confidence_level metadata value is what distinguishes them for triage.
alert tcp $HOME_NET any -> [91.92.249.69] 3609 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"harold.jetos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235930; rev:1;)
alert tcp $HOME_NET any -> [139.28.36.84] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235929; rev:1;)
alert tcp $HOME_NET any -> [65.108.24.114] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235928; rev:1;)
# NOTE(review): the path below ends in post.php but the rule only matches
# requests whose method contains "GET"; if the traffic uses POST this will not
# fire -- confirm against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghf3fkdw/post.php"; depth:18; nocase; http.host; content:"81.19.140.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235927; rev:1;)
alert tcp $HOME_NET any -> [47.99.98.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235926; rev:1;)
# NOTE(review): the two QakBot rules are confidence_level 50 and match any TCP
# traffic from $HOME_NET to the address on port 443; expect these to need
# corroboration (TLS metadata, endpoint telemetry) more than the
# confidence_level 100 rules do.
alert tcp $HOME_NET any -> [41.227.202.142] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235925; rev:1;)
alert tcp $HOME_NET any -> [72.27.102.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235924; rev:1;)
alert tcp $HOME_NET any -> [3.142.167.4] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235912; rev:1;)
alert tcp $HOME_NET any -> [3.67.62.142] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235915; rev:1;)
# Domain indicator: the DNS query name must equal the listed name exactly
# (depth plus isdataat:!1,relative), compared case-insensitively; subdomains of
# it do not match. There is no threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzitziklishop3.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mozi.m"; depth:7; nocase; http.host; content:"125.41.0.91"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiund98272sb01jshbq.con-ip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235922; rev:1;) alert tcp $HOME_NET any -> [91.92.254.42] 6548 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235921; rev:1;) alert tcp $HOME_NET any -> [51.81.69.127] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235919; rev:1;) alert tcp $HOME_NET any -> [191.233.28.7] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpdsj3d4m/index.php"; depth:20; nocase; http.host; content:"51.81.69.127"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235917; rev:1;) alert tcp $HOME_NET any -> [81.214.129.138] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235916/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235916; rev:1;) alert tcp $HOME_NET any -> [45.195.76.82] 9966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235914; rev:1;) alert tcp $HOME_NET any -> [3.22.66.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235913/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235913; rev:1;) alert tcp $HOME_NET any -> [3.142.81.166] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235911; rev:1;) alert tcp $HOME_NET any -> [3.19.130.43] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235910; rev:1;) alert tcp $HOME_NET any -> [3.142.167.54] 12738 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235909; rev:1;) alert tcp $HOME_NET any -> [13.58.157.220] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235908; rev:1;) alert tcp $HOME_NET any -> [103.86.131.107] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235907; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atedhilarlymcken.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eriegentsfsepara.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235894/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lacycuratedhila.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"licncesispervicear.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lymckensecuryre.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naightdecipientc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"normaticalacycurat.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nscormationw.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petropicalnorma.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yclearneriegen.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235902; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 11797 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spain-se-lab.eastus.cloudapp.azure.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235888; rev:1;) alert tcp $HOME_NET any -> [20.42.56.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redflagssecurity.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.redflagssecurity.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235886; rev:1;) alert tcp $HOME_NET any -> [141.98.7.15] 1985 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bots.gxz.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235885; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235875/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235875; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235876; rev:1;) alert tcp $HOME_NET any -> [105.96.242.45] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235905/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235905; rev:1;) alert tcp $HOME_NET any -> [103.86.131.69] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235903; rev:1;) alert tcp $HOME_NET any -> [101.34.251.178] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longpolltrack.php"; depth:18; nocase; http.host; content:"718710cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235890; rev:1;) alert tcp $HOME_NET any -> [38.46.13.114] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235884; rev:1;) alert tcp $HOME_NET any -> [102.113.185.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235882; rev:1;) alert tcp $HOME_NET any -> [141.136.44.219] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235881; rev:1;) alert tcp $HOME_NET any -> [98.186.108.222] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235880; rev:1;) alert tcp $HOME_NET any -> [5.75.211.130] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235878; rev:1;) alert tcp $HOME_NET any -> [159.223.64.235] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235877; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235874; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsquery-3.3.1.min.js"; depth:21; nocase; http.host; content:"192.243.102.171"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1235872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235872; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235871; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235870; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.networkspacer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waltonfoods.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.waltonfoods.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.globalusa.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"globalusa.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asb-help-assistance.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkspacer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennahammond.autos"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kennahammond.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kayleycuevas.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kayleycuevas.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.reidkelley.autos"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cademoses.autos"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235855/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.madisonbartlett.autos"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cademoses.autos"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reidkelley.autos"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzwibxun.jimmychunglin.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madisonbartlett.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/doomday.zip"; depth:22; nocase; http.host; content:"5.181.159.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235849; rev:1;) alert tcp $HOME_NET any -> [5.181.159.49] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/91c007b5.php"; depth:13; nocase; http.host; content:"185.185.68.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"209.126.102.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"followcache.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_cache.js"; depth:12; nocase; http.host; content:"followcache.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"152.89.218.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blessingjumarou1ubk01.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blessingjumarou1ubk01.duckdns.org"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235823; rev:1;) alert tcp $HOME_NET any -> [104.243.242.194] 39841 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brodbeckconsulting.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/filmcensurernes.png"; depth:31; nocase; http.host; content:"brodbeckconsulting.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235826/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235826; rev:1;)
# NOTE(review): the http rules in this group put a bare IPv4 address in the
# http.uri buffer, anchored at offset 0 (depth equals the content length), and
# carry no http.host condition. An origin-form request URI starts with "/", so
# these rules presumably never match as written and give no coverage for the
# listed addresses. Other url rules in this feed match an address under
# http.host with isdataat:!1,relative; the IOC entries behind the reference
# URLs would confirm the intended host and path. The sids are generated
# upstream, so a local edit is lost on the next feed update - report it to the
# feed and, until fixed, do not count these sids as detection coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"159.253.214.149"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1235743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.91.45.248"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.79.99.120"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"67.205.139.23"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"183.90.230.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"162.19.24.166"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.210.137.149"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1235749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.82.120.47"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235750; rev:1;)
# Header-only ip:port rule (confidence_level 75): any TCP packet from
# $HOME_NET to this address and port qualifies; limited to one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [3.69.157.220] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235754; rev:1;)
# The bare-address-in-http.uri pattern noted above continues below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.66.9.215"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"128.199.66.118"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1235742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.69.162.32"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.132.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.241.48.106"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.176.58.32"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235738; rev:1;)
alert tcp $HOME_NET any -> [38.180.60.31] 80 (msg:"ThreatFox DarkGate
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235847; rev:1;)
# Domain indicators, confidence_level 75. dns_query with depth equal to the
# content length and isdataat:!1,relative is an exact, case-insensitive match
# on the queried name: subdomains of these names do not alert, and queries the
# sensor cannot parse (for example DNS carried inside an encrypted transport)
# are not covered. At this confidence level a hit is a lead; check the
# referenced IOC entry before blocking on it.
# NOTE(review): dns_query is the older keyword spelling, while the http rules
# in this feed use the dotted sticky-buffer names (http.uri, http.host).
# dns.query is the matching form where the deployed Suricata supports it -
# confirm against the engine version in use.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.d-n-s.name"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235828/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"areekaweb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clickcom.click"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clicko.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ehangmun.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"entraide-internationale.fr"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"line-api.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"miltonhouse.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secure-cama.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"symantke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235837; rev:1;)
# Header-only ip:port rules: no flow or content keywords, so any TCP packet
# from $HOME_NET to the listed address and port qualifies; the threshold
# limits each sid to one alert per source address per 60 seconds.
# NOTE(review): these indicators are point-in-time (first_seen 2024_01_31) and
# an address may since have been reassigned. On a common port such as 443 the
# address alone is weak evidence; corroborate with the IOC entry and host
# telemetry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [206.188.196.44] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235827; rev:1;)
alert tcp $HOME_NET any -> [94.103.87.88] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235821; rev:1;)
alert tcp $HOME_NET any -> [154.53.160.71] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235820; rev:1;)
alert tcp $HOME_NET any -> [34.193.15.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235819; rev:1;)
alert tcp $HOME_NET any -> [3.208.237.246] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235818; rev:1;)
alert tcp $HOME_NET any -> [154.8.138.27] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1235817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235817; rev:1;)
# Domain indicators: exact, case-insensitive match on the queried name (depth
# equals the content length, isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drivevvyze.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaccount.deenpel.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235815; rev:1;)
# Header-only ip:port rules: the only conditions are source in $HOME_NET,
# destination address and destination port, so any TCP packet on that tuple
# qualifies. threshold type limit / track by_src / count 1 / seconds 60 caps
# each sid at one alert per source address per minute.
# NOTE(review): "Unknown malware" in msg means the rule carries no family
# attribution; triage has to start from the reference URL. Addresses are as
# of first_seen 2024_01_31 and may have changed hands since; on ports 80 and
# 443 in particular, confirm with other evidence before acting on a hit.
alert tcp $HOME_NET any -> [47.109.136.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235814; rev:1;)
alert tcp $HOME_NET any -> [211.97.157.183] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235813; rev:1;)
alert tcp $HOME_NET any -> [124.223.56.72] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235812; rev:1;)
alert tcp $HOME_NET any -> [43.138.110.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23.105.197.219.16clouds.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235811; rev:1;)
alert tcp $HOME_NET any -> [123.249.86.77] 8089 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235809; rev:1;)
alert tcp $HOME_NET any -> [51.195.83.136] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235808; rev:1;)
alert tcp $HOME_NET any -> [51.195.83.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235807; rev:1;)
alert tcp $HOME_NET any -> [147.45.40.99] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235806; rev:1;)
alert tcp $HOME_NET any -> [45.93.251.166] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235805; rev:1;)
alert tcp $HOME_NET any -> [81.28.6.17] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235804; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.10] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235803; rev:1;)
alert tcp $HOME_NET any -> [95.181.151.118] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235801; rev:1;)
alert tcp $HOME_NET any -> [69.87.216.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235802; rev:1;)
# The five Venom RAT rules below share one destination address and differ only
# in port. Each sid is thresholded separately, so a host contacting several of
# the ports raises one alert per sid per 60 seconds.
alert tcp $HOME_NET any -> [189.152.202.202] 49152 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235799; rev:1;)
alert tcp $HOME_NET any -> [189.152.202.202] 81 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235800; rev:1;)
alert tcp $HOME_NET any -> [189.152.202.202] 31193 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235798; rev:1;)
alert tcp $HOME_NET any -> [189.152.202.202] 16714 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235797; rev:1;)
alert tcp $HOME_NET any -> [189.152.202.202] 222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235796; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.217] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235795/; target:src_ip; metadata: confidence_level 100, first_seen
2024_01_31; classtype:trojan-activity; sid:91235795; rev:1;)
# Mixed ip:port and domain indicators. The tcp rules are header-only (source
# in $HOME_NET, fixed destination address and port, no flow or content
# keywords) and are limited to one alert per source address per 60 seconds.
# The dns rules are exact, case-insensitive matches on the queried name.
# target:src_ip records the $HOME_NET host as the target of the event.
alert tcp $HOME_NET any -> [79.137.226.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgad.emkd.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235794; rev:1;)
alert tcp $HOME_NET any -> [46.4.80.247] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev1.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nl1.nextpg.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235790; rev:1;)
alert tcp $HOME_NET any -> [188.119.112.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235789; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235788; rev:1;)
alert tcp $HOME_NET any -> [89.148.24.117] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235787; rev:1;)
# The two Sliver rules carry confidence_level 90 and match on address and
# port 443 only; treat a hit as a lead to corroborate, not as confirmation.
alert tcp $HOME_NET any -> [34.32.55.86] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235786/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_31; classtype:trojan-activity; sid:91235786; rev:1;)
alert tcp $HOME_NET any -> [44.219.14.139] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235785/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_31; classtype:trojan-activity; sid:91235785; rev:1;)
alert tcp $HOME_NET any -> [187.135.130.228] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235784; rev:1;)
alert tcp $HOME_NET any -> [187.135.130.228] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235783; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.173] 2295 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235782; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.173] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235781; rev:1;)
# NOTE(review): the Cobalt Strike rules below identify the server by address
# and port only. Several sit on ports 80 and 443, and the indicators date from
# first_seen 2024_01_31, so an address may since serve unrelated content;
# verify against the reference entry before blocking.
alert tcp $HOME_NET any -> [43.128.203.170] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235780; rev:1;)
alert tcp $HOME_NET any -> [47.99.93.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235778; rev:1;)
alert tcp $HOME_NET any -> [136.244.98.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235779; rev:1;)
alert tcp $HOME_NET any -> [154.12.85.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235777; rev:1;)
alert tcp $HOME_NET any -> [124.222.19.248] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235776; rev:1;)
alert tcp $HOME_NET any -> [47.93.98.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"209.lan-za2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baselocal/73updategame/external06temporary/processor/universal/eternalgeomultiasynctestuniversalwptempcdncentral.php"; depth:117; nocase; http.host; content:"77.91.124.159"; depth:13;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235773; rev:1;)
# url indicators: GET on an established client-to-server flow, URI beginning
# with the listed path (depth equals the content length, nocase), Host equal
# to the listed address exactly (depth plus isdataat:!1,relative). The URI is
# a prefix match, so short paths such as "/ptj" or "/load" also match longer
# URIs that start the same way; the Host condition is what keeps these rules
# specific. Only cleartext HTTP visible to the sensor is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235771; rev:1;)
# NOTE(review): sid 91235770 and sid 91235766 (further down) have identical
# match conditions - GET, URI prefix "/introduction/edr", Host 110.40.151.20 -
# so one request raises both alerts. They reference different IOC ids
# (1235770 and 1235766); deduplicate downstream instead of dropping a sid,
# and report the duplicate to the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"110.40.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"217.194.133.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.113.216.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"31.41.244.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"110.40.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"31.41.244.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235764; rev:1;)
# 139.59.238.68 is covered twice: a header-only tcp rule for port 80 and a
# url rule on any port. A matching GET sent to port 80 raises both sids.
alert tcp $HOME_NET any -> [139.59.238.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/v9.32/omdf83jf6h"; depth:21; nocase; http.host; content:"139.59.238.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235762; rev:1;)
# Header-only ip:port rules: any TCP packet from $HOME_NET to the listed
# address and port qualifies; one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [119.161.100.84] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235761; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.109] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235753; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235752; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"css2.officeserver.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235735; rev:1;)
# NOTE(review): the next two rules cover TCP port 53 only. If the indicator
# describes DNS-based C2 carried over UDP - not stated in the rule - UDP
# traffic to the same address is not matched by these sids; confirm the
# transport against the IOC entry and add UDP coverage locally if needed.
alert tcp $HOME_NET any -> [20.170.42.196] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235736; rev:1;)
alert tcp $HOME_NET any -> [8.212.183.173] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.unitedromtech.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235733; rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for the rules below (ThreatFox indicators, first_seen
# 2024_01_31 and 2024_01_30). Three rule shapes appear:
#
#  * ip:port rules ("alert tcp $HOME_NET any -> [ADDR] PORT"): there is no flow
#    or content keyword, so the header match alone decides. Any TCP packet from
#    $HOME_NET to that address and port qualifies, including a connection
#    attempt that never completes. "threshold: type limit, track by_src,
#    seconds 60, count 1" caps output at one alert per source address per
#    60 seconds for each rule.
#  * domain rules ("alert dns"): depth equals the pattern length and
#    "isdataat:!1,relative" requires that nothing follows it, so the query name
#    must equal the pattern (case-insensitively); longer names ending in the
#    same string do not match.
#  * url rules ("alert http"): GET requests only. The http.uri pattern is
#    anchored at the start by depth but has no end anchor, so it is a prefix
#    match (longer paths and query strings also match). The http.host pattern
#    is an exact match, built the same way as in the domain rules.
#    These rules inspect parsed HTTP only; the same request inside TLS is not
#    visible to them unless traffic is decrypted before the sensor.
#
# "target:src_ip" marks the $HOME_NET endpoint as the target in alert output.
# confidence_level and first_seen are carried over from the feed. ip:port
# rules have no payload check, so weigh both values during triage.
# NOTE(review): confirm how long aged ip:port indicators are kept enabled.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [78.46.135.92] 1575 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235732; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.67] 9785 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235731; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.30] 6871 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235730; rev:1;)
# url rules whose Host value is an IP literal: they match only when the client
# sends that literal in the Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"1.13.17.173"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.155.0.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"115.29.171.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235720; rev:1;)
# The Host pattern below names one specific service subdomain; because the
# match is exact, sibling subdomains under the same parent domain do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"service-dlrbbup7-1309697666.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ibmxwork.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.ibmxwork.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.204.135.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235712; rev:1;)
alert tcp $HOME_NET any -> [47.99.54.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235711; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.79] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235710; rev:1;)
alert tcp $HOME_NET any -> [115.243.250.34] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235709; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.22] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235701; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.208] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235708; rev:1;)
# Four rules for the same destination address on ports 8808, 7707, 6606 and
# 8881. Each has its own sid and threshold, so one source contacting several
# of these ports can raise one alert per rule per 60 seconds. Note the mixed
# confidence levels (75, 75, 75, 100).
alert tcp $HOME_NET any -> [172.94.32.33] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235707; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235706; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235705; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235704; rev:1;)
alert tcp $HOME_NET any -> [124.70.140.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsprotectdefaultwpcdn.php"; depth:26; nocase; http.host; content:"193.187.172.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235702; rev:1;)
alert tcp $HOME_NET any -> [5.42.64.45] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235691; rev:1;)
alert tcp $HOME_NET any -> [95.214.52.175] 13735 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235690; rev:1;)
# The next six ip:port rules carry confidence_level 50 and match on address
# and port only (ports 80, 443, 8080, 7443); treat a hit as a lead to
# corroborate with host or proxy evidence rather than as a confirmed infection.
alert tcp $HOME_NET any -> [20.215.193.147] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235700; rev:1;)
alert tcp $HOME_NET any -> [38.6.177.93] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235699; rev:1;)
alert tcp $HOME_NET any -> [34.244.129.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235698; rev:1;)
alert tcp $HOME_NET any -> [185.49.70.105] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235697; rev:1;)
alert tcp $HOME_NET any -> [149.248.21.89] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235696; rev:1;)
alert tcp $HOME_NET any -> [5.188.86.214] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235695; rev:1;)
# URI pattern is "/" with depth:1, which every request path satisfies, so this
# rule in effect keys on the Host value alone. It has no threshold keyword and
# fires on every matching GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235694; rev:1;)
alert tcp $HOME_NET any -> [217.194.133.68] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235693; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.173] 2067 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235692; rev:1;)
# first_seen changes to 2024_01_30 from here on.
# The same name appears in a domain rule and in a url rule (URI "/" again, so
# host-only in effect). A client that resolves the name and then requests it
# over cleartext HTTP raises both sids; correlate them as one event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfreshbnrem.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mfreshbnrem.ddns.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235679; rev:1;)
alert tcp $HOME_NET any -> [192.177.111.126] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235680; rev:1;)
alert tcp $HOME_NET any -> [89.213.142.199] 28189 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235689; rev:1;)
alert tcp $HOME_NET any -> [45.137.148.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235688; rev:1;)
alert tcp $HOME_NET any -> [86.190.166.133] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235687; rev:1;)
alert tcp $HOME_NET any -> [72.27.36.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235686; rev:1;)
alert tcp $HOME_NET any -> [189.140.22.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235685; rev:1;)
alert tcp $HOME_NET any -> [62.15.128.250] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235684; rev:1;)
alert tcp $HOME_NET any -> [154.247.28.232] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235683; rev:1;)
# This address on port 80 is also the Host value of url rule sid:91235673
# further down; an HTTP request matching that rule also satisfies this one.
alert tcp $HOME_NET any -> [5.42.64.4] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235682; rev:1;)
# Payload-delivery rule on a general-purpose hosting domain: the Host value
# alone would be far too broad, so specificity comes entirely from the URI
# prefix. NOTE(review): this host is presumably reached over HTTPS in practice;
# confirm the sensor sees such requests in cleartext before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updategovua/upd/downloads/words.exe"; depth:36; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235681; rev:1;)
alert tcp $HOME_NET any -> [65.21.212.85] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235677; rev:1;)
alert tcp $HOME_NET any -> [3.67.112.102] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235675; rev:1;)
alert tcp $HOME_NET any -> [138.124.183.37] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235676; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpdsj3d4m/index.php"; depth:20; nocase; http.host; content:"5.42.64.4"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235673; rev:1;)
# Nine url rules sharing the URI prefix "/api" on different .shop hosts. "/api"
# is a prefix match (e.g. "/api", "/api/..." and "/apiX" all qualify), so the
# exact Host match is what makes each rule specific. They match GET only; a
# request using another method to the same host and path is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nationalistvetecanve.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gemcreedarticulateod.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"secretionsuitcasenioise.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilityarrangemenyit.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimconcessionrebe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modestessayevenmilwek.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"triangleseasonbenchwj.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"culturesketchfinanciall.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofahuntingslidedine.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235664; rev:1;)
alert tcp $HOME_NET any -> [3.64.4.198] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235663; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235662; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235661; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235660; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235659; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235658; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235657/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235560; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; 
content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235586/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235597; rev:1;) alert tcp $HOME_NET any -> [210.61.91.39] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
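confidence level: 100%)"; dns_query; content:"klosherskymoneyd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235604; rev:1;)
# sid 91235605 (corrected). The published rule placed the hostname in the http.uri
# buffer. http.uri holds the request path, which begins with "/" on ordinary
# origin-form requests, so a pattern anchored at the start of that buffer by depth:20
# could not match "klosherskymoneyd.com" and the rule stayed silent.
# The hostname is now matched in http.host as an exact value (depth equal to the
# pattern length plus isdataat:!1,relative), the form the other url rules in this
# file use. nocase is dropped, as on those rules' http.host matches.
# The rule carries no path, so any GET to this host alerts. sid and rev are left as
# published; this is a local change that a feed refresh will overwrite.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"klosherskymoneyd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235605; rev:1;)
# url signatures: GET request, URI anchored at the start of http.uri (depth equals the
# path length, case-insensitive), Host header matched exactly.
# depth on http.uri bounds only the start of the buffer, so a longer URI with the same
# prefix (for example an added query string) still matches.
# The same host and path pairs also appear under other sids in this file; one request
# can therefore raise more than one alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235555; rev:1;)
# domain signatures: the queried name must equal the listed name exactly. depth equals
# the pattern length and isdataat:!1,relative requires that nothing follows the match.
# The "spartabig.com" rule therefore does not cover subdomains; moon, ok, sell and
# count each have their own rule. Any other subdomain passes unmatched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moon.spartabig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ok.spartabig.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sell.spartabig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"count.spartabig.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spartabig.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndbplus.rs"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m5.jpg"; depth:7; nocase; http.host; content:"ndbplus.rs"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235549; rev:1;)
# sids 91235547 and 91235546 have identical match conditions and differ only in sid
# and reference, so a single matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugzx.exe"; depth:23; nocase; http.host; content:"nab.blueyonderllc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugzx.exe"; depth:23; nocase; http.host; content:"nab.blueyonderllc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nab.blueyonderllc.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235545; rev:1;)
# ip:port signature: matches on destination address and port only, limited to one
# alert per source address per 60 seconds. Confidence is 75% for this entry.
alert tcp $HOME_NET any -> [147.185.221.17] 53003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; 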
sid:91235543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bit-number.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235526; rev:1;) alert tcp $HOME_NET any -> [192.243.102.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235655; rev:1;) alert tcp $HOME_NET any -> [34.125.227.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235654/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235654; rev:1;) alert tcp $HOME_NET any -> [3.80.84.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235653; rev:1;) alert tcp $HOME_NET any -> [52.21.211.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235652; rev:1;) alert tcp $HOME_NET any -> [8.137.54.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235651; rev:1;) alert tcp $HOME_NET any -> [43.136.58.193] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235650; rev:1;) alert tcp $HOME_NET any -> [154.223.17.208] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"node115.5-systems.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235648; rev:1;) alert tcp $HOME_NET any -> [134.255.252.185] 3000 (msg:"ThreatFox Bahamut botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235647; rev:1;) alert tcp $HOME_NET any -> [54.249.71.250] 18082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235646; rev:1;) alert tcp $HOME_NET any -> [82.115.19.151] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235645; rev:1;) alert tcp $HOME_NET any -> [85.209.176.113] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235644; rev:1;) alert tcp $HOME_NET any -> [85.209.176.184] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235643; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235642; rev:1;) alert tcp $HOME_NET any -> [50.118.225.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235641; rev:1;) alert tcp $HOME_NET any -> [181.162.169.153] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235640; rev:1;) alert tcp $HOME_NET any -> [191.82.204.88] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235639; rev:1;) alert tcp $HOME_NET any -> [185.172.128.103] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin.fvds.ru"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramzanlee.fvds.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asp.keyshape.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235636; rev:1;) alert tcp $HOME_NET any -> [5.42.67.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235634; rev:1;) alert tcp $HOME_NET any -> [185.172.128.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235632; rev:1;) alert tcp $HOME_NET any -> [212.109.195.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235633; rev:1;) alert tcp 
$HOME_NET any -> [64.227.124.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235631; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 1995 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235630; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235629; rev:1;) alert tcp $HOME_NET any -> [94.156.67.155] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235628; rev:1;) alert tcp $HOME_NET any -> [186.112.205.208] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235627; rev:1;) alert tcp $HOME_NET any -> [3.19.71.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235626/; 
target:src_ip; metadata: confidence_level 90, first_seen 2024_01_30; classtype:trojan-activity; sid:91235626; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235624; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235625; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235623; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235622; rev:1;) alert tcp $HOME_NET any -> [39.106.2.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235621; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235620; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235619; rev:1;) alert tcp $HOME_NET any -> [172.245.34.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235618; rev:1;) alert tcp $HOME_NET any -> [107.189.14.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235616; rev:1;) alert tcp $HOME_NET any -> [199.127.63.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235617; rev:1;) alert tcp $HOME_NET any -> [124.223.201.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235615; rev:1;) alert tcp $HOME_NET any -> [158.247.238.238] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235614; rev:1;) alert tcp $HOME_NET any -> [82.157.71.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235612; rev:1;) alert tcp $HOME_NET any -> [106.54.63.106] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235613; rev:1;) alert tcp $HOME_NET any -> [8.222.165.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235611; rev:1;) alert tcp $HOME_NET any -> [8.136.4.15] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/1450/ladyisbeautiful.vbs"; depth:25; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1450/irs.txt"; depth:13; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drd/microsoftupdationgoingformicrosoftofficeupgradingtonewmsofficeprotoecoltoreducethesys.doc"; depth:94; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allsmt.cam"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235606; rev:1;) alert tcp $HOME_NET any -> [103.86.130.54] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; 
sid:91235603; rev:1;)
# ThreatFox url IOCs (sid 91235542, 91235541, 91235540, 91235539).
# Match shape shared by these rules:
#   - http.method must contain "GET".
#   - http.uri is a case-insensitive PREFIX match: depth equals the pattern
#     length and nothing anchors the end, so "/ca" also matches a longer URI
#     such as "/cart" (constructed example) on the same host.
#   - http.host is an exact match: depth equals the pattern length and
#     isdataat:!1,relative requires that no byte follows it.
# With paths as short as "/ca" and "/cx", the specificity of each rule rests
# almost entirely on the host value; triage on the host or IP, not the path.
# None of these rules carries a threshold keyword, so every matching request
# raises an alert.
# NOTE(review): `alert http` only sees traffic Suricata parses as HTTP. The same
# hosts reached over TLS are not covered here unless traffic is decrypted
# upstream - confirm against your sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.223.220.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"dctrvi.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.115.212.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"81.70.0.37"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.106.26.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.104.232.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.92.246.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235534/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.57.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"117.72.13.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"204.44.94.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/interpret/today/vzardxorlr"; depth:27; nocase; http.host; content:"111.230.103.176"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235528; rev:1;) alert tcp $HOME_NET any -> [49.7.197.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235525; rev:1;) alert tcp $HOME_NET any -> [1.15.247.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235524; rev:1;) alert tcp $HOME_NET any -> [47.92.199.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235523; rev:1;) alert tcp $HOME_NET any -> [186.169.71.216] 5552 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryapi.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235521; rev:1;) alert tcp $HOME_NET any -> [103.86.130.76] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235522/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235522; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.t0nger.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235518; rev:1;) alert tcp $HOME_NET any -> [119.45.62.15] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235517/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_30; classtype:trojan-activity; sid:91235517; rev:1;)
# ThreatFox domain IOCs (sid 91235516, 91235515, 91235514).
# dns_query is matched exactly and case-insensitively: depth equals the pattern
# length and isdataat:!1,relative requires that nothing follows it. A query for
# a name underneath one of these hosts (any extra label in front) therefore
# does NOT match; only a lookup of the listed name itself alerts.
# These dns rules have no threshold keyword, so each matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235514; rev:1;)
# ThreatFox ip:port IOCs (sid 91235513, 91235512), destination port 53.
# The rule header is `alert tcp`, so only TCP traffic to <ip>:53 matches; UDP
# traffic to port 53 on the same address is outside this header.
# There is no flow or content keyword: any TCP packet from $HOME_NET to the
# listed ip:port matches, and the threshold limits output to one alert per
# source address per 60 seconds.
# NOTE(review): if the listed endpoint is a DNS listener, UDP/53 coverage has to
# come from a separate rule or from DNS logging - confirm against the ThreatFox
# entry before relying on these two rules alone.
alert tcp $HOME_NET any -> [150.158.34.235] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235513; rev:1;)
alert tcp $HOME_NET any -> [81.19.136.234] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 100%)"; dns_query; content:"dns.atchesonprint.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235511; rev:1;) alert tcp $HOME_NET any -> [114.115.210.125] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c1.tqrjfru.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiummgl.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumkls.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235501; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumtch.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumlg.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumsmg.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"94.156.68.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235496; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235493; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235492; rev:1;) alert tcp $HOME_NET any -> [149.210.96.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235508; rev:1;) alert tcp $HOME_NET any -> [94.102.148.42] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"f0912091.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/temporal/yv3bjpo5btv9"; depth:32; nocase; http.host; content:"103.50.206.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235504; rev:1;) alert tcp $HOME_NET any -> [103.50.206.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/temporal/yv3bjpo5btv9"; depth:32; nocase; http.host; content:"cloudflairly.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235503; rev:1;) alert tcp $HOME_NET any -> [103.86.130.50] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235495; rev:1;) alert tcp $HOME_NET any -> [103.72.97.236] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsqlwindows.php"; depth:18; nocase; http.host; content:"562173cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235491; rev:1;) alert tcp $HOME_NET any -> [3.6.40.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235490; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235489; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235488; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235487; rev:1;)
# Payload-delivery URL rules for one host. sids 91235478 through 91235483 have identical match options
# (GET, URI starting with "/", Host exactly ccaue6.leadershiplink.my.id) and differ only in reference and sid.
# content:"/"; depth:1 is satisfied by any URI that begins with "/", so these are effectively host-only
# matches, and with no threshold option a single matching request raises six alerts.
# NOTE(review): the six ThreatFox entries presumably differed in a part of the URL that is not carried
# into the rule - confirm on the referenced IOC pages, and de-duplicate on the Host value during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235483; rev:1;)
# 37.27.26.28 appears twice: as an exact Host value for any GET (sid 91235486) and as an ip:port rule on 443
# (sid 91235485). The tcp rule has no flow or content option, so any packet to that address and port
# matches; its threshold allows one alert per source address per 60 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.26.28"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235486; rev:1;)
alert tcp $HOME_NET any -> [37.27.26.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235485; rev:1;)
alert tcp $HOME_NET any -> [103.69.194.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235484/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235484; rev:1;)
# URL rules: GET requests from $HOME_NET whose URI starts with the listed path (prefix match, nocase) and
# whose Host value equals the listed name exactly (depth plus isdataat:!1,relative).
# NOTE(review): the Host of sid 91235477 looks like a per-tenant hostname on a cloud API gateway; the
# exact-host match keeps the rule from firing on other names under the same parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235477; rev:1;)
# The URI pattern "/cm" is a three-byte prefix, so any path on this host that begins with /cm matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.100.170.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235476; rev:1;)
# ip:port rules: no flow or content option, so any TCP packet to the address and port matches; the
# threshold option allows one alert per source address per 60 seconds for each rule.
alert tcp $HOME_NET any -> [110.43.68.243] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235475; rev:1;)
# The next four rules carry confidence_level 50, the lowest value in this part of the file. They still use
# classtype trojan-activity like the 100% rules, so the metadata field is the only machine-readable way
# to rank them lower.
alert tcp $HOME_NET any -> [62.204.41.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235474; rev:1;)
alert tcp $HOME_NET any -> [2.87.13.117] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235473; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235472; rev:1;)
alert tcp $HOME_NET any -> [143.110.192.8] 44387 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235471; rev:1;)
# Cobalt Strike entries at confidence_level 100; 39.105.51.11 is listed on two ports, one rule per port.
alert tcp $HOME_NET any -> [61.19.254.6] 2024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235384; rev:1;)
alert tcp $HOME_NET any -> [39.105.51.11] 28101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235385; rev:1;)
alert tcp $HOME_NET any -> [39.105.51.11] 28104 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235386; rev:1;)
alert tcp $HOME_NET any -> [186.169.37.61] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235391; rev:1;)
# ip:port rules: no flow or content option, so any TCP packet from $HOME_NET to the address and port
# matches; threshold allows one alert per source address per 60 seconds for each rule.
alert tcp $HOME_NET any -> [18.197.239.5] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235399; rev:1;)
alert tcp $HOME_NET any -> [195.144.21.204] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235406; rev:1;)
# URL rules: the Host value must equal the listed name exactly, which is why howamerica.com,
# honors.howamerica.com and mkng.honors.howamerica.com each have their own rule; a subdomain that is not
# listed is not covered by its parent's rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"mkng.honors.howamerica.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235409; rev:1;)
# sids 91235388 and 91235387 have identical match options, so one matching download request raises two
# alerts; the DNS rule sid 91235389 covers the lookup of the same name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psil0n.fr"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psil0n.fr"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235387; rev:1;)
# DNS rules: dns_query (the legacy spelling of dns.query) selects the queried name; depth plus
# isdataat:!1,relative make the match exact, and nocase makes it case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3psil0n.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235389; rev:1;)
# content:"/"; depth:1 is satisfied by any URI beginning with "/", so the next two rules match any GET to
# the listed Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.236.246.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"howamerica.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235373; rev:1;)
# On honors.howamerica.com the "/" rule (sid 91235371) already matches every request that the
# "/editcontent" rule (sid 91235372) matches, so a GET for /editcontent raises both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"honors.howamerica.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"honors.howamerica.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235371; rev:1;)
alert tcp $HOME_NET any -> [45.15.156.201] 10208 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235358; rev:1;)
# NOTE(review): the name in sid 91235357 and the addresses around it look like endpoints of a public
# tunnelling service, where the same address serves unrelated users on other ports and the port mapping
# changes over time - confirm the indicator is still current before acting on a hit.
alert tcp $HOME_NET any -> [147.185.221.18] 15309 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"people-primarily.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235357; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.classicstandupcomedylive.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235329; rev:1;)
# DNS rules: dns_query (the legacy spelling of dns.query) selects the queried name. depth equal to the
# pattern length plus isdataat:!1,relative makes the match exact, and nocase makes it case-insensitive.
# Because the match is exact, the www. form and the bare domain need separate rules (see louangelwolf.com
# below); a name that is listed in only one form, such as whyzup.com, is not matched in any other form.
# These rules alert on the lookup itself, whether or not a connection follows.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.classicstandupcomedy.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyzup.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.louangelwolf.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"louangelwolf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235333; rev:1;)
# ip:port rules: no flow or content option, so any TCP packet from $HOME_NET to the address and port
# matches; threshold allows one alert per source address per 60 seconds for each rule.
alert tcp $HOME_NET any -> [64.225.12.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235334; rev:1;)
alert tcp $HOME_NET any -> [192.252.183.121] 8524 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235335; rev:1;)
# URL rule: URI prefix /editcontent (nocase) on an exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"clbh.honors.howamerica.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235340; rev:1;)
# 187.135.84.89 is listed on several ports, one rule per port. The threshold is kept per rule, so a host
# that contacts several of these ports is reported once per rule, not once overall.
alert tcp $HOME_NET any -> [187.135.84.89] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235470; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235469; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 1935 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235468/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_01_30; classtype:trojan-activity; sid:91235468; rev:1;)
# ip:port rules: each matches any TCP packet from $HOME_NET to the listed address and port (there is no
# flow or content option), and threshold allows one alert per source address per 60 seconds for each rule.
# 65.109.90.47 appears twice in this group with different confidence: 50 on port 8081 (sid 91235467) and
# 100 on port 50500 (sid 91235460); rank hits by the metadata confidence_level, not by the address.
alert tcp $HOME_NET any -> [65.109.90.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235467; rev:1;)
# 187.135.84.89 is listed once per port; the threshold is kept per rule, so contact with several of
# these ports yields one alert per rule.
alert tcp $HOME_NET any -> [187.135.84.89] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235466/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235466; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235465/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235465; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235464; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.57] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235463; rev:1;)
alert tcp $HOME_NET any -> [188.241.240.187] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235462; rev:1;)
# A rule on port 80 with no HTTP-layer condition reports any connection to that address on that port.
alert tcp $HOME_NET any -> [110.40.151.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235461; rev:1;)
alert tcp $HOME_NET any -> [65.109.90.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235460; rev:1;)
# DNS rule: exact, case-insensitive match on the queried name (dns_query buffer, depth equal to the
# pattern length, isdataat:!1,relative).
# NOTE(review): the name looks like a host record under a dynamic-DNS style parent domain; only this one
# label is matched, so other names under the same parent do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn752656009.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235459; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.31] 80 (msg:"ThreatFox GhostLocker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235458; rev:1;)
alert tcp $HOME_NET any -> [190.135.185.214] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235457; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.249] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235456; rev:1;)
# "Unknown malware" in msg means the rule text names no family; the alert alone says only that the
# address and port were reported, so the referenced IOC page is the place to look for context.
alert tcp $HOME_NET any -> [18.198.146.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235455; rev:1;)
alert tcp $HOME_NET any -> [47.100.210.152] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235454; rev:1;)
alert tcp $HOME_NET any -> [45.155.124.147] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235453; rev:1;)
alert tcp $HOME_NET any -> [35.184.204.195] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235452; rev:1;)
alert tcp $HOME_NET any -> [138.68.72.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235451; rev:1;)
# ip:port rules: each matches any TCP packet from $HOME_NET to the listed address and port (no flow or
# content option), limited by threshold to one alert per source address per 60 seconds for each rule.
# msg names no family for most of this group ("Unknown malware"), so the referenced IOC page is the only
# context for a hit. 64.23.184.213 is listed on two ports, one rule per port.
alert tcp $HOME_NET any -> [64.23.184.213] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235450; rev:1;)
alert tcp $HOME_NET any -> [64.23.184.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235449; rev:1;)
# Four different addresses on the same destination port 60000.
alert tcp $HOME_NET any -> [47.76.34.199] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235448; rev:1;)
alert tcp $HOME_NET any -> [120.46.45.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235447; rev:1;)
alert tcp $HOME_NET any -> [120.25.226.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235446; rev:1;)
alert tcp $HOME_NET any -> [122.10.68.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235445; rev:1;)
alert tcp $HOME_NET any -> [2.58.113.172] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235444; rev:1;)
# Rules on port 80 carry no HTTP-layer condition, so any connection to the address on that port is reported.
alert tcp $HOME_NET any -> [5.182.86.194] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235443; rev:1;)
alert tcp $HOME_NET any -> [194.36.88.211] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235442; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.205] 6969 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekfb.site"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235440/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235440; rev:1;)
# ip:port rules: each matches any TCP packet from $HOME_NET to the listed address and port (no flow or
# content option), limited by threshold to one alert per source address per 60 seconds for each rule.
# The port 80 entries have no HTTP-layer condition, so a hit says only that the address was contacted.
alert tcp $HOME_NET any -> [91.92.253.160] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235439; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.217] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235438; rev:1;)
alert tcp $HOME_NET any -> [185.93.69.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235437; rev:1;)
alert tcp $HOME_NET any -> [3.140.197.75] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235436; rev:1;)
alert tcp $HOME_NET any -> [45.61.137.134] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235435; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.147] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235434; rev:1;)
alert tcp $HOME_NET any -> [150.138.77.39] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235433; rev:1;)
# 187.135.84.89 is listed once per port (six DarkComet rules here). The threshold is kept per rule, so a
# host that contacts several of these ports produces one alert per rule; correlate on the destination
# address when triaging.
alert tcp $HOME_NET any -> [187.135.84.89] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235432; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235431; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235429; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235430; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235428; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.89] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235427; rev:1;)
# Cobalt Strike entries. Those on port 443 match the address and port only; nothing in the rule inspects
# the TLS session, so the alert does not distinguish the reported service from other traffic to that address.
alert tcp $HOME_NET any -> [52.146.1.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235426; rev:1;)
alert tcp $HOME_NET any -> [123.60.57.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235425; rev:1;)
alert tcp $HOME_NET any -> [20.62.251.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235423; rev:1;)
alert tcp $HOME_NET any -> [124.221.47.36] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235424; rev:1;) alert tcp $HOME_NET any -> [117.72.42.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235422; rev:1;) alert tcp $HOME_NET any -> [123.249.114.61] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235421; rev:1;) alert tcp $HOME_NET any -> [188.213.198.232] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235420; rev:1;) alert tcp $HOME_NET any -> [45.144.232.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235419; rev:1;) alert tcp $HOME_NET any -> [45.144.232.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235418; rev:1;) alert tcp $HOME_NET any -> [5.42.64.32] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1poll/3external/50provider0/windows/windowslongpoll/0externaljavascriptjs/phpphp/0async7/61gamevoiddb/tolongpollwindowsprivate.php"; depth:131; nocase; http.host; content:"185.244.51.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0912235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235408; rev:1;) alert tcp $HOME_NET any -> [47.113.216.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235407; rev:1;) alert tcp $HOME_NET any -> [94.102.155.46] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235405/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235405; rev:1;) alert tcp $HOME_NET any -> [110.40.151.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235404; rev:1;) alert tcp $HOME_NET any -> [94.49.176.147] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235403; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235402; rev:1;) alert tcp $HOME_NET any -> [47.92.231.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235401; rev:1;) alert tcp $HOME_NET any -> [182.61.25.107] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235398; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235397; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235396; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235395; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235394; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235393; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235392; rev:1;) alert tcp $HOME_NET any -> [65.21.176.122] 11263 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235390; rev:1;) alert tcp $HOME_NET any -> [86.126.216.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235370; rev:1;) alert tcp $HOME_NET any -> [31.117.0.33] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235369; rev:1;) alert tcp $HOME_NET any -> [154.246.153.209] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235368; rev:1;) alert tcp $HOME_NET any -> [47.17.109.197] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235366; rev:1;) alert tcp $HOME_NET any -> [145.82.146.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235365/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235365; rev:1;) alert tcp $HOME_NET any -> [185.113.8.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235364; rev:1;) alert tcp $HOME_NET any -> [2.49.56.253] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235362; rev:1;) alert tcp $HOME_NET any -> [38.242.209.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callii.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235359; rev:1;) alert tcp $HOME_NET any -> [34.88.85.211] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235354/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/api"; depth:4; nocase; http.host; content:"negliganceassumeruew.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama.exe"; depth:8; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cp.exe"; depth:7; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ma.exe"; depth:7; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"braidfadefriendklypk.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235348/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"acquisitionfinancej.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cooperatecliqueobstac.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"racerecessionrestrai.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carvewomanflavourwop.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235344; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vesselspeedcrosswakew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"retainfactorypunishjkw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationinchoicer.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickabsorptiondullyi.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235341; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235339; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235338; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235337; rev:1;) alert tcp $HOME_NET any -> [103.86.130.51] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.currencyandsecurity.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currencyandsecurity.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235319; rev:1;) alert 
tcp $HOME_NET any -> [5.181.159.27] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-172-234-147.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235317; rev:1;) alert tcp $HOME_NET any -> [167.172.234.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235320; rev:1;) alert tcp $HOME_NET any -> [64.237.213.102] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235316; rev:1;) alert tcp $HOME_NET any -> [45.137.116.2] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235314; rev:1;) alert tcp $HOME_NET any -> [85.209.11.168] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235315; rev:1;) alert tcp $HOME_NET any -> [2.58.14.224] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235313; rev:1;) alert tcp $HOME_NET any -> [45.156.84.190] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/securepacketgamedbtrack.php"; depth:38; nocase; http.host; content:"46.174.52.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235311; rev:1;) alert tcp $HOME_NET any -> [85.102.165.243] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235309; rev:1;) alert tcp $HOME_NET any -> [197.204.3.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235308/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235308; rev:1;) alert tcp $HOME_NET any -> [216.238.83.84] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235307; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4445 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235306; rev:1;) alert tcp $HOME_NET any -> [23.20.6.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235305; rev:1;) alert tcp $HOME_NET any -> [101.34.47.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235304; rev:1;) alert tcp $HOME_NET any -> [20.174.1.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235303; rev:1;) alert tcp $HOME_NET any -> [163.172.150.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235302; rev:1;) alert tcp $HOME_NET any -> [13.247.14.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235301; rev:1;) alert tcp $HOME_NET any -> [122.10.12.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235300; rev:1;) alert tcp $HOME_NET any -> [101.42.149.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235299; rev:1;) alert tcp $HOME_NET any -> [43.139.195.144] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235298; rev:1;) alert tcp $HOME_NET any -> [175.178.116.26] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; 
sid:91235297; rev:1;) alert tcp $HOME_NET any -> [47.107.44.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235296; rev:1;) alert tcp $HOME_NET any -> [20.240.201.149] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235295; rev:1;) alert tcp $HOME_NET any -> [161.97.102.40] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235294; rev:1;) alert tcp $HOME_NET any -> [49.157.28.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235293; rev:1;) alert tcp $HOME_NET any -> [52.81.76.168] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235292; rev:1;) alert tcp $HOME_NET any -> [165.227.213.147] 7552 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235291; rev:1;) alert tcp $HOME_NET any -> [64.227.124.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235290; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 13832 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235289; rev:1;) alert tcp $HOME_NET any -> [94.23.89.139] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235288/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_29; classtype:trojan-activity; sid:91235288; rev:1;) alert tcp $HOME_NET any -> [109.117.91.172] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235287; rev:1;) alert tcp $HOME_NET any -> [141.164.34.159] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235285; rev:1;) alert tcp $HOME_NET any -> [8.130.101.106] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235286; rev:1;) alert tcp $HOME_NET any -> [64.227.174.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235284; rev:1;) alert tcp $HOME_NET any -> [1.12.254.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235283; rev:1;) alert tcp $HOME_NET any -> [91.92.243.186] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235282; rev:1;) alert tcp $HOME_NET any -> [8.134.165.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235280; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235281/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235281; rev:1;)
# Cobalt Strike IP:port indicators: destination address and port are the only match
# criteria; the threshold gives one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [172.105.8.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235279; rev:1;)
alert tcp $HOME_NET any -> [8.140.254.212] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235278; rev:1;)
alert tcp $HOME_NET any -> [142.171.233.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235277; rev:1;)
alert tcp $HOME_NET any -> [47.108.145.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235276; rev:1;)
# NOTE(review): unlike the other url rules in this file, this one matches the domain name in
# http.uri (anchored at offset 0 by depth:26) and has no http.host condition. A request URI
# normally starts with "/", so the rule may never fire as written - presumably the indicator
# had no path component; confirm against the referenced entry. The same name is covered by
# the dns rule sid:91235273.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"stachmentsuprimeresult.com"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1235274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0910130.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235275; rev:1;)
# Domain indicators: dns_query content with depth equal to its length plus
# isdataat:!1,relative is a case-insensitive exact match on the queried name, so
# subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euunclaimedpymt.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235272; rev:1;)
# URL indicator: GET request, http.uri is a case-insensitive prefix match (depth, no end
# anchor), http.host is an exact match. Only cleartext or decrypted HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ap.php"; depth:7; nocase; http.host; content:"euunclaimedpymt.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stachmentsuprimeresult.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235273; rev:1;)
# Feed confidence is only 50% and the rule matches on address and port alone; treat a hit
# as a lead to corroborate with other telemetry rather than as a confirmed infection.
alert tcp $HOME_NET any -> [193.222.96.70] 59646 (msg:"ThreatFox WpBruteBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235270; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ripnoticebook.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235267; rev:1;)
# Payload-delivery URL indicators. The rules match the client request only
# (flow:established,from_client plus request buffers): a hit shows that an internal host
# asked for the URL, not that a payload was returned - check the response and file logs.
# http.uri is a prefix match (depth, no end anchor); http.host is an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"ripnoticebook.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"ghostcitygames.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235269; rev:1;)
# IP:port indicator: address and port are the only match criteria; one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [193.233.132.37] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/6cdvjjmfdowmbvw+3hrdrpttcvzkhu38mkim5i1ebnocvddqmkgb+i1vheoabuoujvud45ofvb3ebr2u0gug6p5ff/6dxxzmku4y+pgfeg=="; depth:109; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235263; rev:1;)
# Payload-delivery URLs on miner.eastestsite.com. The URI patterns are stored lower-case
# and matched with nocase. NOTE(review): the paths look base64-like, so the original
# strings were presumably case-sensitive - take the exact value from the referenced entry
# when searching proxy logs instead of copying it from the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uuo0fipov381aa4kz3kynci+uwzzcbzmiy9xfjqpx0k7owtwiyvayjq4rnkjabg0ndhgesnodir9aey0a2hydccyrxezov1nmyvyncw="; depth:105; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpmkpnw76c3ku7cwmkqmht3t79smo6jfwpjm3dt81cleu6ag3luwhsf9+n3w/f7hx/tlysfz8ntf+u2g0w=="; depth:85; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235265; rev:1;)
# The dns rule matches the same host name exactly; it also fires when the later HTTP
# exchange is encrypted and therefore not visible to the http rules above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miner.eastestsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235262; rev:1;)
alert tcp $HOME_NET any -> [91.109.178.5] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235261; rev:1;)
# IP:port indicators with mixed feed confidence (75% for the NjRAT entries, 100% for the
# others). Address and port are the only match criteria, so the confidence_level metadata
# is the main input for deciding how much weight a hit deserves.
alert tcp $HOME_NET any -> [3.22.30.40] 14868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235245; rev:1;)
# Port 443: the rule matches any TCP packet to this address; it does not inspect the TLS
# session, so it cannot tell which site on the address was contacted.
alert tcp $HOME_NET any -> [193.106.175.40] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235242; rev:1;)
alert tcp $HOME_NET any -> [3.17.7.232] 14868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235244; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235260; rev:1;)
# http.uri content "/" with depth:1 matches every request path, so this rule is in effect
# host-only: any cleartext GET whose Host value is exactly 65.109.242.38 alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235258/; target:src_ip; metadata: confidence_level 100, first_seen
2024_01_29; classtype:trojan-activity; sid:91235258; rev:1;)
# IP:port indicator: address and port are the only match criteria; one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [116.202.4.242] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235259; rev:1;)
# http.uri content "/" with depth:1 matches every request path, so this rule is in effect
# host-only: any cleartext GET whose Host value is exactly 116.202.4.242 alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235257; rev:1;)
# The next two indicators are single paths on shared third-party services (t.me and
# steamcommunity.com). The rules key on the specific path prefix, not on the service, so
# they are not a reason to block the whole domain.
# NOTE(review): these are "alert http" rules and only see cleartext or decrypted requests;
# both services are normally reached over HTTPS, so confirm TLS inspection covers them,
# otherwise these rules are unlikely to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tvrugrats"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199627279110"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235256; rev:1;)
alert tcp $HOME_NET any -> [91.109.176.7] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1235254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235254; rev:1;)
# URL indicators whose host is an IP literal: http.host must equal the address exactly, so
# these fire only when the client sends the bare IP as the Host value. http.uri is a
# case-insensitive prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235253; rev:1;)
# 124.223.52.82 and 81.68.210.91 each appear in an ip:port rule and in a url rule, so one
# HTTP request to port 80 can raise two alerts (different sids) for the same connection.
alert tcp $HOME_NET any -> [124.223.52.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235252; rev:1;)
# The path is a common library file name; the http.host condition is what makes the rule
# specific, so the path alone is not a useful hunt term.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"124.223.52.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235251; rev:1;)
alert tcp $HOME_NET any -> [81.68.210.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase;
http.host; content:"81.68.210.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235249; rev:1;)
# URL indicator: GET request, case-insensitive URI prefix, exact Host value (an IP literal).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linejsrequestdbdle.php"; depth:23; nocase; http.host; content:"194.36.209.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235248; rev:1;)
# IP:port indicators at 80% feed confidence. Address and port are the only match criteria
# and the threshold gives one alert per source address per 60 seconds; corroborate a hit
# with host or proxy telemetry before escalating.
alert tcp $HOME_NET any -> [164.92.187.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235247; rev:1;)
alert tcp $HOME_NET any -> [41.111.218.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235246; rev:1;)
alert tcp $HOME_NET any -> [47.92.246.30] 880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235243/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235243; rev:1;)
# The msg names the family as "Unknown malware": the feed did not attribute this endpoint,
# so the alert text gives no hint about what to look for on the host.
alert tcp $HOME_NET any -> [3.77.102.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1235241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235241; rev:1;)
# IP:port indicator at 80% feed confidence; address and port are the only match criteria.
# NOTE(review): 50050 is the default Cobalt Strike team-server management port rather than
# a typical beacon listener port, so the entry presumably comes from server discovery -
# confirm in the referenced entry; a connection from an internal host would be unusual.
alert tcp $HOME_NET any -> [123.249.114.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235240; rev:1;)
# URL indicators: GET request, case-insensitive URI prefix (depth, no end anchor), exact
# Host value. The url rules carry no threshold, so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da341/index.php"; depth:16; nocase; http.host; content:"damel.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.155.0.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235238; rev:1;)
# "/pixel.gif" is a common benign file name; the exact http.host condition carries the
# specificity of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"20.2.223.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235236; rev:1;)
# URL indicators with short URI patterns. http.uri is a prefix match (depth equals the
# pattern length, no end anchor), so "/cm" also matches longer paths that merely start
# with those characters; the exact http.host condition is what keeps the rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"175.178.73.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235234; rev:1;)
# The path is a common library file name; do not reuse it as a standalone search term.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ns.chrome-crash.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235233; rev:1;)
# Feed confidence 75% and a generic "/index.php" prefix: the host name is the only
# distinctive part of this indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"kitfishstore.ru"; depth:15; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1235232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235232; rev:1;)
# Feed confidence 75% and a generic "/index.php" prefix: the host name is the only
# distinctive part of this indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"homemademagazine.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235231; rev:1;)
# IP:port indicator on 443 at 80% confidence: matches any TCP packet to the address; the
# TLS session itself is not inspected.
alert tcp $HOME_NET any -> [185.248.163.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235230; rev:1;)
# "/auth/login" indicators: the same URI prefix is paired with a different exact Host value
# in each rule. The msg names no malware family; the referenced entry has the attribution.
# Only GET requests over cleartext or decrypted HTTP are matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.255.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.73.131.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.232.142.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235119; rev:1;)
# "/auth/login" indicators: GET request, case-insensitive URI prefix "/auth/login", exact
# Host value given as an IP literal. "/auth/login" is a common application path, so the
# Host condition is the distinctive part; a request that reaches the same server under a
# different Host value is not matched by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"92.246.136.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.168.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.141.215.173"; depth:14;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235124; rev:1;)
# "/auth/login" indicators: GET request, case-insensitive URI prefix, exact Host value.
# Only cleartext or decrypted HTTP is inspected by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.106.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"141.98.83.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.253.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235126; rev:1;)
# The Host value embeds 85.192.63.57, the address that rule sid:91235122 matches as a bare
# IP. sslip.io is a public wildcard-DNS service that resolves names containing an address
# to that address, so this is a second name for what is presumably the same server -
# confirm in the referenced entry. No dns rule for this name is visible in this part of
# the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.57.sslip.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29;
classtype:trojan-activity; sid:91235127; rev:1;)
# Indicators at 75% feed confidence (IP:port and domain). The ip:port rules match on
# address and port 80 alone, so ordinary web traffic to another site on the same address
# would alert as well - corroborate with the dns rules or proxy logs.
alert tcp $HOME_NET any -> [103.215.221.168] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235190/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235190; rev:1;)
# Exact match on one duckdns.org subdomain (depth + isdataat:!1,relative); other names
# under duckdns.org are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abixmaly.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235194/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235194; rev:1;)
alert tcp $HOME_NET any -> [103.92.235.29] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235195/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235195; rev:1;)
# Domain indicators: case-insensitive exact match on the queried name; the msg names no
# malware family, so use the referenced entry for attribution.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skscarsrjn.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235196/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rocheholding.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235197/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 75%)"; dns_query; content:"www.rnofinancial.com.au"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235201; rev:1;)
# IP:port indicators at 75% feed confidence: address and port are the only match criteria;
# the threshold gives one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [3.19.130.43] 10093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235213; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.235] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235210; rev:1;)
alert tcp $HOME_NET any -> [3.142.167.54] 10093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235212; rev:1;)
# Payload-delivery URL indicators: the rules match the outbound GET only (request buffers,
# flow from_client). A hit shows the URL was requested, not that content was delivered.
# The URI pattern is lower-case with nocase, so it is not the original-case string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1zkzw2mq"; depth:9; nocase; http.host; content:"draggedline.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytw8d9xy"; depth:9;
nocase; http.host; content:"climedballon.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235112; rev:1;)
# Payload-delivery URL indicators: one short path per host name. The path is a
# case-insensitive prefix match and the Host value an exact match; the msg names no
# malware family. No dns rules for these host names are visible in this part of the file,
# so requests over HTTPS would go unseen unless TLS is decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdrvdw9c"; depth:9; nocase; http.host; content:"waterlinesheet.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rz7kfbxj"; depth:9; nocase; http.host; content:"dailytickyclock.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235115; rev:1;)
# http.uri content "/" with depth:1 matches every request path: this rule alerts on any
# cleartext GET whose Host value is exactly devquery.org.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"devquery.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd5fkzwv"; depth:9; nocase; http.host; content:"lemonicecold.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235113/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_01_29; classtype:trojan-activity; sid:91235113; rev:1;)
# Payload-delivery URL indicators: one short path per host name, matched on the outbound
# GET only. The path is a case-insensitive prefix match, the Host value an exact match.
# A hit shows the URL was requested; check response and file logs for what came back.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxlvy9nz"; depth:9; nocase; http.host; content:"throatpills.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zcqvjvq1"; depth:9; nocase; http.host; content:"surelytheme.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpw79r1k"; depth:9; nocase; http.host; content:"drilledgas.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bxz6bx5c"; depth:9; nocase; http.host; content:"windowlight.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level:
100%)"; dns_query; content:"oracle-panel.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235104; rev:1;)
# dns_query with depth:<len> plus isdataat:!1,relative is an exact-name match: the
# pattern must start at the first byte of the query name and nothing may follow it.
# The rule ending on the line above (sid:91235104) therefore matches only the name
# oracle-panel.online itself, not its subdomains; tunel.oracle-panel.online is covered
# by its own rule below, and any other subdomain is not covered by either.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunel.oracle-panel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235103; rev:1;)
# The two HTTP rules below share the URI prefix "/auth/login" and differ only in the
# Host value (hostname vs. bare IP literal). The path is generic and only anchored at
# its start, so the Host match is what ties a hit to this indicator. The IP-literal
# variant fires only when the client sends that address as its Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"tunel.oracle-panel.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235101; rev:1;)
# ip:port rule for the same address used as the Host literal in sid:91235101, here on
# TCP port 15666. There is no flow or content condition: destination address and port
# are the whole signature, so a packet from $HOME_NET to this ip:port can match before
# any session is established (an alert shows a connection attempt, not a completed
# exchange). threshold: type limit caps output at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [89.208.103.177] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"bb2wexx2x2aa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235093; rev:1;) alert tcp $HOME_NET any -> [78.153.139.198] 4000 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"wexx2x11x2aa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"x2313xsdx2a.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"babawwe2aa.com"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1235089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"wexx2x2aa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"xex2napggq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"193.222.96.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235087; rev:1;) alert tcp $HOME_NET any -> [185.81.157.135] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235229; rev:1;) alert tcp $HOME_NET any -> [72.11.158.94] 1604 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235228; rev:1;) alert tcp $HOME_NET any -> [79.137.205.212] 8080 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235081; rev:1;) alert tcp $HOME_NET any -> [192.252.183.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235227; rev:1;) alert tcp $HOME_NET any -> [192.252.183.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235226; rev:1;) alert tcp $HOME_NET any -> [192.252.183.18] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235225; rev:1;) alert tcp $HOME_NET any -> [192.252.183.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235224/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235224; rev:1;)
# QakBot ip:port indicators, all published with confidence_level 50. These rules have
# no payload or flow condition: destination address and port are the entire signature,
# and several use common service ports (443, 995). A hit is a lead to corroborate with
# other evidence (endpoint telemetry, DNS/TLS context for the same flow, the referenced
# ThreatFox entry), not a confirmed infection on its own.
# NOTE(review): first_seen is the only date carried in the rule; whether the address
# still serves the same purpose has to be checked against the referenced entry.
# threshold: type limit, track by_src yields at most one alert per internal source per
# 60 seconds, so alert counts understate the number of connections.
alert tcp $HOME_NET any -> [86.122.235.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235223; rev:1;)
alert tcp $HOME_NET any -> [31.190.83.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235222; rev:1;)
alert tcp $HOME_NET any -> [5.163.239.151] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235221; rev:1;)
alert tcp $HOME_NET any -> [91.140.64.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235220; rev:1;)
alert tcp $HOME_NET any -> [94.98.74.63] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235219; rev:1;)
alert tcp $HOME_NET any -> [59.20.162.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235218; rev:1;) alert tcp $HOME_NET any -> [34.244.129.215] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235217; rev:1;) alert tcp $HOME_NET any -> [45.90.218.248] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c3/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235215; rev:1;) alert tcp $HOME_NET any -> [43.129.169.102] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235214/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235214; rev:1;) alert tcp $HOME_NET any -> [111.230.103.176] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235211/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; 
sid:91235211; rev:1;) alert tcp $HOME_NET any -> [43.230.202.77] 4568 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235209; rev:1;) alert tcp $HOME_NET any -> [87.98.177.182] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blb41/index.php"; depth:16; nocase; http.host; content:"blblz.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235207; rev:1;) alert tcp $HOME_NET any -> [149.102.231.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235206/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235206; rev:1;) alert tcp $HOME_NET any -> [124.71.9.23] 8055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235205/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235205; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235204/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235204; rev:1;) alert tcp $HOME_NET any -> [23.95.60.87] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235203; rev:1;) alert tcp $HOME_NET any -> [64.227.174.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235189/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235189; rev:1;) alert tcp $HOME_NET any -> [206.189.149.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235188; rev:1;) alert tcp $HOME_NET any -> [20.11.73.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235187; rev:1;) alert tcp $HOME_NET any -> [62.210.28.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; 
classtype:trojan-activity; sid:91235186; rev:1;) alert tcp $HOME_NET any -> [65.20.76.49] 4488 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235185; rev:1;) alert tcp $HOME_NET any -> [165.227.185.39] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235184; rev:1;) alert tcp $HOME_NET any -> [195.133.13.135] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235183; rev:1;) alert tcp $HOME_NET any -> [3.83.43.12] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235182; rev:1;) alert tcp $HOME_NET any -> [181.32.129.119] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235181; rev:1;) alert tcp $HOME_NET any -> [143.198.20.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235180; rev:1;) alert tcp $HOME_NET any -> [34.143.218.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235179; rev:1;) alert tcp $HOME_NET any -> [203.161.46.188] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235178; rev:1;) alert tcp $HOME_NET any -> [52.128.230.170] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235177; rev:1;) alert tcp $HOME_NET any -> [118.25.109.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235176; rev:1;) alert tcp $HOME_NET any -> [52.128.230.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; 
sid:91235175; rev:1;) alert tcp $HOME_NET any -> [180.112.128.157] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235173; rev:1;) alert tcp $HOME_NET any -> [220.173.27.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235174; rev:1;) alert tcp $HOME_NET any -> [179.61.251.93] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235172; rev:1;) alert tcp $HOME_NET any -> [3.213.37.39] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235171; rev:1;) alert tcp $HOME_NET any -> [3.210.242.78] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235170; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235169; rev:1;) alert tcp $HOME_NET any -> [185.196.10.245] 4443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235168; rev:1;) alert tcp $HOME_NET any -> [93.123.39.235] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235167; rev:1;) alert tcp $HOME_NET any -> [185.237.14.236] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235166; rev:1;) alert tcp $HOME_NET any -> [159.69.86.27] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235164; rev:1;) alert tcp $HOME_NET any -> [39.38.245.19] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235162; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 6606 (msg:"ThreatFox 
Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235163; rev:1;) alert tcp $HOME_NET any -> [20.163.19.3] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235161; rev:1;) alert tcp $HOME_NET any -> [85.209.176.79] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235160; rev:1;) alert tcp $HOME_NET any -> [156.253.13.217] 4848 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235159; rev:1;) alert tcp $HOME_NET any -> [94.103.188.123] 1111 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235158; rev:1;) alert tcp $HOME_NET any -> [35.189.151.174] 5563 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235157/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_28; classtype:trojan-activity; sid:91235157; rev:1;) alert tcp $HOME_NET any -> [125.130.86.64] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235156; rev:1;) alert tcp $HOME_NET any -> [176.105.230.74] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235155; rev:1;) alert tcp $HOME_NET any -> [64.231.120.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235154; rev:1;) alert tcp $HOME_NET any -> [185.172.128.60] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235153; rev:1;) alert tcp $HOME_NET any -> [185.172.128.4] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235152; rev:1;) alert tcp $HOME_NET any -> [45.133.36.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1235151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235151; rev:1;) alert tcp $HOME_NET any -> [62.109.30.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235149; rev:1;) alert tcp $HOME_NET any -> [154.223.21.23] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235150; rev:1;) alert tcp $HOME_NET any -> [192.252.183.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235148; rev:1;) alert tcp $HOME_NET any -> [38.207.179.146] 48964 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235147/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_28; classtype:trojan-activity; sid:91235147; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235146; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1883 (msg:"ThreatFox 
DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235145; rev:1;)
# How to read the rules in this section (layout restored to one rule per line):
#
# ip:port rules (alert tcp ... -> [addr] port)
#   Match on destination address and port only. There is no flow: or payload
#   condition, so an alert can fire on a connection attempt that never completed
#   and says nothing about what was sent. threshold "type limit, track by_src,
#   seconds 60, count 1" caps this at one alert per source host per 60 seconds.
#
# url rules (alert http)
#   Client GET request (flow:established,from_client) whose URI starts with the
#   listed path and whose Host is exactly the listed value. On http.uri, content
#   plus depth anchors the start only, so longer URIs sharing the prefix match
#   too; on http.host, depth plus isdataat:!1,relative anchors both ends.
#   These rules need parsed HTTP, so they only see requests readable in cleartext.
#
# domain rules (alert dns)
#   Exact, case-insensitive match on the queried name: depth equals the name
#   length and isdataat:!1,relative forbids trailing bytes. Subdomains match only
#   when they have their own rule (see rxjh.online / js. / www. below).
#   dns_query is the older spelling of dns.query; the http rules here already use
#   the dotted buffer names.
#
# Common to all three:
#   - sid is the ThreatFox IOC id from the reference URL with a leading 9.
#   - target:src_ip records the $HOME_NET client as the affected host.
#   - confidence_level and first_seen are metadata only and do not change
#     matching; a confidence_level 50 rule alerts exactly like a 100 one, so
#     weight or filter on the metadata during triage.
#   - Every first_seen here is 2024_01_28. Addresses and hostnames get reassigned;
#     check the referenced IOC page before treating an old entry as current.
alert tcp $HOME_NET any -> [187.135.114.239] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235144; rev:1;)
alert tcp $HOME_NET any -> [81.136.60.101] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235143; rev:1;)
alert tcp $HOME_NET any -> [108.165.113.54] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235142; rev:1;)
alert tcp $HOME_NET any -> [43.248.185.248] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235141; rev:1;)
alert tcp $HOME_NET any -> [121.41.50.152] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235140; rev:1;)
alert tcp $HOME_NET any -> [31.41.244.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235139; rev:1;)
alert tcp $HOME_NET any -> [139.155.135.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235138; rev:1;)
alert tcp $HOME_NET any -> [35.164.187.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235137; rev:1;)
alert tcp $HOME_NET any -> [38.60.253.13] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235135; rev:1;)
alert tcp $HOME_NET any -> [104.244.72.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235136; rev:1;)
alert tcp $HOME_NET any -> [139.162.134.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235134; rev:1;)
alert tcp $HOME_NET any -> [82.97.251.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235132; rev:1;)
alert tcp $HOME_NET any -> [8.130.123.25] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235133; rev:1;)
alert tcp $HOME_NET any -> [139.196.226.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235131; rev:1;)
alert tcp $HOME_NET any -> [206.189.80.59] 22614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235130; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235129; rev:1;)
alert tcp $HOME_NET any -> [147.78.241.56] 313 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"190.123.44.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235100; rev:1;)
alert tcp $HOME_NET any -> [183.131.83.145] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235097; rev:1;)
alert tcp $HOME_NET any -> [154.246.34.250] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235096; rev:1;)
alert tcp $HOME_NET any -> [190.133.134.78] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235095; rev:1;)
alert tcp $HOME_NET any -> [38.62.236.182] 4567 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235094; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.87] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235086; rev:1;)
alert tcp $HOME_NET any -> [82.115.223.244] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235085; rev:1;)
alert tcp $HOME_NET any -> [47.108.89.235] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235084; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.14] 4412 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235083; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.47] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235082; rev:1;)
alert tcp $HOME_NET any -> [176.128.10.125] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235080; rev:1;)
alert tcp $HOME_NET any -> [221.239.26.195] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235079; rev:1;)
alert tcp $HOME_NET any -> [165.227.31.192] 22509 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235078; rev:1;)
alert tcp $HOME_NET any -> [95.173.255.238] 4444 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235077; rev:1;)
alert tcp $HOME_NET any -> [95.217.81.77] 35530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235076; rev:1;)
alert tcp $HOME_NET any -> [20.201.116.50] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235075; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.84] 8990 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235074; rev:1;)
alert tcp $HOME_NET any -> [161.35.237.131] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cf43561.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"117.72.11.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235070; rev:1;)
alert tcp $HOME_NET any -> [45.154.2.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.141.10.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235068; rev:1;)
# NOTE(review): the next name sits under a shared cloud parent (cloudapp.azure.com);
# such labels can be released and claimed by another tenant, so confirm the IOC is
# still live before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.westus3.cloudapp.azure.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235059; rev:1;)
alert tcp $HOME_NET any -> [20.171.192.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235060; rev:1;)
# Apex, js. and www. are three separate exact-match rules; any other label under
# rxjh.online is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxjh.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.rxjh.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rxjh.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"104.143.47.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235066; rev:1;)
# The same hostname is covered twice below: once as a DNS query and once as the
# Host of a GET for /pixel.gif, so one infected client can raise both sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caranthir.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"caranthir.zapto.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235064; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.67] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235058; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.68] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235057; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.220] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235056; rev:1;)
alert tcp $HOME_NET any -> [111.230.103.176] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235055; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.86] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235054; rev:1;)
alert tcp $HOME_NET any -> [109.242.113.157] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235053; rev:1;)
alert tcp $HOME_NET any -> [74.12.146.125] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235052; rev:1;)
alert tcp $HOME_NET any -> [211.169.158.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235051; rev:1;) alert tcp $HOME_NET any -> [151.48.177.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235050; rev:1;) alert tcp $HOME_NET any -> [141.144.233.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235049; rev:1;) alert tcp $HOME_NET any -> [164.92.125.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowordshere.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greedyclowns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getquery.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"climedballon.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowlight.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drilledgas.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devcodejs.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; 
sid:91235012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemonicecold.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dailytickyclock.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devqeury.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slurpslimes.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deeptrickday.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"greenpapers.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cancelledfirestarter.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudwebhub.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggerfun.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"treegreeny.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"surelytheme.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryh.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neworderspath.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"draggedline.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waterlinesheet.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigbricks.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; 
sid:91235029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"searchgear.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metallife.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emperorplan.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catsndogz.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greedyfines.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"libertader.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jsqur.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibedroom.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codecruncher.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggreenlimes.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryns.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheatlab.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234852; rev:1;) alert tcp $HOME_NET any -> [77.246.104.220] 3422 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkudndkwatnfevcaqeefytqnh.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w33s1.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whxzqkbbtzvdyxdeseoiyujzs.co"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; 
classtype:trojan-activity; sid:91234859; rev:1;)
# DNS-query rules matching the full query name only: depth equals the content
# length and isdataat:!1,relative requires the buffer to end there.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uohhunkmnfhbimtagizqgwpmv.to"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234860; rev:1;)
# NOTE(review): this name sits under a cloud API-gateway domain
# (apigw.tencentcs.com); presumably the leading label is tenant-assigned.
# metadata records first_seen but no last-seen or expiry, so check the
# ThreatFox entry is still current before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kboespoo-1317138495.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234861; rev:1;)
# serevto.com and www.serevto.com each get a rule because the match is exact;
# neither rule covers the other name, nor any further subdomain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serevto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.serevto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.uapa-edu.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234864; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzxngxmlsim3.cloudfront.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234887; rev:1;)
# Several names on this stretch sit under shared service domains
# (cloudfront.net above, ddns.net and workers.dev below). Each rule matches the
# full query name only (depth = content length, isdataat:!1,relative), so other
# names under the same service domain do not trigger it.
# NOTE(review): such labels can presumably be released and claimed by someone
# else later; metadata carries first_seen but no last-seen, so confirm the
# indicator's status on the ThreatFox entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estagioonlineeseguro.ddns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bing921.215436454.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234885; rev:1;)
# Matches on destination address and port 4433 alone; the payload is not
# inspected, so the family named in msg comes from the ThreatFox entry, not from
# anything observed in the traffic.
alert tcp $HOME_NET any -> [202.144.192.114] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbdb.addea.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nnpservices.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234883; rev:1;)
# ip:port rule: destination address and port are the whole match; threshold
# limits it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [189.18.237.245] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234889; rev:1;)
# NOTE(review): the query name embeds 52-70-254-144, which looks like a cloud
# instance's public DNS name for that address - inferred from the name format.
# Such addresses are presumably reassigned over time; the rule has first_seen
# only, so check the ThreatFox entry's current status when this fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-70-254-144.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234890; rev:1;)
alert tcp $HOME_NET any -> [142.67.130.172] 54999 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234893; rev:1;)
# Exact match on a dynamic-DNS style name; only this full query name triggers.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divert64.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234894; rev:1;)
alert tcp $HOME_NET any -> [163.172.255.114] 9080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234898/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234898; rev:1;)
# ip:port rules. Ports 80, 8080 and 443 are matched at the TCP layer only: there
# are no HTTP or TLS keywords, so an alert says a $HOME_NET host sent a packet
# to that address and port and nothing about the request itself. Pivot to
# flow/HTTP/TLS records for the same source to see what was exchanged.
# target:src_ip marks the source ($HOME_NET) side as the target in the alert.
alert tcp $HOME_NET any -> [54.37.196.189] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234899; rev:1;)
alert tcp $HOME_NET any -> [37.252.188.127] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234900; rev:1;)
alert tcp $HOME_NET any -> [164.90.185.9] 443 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234901; rev:1;)
alert tcp $HOME_NET any -> [206.189.109.146] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234902; rev:1;)
# msg gives the family as "Unknown malware"; the reference URL is the only
# pointer to what was observed at this address.
alert tcp $HOME_NET any -> [94.156.71.237] 3999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"wired-ethical-marten.ngrok-free.app"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234904; rev:1;)
# The DNS rule above (sid 91234904) and the HTTP rule below (sid 91234905) cover
# the same host name, so one download attempt can raise both.
# HTTP rule shape: client-to-server on an established flow, method buffer
# contains "GET", URI starts with "/run.exe" (depth 8, no end anchor, so longer
# URIs with that prefix also match), and http.host equals the name exactly
# (depth 35 plus isdataat:!1,relative).
# NOTE(review): the http keywords only see traffic parsed as HTTP; if the client
# uses TLS to this host the request is presumably invisible without decryption
# and the DNS rule is the one that fires - confirm against the sensor setup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.exe"; depth:8; nocase; http.host; content:"wired-ethical-marten.ngrok-free.app"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234905; rev:1;)
# Exact-name DNS match on a dynamic-DNS style name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinggru.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234989; rev:1;)
# ip:port rule: any TCP packet to this address and port; one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [90.15.154.112] 4899 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234998; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victacking.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235006; rev:1;)
# The HTTP rule ending above (sid 91235006) anchors "/" at the first URI byte,
# which any URI beginning with "/" satisfies; in effect it alerts on every GET
# whose Host is exactly 195.20.16.155.
# DNS-query rules below match the full query name only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqscr.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linedloop.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235042; rev:1;)
# Confidence drops below 100 from here (75 and 80). The value is repeated in
# msg and in metadata: confidence_level, so alert pipelines can filter or rank
# on the metadata field instead of parsing msg.
alert tcp $HOME_NET any -> [93.123.85.151] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bp.somersaultcloud.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235046; rev:1;)
alert tcp $HOME_NET any -> [116.103.228.193] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235047; rev:1;)
# ip:port rules at confidence 80: address and port are the only match criteria.
alert tcp $HOME_NET any -> [187.135.114.239] 1660 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235044; rev:1;)
alert tcp $HOME_NET any -> [158.247.254.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235043/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235043; rev:1;)
# first_seen changes to 2024_01_27 from this rule on.
# The same address appears twice: sid 91235005 matches any TCP packet to
# 108.165.113.54 port 443; sid 91235004 matches an HTTP GET whose Host is
# exactly that address and whose URI starts with "/updates.rss".
# NOTE(review): the http rule is not bound to a port ($EXTERNAL_NET any);
# traffic to port 443 is presumably TLS and, without decryption, visible only to
# the tcp rule - confirm which of the two can actually fire on this sensor.
alert tcp $HOME_NET any -> [108.165.113.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235004; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235003/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91235003; rev:1;)
# HTTP and DNS rules for the same host name (sids 91235001 and 91235002); a
# single request can raise both. In the HTTP rule the URI is a prefix match
# ("/vlenath" anchored at offset 0, no end anchor) and http.host is an exact
# match (depth 29 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlenath"; depth:8; nocase; http.host; content:"service.safaricom.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service.safaricom.workers.dev"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235002; rev:1;)
# ip:port rules at confidence 80: no payload inspection, one alert per source
# per 60 seconds.
alert tcp $HOME_NET any -> [217.31.202.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91235000; rev:1;)
alert tcp $HOME_NET any -> [44.211.174.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234997; rev:1;)
# Destination port 445 at confidence_level 50, the lowest value on this stretch.
# NOTE(review): outbound SMB to an external address is normally stopped by
# egress filtering; if this sid fires, check whether the packet actually left
# the perimeter as well as which host sent it.
alert tcp $HOME_NET any -> [51.81.35.61] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234996; rev:1;)
alert tcp $HOME_NET 
any -> [143.110.192.8] 27978 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234995; rev:1;)
# Confidence ranges from 50 to 100 across these rules while classtype stays
# trojan-activity throughout; metadata: confidence_level is the field to rank or
# filter on.
alert tcp $HOME_NET any -> [141.255.159.227] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234994; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.46] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234993; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234992; rev:1;)
# HTTP rule: nocase applies to the URI content only. The http.host content has
# no nocase; Suricata's http.host buffer is normalised to lowercase, so the
# lowercase literal is sufficient. The URI is a prefix match, the host an exact
# match (depth 16 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e3e70db1.php"; depth:13; nocase; http.host; content:"a0894373.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234991; rev:1;)
alert tcp $HOME_NET any -> [38.207.179.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234990; rev:1;)
# 143.110.192.8 is listed here on port 10451 at confidence 100; the same address
# also appears on port 27978 under sid 91234995 at confidence 50. Each
# address/port pair is its own rule with its own sid.
alert tcp $HOME_NET any -> [143.110.192.8] 10451 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234988; rev:1;)
alert tcp $HOME_NET any -> [45.66.248.135] 7438 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234987; rev:1;)
# Destination port 23 (Telnet) at confidence 90. The rule does not inspect the
# session, so an alert shows a packet toward the listed address and port, not
# that a login or command exchange took place.
alert tcp $HOME_NET any -> [74.70.4.221] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234986/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234986; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234985/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234985; rev:1;)
alert tcp $HOME_NET any -> [51.159.6.180] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234984; rev:1;)
alert tcp $HOME_NET any -> [45.77.154.69] 
30042 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234983; rev:1;)
# ip:port rules whose msg gives the family as "Unknown malware". The rule body
# carries no protocol detail, so the reference URL is the only pointer to what
# was observed at each address.
# NOTE(review): metadata has first_seen (2024_01_27) but no last-seen or expiry;
# confirm the indicator is still listed before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [141.94.244.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234982; rev:1;)
alert tcp $HOME_NET any -> [3.18.239.172] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234981; rev:1;)
alert tcp $HOME_NET any -> [52.31.167.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234980; rev:1;)
alert tcp $HOME_NET any -> [31.210.51.99] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234979; rev:1;)
alert tcp $HOME_NET any -> [195.122.14.251] 7005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234978/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234978; rev:1;)
# ip:port rules, family "Unknown malware". Three of the five complete rules
# below use destination port 3333; the rules are otherwise independent, each
# with its own sid and its own per-source threshold.
alert tcp $HOME_NET any -> [139.59.68.45] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234977; rev:1;)
alert tcp $HOME_NET any -> [4.198.2.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234976; rev:1;)
alert tcp $HOME_NET any -> [172.175.210.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234975; rev:1;)
alert tcp $HOME_NET any -> [20.98.28.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234974; rev:1;)
alert tcp $HOME_NET any -> [20.75.254.123] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234973; rev:1;)
alert tcp $HOME_NET any -> [125.25.54.213] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234972; rev:1;)
# ip:port rules, family "Unknown malware": destination address and port only.
alert tcp $HOME_NET any -> [104.155.11.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234971; rev:1;)
alert tcp $HOME_NET any -> [43.140.250.89] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234970; rev:1;)
# 128.199.159.85 is covered on two ports (443 and 8443) by two sids. The
# threshold is declared per rule, so one source can raise both alerts within
# the same 60-second window.
alert tcp $HOME_NET any -> [128.199.159.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234968; rev:1;)
alert tcp $HOME_NET any -> [128.199.159.85] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234969; rev:1;)
alert tcp $HOME_NET any -> [34.201.66.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234967/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234967; rev:1;)
# In every rule here the sid is the digit 9 followed by the ThreatFox IOC id
# from the reference URL (sid:91234965 <-> ioc/1234965), so an alert's sid leads
# straight to its source entry. The rules are not in numeric sid order.
alert tcp $HOME_NET any -> [18.211.99.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234965; rev:1;)
alert tcp $HOME_NET any -> [159.203.136.239] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234966; rev:1;)
alert tcp $HOME_NET any -> [20.123.192.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234964; rev:1;)
alert tcp $HOME_NET any -> [159.223.224.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234963; rev:1;)
alert tcp $HOME_NET any -> [4.147.247.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234962; rev:1;)
alert tcp $HOME_NET any -> [52.128.230.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234961; rev:1;)
# Destination port 60000 throughout this stretch. 52.128.230.171, .172 and .173
# are listed as three separate single-address rules (sids 91234957, 91234961,
# 91234959), so any suppression or tuning has to name each sid; there is no
# range rule covering them together.
alert tcp $HOME_NET any -> [43.139.177.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234960; rev:1;)
alert tcp $HOME_NET any -> [149.104.24.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234958; rev:1;)
alert tcp $HOME_NET any -> [52.128.230.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234959; rev:1;)
alert tcp $HOME_NET any -> [52.128.230.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234957; rev:1;)
alert tcp $HOME_NET any -> [185.117.152.159] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234956/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91234956; rev:1;)
# ip:port rules for several families. Apart from address, port, family name and
# ids, the rule text is identical: the family in msg is the feed's attribution
# and is not verified by any payload match, so two families on the same port
# are indistinguishable to the sensor.
alert tcp $HOME_NET any -> [93.123.39.235] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234955; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.37] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234954; rev:1;)
alert tcp $HOME_NET any -> [46.101.126.207] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234953; rev:1;)
alert tcp $HOME_NET any -> [77.246.110.208] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234952; rev:1;)
alert tcp $HOME_NET any -> [115.79.234.191] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234951; rev:1;)
alert tcp $HOME_NET any -> [96.30.193.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1234950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234950; rev:1;)
# ip:port rules. target:src_ip marks the source side - the $HOME_NET host - as
# the target in the alert record, so the internal address is the one to
# investigate. threshold (type limit, track by_src) gives one alert per internal
# host per 60 seconds, so a single alert can stand for many packets.
alert tcp $HOME_NET any -> [51.79.197.146] 23456 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234949; rev:1;)
# 223.155.16.91 and 223.155.16.108 share port 23333 but are separate rules.
alert tcp $HOME_NET any -> [223.155.16.91] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234947; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.108] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234948; rev:1;)
alert tcp $HOME_NET any -> [45.40.96.155] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234946; rev:1;)
alert tcp $HOME_NET any -> [95.164.2.178] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234945; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.187] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234944; rev:1;) alert tcp $HOME_NET any -> [92.246.136.53] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234942; rev:1;) alert tcp $HOME_NET any -> [3.76.253.201] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234943; rev:1;) alert tcp $HOME_NET any -> [88.218.60.150] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234941; rev:1;) alert tcp $HOME_NET any -> [45.55.70.10] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234940; rev:1;) alert tcp $HOME_NET any -> [64.23.149.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; 
classtype:trojan-activity; sid:91234939; rev:1;) alert tcp $HOME_NET any -> [45.134.26.33] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234938; rev:1;) alert tcp $HOME_NET any -> [20.77.15.101] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234937; rev:1;) alert tcp $HOME_NET any -> [185.81.157.150] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234936; rev:1;) alert tcp $HOME_NET any -> [94.46.246.95] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234935; rev:1;) alert tcp $HOME_NET any -> [103.28.89.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234934/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234934; rev:1;) alert tcp $HOME_NET any -> [34.162.51.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234933/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234933; rev:1;) alert tcp $HOME_NET any -> [80.78.22.159] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234932/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234932; rev:1;) alert tcp $HOME_NET any -> [188.166.9.214] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234931/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234931; rev:1;) alert tcp $HOME_NET any -> [79.36.28.36] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234930; rev:1;) alert tcp $HOME_NET any -> [105.98.42.244] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234929; rev:1;) alert tcp $HOME_NET any -> [114.55.133.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234928; rev:1;) alert tcp $HOME_NET any -> [223.255.246.169] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234927; rev:1;) alert tcp $HOME_NET any -> [185.196.10.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234925; rev:1;) alert tcp $HOME_NET any -> [114.132.226.250] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234926; rev:1;) alert tcp $HOME_NET any -> [120.24.70.197] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234924; rev:1;) alert tcp $HOME_NET any -> [204.44.94.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234923; rev:1;) alert tcp $HOME_NET any -> [91.92.243.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234921/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91234921; rev:1;) alert tcp $HOME_NET any -> [124.221.15.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234922; rev:1;) alert tcp $HOME_NET any -> [129.226.201.214] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234920; rev:1;) alert tcp $HOME_NET any -> [60.205.115.92] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234918; rev:1;) alert tcp $HOME_NET any -> [31.41.244.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234919; rev:1;) alert tcp $HOME_NET any -> [69.165.74.218] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234917; rev:1;) alert tcp $HOME_NET any -> [192.3.98.47] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234916; rev:1;) alert tcp $HOME_NET any -> [107.172.61.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234914; rev:1;) alert tcp $HOME_NET any -> [121.43.117.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234915; rev:1;) alert tcp $HOME_NET any -> [178.54.217.55] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234913; rev:1;) alert tcp $HOME_NET any -> [43.163.224.112] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234912; rev:1;) alert tcp $HOME_NET any -> [101.35.169.206] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234911; rev:1;) 
# ip:port indicators. Each of these rules matches on the destination address
# and port in the header only: the options carry no flow or content keyword, so
# an alert shows that a host in $HOME_NET sent TCP traffic to that endpoint, not
# that a session was established or what was sent.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds.
# The sid is the ThreatFox IOC id from the reference URL with a leading 9.
# NOTE(review): first_seen is 2024_01_27 while the file header reports a later
# update date; an address may have changed hands since the indicator was
# published, so confirm a hit against the referenced ThreatFox entry.
alert tcp $HOME_NET any -> [195.230.23.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234910; rev:1;)
alert tcp $HOME_NET any -> [117.72.39.83] 30005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234909; rev:1;)
alert tcp $HOME_NET any -> [104.143.47.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234908; rev:1;)
alert tcp $HOME_NET any -> [155.138.231.45] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234907; rev:1;)
# url indicator. Requires an established client-to-server flow, an http.method
# buffer matching "GET", a URI that begins with "/receive.php" (depth:12
# anchors the start; nothing anchors the end, so longer URIs with that prefix
# also match, in any letter case) and an http.host buffer equal to the
# hostname shown (depth:24 plus isdataat:!1,relative leave no room before or
# after it).
# The http.* buffers are filled from parsed HTTP, so a request to the same host
# inside TLS is outside this rule unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"op.mrstealth.pagekite.me"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234897; rev:1;)
# ip:port indicators with mixed confidence (80 and 100). The value is repeated
# in msg and in metadata: confidence_level; classtype is the same on every
# rule, so confidence_level is the field to rank these alerts by.
alert tcp $HOME_NET any -> [91.109.186.13] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234896; rev:1;)
alert tcp $HOME_NET any -> [194.33.191.53] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234895; rev:1;)
alert tcp $HOME_NET any -> [8.141.10.30] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234892; rev:1;)
# url indicator whose http.host value is an IP literal: the rule matches a GET
# for a URI starting with "/ga.js" where the host buffer is exactly that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.128.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234891; rev:1;)
alert tcp $HOME_NET any -> [92.63.178.58] 442 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234884; rev:1;)
alert tcp $HOME_NET any -> [193.142.58.127] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234882; rev:1;)
# The same hostname is listed twice below: once as a url indicator (HTTP GET
# with a URI prefix and an exact http.host match) and once as a domain
# indicator (exact DNS query name). The dns rule fires on the lookup itself, so
# it still applies when the later request is not parsed as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"success.165gov.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"success.165gov.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234881; rev:1;)
# url indicators whose http.host value is an IP literal. In each, depth on the
# http.uri content anchors the start of the URI only, so any URI beginning with
# the listed path matches; the host must equal the address exactly.
# Two of these rules (sid 91234879 and 91234876) share the host 47.236.19.63
# and differ only in the URI prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html.css"; depth:9; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234876; rev:1;)
# domain indicators interleaved with ip:port indicators on port 53.
# - dns rules: depth equals the length of the name and isdataat:!1,relative
#   forbids trailing bytes, so the content must be the whole query name
#   (case-insensitive). A lookup for a longer name under the same domain does
#   not match these rules.
# - tcp rules: the header says "alert tcp ... 53", so only TCP to that address
#   and port is matched; UDP to the same endpoint is not covered here and would
#   need its own rule if that visibility is wanted.
# NOTE(review): the dns rules carry no malware name in msg, while the port-53
# rules are labelled Cobalt Strike; whether each domain belongs with the
# neighbouring address is not stated in the rules — check the referenced
# ThreatFox entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beacon.evilginx2.bio"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234874; rev:1;)
alert tcp $HOME_NET any -> [64.23.174.74] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234875; rev:1;)
alert tcp $HOME_NET any -> [20.172.163.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bec.security-ssl.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234872; rev:1;)
alert tcp $HOME_NET any -> [95.179.177.89] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.modernbeem.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234870; rev:1;)
alert tcp $HOME_NET any -> [45.77.193.76] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.investmenttech.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234868; rev:1;)
alert tcp $HOME_NET any -> [95.179.142.153] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.currentbee.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234866; rev:1;) alert tcp $HOME_NET any -> [104.143.47.137] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cc.youku.zip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/"; depth:18; nocase; http.host; content:"cc.youku.zip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234855; rev:1;) alert tcp $HOME_NET any -> [43.130.60.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234853/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234853; rev:1;)
# ip:port indicators with confidence levels of 100, 50 and 80. Every rule uses
# classtype:trojan-activity regardless of confidence, so the classtype does
# not separate a 50% indicator from a 100% one; metadata: confidence_level
# (also repeated in msg) is the only field in the rule that does.
# These rules match on destination address and port alone, with the threshold
# limiting output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [193.233.254.78] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234850; rev:1;)
alert tcp $HOME_NET any -> [116.203.143.98] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234848; rev:1;)
alert tcp $HOME_NET any -> [109.107.182.26] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234849; rev:1;)
alert tcp $HOME_NET any -> [94.98.179.7] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234847; rev:1;)
# Two url indicators and one domain indicator for the same hostname under
# azurefd.net. depth:43 together with isdataat:!1,relative makes the host and
# query-name matches exact, so other hostnames under azurefd.net do not trigger
# these rules. The http rules additionally need method GET and a URI starting
# with the listed path; the dns rule needs only the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nntp.aspx"; depth:10; nocase; http.host; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wais.html"; depth:10; nocase; http.host; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234844; rev:1;)
# ip:port indicators at confidence level 50.
# NOTE(review): a hit here says only that a host contacted the address and
# port (443 in the QakBot case); corroborate with other evidence from the
# source host before escalating.
alert tcp $HOME_NET any -> [75.119.138.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234843; rev:1;)
alert tcp $HOME_NET any -> [179.13.3.199] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234842; rev:1;)
alert tcp $HOME_NET any -> [187.213.193.180] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234841; rev:1;)
alert tcp $HOME_NET any -> [41.99.122.66] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234840; rev:1;) alert tcp $HOME_NET any -> [141.164.209.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234839; rev:1;) alert tcp $HOME_NET any -> [72.27.73.7] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234838; rev:1;) alert tcp $HOME_NET any -> [77.73.39.175] 1194 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234837; rev:1;) alert tcp $HOME_NET any -> [74.12.146.125] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234836; rev:1;) alert tcp $HOME_NET any -> [41.96.195.143] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; 
sid:91234835; rev:1;)
# --- Entries with first_seen 2024_01_27 ---
# Rules are laid out one per line here.
#
# ip:port rules: "alert tcp $HOME_NET any -> [IP] PORT" with no flow or content
# condition. Any TCP packet from a monitored host to that address and port
# matches, so a hit shows contact with the endpoint and not that the named
# family's protocol was observed. "threshold: type limit, track by_src,
# seconds 60, count 1" caps each rule at one alert per source per 60 seconds.
# target:src_ip marks the $HOME_NET source as the attack target in alert output.
#
# NOTE(review): the family name and "botnet C2 traffic" wording in msg appear to
# be feed labels; corroborate with host or proxy telemetry before escalating,
# in particular for confidence_level 50 entries.
# NOTE(review): these IOCs were first seen 2024_01_27 and the file header gives a
# later update date; addresses may have changed hands since, so confirm the
# entry is still current via its reference URL.
# Several addresses below appear under more than one sid (one per port).
alert tcp $HOME_NET any -> [38.242.21.30] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234834; rev:1;)
alert tcp $HOME_NET any -> [137.117.205.207] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234832; rev:1;)
alert tcp $HOME_NET any -> [4.205.75.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234833; rev:1;)
alert tcp $HOME_NET any -> [137.117.205.207] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234831; rev:1;)
alert tcp $HOME_NET any -> [89.245.139.188] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234830; rev:1;)
alert tcp $HOME_NET any -> [89.245.139.188] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234829; rev:1;)
alert tcp $HOME_NET any -> [52.136.223.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234828; rev:1;)
alert tcp $HOME_NET any -> [52.136.223.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234827; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 7405 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234826; rev:1;)
alert tcp $HOME_NET any -> [92.116.91.188] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234825/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234825; rev:1;)
alert tcp $HOME_NET any -> [165.227.106.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234824; rev:1;)
alert tcp $HOME_NET any -> [172.104.237.247] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234823; rev:1;)
alert tcp $HOME_NET any -> [37.27.17.204] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234822; rev:1;)
alert tcp $HOME_NET any -> [5.189.253.164] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234802; rev:1;)
alert tcp $HOME_NET any -> [185.123.53.231] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234803; rev:1;)
alert tcp $HOME_NET any -> [5.230.44.226] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234801; rev:1;)
alert tcp $HOME_NET any -> [109.107.182.26] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234798; rev:1;)
alert tcp $HOME_NET any -> [116.203.143.98] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234799; rev:1;)
alert tcp $HOME_NET any -> [5.231.0.34] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234800; rev:1;)
# The next two rules cover the same address: sid 91234779 matches any TCP packet
# to port 80, sid 91234778 matches the HTTP request itself. One request for that
# URL on port 80 can raise both alerts; correlate them as a single event.
#
# url rules: http.uri content with depth equal to its length is anchored at the
# start of the URI but has no end check, so it is a prefix match (a longer path
# or a query string still matches). http.host content with the same depth plus
# isdataat:!1,relative requires the host buffer to equal the value exactly.
alert tcp $HOME_NET any -> [172.232.172.123] 80 (msg:"ThreatFox DBatLoader payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/400/isicentos.vbs"; depth:18; nocase; http.host; content:"172.232.172.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234778; rev:1;)
alert tcp $HOME_NET any -> [128.254.207.87] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234804; rev:1;)
alert tcp $HOME_NET any -> [178.236.247.167] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234805; rev:1;)
alert tcp $HOME_NET any -> [23.146.184.71] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234806; rev:1;)
alert tcp $HOME_NET any -> [66.135.17.87] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234807; rev:1;)
# domain rules: dns_query content with depth equal to its length plus
# isdataat:!1,relative (and nocase) matches only a query for exactly this name.
# A lookup of a subdomain of it, or of the parent domain, does not match.
# These rules have no threshold, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"places.creeksidehuntingpreserve.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colors.usajicgu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234809; rev:1;)
alert tcp $HOME_NET any -> [178.20.43.58] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234811; rev:1;)
alert tcp $HOME_NET any -> [5.252.177.220] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234812; rev:1;)
alert tcp $HOME_NET any -> [104.194.157.23] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234813; rev:1;)
alert tcp $HOME_NET any -> [190.123.44.228] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptlowcpugameserverdb.php"; depth:39; nocase; http.host; content:"yedar2on.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234820; rev:1;)
alert tcp $HOME_NET any -> [23.155.8.220] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234819; rev:1;)
alert tcp $HOME_NET any -> [77.246.110.208] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234818; rev:1;)
alert tcp $HOME_NET any -> [45.79.207.53] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234817; rev:1;)
alert tcp $HOME_NET any -> [20.125.88.113] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234816; rev:1;)
alert tcp $HOME_NET any -> [46.17.46.226] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/nk6fekkvnwln1wrklks6hrb9moms13q4vdupalwm"; depth:45; nocase; http.host; content:"mirrors.office356.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234814; rev:1;)
# Number of entries: 46448